Legislation enacted during the 2022 session of the General Assembly takes effect today requiring public bodies to report cybersecurity incidents to the Virginia Fusion Center within 24 hours from when the incident was discovered. This Administration supported legislation was filed and enacted in order to improve the Commonwealth’s ability to catalogue and analyze various cybersecurity threats and incidents that impact public bodies at both the state and local level. Reports can be made by visiting www.reportcyber.virginia.gov.
As previously reported, VACo worked with patrons of the legislation and the Virginia IT Agency (VITA) to improve the original drafts of the legislation. One such improvement was to ensure that the existing FOIA protections in place through the Virginia State Police’s Fusion Center would also apply to incident reports submitted to reportCyber.virginia.gov. Additionally, the legislation was given an enactment clause requiring the Chief Information Officer (CIO) of the Commonwealth to convene a workgroup of multiple state and local stakeholders, including VACo, to review current cybersecurity reporting and information sharing practices and make recommendations on best practices for the reporting of cybersecurity incidents, as well as the scope and implementation of the required incident reporting.
The incident reporting website contains eight easy-to-answer questions designed to provide maximum flexibility to incident reporters. As specified in the enacting legislation, public bodies are required to report all “(i) known incidents that threaten the security of the Commonwealth’s data or communications or result in exposure of data protected by federal or state laws and (ii) other incidents compromising the security of the public body’s information technology systems with the potential to cause major disruption to normal activities of the public body or other public bodies.” The website contains a Frequently Asked Questions (FAQ) section which further details what might constitute a reportable incident.
VACo is appreciative of the efforts of VITA and the Cyber Incident Reporting Work Group to design the website in manner that minimizes the burden upon local governments, protects potentially sensitive information, and enhances cybersecurity collaboration. VACo will continue to participate in the Work Group to ensure that local government perspective is continued to be taken into consideration regarding efforts at coordinated cybersecurity reporting and response by the Commonwealth.
VACo Contact: Jeremy R. Bennett