Code of Virginia

Creating a Report: Check the sections you'd like to appear in the report, then use the "Create Report" button at the bottom of the page to generate your report. Once the report is generated you'll then have the option to download it as a pdf, print or email the report.

Code of Virginia
Title 2.2. Administration of Government
Chapter 20.1. Virginia Information Technologies Agency
5/23/2022

Chapter 20.1. Virginia Information Technologies Agency.

Article 1. General Provisions.

§ 2.2-2005. Creation of Agency; appointment of Chief Information Officer.

A. There is hereby created the Virginia Information Technologies Agency (VITA), which shall serve as the agency responsible for administration and enforcement of the provisions of this Chapter.

B. The Governor shall appoint a Chief Information Officer of the Commonwealth (the CIO) to oversee the operation of VITA. The CIO shall exercise the powers and perform the duties conferred or imposed upon him by law and perform such other duties as may be required by the Governor and the Secretary of Administration.

2003, cc. 981, 1021; 2009, c. 826; 2010, cc. 136, 145; 2016, c. 296; 2020, c. 738.

§ 2.2-2006. Definitions.

As used in this chapter, unless the context requires a different meaning:

"Commonwealth information technology project" means any state agency information technology project that is under Commonwealth governance and oversight.

"Commonwealth Project Management Standard" means a document developed and adopted by the Chief Information Officer (CIO) pursuant to § 2.2-2016.1 that describes the methodology for conducting information technology projects, and the governance and oversight used to ensure project success.

"Confidential data" means information made confidential by federal or state law that is maintained in an electronic format.

"Enterprise" means an organization with common or unifying business interests. An enterprise may be defined at the Commonwealth level or secretariat level for program and project integration within the Commonwealth, secretariats, or multiple agencies.

"Executive branch agency" or "agency" means any agency, institution, board, bureau, commission, council, public institution of higher education, or instrumentality of state government in the executive department listed in the appropriation act. However, "executive branch agency" or "agency" does not include the University of Virginia Medical Center, a public institution of higher education to the extent exempt from this chapter pursuant to the Restructured Higher Education Financial and Administrative Operations Act (§ 23.1-1000 et seq.) or other law, or the Virginia Port Authority.

"Information technology" means communications, telecommunications, automated data processing, applications, databases, data networks, the Internet, management information systems, and related information, equipment, goods, and services. The provisions of this chapter shall not be construed to hamper the pursuit of the missions of the institutions in instruction and research.

"ITAC" means the Information Technology Advisory Council created in § 2.2-2699.5.

"Major information technology project" means any Commonwealth information technology project that has a total estimated cost of more than $1 million or that has been designated a major information technology project by the CIO pursuant to the Commonwealth Project Management Standard developed under § 2.2-2016.1.

"Secretary" means the Secretary of Administration.

"Technology asset" means hardware and communications equipment not classified as traditional mainframe-based items, including personal computers, mobile computers, and other devices capable of storing and manipulating electronic data.

"Telecommunications" means any origination, transmission, emission, or reception of data, signs, signals, writings, images, and sounds or intelligence of any nature, by wire, radio, television, optical, or other electromagnetic systems.

1984, c. 746, § 2.1-563.13; 1997, c. 858; 2001, c. 844, § 2.2-1301; 2003, cc. 981, 1021; 2004, c. 145; 2007, c. 769; 2010, cc. 136, 145; 2011, c. 739; 2012, cc. 803, 835; 2014, cc. 37, 181; 2015, c. 768; 2016, c. 296; 2020, c. 738.

§ 2.2-2007. Powers of the CIO.

A. The CIO shall promulgate regulations necessary or incidental to the performance of duties or execution of powers conferred under this chapter. The CIO shall also develop policies, standards, and guidelines for the planning, budgeting, procurement, development, maintenance, security, and operations of information technology for executive branch agencies. Such policies, standards, and guidelines shall include those necessary to:

1. Support state and local government exchange, acquisition, storage, use, sharing, and distribution of data and related technologies.

2. Support the development of electronic transactions including the use of electronic signatures as provided in § 59.1-496.

3. Support a unified approach to information technology across the totality of state government, thereby assuring that the citizens and businesses of the Commonwealth receive the greatest possible security, value, and convenience from investments made in technology.

4. Ensure that the costs of information technology systems, products, data, and services are contained through the shared use of existing or planned equipment, data, or services.

5. Provide for the effective management of information technology investments through their entire life cycles, including identification, business case development, selection, procurement, implementation, operation, performance evaluation, and enhancement or retirement. Such policies, standards, and guidelines shall include, at a minimum, the periodic review by the CIO of agency Commonwealth information technology projects.

6. Establish an Information Technology Investment Management Standard based on acceptable technology investment methods to ensure that all executive branch agency technology expenditures are an integral part of the Commonwealth's performance management system, produce value for the agency and the Commonwealth, and are aligned with (i) agency strategic plans, (ii) the Governor's policy objectives, and (iii) the long-term objectives of the Council on Virginia's Future.

B. In addition to other such duties as the Secretary may assign, the CIO shall:

1. Oversee and administer the Virginia Technology Infrastructure Fund created pursuant to § 2.2-2023.

2. Report annually to the Governor, the Secretary, and the Joint Commission on Technology and Science created pursuant to § 30-85 on the use and application of information technology by executive branch agencies to increase economic efficiency, citizen convenience, and public access to state government.

