Cybersecurity statutes (background)
In plain terms. West Virginia runs state cybersecurity through the Office of Technology, with a statutory Cyber Security Program and a state cyber incident-reporting law.
Who it applies to. State agencies and their IT vendors. West Virginia participates in StateRAMP.
What it requires. State law establishes the Office of Technology, a Cyber Security Program that sets and coordinates state cybersecurity, and a cyber incident-reporting requirement directing how incidents are reported within state government. Public-records management law applies to state information.
Why it matters. Vendors serving West Virginia agencies operate under the Office of Technology's security program, and incidents on supported systems feed the state's cyber incident-reporting process; cloud services should plan for StateRAMP.
Citation. W. Va. Code §§ 5A-6 (Office of Technology), 5A-6B (Cyber Security Program), and 5A-6C (West Virginia Cyber Incident Reporting); § 5A-8 (Public Records Management and Preservation Act). Participates in StateRAMP.
Regulations & policies (background)
In plain terms. West Virginia's vendor-facing security rules come through Office of Technology policies and a cloud procurement addendum.
Who it applies to. State agencies and their IT and cloud vendors.
What it requires. Office of Technology policies cover information-security audits, contract management, and certification and accreditation of systems, and a dedicated Cloud/SaaS procurement addendum sets security terms for cloud services; CIO review and approval applies to covered IT.
Why it matters. Cloud and IT vendors should expect the Office of Technology's policies and the Cloud/SaaS addendum to govern their contracts, alongside StateRAMP.
Citation. West Virginia Office of Technology policies WVOT-PO1008 (Information Security Audit), WVOT-PO1012 (Contract Management), and WVOT-PO1025 (Certification and Accreditation); WV Cloud/SaaS Procurement Addendum; CIO-19-001 (CIO Review Approval).