Bill Text: VA HB2323 | 2015 | Regular Session | Chaptered


Bill Title: Information technology projects and services; Chief Information Officer authorized to approve.

Spectrum: Partisan Bill (Republican 1-0)

Status: (Passed) 2015-04-30 - Governor: Acts of Assembly Chapter text (CHAP0768) [HB2323 Detail]

Download: Virginia-2015-HB2323-Chaptered.html

CHAPTER 768
An Act to amend and reenact §§2.2-225, 2.2-603, 2.2-1509.3, 2.2-2006 through 2.2-2009, 2.2-2012, 2.2-2015, 2.2-2017, 2.2-2018.1, and 2.2-2021 of the Code of Virginia, relating to information technology projects and services in the Commonwealth.
[H 2323]
Approved April 30, 2015

 

Be it enacted by the General Assembly of Virginia:

1. That §§2.2-225, 2.2-603, 2.2-1509.3, 2.2-2006 through 2.2-2009, 2.2-2012, 2.2-2015, 2.2-2017, 2.2-2018.1, and 2.2-2021 of the Code of Virginia are amended and reenacted as follows:

§2.2-225. Position established; agencies for which responsible; additional powers.

The position of Secretary of Technology (the Secretary) is created. The Secretary shall be responsible to the Governor for the following agencies, councils, and boards: Information Technology Advisory Council, Innovation and Entrepreneurship Investment Authority, Virginia Information Technologies Agency, Virginia Geographic Information Network Advisory Board, and the E-911 Services Board. The Governor, by executive order, may assign any other state executive agency to the Secretary, or reassign any agency listed in this section to another Secretary.

Unless the Governor expressly reserves such power to himself, the Secretary may, with regard to strategy development, planning and budgeting for technology programs in the Commonwealth:

1. Monitor trends and advances in fundamental technologies of interest and importance to the economy of the Commonwealth and direct and approve a stakeholder-driven technology strategy development process that results in a comprehensive and coordinated view of research and development goals for industry, academia and government in the Commonwealth. This strategy shall be updated biennially and submitted to the Governor, the Speaker of the House of Delegates and the President Pro Tempore of the Senate.

2. Work closely with the appropriate federal research and development agencies and program managers to maximize the participation of Commonwealth industries and universities in these programs consistent with agreed strategy goals.

3. Direct the development of plans and programs for strengthening the technology resources of the Commonwealth's high technology industry sectors and for assisting in the strengthening and development of the Commonwealth's Regional Technology Councils.

4. Direct the development of plans and programs for improving access to capital for technology-based entrepreneurs.

5. Assist the Joint Commission on Technology and Science created pursuant to §30-85 in its efforts to stimulate, encourage, and promote the development of technology in the Commonwealth.

6. Continuously monitor and analyze the technology investments and strategic initiatives of other states to ensure the Commonwealth remains competitive.

7. Strengthen interstate and international partnerships and relationships in the public and private sectors to bolster the Commonwealth's reputation as a global technology center.

8. Develop and implement strategies to accelerate and expand the commercialization of intellectual property created within the Commonwealth.

9. Ensure the Commonwealth remains competitive in cultivating and expanding growth industries, including life sciences, advanced materials and nanotechnology, biotechnology, and aerospace.

10. Monitor the trends in the availability and deployment of and access to broadband communications services, which include, but are not limited to, competitively priced, high-speed data services and Internet access services of general application, throughout the Commonwealth and advancements in communications technology for deployment potential. The Secretary shall report annually by December 1 to the Governor and General Assembly on those trends.

11. Review and approve or disapprove, according to the recommendations of the Chief Information Officer (CIO) pursuant to §2.2-2008, the selection or termination of any Commonwealth information technology project that has been defined or designated as a "major information technology project" pursuant to subdivision 13 and any Commonwealth information technology project with high risk and high complexity.

12. Review and approve statewide technical and data standards for information technology and related systems, including the utilization of nationally recognized technical and data standards for health information technology systems or software purchased by a state agency of the Commonwealth, as recommended by the CIO pursuant to §2.2-2007.

13. Develop the criteria, requirements, and process for defining a Commonwealth information technology project as a "major information technology project" for the purposes of §2.2-2006, including the criteria, requirements, and process for designating a Commonwealth information technology project that has a cost below $1 million as a "major information technology project."

14. Designate Commonwealth information technology projects as major information technology projects according to the criteria, requirements, and process developed pursuant to subdivision 13.

15. Review and approve the initiation or termination of any procurement conducted pursuant to §2.2-2012 with a total estimated cost over $1 million, and contracts or amendments thereto.

