HB1035: Information Technology; governance in State, substantive and technical changes.

HOUSE BILL NO. 1035
Offered January 13, 2010
Prefiled January 13, 2010
A BILL to amend and reenact §§ 2.2-106, 2.2-225, 2.2-603, 2.2-1115.1, 2.2-1507, 2.2-1509.3, 2.2-2005, 2.2-2006, 2.2-2007, 2.2-2009, 2.2-2012, 2.2-2013, 2.2-2023, 2.2-2033, 2.2-2034, 2.2-2423, 2.2-4343, 23-38.88, 23-38.111, 23-77.4, 56-484.12, 56-484.13, 56-484.14, 56-484.15, 56-484.17, and 58.1-1840.1 of the Code of Virginia; to amend the Code of Virginia by adding in Chapter 20.1 of Title 2.2 an article numbered 8, consisting of sections numbered 2.2-2035 and 2.2-2036, by adding in Title 2.2 a chapter numbered 20.2, containing articles numbered 1 through 4, consisting of sections numbered 2.2-2037 through 2.2-2052, and by adding in Chapter 26 of Title 2.2 articles numbered 35 and 36, consisting of sections numbered 2.2-2699.5 through 2.2-2699.8; and to repeal §§ 2.2-2008, 2.2-2010, 2.2-2011, 2.2-2014, 2.2-2015, Article 2 (§§ 2.2-2016 through 2.2-2021), Article 4 (§§ 2.2-2025 through 2.2-2030), and Article 5 (§ 2.2-2031) of Chapter 20.1 of Title 2.2, and Article 20 (§§ 2.2-2457 through 2.2-2458.1) of Chapter 24 of Title 2.2 of the Code of Virginia, relating to Information Technology governance in the Commonwealth; the Chief Information Officer; the Information Technology Investment Board; the Department of Technology Management, established; the Information Technology Investment Council, established; and the Council on Technology Services, established.
----------
Patron-- Byron
----------
Committee Referral Pending
----------

Be it enacted by the General Assembly of Virginia:

1. That §§ 2.2-106, 2.2-225, 2.2-603, 2.2-1115.1, 2.2-1507, 2.2-1509.3, 2.2-2005, 2.2-2006, 2.2-2007, 2.2-2009, 2.2-2012, 2.2-2013, 2.2-2023, 2.2-2033, 2.2-2034, 2.2-2423, 2.2-4343, 23-38.88, 23-38.111, 23-77.4, 56-484.12, 56-484.13, 56-484.14, 56-484.15, 56-484.17, and 58.1-1840.1 of the Code of Virginia are amended and reenacted and that the Code of Virginia is amended by adding in Chapter 20.1 of Title 2.2 an article numbered 8, consisting of sections numbered 2.2-2035 and 2.2-2036, by adding in Title 2.2 a chapter numbered 20.2, containing articles numbered 1 through 4, consisting of sections numbered 2.2-2037 through 2.2-2052, and by adding in Chapter 26 of Title 2.2 articles numbered 35 and 36, consisting of sections numbered 2.2-2699.5 through 2.2-2699.8, as follows:

§ 2.2-106. Appointment of agency heads; severance.

A. Notwithstanding any provision of law to the contrary, the Governor shall appoint the administrative head of each agency of the executive branch of state government except the:

1. Executive Director of the Virginia Port Authority;

2. Director of the State Council of Higher Education for Virginia;

3. Executive Director of the Department of Game and Inland Fisheries;

4. Executive Director of the Jamestown-Yorktown Foundation;

5. Executive Director of the Motor Vehicle Dealer Board;

6. Librarian of Virginia;

7. Administrator of the Commonwealth's Attorneys' Services Council;

8. Executive Director of the Virginia Housing Development Authority; and

9. Executive Director of the Board of Accountancy; and

10. Chief Information Officer of the Commonwealth.

However, the manner of selection of those heads of agencies chosen as set forth in the Constitution of Virginia shall continue without change. Each administrative head and Secretary appointed by the Governor pursuant to this section shall (i) be subject to confirmation by the General Assembly, (ii) have the professional qualifications prescribed by law, and (iii) serve at the pleasure of the Governor.

B. As part of the confirmation process for each administrative head and Secretary, the Secretary of the Commonwealth shall provide copies of the resumes and statements of economic interests filed pursuant to § 2.2-3117 to the chairs of the House of Delegates and Senate Committees on Privileges and Elections. For appointments made before January 1, copies shall be provided to the chairs within 30 days of the appointment or by January 7 whichever time is earlier; and for appointments made after January 1 through the regular session of that year, copies shall be provided to the chairs within seven days of the appointment. Each appointee shall be available for interviews by the Committees on Privileges and Elections or other applicable standing committee. For the purposes of this section and § 2.2-107, there shall be a joint subcommittee of the House of Delegates and Senate Committees on Privileges and Elections consisting of five members of the House Committee and three members of the Senate Committee appointed by the respective chairs of the committees to review the resumes and statements of economic interests of gubernatorial appointees. The members of the House of Delegates shall be appointed in accordance with the principles of proportional representation contained in the Rules of the House of Delegates. No appointment confirmed by the General Assembly shall be subject to challenge by reason of a failure to comply with the provisions of this paragraph subsection pertaining to the confirmation process.