3. Prepare annually a report for submission to the Secretary, the Information Technology Advisory Council, and the Joint Commission on Technology and Science on a prioritized list of Recommended Technology Investment Projects (RTIP Report) based upon major information technology projects submitted for business case approval pursuant to this chapter. As part of the RTIP Report, the CIO shall develop and regularly update a methodology for prioritizing projects based upon the allocation of points to defined criteria. The criteria and their definitions shall be presented in the RTIP Report. For each project recommended for funding in the RTIP Report, the CIO shall indicate the number of points and how they were awarded. For each listed project, the CIO shall also report (i) all projected costs of ongoing operations and maintenance activities of the project for the next three biennia following project implementation; (ii) a justification and description for each project baseline change; and (iii) whether the project fails to incorporate existing standards for the maintenance, exchange, and security of data. This report shall also include trends in current projected information technology spending by executive branch agencies and secretariats, including spending on projects, operations and maintenance, and payments to VITA. Agencies shall provide all project and cost information required to complete the RTIP Report to the CIO prior to May 31 immediately preceding any budget biennium in which the project appears in the Governor's budget bill.

4. Provide oversight for executive branch agency efforts to modernize the planning, development, implementation, improvement, operations and maintenance, and retirement of Commonwealth information technology, including oversight for the selection, development and management of enterprise information technology.

5. Develop statewide technical and data standards and specifications for information technology and related systems, including (i) the efficient exchange of electronic information and technology, including infrastructure, between the public and private sectors in the Commonwealth and (ii) the utilization of nationally recognized technical and data standards for health information technology systems or software purchased by an executive branch agency.

6. Direct the compilation and maintenance of an inventory of information technology, including but not limited to personnel, facilities, equipment, goods, and contracts for services.

7. Provide for the centralized marketing, provision, leasing, and executing of licensing agreements for electronic access to public information and government services through the Internet, wireless devices, personal digital assistants, kiosks, or other such related media on terms and conditions as may be determined to be in the best interest of the Commonwealth. VITA may fix and collect fees and charges for (i) public information, media, and other incidental services furnished by it to any private individual or entity, notwithstanding the charges set forth in § 2.2-3704, and (ii) such use and services it provides to any executive branch agency or local government. Nothing in this subdivision authorizing VITA to fix and collect fees for providing information services shall be construed to prevent access to the public records of any public body pursuant to the provisions of the Virginia Freedom of Information Act (§ 2.2-3700 et seq.). VITA is authorized, subject to the approval by the Secretary of Administration and any other affected Secretariat, to delegate the powers and responsibilities granted in this subdivision to any agency within the executive branch.

8. Periodically evaluate the feasibility of outsourcing information technology resources and services, and outsource those resources and services that are feasible and beneficial to the Commonwealth.

9. Have the authority to enter into and amend contracts, including contracts with one or more other public bodies, or public agencies or institutions or localities of the several states, of the United States or its territories, or the District of Columbia, for the provision of information technology services.

C. Consistent with § 2.2-2012, the CIO may enter into public-private partnership contracts to finance or implement information technology programs and projects. The CIO may issue a request for information to seek out potential private partners interested in providing programs or projects pursuant to an agreement under this subsection. The compensation for such services shall be computed with reference to and paid from the increased revenue or cost savings attributable to the successful implementation of the program or project for the period specified in the contract. The CIO shall be responsible for reviewing and approving the programs and projects and the terms of contracts for same under this subsection. The CIO shall determine annually the total amount of increased revenue or cost savings attributable to the successful implementation of a program or project under this subsection and such amount shall be deposited in the Virginia Technology Infrastructure Fund created in § 2.2-2023. The CIO is authorized to use moneys deposited in the Fund to pay private partners pursuant to the terms of contracts under this subsection. All moneys in excess of that required to be paid to private partners, as determined by the CIO, shall be reported to the Comptroller and retained in the Fund. The CIO shall prepare an annual report to the Governor, the Secretary, and General Assembly on all contracts under this subsection, describing each information technology program or project, its progress, revenue impact, and such other information as may be relevant.

D. Executive branch agencies shall cooperate with VITA in identifying the development and operational requirements of proposed information technology systems, products, data, and services, including the proposed use, functionality, and capacity, and the total cost of acquisition, operation, and maintenance.

1999, cc. 412, 421, 433, § 2.1-51.47; 2000, c. 995; 2001, c. 844, § 2.2-226; 2002, c. 424; 2003, cc. 981, 1021; 2005, cc. 933, 945; 2007, cc. 276, 701; 2009, c. 86; 2010, cc. 136, 145; 2011, c. 739; 2015, c. 768; 2016, c. 296; 2020, c. 738.

§ 2.2-2007.1. Additional duties of the CIO relating to information technology planning and budgeting.