16. Review and approve statewide information technology project, procurement, and investment management policies and standards, as developed and recommended by the CIO pursuant to §2.2-2007.

17. Designate specific projects as enterprise information technology projects, prioritize the implementation of enterprise information technology projects, establish enterprise oversight committees to provide ongoing oversight for enterprise information technology projects. At the discretion of the Governor, the Secretary shall designate a state agency or public institution of higher education as the business sponsor responsible for implementing an enterprise information technology project, and shall define the responsibilities of lead agencies that implement enterprise information technology projects. For purposes of this subdivision, "enterprise" means an organization with common or unifying business interests. An enterprise may be defined at the Commonwealth level or Secretariat level for programs and project integration within the Commonwealth, Secretariats, or multiple agencies.

18. Review and approve the Commonwealth Project Management Standard as defined in §2.2-2006.

19. 12. Establish Internal Agency Oversight Committees and Secretariat Oversight Committees as necessary and in accordance with §2.2-2021.

13. Review and approve the Commonwealth strategic plan for information technology, as developed and recommended by the Chief Information Officer pursuant to §2.2-2007.

14. Communicate regularly with the Governor and other Secretaries regarding issues related to the provision of information technology services in the Commonwealth, statewide technology initiatives, and investments and other efforts needed to achieve the Commonwealth's information technology strategic goals.

§2.2-603. Authority of agency directors.

A. Notwithstanding any provision of law to the contrary, the agency director of each agency in the executive branch of state government shall have the power and duty to (i) supervise and manage the department or agency and (ii) prepare, approve, and submit to the Governor all requests for appropriations and to be responsible for all expenditures pursuant to appropriations.

B. The director of each agency in the executive branch of state government, except those that by law are appointed by their respective boards, shall not proscribe any agency employee from discussing the functions and policies of the agency, without prior approval from his supervisor or superior, with any person unless the information to be discussed is protected from disclosure by the Virginia Freedom of Information Act (§2.2-3700 et seq.) or any other provision of state or federal law.

C. Subsection A shall not be construed to restrict any other specific or general powers and duties of executive branch boards granted by law.

D. This section shall not apply to those agency directors that are appointed by their respective boards or by the Board of Education. Directors appointed in this manner shall have the powers and duties assigned by law or by the board.

E. In addition to the requirements of subsection C of § 2.2-619, the director of each agency in any branch of state government shall, at the end of each fiscal year, report to (i) the Secretary of Finance and the Chairmen of the House Committee on Appropriations and the Senate Committee on Finance a listing and general description of any federal contract, grant, or money in excess of $1,000,000 for which the agency was eligible, whether or not the agency applied for, accepted, and received such contract, grant, or money, and, if not, the reasons therefore and the dollar amount and corresponding percentage of the agency's total annual budget that was supplied by funds from the federal government and (ii) the Chairmen of the House Committees on Appropriations and Finance, and the Senate Committee on Finance any amounts owed to the agency from any source that are more than six months delinquent, the length of such delinquencies, and the total of all such delinquent amounts in each six-month interval. Clause (i) shall not be required of public institutions of higher education.

F. Notwithstanding subsection D, the director of every agency and department in the executive branch of state government, including those appointed by their respective boards or the Board of Education, shall be responsible for securing the electronic data held by his agency or department and shall comply with the requirements of the Commonwealth's information technology security and risk-management program as set forth in §2.2-2009.

G. The director of every department in the executive branch of state government shall report to the Chief Information Officer as described in §2.2-2005, all known incidents that threaten the security of the Commonwealth's databases and data communications resulting in exposure of data protected by federal or state laws, or other incidents compromising the security of the Commonwealth's information technology systems with the potential to cause major disruption to normal agency activities. Such reports shall be made to the Chief Information Officer within 24 hours from when the department discovered or should have discovered their occurrence.

§2.2-1509.3. Budget bill to include appropriations for major information technology projects.

A. For purposes of this section, unless the context requires a different meaning:

"Commonwealth Project Management Standard" means the same as that term is defined in §2.2-2006.

"Major information technology project" means the same as that term is defined in §2.2-2006.

"Major information technology project funding" means an estimate of each funding source for a major information technology project for the duration of the project.

B. In "The Budget Bill" submitted pursuant to § 2.2-1509, the Governor shall provide for the funding of major information technology projects, as specified herein. Such funding recommendations shall be for major information technology projects that have or are pending project initiation approval as defined in the Commonwealth Project Management Standard.