C. For the purpose of this section, "agency" includes all administrative units established by law or by executive order that are not (i) arms of the legislative or judicial branches of government; (ii) institutions of higher education as classified under §§ 23-253.7, 22.1-346, 23-14, and 23-252, and; (iii) regional planning districts, regional transportation authorities or districts, or regional sanitation districts; and (iv) assigned by law to other departments or agencies, not including assignments to secretaries under Article 7 (§ 2.2-215 et seq.) of Chapter 2 of this title.

D. Severance benefits provided to any departing agency head, whether or not appointed by the Governor, shall be publicly announced by the appointing authority prior to such departure.

§ 2.2-225. Position established; agencies for which responsible.

A. The position of Secretary of Technology (the Secretary) is created. The Secretary shall be responsible to the Governor for the following agencies and boards: Information Technology Investment Board, Innovation and Entrepreneurship Investment Authority, Virginia Information Technologies Agency, Department of Technology Management, Virginia Geographic Information Network Advisory Board, and the Wireless E-911 Services Board. The Governor, by executive order, may assign any other state executive agency to the Secretary, or reassign any agency listed in this section to another Secretary.

B. Unless the Governor expressly reserves such power to himself, the Secretary may, with regard to strategy development, planning, and budgeting for technology programs in the Commonwealth:

1. Develop a comprehensive, statewide, two-year strategic plan for information technology that includes, but is not limited to, (i) trends in needs for application and infrastructure services by state agencies and recommendations on appropriate services to meet those needs, including telework; (ii) progress in the use of information technology standards by state agencies, local government, and state institutions of higher education in a manner that promotes the security of sensitive information and the efficient exchange of electronic information between the public and private sectors in the Commonwealth; (iii) identification of unmet needs for access to technology that may impede the secure and free flow of information, including but not limited to broadband access; and (iv) opportunities for collaboration, and steps to address any barriers thereto, between state agencies, local governments, and state institutions of higher education that may promote more efficient and effective provision of service.

The strategic plan shall also identify how information technology can be used to increase economic efficiency, citizen convenience, and public access to state government. The strategic plan shall be updated annually and submitted to the Governor.

2. Upon the advice of the Director of the Department of Technology Management pursuant to § 2.2-2042, and in consultation with the Information Technology Investment Council pursuant to § 2.2-2699.6, terminate information technology projects.

3. Coordinate the efforts of, and resolve any conflicts that might arise between, the Virginia Information Technologies Agency and the Department of Technology Management.

C. Unless the Governor expressly reserves such power to himself, the Secretary may, with regard to strategy development, technology-related research, and economic development:

1. Monitor trends and advances in fundamental technologies of interest and importance to the economy of the Commonwealth and direct and approve a stakeholder-driven technology strategy development process that results in a comprehensive and coordinated view of research and development goals for industry, academia and government in the Commonwealth. This strategy shall be updated biennially and submitted to the Governor, the Speaker of the House of Delegates and the President Pro Tempore of the Senate.

2. Work closely with the appropriate federal research and development agencies and program managers to maximize the participation of Commonwealth industries and universities in these programs consistent with agreed strategy goals.

3. Direct the development of plans and programs for strengthening the technology resources of the Commonwealth's high technology industry sectors and for assisting in the strengthening and development of the Commonwealth's Regional Technology Councils.

4. Direct the development of plans and programs for improving access to capital for technology-based entrepreneurs.

5. Assist the Joint Commission on Technology and Science created pursuant to § 30-85 in its efforts to stimulate, encourage, and promote the development of technology in the Commonwealth.

6. Continuously monitor and analyze the technology investments and strategic initiatives of other states to ensure the Commonwealth remains competitive.

7. Strengthen interstate and international partnerships and relationships in the public and private sectors to bolster the Commonwealth's reputation as a global technology center.

8. Develop and implement strategies to accelerate and expand the commercialization of intellectual property created within the Commonwealth.

9. Ensure the Commonwealth remains competitive in cultivating and expanding growth industries, including life sciences, advanced materials and nanotechnology, biotechnology, and aerospace.

10. Monitor the trends in the availability and deployment of and access to broadband communications services, which include, but are not limited to, competitively priced, high-speed data services and Internet access services of general application, throughout the Commonwealth and advancements in communications technology for deployment potential. The Secretary shall report annually by December 1 to the Governor and General Assembly on those trends.