A. The CIO shall have the following duties related to information technology planning:

1. Monitor trends and advances in information technology, plan and forecast future needs for information technology, and conduct studies and surveys of organizational structures and best management practices of information technology systems and procedures;

2. Evaluate the needs of executive branch agencies in the Commonwealth with regard to (i) a consistent, reliable, and secure information technology infrastructure; (ii) existing capabilities related to building and supporting that infrastructure; and (iii) recommendation of approaches to ensure the future development, maintenance, and financing of information technology infrastructure befitting the needs of executive branch agencies and the service level requirements of its citizens; and

3. Develop a comprehensive six-year Commonwealth strategic plan for information technology to include (i) specific projects that implement the plan; (ii) a plan for the acquisition, management, and use of information technology by executive branch agencies; (iii) a report of the progress of any ongoing enterprise information technology projects, any factors or risks that might affect their successful completion, and any changes to their projected implementation costs and schedules; and (iv) a report on the progress made by executive branch agencies toward accomplishing the Commonwealth strategic plan for information technology. The Commonwealth strategic plan for information technology shall be updated annually and submitted to the Secretary for approval.

B. The CIO shall have the following duties related to budgeting for information technology projects:

1. Develop policies, standards, and guidelines, in consultation with the Department of Planning and Budget, that are integrated into the Commonwealth's strategic planning and budgeting processes, and that executive branch agencies shall follow in developing information technology plans and technology-related budget requests. Such policies and procedures shall require consideration of the contribution of current and proposed technology expenditures to the support of executive branch agency priority functional activities, as well as current and future operating expenses, and shall be utilized by all state agencies in preparing budget requests.

2. Assist executive branch agencies in the development of information technology strategic plans pursuant to § 2.2-2014 and the preparation of budget requests for information technology that are consistent with the policies, standards, and guidelines developed pursuant to this section.

3. Review budget requests for information technology from executive branch agencies and recommend budget priorities to the Secretary. Review of such budget requests shall include all information technology projects for amounts exceeding $250,000 for which the contract or proposed contract would, as a means of payment for the project, require the Commonwealth to forgo certain revenue collections or would allow another party to collect fees, charges, or other revenues on behalf of the Commonwealth. For each information technology project, the agency shall provide the CIO (i) a summary of the terms, (ii) the anticipated duration, and (iii) the cost or charges to any user, whether a state agency or other party not directly a party to the project arrangements. The description shall also include any terms or conditions that bind the Commonwealth or restrict the Commonwealth's operations and the methods of procurement employed to reach such terms. Executive branch agencies and institutions shall submit to the CIO a projected biennial operations and maintenance budget for technology assets owned or licensed by the agency or institution and submit a budget decision package for any shortfalls. The provisions of this subdivision shall not apply to public institutions of higher education that meet the conditions prescribed in subsection A of § 23.1-1002.

2016, c. 296.

§ 2.2-2008. Repealed.

Repealed by Acts 2016, c. 296, cl. 2.

§ 2.2-2009. Additional duties of the CIO relating to security of government information.

A. To provide for the security of state government electronic information from unauthorized uses, intrusions or other security threats, the CIO shall direct the development of policies, standards, and guidelines for assessing security risks, determining the appropriate security measures and performing security audits of government electronic information. Such policies, standards, and guidelines shall apply to the Commonwealth's executive, legislative, and judicial branches and independent agencies. The CIO shall work with representatives of the Chief Justice of the Supreme Court and Joint Rules Committee of the General Assembly to identify their needs. Such policies, standards, and guidelines shall, at a minimum:

1. Address the scope and frequency of security audits. In developing and updating such policies, standards, and guidelines, the CIO shall designate a government entity to oversee, plan, and coordinate the conduct of periodic security audits of all executive branch agencies and independent agencies. The CIO shall coordinate these audits with the Auditor of Public Accounts and the Joint Legislative Audit and Review Commission. The Chief Justice of the Supreme Court and the Joint Rules Committee of the General Assembly shall determine the most appropriate methods to review the protection of electronic information within their branches;

2. Control unauthorized uses, intrusions, or other security threats;

3. Provide for the protection of confidential data maintained by state agencies against unauthorized access and use in order to ensure the security and privacy of citizens of the Commonwealth in their interaction with state government. Such policies, standards, and guidelines shall include requirements that (i) any state employee or other authorized user of a state technology asset provide passwords or other means of authentication to use a technology asset and access a state-owned or state-operated computer network or database and (ii) a digital rights management system or other means of authenticating and controlling an individual's ability to access electronic records be utilized to limit access to and use of electronic records that contain confidential information to authorized individuals;

4. Address the creation and operation of a risk management program designed to identify information technology security gaps and develop plans to mitigate the gaps. All agencies in the Commonwealth shall cooperate with the CIO, including (i) providing the CIO with information required to create and implement a Commonwealth risk management program, (ii) creating an agency risk management program, and (iii) complying with all other risk management activities; and

5. Require that any contract for information technology entered into by the Commonwealth's executive, legislative, and judicial branches and independent agencies require compliance with applicable federal laws and regulations pertaining to information security and privacy.

B. 1. The CIO shall annually report to the Governor, the Secretary, and General Assembly on the results of security audits, the extent to which security policy, standards, and guidelines have been adopted by executive branch and independent agencies, and a list of those executive branch agencies and independent agencies that have not implemented acceptable security and risk management regulations, policies, standards, and guidelines to control unauthorized uses, intrusions, or other security threats. For any executive branch agency or independent agency whose security audit results and plans for corrective action are unacceptable, the CIO shall report such results to (i) the Secretary, (ii) any other affected cabinet secretary, (iii) the Governor, and (iv) the Auditor of Public Accounts. Upon review of the security audit results in question, the CIO may take action to suspend the executive branch agency's or independent agency's information technology projects pursuant to subsection B of § 2.2-2016.1, limit additional information technology investments pending acceptable corrective actions, and recommend to the Governor and Secretary any other appropriate actions.