The Governor shall include in "The Budget Bill" submitted pursuant to §2.2-1509 a biennial appropriation for major information technology projects and the following information for each such project:

1. For major information technology projects that have been recommended for funding, a brief statement explaining the business case for the project, the priority of the project in the Recommended Technology Investment Projects Report as required by §2.2-2007, and an explanation, if necessary, if the Governor informed the Secretary of Technology Chief Information Officer (CIO) that an emergency existed as set forth in §2.2-2008;

2. A brief explanation of the inclusion of any project in the budget bill that has not undergone review and approval by the Secretary of Technology as required by §2.2-225;

3. Total estimated project costs, as defined by the Commonwealth Project Management Standard, including the amount of the agency's or institution's operating appropriation that will support the project;

4. 3. All project costs incurred to date as defined by the Commonwealth Project Management Standard;

5. 4. Recommendations or comments of the Public-Private Partnership Advisory Commission, if the project is part of a proposal under the Public-Private Education Facilities and Infrastructure Act of 2002 (§56-575.1 et seq.);

6. 5. The CIO's assessment of the project and the status as of the date of the budget bill submission to the General Assembly;

7. 6. The planned project start and end dates as defined by the Commonwealth Project Management Standard; and

8. 7. Projected annual operations and maintenance expenditures, including but not limited to fees, licenses, infrastructure, and agency and nonagency staff support costs, for information technology delivered by major information technology projects for the first budget biennium after project completion.

C. The Secretary of Technology CIO shall immediately notify each member of the Senate Finance Committee and the House Appropriations Committee of any decision to terminate in accordance with §2.2-225 2.2-2015 any major information technology project in the budget bill. Such communication shall include the Secretary of Technology's CIO's reason for such termination.

§2.2-2006. Definitions.

As used in this chapter, unless the context requires a different meaning:

"Commonwealth information technology project" means any state agency information technology project that is under Commonwealth governance and oversight.

"Commonwealth Project Management Standard" means a document developed and recommended adopted by the Chief Information Officer (CIO) pursuant to §2.2-2008, and approved by the Secretary pursuant to §2.2-225, that describes the methodology for conducting information technology projects, and the governance and oversight used to ensure project success.

"Communications services" includes telecommunications services; automated data processing services; local, wide area, metropolitan, and all other data networks; and management information systems that serve the needs of state agencies and institutions.

"Confidential data" means information made confidential by federal or state law that is maintained by a state agency in an electronic format.

"Enterprise" means an organization with common or unifying business interests. An enterprise may be defined at the Commonwealth level or secretariat level for program and project integration within the Commonwealth, secretariats, or multiple agencies.

"Information technology" means telecommunications, automated data processing, applications, databases, the Internet, management information systems, and related information, equipment, goods, and services. The provisions of this chapter shall not be construed to hamper the pursuit of the missions of the institutions in instruction and research.

"ITAC" means the Information Technology Advisory Council created in §2.2-2699.5.

"Major information technology project" means any Commonwealth information technology project that has a total estimated cost of more than $1 million or that has been designated a major information technology project by the Secretary pursuant to §2.2-225 or that has been designated a major information technology project by the CIO pursuant to the Commonwealth Project Management Standard developed under §2.2-2008.

"Noncommercial telecommunications entity" means any public broadcasting station as defined in §22.1-20.1.

"Public broadcasting services" means the acquisition, production, and distribution by public broadcasting stations of noncommercial educational, instructional, informational, or cultural television and radio programs and information that may be transmitted by means of electronic communications, and related materials and services provided by such stations.

"Public telecommunications entity" means any public broadcasting station as defined in §22.1-20.1.

"Public telecommunications facilities" means all apparatus, equipment and material necessary for or associated in any way with public broadcasting stations as defined in §22.1-20.1 or public broadcasting services, including the buildings and structures necessary to house such apparatus, equipment and material, and the necessary land for the purpose of providing public broadcasting services, but not telecommunications services.

"Public telecommunications services" means public broadcasting services.

"Secretary" means the Secretary of Technology.

"State agency" or "agency" means any agency, institution, board, bureau, commission, council, or instrumentality of state government in the executive branch listed in the appropriation act. However, the terms "state agency," "agency," "institution," "public body," and "public institution of higher education," shall not include the University of Virginia Medical Center.

"Technology asset" means hardware and communications equipment not classified as traditional mainframe-based items, including personal computers, mobile computers, and other devices capable of storing and manipulating electronic data.

"Telecommunications" means any origination, transmission, emission, or reception of data, signs, signals, writings, images, and sounds or intelligence of any nature, by wire, radio, television, optical, or other electromagnetic systems.