§ 2.2-603. Authority of agency directors.

A. Notwithstanding any provision of law to the contrary, the agency director of each agency in the executive branch of state government shall have the power and duty to (i) supervise and manage the department or agency and (ii) prepare, approve, and submit to the Governor all requests for appropriations and to be responsible for all expenditures pursuant to appropriations.

B. The director of each agency in the executive branch of state government, except those that by law are appointed by their respective boards, shall not proscribe any agency employee from discussing the functions and policies of the agency, without prior approval from his supervisor or superior, with any person unless the information to be discussed is protected from disclosure by the Virginia Freedom of Information Act (§ 2.2-3700 et seq.) or any other provision of state or federal law.

C. Subsection A shall not be construed to restrict any other specific or general powers and duties of executive branch boards granted by law.

D. This section shall not apply to those agency directors that are appointed by their respective boards or by the Board of Education. Directors appointed in this manner shall have the powers and duties assigned by law or by the board.

E. In addition to the requirements of subsection C of § 2.2-619, the director of each agency in any branch of state government shall, at the end of each fiscal year, report to (i) the Secretary of Finance and the Chairmen of the House Committee on Appropriations and the Senate Committee on Finance a listing and general description of any federal contract, grant, or money in excess of $1,000,000 $1 million for which the agency was eligible, whether or not the agency applied for, accepted, and received such contract, grant, or money, and, if not, the reasons therefore therefor and the dollar amount and corresponding percentage of the agency's total annual budget that was supplied by funds from the federal government and (ii) the Chairmen of the House Committees on Appropriations and Finance, and the Senate Committee on Finance any amounts owed to the agency from any source that are more than six months delinquent, the length of such delinquencies, and the total of all such delinquent amounts in each six-month interval. Clause (i) shall not be required of public institutions of higher education.

F. The director of every department in the executive branch of state government shall report to the Chief Information Officer as described in § 2.2-2005, and the Director of the Department of Technology Management (DTM) as described in § 2.2-2037 all known incidents that threaten the security of the Commonwealth's databases and data communications resulting in exposure of data protected by federal or state laws, or other incidents compromising the security of the Commonwealth's information technology systems with the potential to cause major disruption to normal agency activities. Such reports shall be made to the Chief Information Officer and Director of DTM within 24 hours from when the department discovered or should have discovered their occurrence.

§ 2.2-1115.1. Standard vendor accounting information.

A. The Division, the Virginia Information Technologies Agency, and the State Comptroller shall develop and maintain data standards for use by all agencies and institutions for payments and purchases of goods and services pursuant to §§ 2.2-1115 and 2.2-2012. Such standards shall include at a minimum the vendor number, name, address, and tax identification number; commodity code, order number, invoice number, and receipt information; and other information necessary to appropriately and consistently identify all suppliers of goods, commodities, and other services to the Commonwealth. The Division, the Virginia Information Technologies Agency, and the State Comptroller shall annually review and update these standards to provide the Commonwealth information to monitor all procurement of goods and services and to implement adequate controls to pay only authorized providers of goods and services to the Commonwealth.

B. The Division and the Virginia Information Technologies Agency shall submit these standards to the Information Technology Investment Board in accordance with § 2.2-2458 for approval as statewide technical and data standards for information technology.

§ 2.2-1507. Participation of certain agencies in budget development process of other agencies.

Agencies having responsibilities granted under §§ 2.2-703, 2.2-2011, and 2.2-2696 shall participate in the budget development process of relevant agencies and receive from these agencies, prior to submission to the Department their proposed programs and budgets. Recommendations to the appropriate agencies and the secretaries of the Governor on related matters shall be made prior to budget submissions.

§ 2.2-1509.3. Budget bill to include appropriations for major information technology projects.

A. For purposes of this section:

"Director" means the Director of the Department of Technology Management.

"Major information technology project" means the same as that term is defined in § 2.2-2006.

"Major information technology project funding" means an estimate of each funding source for a major information technology project for the duration of the project.

B. In "The Budget Bill" submitted pursuant to § 2.2-1509, the Governor shall provide for the funding of major information technology projects, as specified herein. Such funding recommendations shall be for major information technology projects that have or are pending project development or procurement approval as defined by § 2.2-2019 or procurement approval as defined by § 2.2-2020 § 2.2-2045.