2. Executive branch agencies and independent agencies subject to such audits as required by this section shall fully cooperate with the entity designated to perform such audits and bear any associated costs. Public bodies that are not required to but elect to use the entity designated to perform such audits shall also bear any associated costs.

C. In addition to coordinating security audits as provided in subdivision B 1, the CIO shall conduct an annual comprehensive review of cybersecurity policies of every executive branch agency, with a particular focus on any breaches in information technology that occurred in the reviewable year and any steps taken by agencies to strengthen cybersecurity measures. Upon completion of the annual review, the CIO shall issue a report of his findings to the Chairmen of the House Committee on Appropriations and the Senate Committee on Finance and Appropriations. Such report shall not contain technical information deemed by the CIO to be security sensitive or information that would expose security vulnerabilities.

D. The provisions of this section shall not infringe upon responsibilities assigned to the Comptroller, the Auditor of Public Accounts, or the Joint Legislative Audit and Review Commission by other provisions of the Code of Virginia.

E. The CIO shall promptly receive reports from directors of departments in the executive branch of state government made in accordance with § 2.2-603 and shall take such actions as are necessary, convenient or desirable to ensure the security of the Commonwealth's electronic information and confidential data.

F. The CIO shall provide technical guidance to the Department of General Services in the development of policies, standards, and guidelines for the recycling and disposal of computers and other technology assets. Such policies, standards, and guidelines shall include the expunging, in a manner as determined by the CIO, of all confidential data and personal identifying information of citizens of the Commonwealth prior to such sale, disposal, or other transfer of computers or other technology assets.

G. The CIO shall provide all directors of agencies and departments with all such information, guidance, and assistance required to ensure that agencies and departments understand and adhere to the policies, standards, and guidelines developed pursuant to this section.

H. The CIO shall promptly notify all public bodies as defined in § 2.2-5514 of hardware, software, or services that have been prohibited pursuant to Chapter 55.3 (§ 2.2-5514).

I. 1. This subsection applies to the Commonwealth's executive, legislative, and judicial branches and independent agencies.

2. In collaboration with the heads of executive branch and independent agencies and representatives of the Chief Justice of the Supreme Court and the Joint Rules Committee of the General Assembly, the CIO shall develop and annually update a curriculum and materials for training all state employees in information security awareness and in proper procedures for detecting, assessing, reporting, and addressing information security threats. The curriculum shall include activities, case studies, hypothetical situations, and other methods of instruction (i) that focus on forming good information security habits and procedures among state employees and (ii) that teach best practices for detecting, assessing, reporting, and addressing information security threats.

3. Every state agency shall provide annual information security training for each of its employees using the curriculum and materials developed by the CIO pursuant to subdivision 2. Employees shall complete such training within 30 days of initial employment and by January 31 each year thereafter.

State agencies may develop additional training materials that address specific needs of such agency, provided that such materials do not contradict the training curriculum and materials developed by the CIO.

The CIO shall coordinate with and assist state agencies in implementing the annual information security training requirement.

4. Each state agency shall (i) monitor and certify the training activity of its employees to ensure compliance with the annual information security training requirement, (ii) evaluate the efficacy of the information security training program, and (iii) forward to the CIO such certification and evaluation, together with any suggestions for improving the curriculum and materials, or any other aspects of the training program. The CIO shall consider such evaluations when it annually updates its curriculum and materials.

2000, c. 961, §§ 2.1-563.42 - 2.1-563.44; 2001, c. 844, §§ 2.2-136 - 2.2-138; 2002, c. 247, § 2.2-226.1; 2003, cc. 981, 1021; 2004, c. 638; 2007, cc. 769, 775; 2010, cc. 136, 145; 2015, c. 768; 2016, c. 296; 2017, c. 664; 2018, c. 775; 2019, c. 302; 2020, c. 717.

§ 2.2-2010. Repealed.

Repealed by Acts 2016, c. 296, cl. 2.

§ 2.2-2011. Additional powers and duties relating to development, management, and operation of information technology.

A. Unless specifically exempted by law, VITA shall be responsible for the development, operation, and management of information technology for every executive branch agency, pursuant to the provisions of this chapter.

B. The CIO shall have the following powers and duties concerning the development, operation, and management of information technology:

1. Manage, coordinate, and provide the information technology used by executive branch agencies;

2. Acquire, lease, or construct such land, facilities, and equipment as necessary to deliver comprehensive information technology services, and to maintain such land, facilities, and equipment owned or leased; and

3. Provide technical assistance to executive branch agencies in the planning, development, operation, and management of information technology.

1984, c. 746, §§ 2.1-563.16, 2.1-563.17, 2.1-563.18; 1985, c. 265; 1995, c. 357; 1997, c. 858; 1999, cc. 412, 421, 433; 2001, c. 844, § 2.2-1303; 2002, c. 579; 2003, cc. 981, 1021; 2016, c. 296.

§ 2.2-2012. Additional powers and duties related to the procurement of information technology.

A. The CIO shall develop policies, standards, and guidelines for the procurement of information technology of every description.