"Telecommunications facilities" means apparatus necessary or useful in the production, distribution, or interconnection of electronic communications for state agencies or institutions including the buildings and structures necessary to house such apparatus and the necessary land.

§2.2-2007. Powers of the CIO.

A. In addition to such other duties as the Secretary may assign, the CIO shall:

1. Monitor trends and advances in information technology; develop a comprehensive six-year Commonwealth strategic plan for information technology to include: (i) specific projects that implement the plan; (ii) a plan for the acquisition, management, and use of information technology by state agencies; (iii) a report of the progress of any ongoing enterprise information technology projects, any factors or risks that might affect their successful completion, and any changes to their projected implementation costs and schedules; and (iv) a report on the progress made by state agencies toward accomplishing the Commonwealth strategic plan for information technology. The Commonwealth strategic plan for information technology shall be updated annually and submitted to the Secretary for approval.

2. Direct the formulation and promulgation of policies, guidelines, standards, and specifications for the purchase, development, and maintenance of information technology for state agencies, including, but not limited to, those (i) required to support state and local government exchange, acquisition, storage, use, sharing, and distribution of geographic or base map data and related technologies, (ii) concerned with the development of electronic transactions including the use of electronic signatures as provided in §59.1-496, and (iii) necessary to support a unified approach to information technology across the totality of state government, thereby assuring that the citizens and businesses of the Commonwealth receive the greatest possible security, value, and convenience from investments made in technology.

3. Direct the development of policies and procedures, in consultation with the Department of Planning and Budget, that are integrated into the Commonwealth's strategic planning and performance budgeting processes, and that state agencies and public institutions of higher education shall follow in developing information technology plans and technology-related budget requests. Such policies and procedures shall require consideration of the contribution of current and proposed technology expenditures to the support of agency and institution priority functional activities, as well as current and future operating expenses, and shall be utilized by all state agencies and public institutions of higher education in preparing budget requests.

4. Review budget requests for information technology from state agencies and public institutions of higher education and recommend budget priorities to the Secretary.

Review of such budget requests shall include, but not be limited to, all data processing or other related projects for amounts exceeding $250,000 in which the agency or institution has entered into or plans to enter into a contract, agreement or other financing agreement or such other arrangement that requires that the Commonwealth either pay for the contract by foregoing revenue collections, or allows or assigns to another party the collection on behalf of or for the Commonwealth any fees, charges, or other assessments or revenues to pay for the project. For each project, the agency or institution, with the exception of public institutions of higher education that meet the conditions prescribed in subsection B of §23-38.88, shall provide the CIO (i) a summary of the terms, (ii) the anticipated duration, and (iii) the cost or charges to any user, whether a state agency or institution or other party not directly a party to the project arrangements. The description shall also include any terms or conditions that bind the Commonwealth or restrict the Commonwealth's operations and the methods of procurement employed to reach such terms.

State agencies and institutions, with the exception of public institutions of higher education that meet the conditions prescribed in subsection B of §23-38.88, shall submit to the CIO a projected biennial operations and maintenance budget for technology assets owned or licensed by the agency or institution, and submit a budget decision package for any shortfalls.

5. Direct the development of policies and procedures for the effective management of information technology investments throughout their entire life cycles, including, but not limited to, identification, business case development, selection, procurement, implementation, operation, performance evaluation, and enhancement or retirement. Such policies and procedures shall include, at a minimum, the periodic review by the CIO of agency and public institution of higher education Commonwealth information technology projects.

6. Provide technical guidance to the Department of General Services in the development of policies and procedures for the recycling and disposal of computers and other technology assets. Such policies and procedures shall include the expunging, in a manner as determined by the CIO, of all state confidential data and personal identifying information of citizens of the Commonwealth prior to such sale, disposal, or other transfer of computers or other technology assets.

7. Oversee and administer the Virginia Technology Infrastructure Fund created pursuant to §2.2-2023.

8. Periodically evaluate the feasibility of outsourcing information technology resources and services, and outsource those resources and services that are feasible and beneficial to the Commonwealth.

9. Have the authority to enter into contracts, and with the approval of the Secretary of Technology for any contracts over $1 million, with one or more other public bodies, or public agencies or institutions or localities of the several states, of the United States or its territories, or the District of Columbia for the provision of information technology services.