The Governor shall include in "The Budget Bill" submitted pursuant to § 2.2-1509 a biennial appropriation for major information technology projects and the following information for each such project:

1. A brief statement explaining the project, the Information Technology Investment Board's Director's ranking and recommendations on the project as required by § 2.2-2458, an explanation, if necessary, if the Governor informed the Chief Information Officer Director that an emergency existed as set forth in § 2.2-2008 § 2.2-2043, and the anticipated duration of the project;

2. A brief explanation of the inclusion of any project in the budget bill that has not undergone review and approval by the Information Technology Investment Board as required by § 2.2-2458 Director;

3. Total estimated project costs, as defined by the Commonwealth's Project Management Standards, including the amount of the agency's or institution's operating appropriation, which will support the project, and long-term contract cost beyond the biennium;

4. Costs incurred to date, as defined by the Commonwealth's Project Management Standards, which includes both the project planning cost and internal operating costs to support the project;

5. Recommendations or comments of the Public-Private Partnership Advisory Commission, if the project is part of a proposal under the Public-Private Education Facilities and Infrastructure Act of 2002 (§ 56-575.1 et seq.); and

6. The Information Technology Investment Board's Director's assessment of the project and the status as of the date of the budget bill submission to the General Assembly.

C. The Information Technology Investment Board Secretary of Technology shall immediately notify each member of the Senate Finance Committee and the House Appropriations Committee of any Board decision to terminate in accordance with § 2.2-2458 any major information technology project in the budget bill. Such communication shall include the Information Technology Investment Board's reason for such termination.

§ 2.2-2005. Creation of Agency; appointment of Chief Information Officer.

A. There is hereby created the Virginia Information Technologies Agency (VITA), which shall serve as the agency responsible for administration and enforcement of the provisions of this Chapter and the rules and policies of the Board chapter. VITA is created in order to manage the consolidation and provision of the Commonwealth's information technology infrastructure services and to oversee the Commonwealth's efforts to modernize the planning, development, implementation, improvement, and retirement of Commonwealth applications, including the coordination and development of enterprise-wide or multi-agency applications.

B. The Board Governor shall appoint, subject to confirmation by the General Assembly, a Chief Information Officer (the CIO) as the chief administrative officer of the Board to oversee the operation of VITA. The CIO shall be employed under special contract for a term not to exceed five years and shall, under the direction and control of the Board, Governor and exercise the powers and perform the duties conferred or imposed upon him by law and perform such other duties as may be required by the Board Governor.

C. The head of each state agency shall designate an existing employee to be the agency's information technology resource who shall be responsible for compliance with the procedures, policies, and guidelines developed pursuant to this chapter.

§ 2.2-2006. Definitions.

As used in this chapter For purposes of this chapter and Chapter 20.2 (§ 2.2-2037 et seq.):

"Board" means the Information Technology Investment Board created in § 2.2-2457.

"Application" means an automated solution or computer program designed to fulfill one or more functions. It may be a single program designed for a single business function, or it may be an enterprise system that supports multiple business functions.

"Architecture" means an organizing model used to manage and align business processes and information technology.

"CIO" means the Chief Information Officer.

"Communications services" includes telecommunications services, automated data processing services, and management information systems that serve the needs of state agencies and institutions.

"Confidential data" means information made confidential by federal or state law that is maintained by a state agency in an electronic format.

"Department" means the Department of Technology Management.

"Enterprise" means a strategic approach to information technology that includes all executive branch agencies collectively, and may also include institutes of higher education and the judicial and legislative branches of state government.

"Information technology" means telecommunications, automated data processing, databases, the Internet, management information systems, and related information, equipment, goods, and services. It is in the interest of the Commonwealth that its public institutions of higher education in Virginia be in the forefront of developments in technology. Therefore, the provisions of this chapter shall not be construed to hamper the pursuit of the missions of the institutions in instruction and research.

"Infrastructure" means the basic physical and organizational structure necessary to implement information technology assets and service, including telecommunications.

"Major information technology project" means any state agency information technology project that (i) is mission-critical, (ii) has statewide application is for the enterprise, or (iii) has a total estimated cost of more than $1 million or more.

"Noncommercial telecommunications entity" means any public broadcasting station as defined in § 2.2-2427.

"Public telecommunications entity" means any public broadcasting station as defined in § 2.2-2427.

"Public telecommunications facilities" means all apparatus, equipment and material necessary for or associated in any way with public broadcasting stations or public broadcasting services as those terms are defined in § 2.2-2427, including the buildings and structures necessary to house such apparatus, equipment and material, and the necessary land for the purpose of providing public broadcasting services, but not telecommunications services.

"Public telecommunications services" means public broadcasting services as defined in § 2.2-2427.

"Secretary" means the Secretary of Technology.

"State agency" or "agency" means any agency, institution, board, bureau, commission, council, or instrumentality of state government in the executive branch listed in the appropriation act. However, the terms "state agency," "agency," "institution," "public body," and "public institution of higher education," shall not include the University of Virginia Medical Center.

"Technology asset" means hardware and communications equipment not classified as traditional mainframe-based items, including personal computers, mobile computers, and other devices capable of storing and manipulating electronic data.

"Telecommunications" means any origination, transmission, emission, or reception of signs, signals, writings, images, and sounds or intelligence of any nature, by wire, radio, television, optical, or other electromagnetic systems.

