Tap any paragraph to write a margin note. Your notes collect in the Desk below the text and file under cases with @. The side-by-side margin rail opens on a larger screen.

§
Marginalia
Code · Virginia · Title 2.2 · Chapter 55.3

Code of Virginia § 2.2-5514. Prohibited products and services and required incident reporting.

511 words·~2 min read·/va/title-2-2/chapter-55-3/2-2-5514·

A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

A. As used in this chapter, unless the context requires a different meaning:
"Cybersecurity information" means information describing or relating to any security system or measure, whether manual or automated, that is used to control access to or use of information technology; security risks, threats, or vulnerabilities involving information technology; or security preparedness, response, or recovery related to information technology. "Cybersecurity information" includes critical infrastructure information and information regarding cybersecurity risks, cybersecurity threats, and incidents, as those terms are defined in 6 U.S.C. § 650.
"Public body" means any legislative body; any court of the Commonwealth; any authority, board, bureau, commission, district, or agency of the Commonwealth; any political subdivision of the Commonwealth, including counties, cities, and towns, city councils, boards of supervisors, school boards, planning commissions, and governing boards of institutions of higher education; and other organizations, corporations, or agencies in the Commonwealth supported wholly or principally by public funds.
"Public body" includes any committee, subcommittee, or other entity however designated of the public body or formed to advise the public body, including those with private sector or citizen members and corporations organized by the Virginia Retirement System.
B. No public body may use, whether directly or through work with or on behalf of another public body, any hardware, software, or services that have been prohibited by the U.S. Department of Homeland Security for use on federal systems.
C. Every public body shall report all
(i)known incidents that threaten the security of the Commonwealth's data or communications or result in exposure of data protected by federal or state laws and
(ii)other incidents compromising the security of the public body's information technology systems with the potential to cause major disruption to normal activities of the public body or other public bodies. Such reports shall be made to the Virginia Fusion Intelligence Center within 24 hours from when the incident was discovered. The Virginia Fusion Intelligence Center shall share such reports with the Chief Information Officer, as described in § 2.2-2005 , or his designee at the Virginia Information Technologies Agency, promptly upon receipt.
D. No cybersecurity information received by the Virginia Information Technologies Agency
(VITA)shall be subject to the Virginia Freedom of Information Act (§ 2.2-3700 et seq.) or the Government Data Collection and Dissemination Practices Act (§ 2.2-3800 et seq.) while in the possession of VITA, neither transferring cybersecurity information to nor sharing cybersecurity information with VITA shall make VITA the custodian of such information for public records purposes. No provision of cybersecurity information to state agencies shall constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection. Persons having access to cybersecurity information maintained by VITA shall keep such information confidential, and no person or agency receiving cybersecurity information from VITA shall release or disseminate such information without prior authorization. The Chief Information Officer, as pursuant to § 2.2-2005 , or his designee may authorize publication or disclosure of reports or aggregate cybersecurity information as appropriate.
2019, c. 302 ; 2022, cc. 626 , 627 ; 2024, c. 503 .
★   the supreme law of the land   ★
Don't Tread on Me
E Pluribus Unum — out of many, one

"If you don't know your rights, you don't have any."

Marginalia · a citizen's law index
A research desk, not legal advice. Always read the cited source before relying on a summary.
Questions or an issue? support@self-law.org
disclaimerMarginalia is a research index, not a law firm. Nothing on this site is legal, tax, or financial advice and no attorney–client relationship is formed by using it. Statutes, regulations, and case law change; summaries, search results, AI output, and member posts may be incomplete, out of date, or wrong. Any interpretation drawn from material on this site should be validated by a licensed attorney in your jurisdiction before you act on it.