B. 1. Information technology shall be procured by (i) VITA for its own benefit or on behalf of other executive branch agencies or (ii) such other agencies to the extent authorized by VITA. Such procurements shall be made in accordance with the Virginia Public Procurement Act (§ 2.2-4300 et seq.), regulations that implement the electronic and information technology accessibility standards of the Rehabilitation Act of 1973 (29 U.S.C. § 794d), as amended, and any regulations, policies, procedures, standards, and guidelines of VITA. In no case shall such procurements exceed the requirements of the regulations that implement the electronic and information technology accessibility standards of the Rehabilitation Act of 1973, as amended.

2. The CIO shall review, and approve or disapprove, all executive branch agency procurements of information technology, including approval of all agreements and contracts prior to the execution of the procurement. The CIO may exempt from review requirements, but not from the Commonwealth's competitive procurement process, any executive branch agency that establishes, to the satisfaction of the CIO, (i) its ability and willingness to administer efficiently and effectively the procurement of information technology or (ii) that it has been subjected to another review process coordinated through or approved by the CIO.

3. The CIO shall develop and administer a system to monitor and evaluate executed information technology contracts and billing and collection systems.

The CIO shall disapprove any procurement that does not conform to the Commonwealth strategic plan for information technology developed and approved pursuant to subdivision A 3 of § 2.2-2007.1 or to the individual strategic plans of executive branch agencies developed and approved pursuant to § 2.2-2014.

4. The CIO shall require that before any executive branch agency procures any computer system, equipment, or software, it shall consider whether the proposed system, equipment, or software is capable of producing products that facilitate the rights of the public to access public records under the Freedom of Information Act (§ 2.2-3700 et seq.) or other applicable law.

C. All statewide contracts and agreements made and entered into by VITA for the purchase of information technology shall provide for the inclusion of counties, cities, and towns in such contracts and agreements. Counties, cities, and towns and local school divisions are authorized to purchase information technology goods and services of every description from VITA and its vendors, provided that such purchases are not prohibited by the terms of contracts for such goods and services. Notwithstanding the provisions of § 2.2-4302.1, 2.2-4302.2, 2.2-4303.1, or 2.2-4303.2, VITA may enter into multiple vendor contracts for the referenced services, facilities, and goods and services.

D. VITA may establish contracts for the purchase of personal computers and related devices by licensed teachers employed in a full-time teaching capacity in Virginia public schools or in state educational facilities for use outside the classroom. The computers and related devices shall not be purchased with public funds, but shall be paid for and owned by teachers individually provided that no more than one such computer and related device per year shall be so purchased.

E. If VITA, or any executive branch agency authorized by VITA, elects to procure personal computers and related peripheral equipment pursuant to any type of blanket purchasing arrangement under which public bodies, as defined in § 2.2-4301, may purchase such goods from any vendor following competitive procurement but without the conduct of an individual procurement by or for the using agency or institution, it shall establish performance-based specifications for the selection of equipment. Establishment of such contracts shall emphasize performance criteria including price, quality, and delivery without regard to "brand name." All vendors meeting the Commonwealth's performance requirements shall be afforded the opportunity to compete for such contracts.

F. VITA shall allow private institutions of higher education that are (i)(a) chartered in Virginia or (b) chartered by an Act of Congress in 1821 and that have owned and operated since 1991 a campus with a significant presence in the Commonwealth and (ii) granted tax-exempt status under § 501(c)(3) of the Internal Revenue Code to purchase directly from contracts established for state agencies and public bodies by VITA.

G. This section shall not be construed or applied so as to infringe upon, in any manner, the responsibilities for accounting systems assigned to the Comptroller under § 2.2-803.

H. The Comptroller shall not issue any warrant upon any voucher issued by an executive branch agency covering the purchase of any information technology when such purchases are made in violation of any provision of this chapter or the Virginia Public Procurement Act (§ 2.2-4300 et seq.).

I. Intentional violations of centralized purchasing requirements for information technology pursuant to this chapter by an executive branch agency, continued after notice from the Governor to desist, shall constitute malfeasance in office and shall subject the officer responsible for the violation to suspension or removal from office, as may be provided in law in other cases of malfeasance.

1984, c. 746, §§ 2.1-563.16, 2.1-563.17, 2.1-563.18; 1985, c. 265; 1995, c. 357; 1997, c. 858; 1999, cc. 412, 421, 433; 2001, c. 844, § 2.2-1303; 2002, c. 579; 2003, cc. 352, 895, 981, 1021; 2004, cc. 237, 278; 2007, c. 630; 2010, cc. 136, 145; 2011, c. 739; 2012, cc. 803, 835; 2013, c. 583; 2014, cc. 36, 180; 2015, cc. 462, 760, 768, 776; 2016, c. 296.

§ 2.2-2012.1. Major information technology project procurement; terms and conditions.

A. For purposes of this section, "supplier" means an offeror with whom the Commonwealth has entered into a contract for a major information technology project.

B. Except as provided in subsection C, in any contract for a major information technology project, terms and conditions relating to the indemnification obligations and liability of a supplier shall be reasonable and shall not exceed in aggregate twice the value of the contract. There shall be no limitation on the liability of a supplier for (i) the intentional or willful misconduct, fraud, or recklessness of a supplier or any employee of a supplier or (ii) claims for bodily injury, including death, and damage to real property or tangible personal property resulting from the negligence of a supplier or any employee of a supplier.