"Telecommunications facilities" means apparatus necessary or useful in the production, distribution, or interconnection of electronic communications for state agencies or institutions including the buildings and structures necessary to house such apparatus and the necessary land.

§ 2.2-2007. Powers and Duties of the CIO.

A. In addition to such other duties as the Board Governor may assign, the CIO shall:

1. Monitor trends and advances in information technology; develop a comprehensive, statewide, four-year strategic plan for information technology to include specific projects that implement the plan; and plan for the acquisition, management, and use of information technology by state agencies. The statewide plan shall be updated annually and submitted to the Board for approval. Report annually to the Secretary of Technology on the needs of VITA's customer agencies with regard to (i) consistent, reliable, and secure information technology applications and infrastructure services; (ii) existing capabilities for building and supporting those services; (iii) existing and anticipated opportunities for enterprise or multi-agency application or infrastructure solutions; (iv) projected future needs for those services; and (v) recommended approaches to ensure the future development, maintenance, and financing of information technology services to ensure the provision of capabilities befitting the needs of state agencies and the service level requirements of its citizens.

2. Direct the formulation and promulgation of policies, guidelines, standards, and specifications for the purchase, development, and maintenance of information technology for state agencies, including, but not limited to, those (i) required to support state and local government exchange, acquisition, storage, use, sharing, and distribution of geographic or base map data and related technologies, (ii) concerned with the development of electronic transactions including the use of electronic signatures as provided in § 59.1-496, and (iii) necessary to support a unified approach to information technology across the totality of state government, thereby assuring that the citizens and businesses of the Commonwealth receive the greatest possible security, value, and convenience from investments made in technology. Oversee the development of any enterprise information technology project unless otherwise provided for by the Secretary of Technology.

3. Direct the development of policies and procedures, in consultation with the Department of Planning and Budget, that are integrated into the Commonwealth's strategic planning and performance budgeting processes, and that state agencies and public institutions of higher education shall follow in developing information technology plans and technology-related budget requests. Such policies and procedures shall require consideration of the contribution of current and proposed technology expenditures to the support of agency and institution priority functional activities, as well as current and future operating expenses, and shall be utilized by all state agencies and public institutions of higher education in preparing budget requests.

4. Review budget requests for information technology from state agencies and public institutions of higher education and recommend budget priorities to the Information Technology Investment Board.

Review of such budget requests shall include, but not be limited to, all data processing or other related projects for amounts exceeding $100,000 in which the agency or institution has entered into or plans to enter into a contract, agreement or other financing agreement or such other arrangement that requires that the Commonwealth either pay for the contract by foregoing revenue collections, or allows or assigns to another party the collection on behalf of or for the Commonwealth any fees, charges, or other assessments or revenues to pay for the project. For each project, the agency or institution, with the exception of public institutions of higher education that meet the conditions prescribed in subsection B of § 23-38.88, shall provide the CIO (i) a summary of the terms, (ii) the anticipated duration, and (iii) the cost or charges to any user, whether a state agency or institution or other party not directly a party to the project arrangements. The description shall also include any terms or conditions that bind the Commonwealth or restrict the Commonwealth's operations and the methods of procurement employed to reach such terms.

5. Direct the development of policies and procedures for the effective management of information technology investments throughout their entire life cycles, including, but not limited to, project definition, procurement, development, implementation, operation, performance evaluation, and enhancement or retirement. Such policies and procedures shall include, at a minimum, the periodic review by the CIO of agency and public institution of higher education information technology projects estimated to cost $1 million or more or deemed to be mission-critical or of statewide application by the CIO. The CIO shall provide technical guidance to the Department of General Services in the development of policies and procedures for the recycling and disposal of computers and other technology assets. Such policies and procedures shall include the expunging, in a manner as determined by the CIO, of all state confidential data and personal identifying information of citizens of the Commonwealth prior to such sale, disposal, or other transfer of computers or other technology assets.

63. Oversee and administer the Virginia Technology Infrastructure Fund created pursuant to § 2.2-2023.

7. Periodically evaluate the feasibility of outsourcing information technology resources and services, and outsource those resources and services that are feasible and beneficial to the Commonwealth.

8. Have the authority to enter into contracts, and with the approval of the Board for any contracts over $1 million, with one or more other public bodies, or public agencies or institutions or localities of the several states, of the United States or its territories, or the District of Columbia for the provision of information technology services.

9. Report annually to the Governor and the Joint Commission on Technology and Science created pursuant to § 30-85 on the use and application of information technology by state agencies and public institutions of higher education to increase economic efficiency, citizen convenience, and public access to state government.

10. Direct the development of policies and procedures that require VITA to review information technology projects proposed by state agencies and institutions exceeding $100,000, and recommend whether such projects be approved or disapproved. The CIO shall disapprove projects between $100,000 and $1 million that do not conform to the statewide information plan or to the individual plans of state agencies or institutions of higher education.