10. Report annually to the Governor, the Secretary, and the Joint Commission on Technology and Science created pursuant to §30-85 on the use and application of information technology by state agencies and public institutions of higher education to increase economic efficiency, citizen convenience, and public access to state government. The CIO shall prepare an annual report for submission to the Secretary, the Information Technology Advisory Council, and the Joint Commission on Technology and Science on a prioritized list of Recommended Technology Investment Projects (RTIP Report) based upon major information technology projects submitted for business case approval pursuant to this chapter. As part of the RTIP Report, the CIO shall develop and regularly update a methodology for prioritizing projects based upon the allocation of points to defined criteria. The criteria and their definitions shall be presented in the RTIP Report. For each project recommended for funding in the RTIP Report, the CIO shall indicate the number of points and how they were awarded. For each listed project, the CIO shall also report (i) all projected costs of ongoing operations and maintenance activities of the project for the next three biennia following project implementation; (ii) a justification and description for each project baseline change; and (iii) whether the project fails to incorporate existing standards for the maintenance, exchange, and security of data. This report shall also include trends in current projected information technology spending by state agencies and secretariats, including spending on projects, operations and maintenance, and payments to VITA. Agencies shall provide all project and cost information required to complete the RTIP Report to the CIO prior to May 31 immediately preceding any budget biennium in which the project appears in the Governor's budget bill.

11. Direct the development of policies and procedures that require the Division of Project Management established pursuant to §2.2-2016, on behalf of the CIO, to review and recommend Commonwealth information technology projects proposed by state agencies and institutions. Such policies and procedures shall be based on the criteria outlined within §2.2-2017.

12. Provide oversight for state agency or public institution of higher education efforts to modernize the planning, development, implementation, improvement, operations and maintenance, and retirement of Commonwealth information technology, including oversight for the selection, development and management of enterprise information technology. At the discretion of the Governor, the CIO shall designate a state agency or public institution of higher education as the business sponsor responsible for implementing an enterprise information technology project, and define the responsibilities of lead agencies that implement enterprise information technology projects.

13. Develop and recommend to the Secretary statewide technical and data standards for information technology and related systems, including the utilization of nationally recognized technical and data standards for health information technology systems or software purchased by a state agency of the Commonwealth.

14. Establish Internal Agency Oversight Committees and Secretariat Oversight Committees as necessary and in accordance with § 2.2-2021.

B. Consistent with §2.2-2012, the CIO may enter into public-private partnership contracts to finance or implement information technology programs and projects. The CIO may issue a request for information to seek out potential private partners interested in providing programs or projects pursuant to an agreement under this subsection. The compensation for such services shall be computed with reference to and paid from the increased revenue or cost savings attributable to the successful implementation of the program or project for the period specified in the contract. The CIO shall be responsible for reviewing and approving the programs and projects and the terms of contracts for same under this subsection. The CIO shall determine annually the total amount of increased revenue or cost savings attributable to the successful implementation of a program or project under this subsection and such amount shall be deposited in the Virginia Technology Infrastructure Fund created in §2.2-2023. The CIO is authorized to use moneys deposited in the Fund to pay private partners pursuant to the terms of contracts under this subsection. All moneys in excess of that required to be paid to private partners, as determined by the CIO, shall be reported to the Comptroller and retained in the Fund. The CIO shall prepare an annual report to the Governor, the Secretary, and General Assembly on all contracts under this subsection, describing each information technology program or project, its progress, revenue impact, and such other information as may be relevant.

C. The CIO shall develop and recommend to the Secretary a technology investment management standard based on acceptable technology investment methods to ensure that all state agency or public institution of higher education technology expenditures are an integral part of the Commonwealth's performance management system, produce value for the agency and the Commonwealth, and are aligned with (i) agency strategic plans, (ii) the Governor's policy objectives, and (iii) the long-term objectives of the Council on Virginia's Future.

D. Subject to review and approval by the Secretary, the The CIO shall have the authority to enter into and amend contracts for the provision of information technology services.

§2.2-2008. Additional duties of the CIO relating to project management.

The CIO shall have the following duties relating to the management of information technology projects:

1. Develop and recommend to the Secretary a Commonwealth Project Management Standard for information technology projects by state agencies or public institutions of higher education that establishes a methodology for the initiation, planning, execution, and closeout of information technology projects and related procurements. Such methodology shall include the establishment of appropriate oversight for information technology projects. The basis for the governance and oversight of information technology projects shall include, but not necessarily be limited to, an assessment of the project's risk and complexity. The Commonwealth Project Management Standard shall require that all such projects conform to the Commonwealth strategic plan for information technology developed and approved pursuant to §2.2-2007 and the strategic plans of agencies and public institutions of higher education. All executive branch agencies and public institutions of higher education shall conform to the requirements of the Commonwealth Project Management Standard.