C. If the CIO believes that a major information technology project presents an exceptional risk to the Commonwealth, he shall conduct a risk assessment prior to the issuance of a Request for Proposal. Such risk assessment shall include consideration of the nature, processing, and use of sensitive or personally identifiable information. If the risk assessment concludes that the project presents an exceptional risk to the Commonwealth and the limitation of liability amount provided in subsection B is not reasonably adequate to protect the interest of the Commonwealth, the CIO may recommend and request approval by the Secretary of Administration to increase the limitation of liability amount.

The CIO shall make such recommendation in writing setting forth the reasons that the limitations in subsection B are not adequate to protect the Commonwealth's interests. The recommendation shall describe the risks presented to the Commonwealth and how those risks are not sufficiently mitigated by the expected terms and conditions associated with the Request for Proposal. The CIO shall recommend a reasonable maximum alternative limitation of liability amount that is a multiple of the contract value, with the same exceptions to the limitation as provided in subsection B.

The Secretary of Administration shall review and may approve any recommended maximum alternative limitation of liability amount to be included in any Request for Proposal issued for the project. The CIO shall annually publish a list of all approvals granted under this subsection pertaining to any Request for Proposal issued in the previous 12-month period.

D. Notwithstanding the provisions of this section, the Commonwealth may agree to a lower limitation for any contract subject to subsection B or C.

2019, cc. 605, 606.

§ 2.2-2013. Internal service and special funds.

A. There is established the Information Technology and Management Internal Service Fund to be administered by VITA.

B. There is established the Acquisition Services Special Fund to be administered by VITA and used to finance procurement and contracting activities and programs unallowable for federal fund reimbursement.

C. Upon written request of the CIO, the Joint Legislative Audit and Review Commission may direct the Comptroller to establish internal service fund accounts on his books and record the receipts and expenditures for appropriate functions of VITA. Charges for services rendered sufficient to offset costs involved in these operations shall be established.

D. All users of services provided for in this chapter administered by VITA shall be assessed a surcharge, which shall be deposited in the appropriate fund. This charge shall be an amount sufficient to allow VITA to finance the operations and staff of the services offered.

E. Additional moneys necessary to establish these funds or provide for the administration of the activities of VITA may be advanced from the general account of the state treasury.

F. The CIO shall direct that the following activities be conducted with respect to VITA's internal service funds:

1. VITA shall establish fee schedules for the collection of fees from users when general fund appropriations are not available for the services rendered.

2. VITA shall develop and implement information, billing, and collections methods that will assist state agencies in analyzing and effectively managing their use of VITA's services, and which will allow VITA to forecast service demands and balances of its internal service funds.

3. By September 1 of each year, VITA shall submit biennial projections of future revenues and expenditures for each internal service fund and estimates of any anticipated changes to fee schedules to the Joint Legislative Audit and Review Commission and the Department of Planning and Budget.

4. In the event that changes to fee schedules or rates are required, the CIO shall submit documentation to the Joint Legislative Audit and Review Commission and the Department of Planning and Budget no later than September 1 prior to the fiscal year in which the new or revised rates are to take effect so that the impact of the rate changes can be considered for inclusion in the executive budget submitted to the General Assembly pursuant to § 2.2-1508. In emergency circumstances, deviations from this approach shall be approved in advance by the Joint Legislative Audit and Review Commission.

1984, c. 746, §§ 2.1-563.19, 2.1-563.20, 2.1-563.21, 2.1-563.22; 2001, c. 844, § 2.2-1304; 2003, cc. 981, 1021; 2010, cc. 136, 145; 2012, cc. 55, 285; 2016, c. 296.

§ 2.2-2014. Submission of information technology plans by state agencies and public institutions of higher education; designation of technology resource.

A. All executive branch agencies shall prepare and submit information technology strategic plans to the CIO for review and approval. All executive branch agencies shall maintain current information technology plans that have been approved by the CIO.

B. The head of each executive branch agency shall designate an existing employee to be the agency's information technology resource who shall be responsible for compliance with the policies, standards, and guidelines established by the CIO.

1999, cc. 412, 421, 433, § 2.1-51.47; 2000, c. 995; 2001, c. 844, § 2.2-226; 2002, c. 424; 2003, cc. 981, 1021; 2016, c. 296.

§ 2.2-2015. Repealed.

Repealed by Acts 2016, c. 296, cl. 2.

Article 2. Division of Project Management.

§ 2.2-2016. Division of Project Management established.

There is established within VITA a Division of Project Management (the Division). The CIO and the Division shall exercise the powers and duties conferred in this article.

2003, cc. 981, 1021; 2016, c. 296.

§ 2.2-2016.1. Additional powers and duties of the CIO relating to project management.

A. The CIO shall have the following duties related to the management of information technology projects:

1. Develop policies, standards, and guidelines that require the Division to review and recommend to the CIO Commonwealth information technology projects proposed by executive branch agencies. Such policies, standards, and guidelines shall include in the review an assessment of the (i) degree to which the project is consistent with the Commonwealth's overall strategic plan; (ii) technical feasibility of the project; (iii) benefits to the Commonwealth of the project, including customer service improvements; (iv) risks associated with the project; (v) continued funding requirements; and (vi) past performance by the executive branch agency on other projects.