B. Consistent with § 2.2-2012, the CIO may enter into public-private partnership contracts to finance or implement information technology programs and projects. The CIO may issue a request for information to seek out potential private partners interested in providing programs or projects pursuant to an agreement under this subsection. The compensation for such services shall be computed with reference to and paid from the increased revenue or cost savings attributable to the successful implementation of the program or project for the period specified in the contract. The CIO shall be responsible for reviewing and approving the programs and projects and the terms of contracts for same under this subsection. The CIO shall determine annually the total amount of increased revenue or cost savings attributable to the successful implementation of a program or project under this subsection and such amount shall be deposited in the Virginia Technology Infrastructure Fund created in § 2.2-2023. The CIO is authorized to use moneys deposited in the Fund to pay private partners pursuant to the terms of contracts under this subsection. All moneys in excess of that required to be paid to private partners, as determined by the CIO, shall be reported to the Comptroller and retained in the Fund. The CIO shall prepare an annual report to the Governor and General Assembly on all contracts under this subsection, describing each information technology program or project, its progress, revenue impact, and such other information as may be relevant.

§ 2.2-2009. Additional duties of the CIO relating to security of government information.

A. To provide for the security of state government electronic information from unauthorized uses, intrusions or other security threats, the CIO shall direct the development of policies, procedures and standards for assessing security risks, determining the appropriate security measures and performing security audits of government electronic information. Such policies, procedures, and standards will apply to the Commonwealth's executive, legislative, and judicial branches, and independent agencies and institutions of higher education. The CIO shall work with representatives of the Chief Justice of the Supreme Court and Joint Rules Committee of the General Assembly to identify their needs.

B. The CIO shall also develop policies, procedures, and standards that shall address the scope of security audits and the frequency of such security audits. In developing and updating such policies, procedures, and standards, the CIO shall designate a government entity to oversee, plan and coordinate the conduct of periodic security audits of all executive branch and independent agencies and institutions of higher education. The CIO will coordinate these audits with the Auditor of Public Accounts and the Joint Legislative Audit and Review Commission. The Chief Justice of the Supreme Court and the Joint Rules Committee of the General Assembly shall determine the most appropriate methods to review the protection of electronic information within their branches.

C. The CIO shall report to the Governor and General Assembly by December 2008 and annually thereafter, those executive branch and independent agencies and institutions of higher education that have not implemented acceptable policies, procedures, and standards to control unauthorized uses, intrusions, or other security threats. For any executive branch and independent agency or institution of higher education whose security audit results and plans for corrective action are unacceptable, the CIO shall report such results to the (i) Information Technology Investment Board, (ii) affected cabinet secretary, (iii) Governor, and (iv) Auditor of Public Accounts. Upon review of the security audit results in question, the Information Technology Investment Board may take action to suspend the public bodies information technology projects pursuant to subdivision 3 of § 2.2-2458, limit additional information technology investments pending acceptable corrective actions, and recommend to the Governor any other appropriate actions.

D. All public bodies subject to such audits as required by this section shall fully cooperate with the entity designated to perform such audits and bear any associated costs. Public bodies that are not required to but elect to use the entity designated to perform such audits shall also bear any associated costs.

E. The provisions of this section shall not infringe upon responsibilities assigned to the Comptroller, the Auditor of Public Accounts, or the Joint Legislative Audit and Review Commission by other provisions of the Code of Virginia.

F. To ensure the security and privacy of citizens of the Commonwealth in their interactions with state government, the CIO shall direct the development of policies, procedures, and standards for the protection of confidential data maintained by state agencies against unauthorized access and use. Such policies, procedures, and standards shall include, but not be limited to:

1. Requirements that any state employee or other authorized user of a state technology asset provide passwords or other means of authentication to (i) use a technology asset and (ii) access a state-owned or operated computer network or database; and

2. Requirements that a digital rights management system or other means of authenticating and controlling an individual's ability to access electronic records be utilized to limit access to and use of electronic records that contain confidential data to authorized individuals.

G. The CIO shall promptly receive reports from directors of departments in the executive branch of state government made in accordance with § 2.2-603 and shall take such actions as are necessary, convenient or desirable to ensure the security of the Commonwealth's electronic information and confidential data.

The CIO is responsible for ensuring the security of information technology infrastructure and applications that are directly owned or managed by VITA or its contractual partners, including but not limited to the security of computers, networks, and messaging systems. All agencies in the Commonwealth shall cooperate with the CIO and VITA in ensuring the security of IT infrastructure, including but not limited to assisting the CIO and VITA in (i) controlling access to information technology infrastructure located at agency facilities, (ii) controlling access to information technology infrastructure used by agency personnel, and (iii) ensuring agency personnel comply with regulations, standards, policies, and guidelines for proper use of information technology infrastructure. In fulfilling this duty, the CIO shall take all necessary and prudent steps as should be reasonably anticipated or as otherwise directed by existing regulations, standards, policies, and guidelines developed by the Department of Technology Management (DTM).