2. Establish minimum qualifications and training standards for project managers.

3. Establish an information clearinghouse that identifies best practices and new developments and contains detailed information regarding the Commonwealth's previous experiences with the development of major information technology projects.

4. Disapprove any agency or public institution of higher education request to initiate a major information technology project or related procurement if funding for such project has not been included in the budget bill in accordance with §2.2-1509.3. The provisions of this subdivision shall not apply upon a determination by the Governor that an emergency exists and a major information technology project is necessary to address the emergency.

5. Review and approve or disapprove the selection or termination of any Commonwealth information technology project that has not been defined or designated as a major information technology project pursuant to §2.2-225 or that does not have high risk and high complexity. For any Commonwealth information technology projects defined or designated as major information technology projects, or that have high risk and high complexity, the CIO shall recommend approval or disapproval to the Secretary pursuant to § 2.2-225.

6. Disapprove or recommend for disapproval by the Secretary any Commonwealth information technology projects that do not conform to the Commonwealth strategic plan for information technology developed and approved pursuant to §2.2-2007 or to the strategic plans of state agencies or public institutions of higher learning.

§2.2-2009. Additional duties of the CIO relating to security of government information.

A. To provide for the security of state government electronic information from unauthorized uses, intrusions or other security threats, the CIO shall direct the development of policies, procedures and standards for assessing security risks, determining the appropriate security measures and performing security audits of government electronic information. Such policies, procedures, and standards will apply to the Commonwealth's executive, legislative, and judicial branches, and independent agencies and institutions of higher education. The CIO shall work with representatives of the Chief Justice of the Supreme Court and Joint Rules Committee of the General Assembly to identify their needs.

B. The CIO shall also develop policies, procedures, and standards that shall address the scope of security audits and the frequency of such security audits. In developing and updating such policies, procedures, and standards, the CIO shall designate a government entity to oversee, plan and coordinate the conduct of periodic security audits of all executive branch and independent agencies and institutions of higher education. The CIO will coordinate these audits with the Auditor of Public Accounts and the Joint Legislative Audit and Review Commission. The Chief Justice of the Supreme Court and the Joint Rules Committee of the General Assembly shall determine the most appropriate methods to review the protection of electronic information within their branches.

C. The CIO shall annually report to the Governor, the Secretary, and General Assembly those executive branch and independent agencies and institutions of higher education that have not implemented acceptable policies, procedures, and standards to control unauthorized uses, intrusions, or other security threats. For any executive branch or independent agency or institution of higher education whose security audit results and plans for corrective action are unacceptable, the CIO shall report such results to (i) the Secretary, (ii) any other affected cabinet secretary, (iii) the Governor, and (iv) the Auditor of Public Accounts. Upon review of the security audit results in question, the CIO may take action to suspend the public body's information technology projects pursuant to §2.2-2015, limit additional information technology investments pending acceptable corrective actions, and recommend to the Governor and Secretary any other appropriate actions.

The CIO shall also include in this report (a) results of security audits, including those state agencies, independent agencies, and institutions of higher education that have not implemented acceptable regulations, standards, policies, and guidelines to control unauthorized uses, intrusions, or other security threats and (b) the extent to which security standards and guidelines have been adopted by state agencies.

D. All public bodies subject to such audits as required by this section shall fully cooperate with the entity designated to perform such audits and bear any associated costs. Public bodies that are not required to but elect to use the entity designated to perform such audits shall also bear any associated costs.

E. The provisions of this section shall not infringe upon responsibilities assigned to the Comptroller, the Auditor of Public Accounts, or the Joint Legislative Audit and Review Commission by other provisions of the Code of Virginia.

F. To ensure the security and privacy of citizens of the Commonwealth in their interactions with state government, the CIO shall direct the development of policies, procedures, and standards for the protection of confidential data maintained by state agencies against unauthorized access and use. Such policies, procedures, and standards shall include, but not be limited to:

1. Requirements that any state employee or other authorized user of a state technology asset provide passwords or other means of authentication to (i) use a technology asset and (ii) access a state-owned or operated computer network or database; and

2. Requirements that a digital rights management system or other means of authenticating and controlling an individual's ability to access electronic records be utilized to limit access to and use of electronic records that contain confidential data to authorized individuals.

G. The CIO shall promptly receive reports from directors of departments in the executive branch of state government made in accordance with §2.2-603 and shall take such actions as are necessary, convenient or desirable to ensure the security of the Commonwealth's electronic information and confidential data.