2. Develop a Commonwealth Project Management Standard for information technology projects by executive branch agencies that establishes a methodology for the initiation, planning, execution, and closeout of information technology projects and related procurements. Such methodology shall include the establishment of appropriate oversight for information technology projects. The basis for the governance and oversight of information technology projects shall include, but not be limited to, an assessment of the project's risk and complexity. The Commonwealth Project Management Standard shall require that all such projects conform to the Commonwealth strategic plan for information technology developed and approved pursuant to subdivision A 3 of § 2.2-2007.1 and the strategic plans of agencies developed and approved pursuant to § 2.2-2014. All executive branch agencies shall conform to the requirements of the Commonwealth Project Management Standard.

3. Establish minimum qualifications and training standards for project managers.

4. Establish an information clearinghouse that identifies best practices and new developments and contains detailed information regarding the Commonwealth's previous experiences with the development of major information technology projects.

5. Review and approve or disapprove the selection or termination of any Commonwealth information technology project. The CIO shall disapprove any executive branch agency request to initiate a major information technology project or related procurement if funding for such project has not been included in the budget bill in accordance with § 2.2-1509.3, unless the Governor has determined that an emergency exists and a major information technology project is necessary to address the emergency. The CIO shall disapprove any Commonwealth information technology projects that do not conform to the Commonwealth strategic plan for information technology developed and approved pursuant to subdivision A 3 of § 2.2-2007.1 or to the strategic plan of executive branch agencies developed and approved pursuant to § 2.2-2014.

6. Establish Internal Agency Oversight Committees and Secretariat Oversight Committees as necessary and in accordance with § 2.2-2021.

B. The CIO may direct the modification, termination, or suspension of any Commonwealth information technology project that, as the result of a periodic review authorized by subdivision A 5 of § 2.2-2007, has not met the performance measures agreed to by the CIO and sponsoring executive branch agency, or if he otherwise deems such action appropriate and consistent with the terms of any affected contracts.

Nothing in this subsection shall be construed to supersede the responsibility of a governing board for the management and operation of a public institution of higher education.

The provisions of this subsection shall not apply to research projects, research initiatives, or instructional programs at public institutions of higher education. However, technology investments in research projects, research initiatives, or instructional programs at such institutions estimated to cost $1 million or more of general fund appropriations may be reviewed as provided in subdivision A 5 of § 2.2-2007. The CIO and the Secretary of Education, in consultation with public institutions of higher education, shall develop and provide to such institution criteria to be used in determining whether projects are mission-critical.

2016, c. 296.

§ 2.2-2017. Powers and duties of the Division.

The Division shall have the power and duty to:

1. Implement the approval process for information technology projects developed in accordance with the Commonwealth Project Management Standard;

2. Assist the CIO in the development and implementation of project management policies, standards, and guidelines to be used for information technology projects in accordance with this article;

3. Provide ongoing assistance and support to executive branch agencies in the development of information technology projects;

4. Establish a program providing cost-effective training to executive branch agency project managers;

5. Review information management and information technology plans submitted by executive branch agencies and recommend to the CIO the approval of such plans and any amendments thereto;

6. Monitor the implementation of information management and information technology plans and periodically report its findings to the CIO;

7. Review and recommend to the CIO information technology projects based on the policies, standards, and guidelines developed pursuant to § 2.2-2016.1;

8. Provide oversight for executive branch agency information technology projects; and

9. Report on a quarterly basis to the CIO, the Secretary, the Governor, the Information Technology Advisory Council, the Joint Legislative Audit and Review Commission, the Auditor of Public Accounts, the House Committee on Appropriations, the Senate Committee on Finance and Appropriations, and the Joint Commission on Technology and Science the status and performance of each major information technology project and related procurement conducted by any executive branch agency.

2003, cc. 981, 1021; 2011, c. 739; 2015, c. 768; 2016, c. 296.

§ 2.2-2018. Repealed.

Repealed by Acts 2011, c. 739, cl. 2.

§ 2.2-2018.1. Project and procurement investment business case approval.

A. Executive branch agencies shall obtain CIO approval prior to the initiation of any Commonwealth information technology project or procurement. When selecting an information technology investment, executive branch agencies and public institutions of higher education shall submit to the Division an investment business case, outlining the business value of the investment, the proposed technology solution, if known, and an explanation of how the project will support the agency strategic plan, the agency's secretariat's strategic plan, and the Commonwealth strategic plan for information technology developed and approved pursuant to subdivision A 3 of § 2.2-2007.1. The Division may require the submission of additional information if needed to adequately review any such proposal.

B. The Division shall review each investment business case submitted in accordance with this section and recommend its approval or rejection to the CIO pursuant to the policies and procedures developed in § 2.2-2016.1.

C. In accordance with policies and standards outlined in the Commonwealth Project Management Standard, the CIO shall review the business case for any Commonwealth information technology project or procurement and approve or disapprove.

2011, c. 739; 2015, c. 768; 2016, c. 296.

§ 2.2-2019. Repealed.

Repealed by Acts 2011, c. 739, cl. 2.

§ 2.2-2020. Procurement approval for information technology projects.

An executive branch agency shall submit a copy of any Invitation for Bid (IFB) or Request for Proposal (RFP) for a procurement related to an information technology project to the Division. The Division shall review the IFB or RFP and recommend its approval or rejection to the CIO. The agency shall submit a copy of any proposed contract or final contract to the Division. The Division shall review the proposed contract or final contract and recommend its approval or rejection to the CIO. A project shall be granted project initiation approval as provided by the Commonwealth Project Management Standard before the award of any contract.