§ 2.2-2012. Procurement of information technology and telecommunications goods and services; computer equipment to be based on performance-based specifications.

A. Information technology and telecommunications goods and services of every description shall be procured by (i) VITA Pursuant to regulations, standards, policies, and guidelines developed by DTM, the CIO or his authorized designees may enter into contracts and otherwise procure information technology and telecommunications goods and services of every description for its own benefit or on behalf of other state agencies and institutions or (ii) such other agencies or institutions to the extent authorized by VITA. Such procurements shall be made in accordance with the Virginia Public Procurement Act (§ 2.2-4300 et seq.), regulations that implement the electronic and information technology accessibility standards of the Rehabilitation Act of 1973 (29 U.S.C. § 794d), as amended, and any regulations as may be prescribed by VITA. In no case shall such procurements exceed the requirements of the regulations that implement the electronic and information technology accessibility standards of the Rehabilitation Act of 1973, as amended.

The CIO shall disapprove any procurement that does not conform to the statewide information technology plan or to the individual plans of state agencies or public institutions of higher education.

B. All statewide contracts and agreements made and entered into by VITA for the purchase of communications services, telecommunications facilities, and information technology goods and services shall provide for the inclusion of counties, cities, and towns in such contracts and agreements. Notwithstanding the provisions of § 2.2-4301, VITA may enter into multiple vendor contracts for the referenced services, facilities, and goods and services.

B1. The Department VITA may establish contracts for the purchase of personal computers and related devices by licensed teachers employed in a full-time teaching capacity in Virginia public schools or in state educational facilities for use outside the classroom. The computers and related devices shall not be purchased with public funds, but shall be paid for and owned by teachers individually provided that no more than one such computer and related device per year shall be so purchased.

C. If VITA, or any agency or institution authorized by VITA, elects to procure personal computers and related peripheral equipment pursuant to any type of blanket purchasing arrangement under which public bodies, as defined in § 2.2-4301, may purchase such goods from any vendor following competitive procurement but without the conduct of an individual procurement by or for the using agency or institution, it shall establish performance-based specifications for the selection of equipment. Establishment of such contracts shall emphasize performance criteria including price, quality, and delivery without regard to "brand name." All vendors meeting the Commonwealth's performance requirements shall be afforded the opportunity to compete for such contracts. The CIO may enter into contracts with one or more other public bodies, or public agencies or institutions or localities of the several states, of the United States or its territories, or the District of Columbia for the provision of information technology services. Any contracts with a value of $1 million or more must be approved by the Secretary of Technology.

D. This section shall not be construed or applied so as to infringe upon, in any manner, the responsibilities for accounting systems assigned to the Comptroller under § 2.2-803. The CIO shall periodically evaluate the feasibility of outsourcing information technology resources and services and outsource those resources and services that are feasible and beneficial to the Commonwealth.

E. The CIO of VITA shall, on or before October 1, 2009, and every two years thereafter, solicit from each state agency and public institution of higher education a list of procurements that were competed with the private sector that appear on the Commonwealth Competition Council's commercial activities list and were, until that time, being performed by each state agency and public institution of higher education during the previous two years, and the outcome of that competition. The CIO shall make the lists available to the public on VITA's website. The CIO may enter into public-private partnership contracts to finance or implement information technology programs and projects. The CIO may issue a request for information to seek out potential private partners interested in providing programs or projects pursuant to an agreement under this subsection. The compensation for such services shall be computed with reference to and paid from the increased revenue or cost savings attributable to the successful implementation of the program or project for the period specified in the contract. The Secretary of Technology shall be responsible for reviewing and approving the programs and projects and the terms of contracts pursuant to this subsection. The CIO shall determine annually the total amount of increased revenue or cost savings attributable to the successful implementation of a program or project initiated pursuant to this subsection and such amount shall be deposited in the Virginia Technology Infrastructure Fund created in § 2.2-2023. The CIO is authorized to use moneys deposited in the Fund to pay private partners pursuant to contract terms for programs or projects initiated pursuant to this section. All moneys in excess of that required to be paid to private partners, as determined by the CIO, shall be reported to the Comptroller and retained in the Fund. 
The CIO shall prepare an annual report to the Governor and General Assembly on all contracts entered pursuant to this subsection, describing each information technology program or project, its progress, revenue impact, and such other information as may be relevant.