H. The CIO shall also develop policies, procedures, and standards that shall address the creation and operation of a risk management program designed to identify information technology security gaps and develop plans to mitigate the gaps. All agencies in the Commonwealth shall cooperate with the CIO. Such cooperation includes, but is not limited to, (i) providing the CIO with information required to create and implement a Commonwealth risk management program; (ii) creating an agency risk management program; and (iii) complying with all other risk management activities.

I. The CIO shall provide all directors of agencies and departments with all such information, guidance, and assistance required to ensure that agencies and departments understand and adhere to the policies, procedures, and standards developed pursuant to this section.

§2.2-2012. Procurement of information technology and telecommunications goods and services; computer equipment to be based on performance-based specifications.

A. Information technology and telecommunications goods and services of every description shall be procured by (i) VITA for its own benefit or on behalf of other state agencies and institutions or (ii) such other agencies or institutions to the extent authorized by VITA. Such procurements shall be made in accordance with the Virginia Public Procurement Act (§ 2.2-4300 et seq.), regulations that implement the electronic and information technology accessibility standards of the Rehabilitation Act of 1973 (29 U.S.C. §794d), as amended, and any regulations as may be prescribed by VITA. In no case shall such procurements exceed the requirements of the regulations that implement the electronic and information technology accessibility standards of the Rehabilitation Act of 1973, as amended.

The CIO shall disapprove any procurement that does not conform to the Commonwealth strategic plan for information technology developed and approved pursuant to §2.2-2007 or to the individual strategic plans of state agencies or public institutions of higher education.

B. All statewide contracts and agreements made and entered into by VITA for the purchase of communications services, telecommunications facilities, and information technology goods and services shall provide for the inclusion of counties, cities, and towns in such contracts and agreements. Notwithstanding the provisions of §2.2-4301, 2.2-4302.1, or 2.2-4302.2, VITA may enter into multiple vendor contracts for the referenced services, facilities, and goods and services.

C. VITA may establish contracts for the purchase of personal computers and related devices by licensed teachers employed in a full-time teaching capacity in Virginia public schools or in state educational facilities for use outside the classroom. The computers and related devices shall not be purchased with public funds, but shall be paid for and owned by teachers individually provided that no more than one such computer and related device per year shall be so purchased.

D. If VITA, or any agency or institution authorized by VITA, elects to procure personal computers and related peripheral equipment pursuant to any type of blanket purchasing arrangement under which public bodies, as defined in §2.2-4301, may purchase such goods from any vendor following competitive procurement but without the conduct of an individual procurement by or for the using agency or institution, it shall establish performance-based specifications for the selection of equipment. Establishment of such contracts shall emphasize performance criteria including price, quality, and delivery without regard to "brand name." All vendors meeting the Commonwealth's performance requirements shall be afforded the opportunity to compete for such contracts.

E. VITA shall allow private institutions of higher education chartered in Virginia and granted tax-exempt status under §501(c)(3) of the Internal Revenue Code to purchase directly from contracts established for state agencies and public bodies by VITA.

F. This section shall not be construed or applied so as to infringe upon, in any manner, the responsibilities for accounting systems assigned to the Comptroller under §2.2-803.

G. The Comptroller shall not issue any warrant upon any voucher issued by a state agency covering the purchase of any information technology and telecommunications goods and services when such purchases are made in violation of any provision of this chapter or the Virginia Public Procurement Act (§2.2-4300 et seq.).

H. Intentional violations of centralized purchasing requirements for information technology and technology and telecommunications goods and services pursuant to this chapter by a state agency, continued after notice from the Governor to desist, shall constitute malfeasance in office and shall subject the officer responsible for the violation to suspension or removal from office, as may be provided in law in other cases of malfeasance.

§2.2-2015. Authority of CIO to modify or suspend information technology projects; project termination.

The CIO may direct the modification or suspension of any Commonwealth information technology project that, as the result of a periodic review authorized by subdivision A 5 of §2.2-2007, has not met the performance measures agreed to by the CIO and the sponsoring state agency or public institution of higher education, or if he otherwise deems such action appropriate and consistent with the terms of any affected contracts.

The CIO may direct the termination of any Commonwealth information technology project that has not been defined or designated a major information technology project, or does not have high risk and high complexity and that, as the result of a periodic review authorized by subdivision A 5 of §2.2-2007, has not met the performance measures agreed to by the CIO and the sponsoring state agency or public institution of higher education, or if he otherwise deems such action appropriate and consistent with the terms of any affected contracts.

The CIO may recommend to the Secretary pursuant to § 2.2-225 the termination of any major information technology project, or any information technology project with high risk and high complexity that, as the result of a periodic review authorized by subdivision A 5 of §2.2-2007, has not met the performance measures agreed to by the CIO and the sponsoring state agency or public institution of higher education, or if he otherwise deems such action appropriate and consistent with the terms of any affected contracts.