2003, cc. 981, 1021; 2010, cc. 136, 145; 2011, c. 739; 2016, c. 296.

§ 2.2-2021. Project oversight committees.

A. Whenever the project charter has been approved for an enterprise information technology project, the Secretary shall establish an Internal Agency Oversight Committee (IAOC) and a Secretariat Oversight Committee (SOC). The IAOC shall represent all business or functional stakeholders of the project, including stakeholders in other agencies, assure that all stakeholders have the opportunity to work together toward a mutually beneficial integrated solution, have the authority to approve or reject any changes in the project's scope, schedule, or budget, provide oversight and direction to the project, and review and approve the schedule baseline and all project documentation. The SOC shall represent all business or functional stakeholders of the project, including stakeholders in other secretariats, validate the proposed project business case, review and make recommendations on changes in the project's scope, schedule, or budget, and review Independent Verification and Validation reports and recommend corrective actions if needed.

B. For all other projects, other than enterprise information technology projects, the CIO shall establish an IAOC and an SOC in accordance with the Commonwealth Project Management Standard.

2003, cc. 981, 1021; 2010, cc. 136, 145; 2011, c. 739; 2015, c. 768; 2016, c. 296.

Article 3. Virginia Technology Infrastructure Fund.

§ 2.2-2022. Definitions; purpose.

A. As used in this article, unless the context requires a different meaning:

"Costs" means the reasonable and customary charges for goods and services incurred or to be incurred in major information technology projects.

"Technology infrastructure" means telecommunications, automated data processing, word processing and management information systems, and related information, equipment, goods and services.

B. In order for the Commonwealth to take advantage of technological applications in providing services and solving problems of Virginia's citizens, there is a need to reinvest savings that accrue from increased usage of technology into new and emerging technologies that will provide for both greater efficiencies and better responsiveness. The purpose of this article is to create the Virginia Technology Infrastructure Fund (the Fund). The Fund shall make moneys available to state agencies and institutions of higher education for major information technology projects.

1996, cc. 94, 823, §§ 9-145.52, 9-145.53; 1999, cc. 412, 421, 433; 2001, c. 844, § 2.2-1702; 2003, cc. 981, 1021.

§ 2.2-2023. Virginia Technology Infrastructure Fund created; contributions.

A. The Virginia Technology Infrastructure Fund (the Fund) is created in the state treasury. The Fund is to be used to fund major information technology projects or to pay private partners as authorized in subsection C of § 2.2-2007.

B. The Fund shall consist of: (i) the transfer of general and nongeneral fund appropriations from executive branch agencies which represent savings that accrue from reductions in the cost of information technology and communication services; (ii) the transfer of general and nongeneral fund appropriations from executive branch agencies which represent savings from the implementation of information technology enterprise projects; (iii) funds identified pursuant to subsection C of § 2.2-2007; (iv) such general and nongeneral fund fees or surcharges as may be assessed to executive branch agencies for enterprise technology projects; (v) gifts, grants, or donations from public or private sources; and (vi) such other funds as may be appropriated by the General Assembly. Savings shall be as identified by the CIO through a methodology reviewed by the ITAC and approved by the Secretary of Finance. The Auditor of Public Accounts shall certify the amount of any savings identified by the CIO. For public institutions of higher education, however, savings shall consist only of that portion of total savings that represent general funds. The State Comptroller is authorized to transfer cash consistent with appropriation transfers. Appropriated funds from federal sources are exempted from transfer. Except for funds to pay private partners as authorized in subsection C of § 2.2-2007, moneys in the Fund shall only be expended as provided by the appropriation act.

Interest earned on the Fund shall be credited to the Fund. The Fund shall be permanent and nonreverting. Any unexpended balance in the Fund at the end of the biennium shall not be transferred to the general fund of the state treasury.

1996, cc. 94, 823, §§ 9-145.54, 9-145.55; 2001, c. 844, § 2.2-1703; 2003, cc. 981, 1021; 2010, cc. 136, 145; 2016, c. 296.

§ 2.2-2024. Annual plan; allowable uses of Fund.

The CIO shall prepare a plan that identifies the projects in which the Fund will participate. The plan shall be consistent with the statewide plan for information technology and shall consider the use of existing resources and long-term operation and maintenance costs. Projects having the greatest benefit to state government as a whole shall have the highest priority in the plan.

1996, cc. 94, 823, § 9-145.56; 1999, cc. 412, 421, 433; 2001, c. 844, § 2.2-1704; 2003, cc. 981, 1021; 2009, c. 86.

Article 4. Virginia Geographic Information Network.

§ 2.2-2025. Repealed.

Repealed by Acts 2020, c. 423, cl. 2.

Article 5. Division of Public Safety Communications.

§ 2.2-2031. Repealed.

Repealed by Acts 2020, c. 423, cl. 2.

Article 6. Virginia Information Providers Network.

§ 2.2-2032. Repealed.

Repealed by Acts 2005, c. 939, cl. 2.

Article 7. Division of Enterprise Applications.

§ 2.2-2033. Repealed.

Repealed by Acts 2010, cc. 136 and 145, cl. 2, effective March 11, 2010.