Authority: Title 2.2, Chapter 20.1, Code of Virginia.

A. Out of this appropriation, $7,631,481 the first year and $7,631,481 the second year for Technology Security Oversight Services is sum sufficient and amounts shown are estimates from an internal service fund which shall be paid solely from charges to other programs within this agency.

B.1. The Virginia Information Technologies Agency shall operate an information technology security service center to support the information technology security needs of agencies electing to participate in the information technology security service center. Support for participating agencies shall include, but not be limited to, vulnerability scans, information technology security audits, and Information Security Officer services. Participating agencies shall cooperate with the Virginia Information Technologies Agency by transferring such records and functions as may be required.

2.a. The Virginia Information Technologies Agency shall perform vulnerability scans of all public-facing websites and systems operated by state agencies. All state agencies which operate such websites and systems shall cooperate with the Virginia Information Technologies Agency in order to complete the vulnerability scans. However, the State Corporation Commission shall not be required to disable, in full or in part, any software system, process, or other tool utilized to protect such public-facing websites and systems. All state agencies shall mitigate or resolve website risks and vulnerabilities identified by the Virginia Information Technologies Agency.

b. Out of this appropriation, $318,676 the first year and $318,676 the second year from the general fund shall be used to support vulnerability scanning of public-facing websites and systems of the Commonwealth.

3. Agencies electing to participate in the information technology security service center shall enter into a memorandum of understanding with the Virginia Information Technologies Agency. Such memorandums shall outline the services to be provided by the Virginia Information Technologies Agency and the costs to provide those services. If a participating agency elects to not renew its memorandum of understanding, the agency shall notify the Virginia Information Technologies Agency twelve months prior to the scheduled renewal date of its intent to become a non-participating agency.

4. Non-participating agencies shall be required by July 1 each year to notify the Chief Information Officer of the Commonwealth that the agency has met the requirements of the Commonwealth's information security standards. If the agency has not met the requirements of the Commonwealth's information security standards, the agency shall report to the Chief Information Officer of the Commonwealth the steps and procedures the agency is implementing in order to satisfy the requirements.

5. Out of this appropriation, $2,690,250 the first year and $2,690,250 the second year for Information Technology Security Service Center is sum sufficient and amounts shown are estimates from an internal service fund which shall be paid solely from internal service fund revenues.

6. Notwithstanding any other provision of state law, and to the extent and in the manner permitted by federal law, the Virginia Information Technologies Agency shall have the legal authority to access, use, and view data and other records transferred to or in the custody of the information technology security service center pursuant to this item. The services of the center are intended to enhance data security, and no state law or regulation imposing data security or dissemination restrictions on particular records shall prevent or burden the custodian agency's authority under this item to transfer such records to the center for the purpose of receiving the center's services. All such transfers and any access, use, or viewing of data by center personnel in support of the center's provision of such services to the transferring agency shall be deemed necessary to assist in valid administrative needs of the transferring agency's program that received, used, or created the records transferred, and personnel of the center shall, to the extent necessary, be deemed agents of the transferring agency's administrative unit that is responsible for the program. Without limiting the foregoing, no transfer of records under this item shall trigger any requirement for notice or consent under the Government Data Collection and Dissemination Practices Act (GDCDPA) (§ 2.2-3800 et. Seq.) or other law or regulation of the Commonwealth. The transferring agency shall continue to be deemed the custodian of any record transferred to the center for purposes of the GDCDPA, the Freedom Of Information Act, and other laws or regulations of the Commonwealth pertaining to agencies that administer the transferred records and associated programs. Custody of such records for security purposes shall not make the Virginia Information Technologies Agency a custodian of such records. Any memorandum of understanding under authority of this item shall specify the records to be transferred, security requirements, and permitted use of data provided. VITA and any contractor it uses in the provision of the center's services shall hold such data in confidence and implement and maintain all information security safeguards defined in the memorandum of understanding or required by federal or state laws, regulations, or policies for the protection of sensitive data.

7. The rates required to recover the costs of the information technology security service center shall be provided by the Virginia Information Technologies Agency to the Department of Planning and Budget by September 1 each year for review and approval of the subsequent fiscal year's rate.

C.1. Out of this appropriation, $616,299 the first year and $616,299 the second year for Cloud Based Services Oversight is sum sufficient and amounts shown are estimates from an internal service fund which shall be paid solely from internal service fund revenues for a program to support the use of cloud service providers by state agencies served by the Virginia Information Technologies Agency.

2. As part of the program, the Virginia Information Technologies Agency shall develop policies, standards, and procedures for the use of cloud services providers by state agencies served by the Virginia Information Technologies Agency. These policies, standards, and procedures shall address the security and privacy of Commonwealth and citizen data; ensure compliance with federal and state laws and regulations; and provide for ongoing oversight and management of cloud services to verify performance through service level agreements or other means. VITA shall also establish a statewide contract of approved vendors authorized to offer cloud based services to state agencies.

3. Requests to use cloud providers shall be submitted by participating agencies to the Virginia Information Technologies Agency, which shall review such requests in accordance with the Commonwealth's policies, standards, and procedures. For approved requests, and consistent with Chapter 20.1 of Title 2.2, the Virginia Information Technologies Agency will procure cloud services on behalf of other agencies or may, upon request, authorize other state agencies to undertake such procurements on their own. The Virginia Information Technologies Agency shall also administer and oversee all contracts for cloud services used by agencies participating in the cloud services center, including verification of security and performance.

4. The Virginia Information Technologies Agency shall work with state agencies to assess opportunities for additional use of cloud services, including infrastructure, platform, and software as a service. This assessment shall include a review of options for use of service brokers and integrators, and options for providing storage and server services through cloud or on-premises means.

5. The rates required to recover the costs associated with providing oversight and management of cloud based services shall be included in the submission required by § 4-5.03 of this act.