F. The CIO may provide for the centralized marketing, provision, leasing, and executing of license agreements for electronic access to public information and government services through the Internet, wireless devices, personal digital assistants, kiosks, or other such related media on terms and conditions as may be determined to be in the best interest of the Commonwealth. VITA may fix and collect fees and charges for (i) public information, media, and other incidental services furnished by it to any private individual or entity, notwithstanding the charges set forth in § 2.2-3704, and (ii) such use and services it provides to any state agency or local government. Nothing in this subsection authorizing VITA to fix and collect fees for providing information services shall be construed to prevent access to the public records of any public body pursuant to the provisions of the Virginia Freedom of Information Act (§ 2.2-3700 et seq.). VITA is authorized, subject to approval by the Secretary of Technology and any other affected Secretariat, to delegate the powers and responsibilities granted in this subsection to any agency within the executive branch.

G. This section shall not be construed or applied so as to infringe upon, in any manner, the responsibilities for accounting systems assigned to the Comptroller under § 2.2-803.

§ 2.2-2013. Internal service funds; Applications Services Internal Service Fund; Infrastructure Services Internal Service Fund; Telecommunication Services Internal Service Fund.

A. There are established the following internal service funds to be administered by VITA:

1. The Automated Applications Services Internal Service Fund to be used to finance automated systems design, development and testing services and staff of VITA;

2. The Computer Infrastructure Services Internal Service Fund to be used to finance computer infrastructure operations and staff of VITA, excluding telecommunications infrastructure; and

3. The Telecommunication Services Internal Service Fund to be used to finance telecommunications operations and staff of VITA.

B. There is established the Acquisition Services Special Fund to be administered by VITA and used to finance procurement and contracting activities and programs unallowable for federal fund reimbursement.

C. All users of services provided for in this chapter administered by VITA shall be assessed a surcharge, which shall be deposited in the appropriate fund. This charge shall be an amount sufficient to allow VITA to finance the operations and staff of the services offered.

D. Additional moneys necessary to establish these funds or provide for the administration of the activities of VITA may be advanced from the general account of the state treasury.

E. The CIO shall direct that the following activities be conducted with respect to VITA’s internal service funds:

1. VITA shall establish fee schedules for the collection of fees from users when general fund appropriations are not available for the services rendered.

2. VITA shall develop and implement information, billing, and collections systems that will aid state agencies in analyzing their use of VITA’s services and allow VITA to forecast trends in service demands.

3. By October 1 of each year, VITA shall submit biennial projections of future revenues and expenditures for each internal service fund and estimates of any anticipated changes to fee schedules to the Joint Legislative Audit and Review Commission and the Department of Planning and Budget.

4. That on or before October 1, 2010, the CIO shall, in consultation with the Joint Legislative Audit and Review Commission and the Department of Planning and Budget, develop standard documentation and information to be used as part of any requests for changes to its fee schedules and rates. In the event that changes to fee schedules or rates are required, the CIO shall submit the documentation developed in accordance with this section to the Joint Legislative Audit and Review Commission and the Department of Planning and Budget no later than September 1 prior to the fiscal year in which the new or revised rates are to take effect so that the impact of the rate changes can be considered for inclusion in the executive budget submitted to the General Assembly pursuant to § 2.2-1508 of the Code of Virginia. In emergency circumstances, deviations from this approach shall be approved in advance by the Joint Legislative Audit and Review Commission.

§ 2.2-2023. Virginia Technology Infrastructure Fund created; contributions.

A. The Virginia Technology Infrastructure Fund (the Fund) is created in the state treasury. The Fund is to be used to fund major information technology projects or to pay private partners as authorized in subsection B of § 2.2-2007 E of § 2.2-2012.

B. The Fund shall consist of: (i) the transfer of general and nongeneral fund appropriations from state agencies which represent savings that accrue from reductions in the cost of information technology and communication services, (ii) the transfer of general and nongeneral fund appropriations from state agencies which represent savings from the implementation of information technology enterprise projects, (iii) funds identified pursuant to subsection B of § 2.2-2007 E of § 2.2-2012, (iv) such general and nongeneral fund fees or surcharges as may be assessed to agencies for enterprise or collaborative technology projects or use of enterprise and collaborative applications, (v) gifts, grants, or donations from public or private sources, and (vi) such other funds as may be appropriated by the General Assembly. Savings shall be as identified by the CIO through a methodology approved by the Board Secretary of Technology and the Secretary of Finance. The Auditor of Public Accounts shall certify the amount of any savings identified by the CIO. For public institutions of higher education, however, savings shall consist only of that portion of total savings that represent general funds. The State Comptroller is authorized to transfer cash consistent with appropriation transfers. Appropriated funds from federal sources are exempted from transfer. Except for funds to pay private partners as authorized in subsection B of § 2.2-2007 E of § 2.2-2012, moneys in the Fund shall only be expended as provided by the appropriation act.

Interest earned on the Fund shall be credited to the Fund. The Fund shall be permanent and nonreverting. Any unexpended balance in the Fund at the end of the biennium shall not be transferred to the general