2025 SESSION

INTRODUCED

25103274D

HOUSE BILL NO. 2591

Offered January 13, 2025

Prefiled January 13, 2025

A BILL to amend and reenact § 2.2-2006 of the Code of Virginia and to amend the Code of Virginia by adding a section numbered 2.2-2012.2, by adding in Chapter 55.3 of Title 2.2 a section numbered 2.2-5514.2, and by adding in Title 59.1 a chapter numbered 58, consisting of a section numbered 59.1-607, relating to information and communications technology and services; transactions with foreign adversaries.

Patron: Freitas

Committee Referral Pending

Be it enacted by the General Assembly of Virginia:

1. That § 2.2-2006 of the Code of Virginia is amended and reenacted and that the Code of Virginia is amended by adding a section numbered 2.2-2012.2, by adding in Chapter 55.3 of Title 2.2 a section numbered 2.2-5514.2, and by adding in Title 59.1 a chapter numbered 58, consisting of a section numbered 59.1-607, as follows:

§ 2.2-2006. Definitions.

As used in this chapter, unless the context requires a different meaning:

"Commonwealth information technology project" means any state agency information technology project that is under Commonwealth governance and oversight.

"Commonwealth Project Management Standard" means a document developed and adopted by the Chief Information Officer (CIO) pursuant to § 2.2-2016.1 that describes the methodology for conducting information technology projects, and the governance and oversight used to ensure project success.

"Confidential data" means information made confidential by federal or state law that is maintained in an electronic format.

"Enterprise" means an organization with common or unifying business interests. An enterprise may be defined at the Commonwealth level or secretariat level for program and project integration within the Commonwealth, secretariats, or multiple agencies.

"Executive branch agency" or "agency" means any agency, institution, board, bureau, commission, council, public institution of higher education, or instrumentality of state government in the executive department listed in the appropriation act. However, "executive branch agency" or "agency" does not include the University of Virginia Medical Center, a public institution of higher education to the extent exempt from this chapter pursuant to the Restructured Higher Education Financial and Administrative Operations Act (§ 23.1-1000 et seq.) or other law, or the Virginia Port Authority.

"Foreign adversary" means the same as that term is defined in § 55.1-507.

"Information and communications technology and services" means any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communications by electronic means, including transmission, storage, and display.

"Information technology" means communications, telecommunications, automated data processing, applications, databases, data networks, the Internet, management information systems, and related information, equipment, goods, and services. The provisions of this chapter shall not be construed to hamper the pursuit of the missions of the institutions in instruction and research.

"ITAC" means the Information Technology Advisory Council created in § 2.2-2699.5.

"Major information technology project" means any Commonwealth information technology project that has a total estimated cost of more than $1 million or that has been designated a major information technology project by the CIO pursuant to the Commonwealth Project Management Standard developed under § 2.2-2016.1.

"Secretary" means the Secretary of Administration.

"Technology asset" means hardware and communications equipment not classified as traditional mainframe-based items, including personal computers, mobile computers, and other devices capable of storing and manipulating electronic data.

"Telecommunications" means any origination, transmission, emission, or reception of data, signs, signals, writings, images, and sounds or intelligence of any nature, by wire, radio, television, optical, or other electromagnetic systems.

§ 2.2-2012.2. Additional powers of the CIO related to prohibited information and communications technology and services.

A. The CIO shall establish and maintain a list of prohibited information and communications technology and services that (i) are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary and (ii) have been determined to pose an unacceptable risk to the national security of the United States or the security and safety of the United States. The list shall include any information and communications technology and services determined by the U.S. Department of Commerce, the Federal Communications Commission, the U.S. Department of Homeland Security, or any other appropriate federal agency to pose an unacceptable risk to the national security of the United States or the security and safety of the United States pursuant to the provisions of Executive Order 13873 on Securing the Information and Communications Technology and Services Supply Chain and any related regulations or official guidance.

B. The list shall be published on the publicly accessible website of the Virginia Information Technologies Agency and updated at least annually.

C. The CIO shall develop and implement procedures for any public body or person conducting business in the Commonwealth to apply for and receive a waiver to the prohibitions in §§ 2.2-5514.2 and 59.1-607 on acquiring, importing, transferring, installing, dealing in, or using any information and communications technology and services included on the list established and maintained pursuant to subsection A as long as the waiver (i) does not pose an unacceptable risk to the national security of the United States or the security and safety of the United States and (ii) is not otherwise prohibited by law.

§ 2.2-5514.2. Prohibited transactions involving information and communications technology and services from foreign adversaries.

A. No public body, as defined in § 2.2-5514, shall acquire, import, transfer, install, deal in, or use any information and communications technology and services included on the list of prohibited information and communications technology and services established and maintained by the Chief Information Officer (CIO) of the Virginia Information Technologies Agency pursuant to subsection A of § 2.2-2012.2.

B. The provisions of subsection A shall not apply if (i) (a) such transaction was initiated, is pending, or will be completed after July 1, 2025, or (b) the public body received a waiver from the CIO pursuant to subsection C of § 2.2-2012.2 and (ii) such transaction is not otherwise prohibited by law.

C. The Superintendent of State Police, in consultation with the CIO, may grant an exception to the provisions of subsection A for the purpose of allowing any employee, agent, person, or entity to participate in any law-enforcement-related matters.

CHAPTER 58.

SECURING INFORMATION AND COMMUNICATIONS TECHNOLOGY AND SERVICES SUPPLY CHAIN ACT.

§ 59.1-607. Prohibited transactions involving information and communications technology and services from foreign adversaries.

A. No person conducting business in the Commonwealth shall acquire, import, transfer, install, deal in, or use any information and communications technology and services included on the list of prohibited information and communications technology and services established and maintained by the Chief Information Officer (CIO) of the Virginia Information Technologies Agency pursuant to § 2.2-2012.2.

B. The provisions of subsection A shall not apply if (i) (a) such transaction was initiated, is pending, or will be completed after July 1, 2025, or (b) the person conducting business in the Commonwealth received a waiver from the CIO pursuant to subsection C of § 2.2-2012.2 and (ii) such transaction is not otherwise prohibited by law.