Nothing in this section shall be construed to supersede the responsibility of a board of visitors for the management and operation of a public institution of higher education.

The provisions of this section shall not apply to research projects, research initiatives or instructional programs at public institutions of higher education. However, technology investments in research projects, research initiatives or instructional programs at such institutions estimated to cost $1 million or more of general fund appropriations may be reviewed as provided in subdivision A 5 of §2.2-2007. The CIO and the Secretary of Education, in consultation with public institutions of higher education, shall develop and provide to such institution criteria to be used in determining whether projects are mission-critical.

§2.2-2017. Powers and duties of the Division.

The Division shall have the power and duty to:

1. Implement the approval process for information technology projects developed in accordance with the Commonwealth Project Management Standard;

2. Assist the Secretary and the CIO in the development and implementation of project management policies, standards, guidelines and methodologies to be used for information technology projects in accordance with this article;

3. Provide ongoing assistance and support to state agencies and public institutions of higher education in the development of information technology projects;

4. Establish a program providing cost-effective training to agency project managers;

5. Review information management and information technology plans submitted by agencies and public institutions of higher education and recommend to the CIO the approval of such plans and any amendments thereto;

6. Monitor the implementation of information management and information technology plans and periodically report its findings to the CIO;

7. Review and recommend information technology projects based on criteria developed pursuant to §2.2-2007 that assess the (i) degree to which the project is consistent with the Commonwealth's overall strategic plan; (ii) technical feasibility of the project; (iii) benefits to the Commonwealth of the project, including customer service improvements; (iv) risks associated with the project; (v) continued funding requirements; and (vi) past performance by the agency on other projects;

8. Provide oversight for state agency information technology projects; and

9. Report on a quarterly basis to the CIO, the Secretary, the Governor, the Information Technology Advisory Council, the Joint Legislative Audit and Review Commission, the Auditor of Public Accounts, the House Appropriations Committee, the Senate Finance Committee, and the Joint Commission on Technology and Science the status and performance of each major information technology project and related procurement conducted by any state agency or institution.

§2.2-2018.1. Project and procurement investment business case approval.

A. In accordance with policies and standards approved by the Secretary pursuant to §2.2-225, state State agencies and public institutions of higher education shall obtain CIO approval prior to the initiation of any Commonwealth information technology project or procurement with a total estimated cost below $1 million, or Secretary approval for any Commonwealth information technology project or procurement with a total estimated cost of $1 million or more. When selecting an information technology investment, state agencies and public institutions of higher education shall submit to the Division an investment business case, outlining the business value of the investment, the proposed technology solution, if known, and an explanation of how the project will support the agency strategic plan, the agency's secretariat's strategic plan, and the Commonwealth strategic plan for information technology developed and approved pursuant to §2.2-2007. The Division may require the submission of additional information if needed to adequately review any such proposal.

B. The Division shall review each investment business case submitted in accordance with this section and recommend its approval or rejection to the CIO pursuant to the policies and procedures developed in § 2.2-2007.

C. In accordance with policies and standards outlined in the Commonwealth Project Management Standard, the CIO shall review the business case for any Commonwealth information technology project or procurement and approve or disapprove, or recommend approval or disapproval to the Secretary pursuant to §2.2-225.

§2.2-2021. Project oversight committees.

A. Whenever the project charter has been approved for a major information technology project, an enterprise information technology project, or for an information technology project with high risk and high complexity, the Secretary shall establish an Internal Agency Oversight Committee (IAOC). Whenever the project charter has been approved for any other Commonwealth information technology project, the CIO shall establish an IAOC. The IAOC shall represent all business or functional stakeholders of the project including stakeholders in other agencies, assure that all stakeholders have the opportunity to work together toward a mutually beneficial integrated solution, have the authority to approve or reject any changes in the project's scope, schedule, or budget, provide oversight and direction to the project, and review and approve the schedule baseline and all project documentation.

B. Whenever the project charter has been approved for a major information technology project, an enterprise information technology project, or for an information technology project with high risk and high complexity, the Secretary shall establish a Secretariat Oversight Committee (SOC). Whenever the project charter has been approved for any other Commonwealth information technology project, the CIO shall establish an SOC. The SOC shall represent all business or functional stakeholders of the project including stakeholders in other secretariats, validate the proposed project business case, review and make recommendations on changes in the project's scope, schedule or budget, and review Independent Verification and Validation reports and recommend corrective actions if needed.

feedback