HOUSE BILL NO. 2038

AMENDMENT IN THE NATURE OF A SUBSTITUTE

(Proposed by the House Committee on General Laws

on ________________)

(Patron Prior to Substitute—Delegate Anthony)

A BILL to amend the Code of Virginia by adding a section numbered 2.2-4321.4 and by adding in Chapter 55.3 of Title 2.2 sections numbered 2.2-5514.2 and 2.2-5514.3, relating to uncrewed aircraft systems; procurement and use of prohibited.

Be it enacted by the General Assembly of Virginia:

1. That the Code of Virginia is amended by adding a section numbered 2.2-4321.4 and by adding in Chapter 55.3 of Title 2.2 sections numbered 2.2-5514.2 and 2.2-5514.3 as follows:

§ 2.2-4321.4. Prohibition on procurement of uncrewed aircraft systems by noncompliant public body.

No public body shall contract with a nongovernmental source for the purchase, lease, or use, whether directly or through work with or on behalf of another public body, of an uncrewed aircraft system, as that term is defined in § 2.2-5514.2, if such public body is not compliant with the provisions of § 2.2-5514.2.

§ 2.2-5514.2. Prohibition on procurement and use of insecure uncrewed aircraft systems.

A. For the purposes of this section:

"Advanced air mobility" or "AAM" means the integration of highly automated, uncrewed, or non-piloted aircraft into airspace systems to provide innovative and efficient transportation solutions for passengers or cargo.

"Cybersecurity incident" means any event that jeopardizes the confidentiality, integrity, or availability of data stored, processed, or transmitted by a UAS, including unauthorized access, data breaches, or system vulnerabilities.

"Insecure UAS" means a UAS that includes components, software, or hardware flagged for cybersecurity vulnerabilities; is manufactured, assembled, or controlled by entities domiciled in countries identified as foreign adversaries pursuant to § 55.1-507; and does not meet supply chain security standards or has not been certified by VITA.

"Public body" means the same as that term is defined in § 2.2-3701.

"Secure UAS" means a UAS that meets cybersecurity, operational safety, and data privacy standards as defined by the Virginia Information Technologies Agency (VITA) and is certified by VITA as compliant with state standards and included in the approved list of secure UAS.

"Uncrewed aircraft system" or "UAS" means an aircraft system operated without an onboard human pilot, including the aircraft, control stations, communication links, and components required for its safe operation. This includes drones and systems that may be remotely piloted or autonomous but excludes platforms specifically designed for passenger or large cargo transport under AAM.

B. Beginning January 1, 2026, no public body shall purchase, lease, or otherwise procure an insecure UAS, nor shall any public body use, whether directly or through work with or on behalf of another public body, an insecure UAS. Only those uncrewed aircraft systems which VITA has certified to be secure and approved for use pursuant to subsection D may be procured or used by any public body.

C. VITA shall establish cybersecurity standards for certification of UAS as secure and maintain a list of approved secure UAS manufacturers and models published on its website. VITA shall employ a UAS cybersecurity specialist to provide technical expertise on cybersecurity risks, evaluate UAS, and deliver training on UAS to public bodies. VITA shall also employ a statewide UAS compliance officer to certify secure UAS, conduct annual compliance audits of public bodies, and otherwise monitor such compliance. Public bodies shall submit annual reports on or before December 1 of each year to VITA detailing UAS procurement and usage and steps taken by such bodies to comply with this section.

D. In the event of a cybersecurity incident involving a UAS, VITA shall be responsible for administering, coordinating, and otherwise managing the response. Public bodies shall report all cybersecurity incidents involving UAS within 24 hours of the discovery of such incident to the Virginia Fusion Intelligence Center established in Chapter 11 (§ 52-47 et seq.) of Title 52. The Virginia Fusion Intelligence Center shall share such reports with the Chief Information Officer, as described in § 2.2-2005, or his designee at VITA, promptly upon receipt.

E. The Joint Commission on Technology and Science (JCOTS) shall review cybersecurity standards published by VITA and make recommendations every two years to ensure alignment with emerging UAS technologies, evolving cybersecurity threats, the operational and safety needs of public bodies, and public safety priorities within the Commonwealth. Such review shall involve consultation with VITA, the Department of Criminal Justice Services, the Department of Aviation, public safety agencies, cybersecurity experts, and other relevant stakeholders. Findings and recommendations from these reviews shall be submitted to the House Committee on Public Safety and the Senate Committee for Courts of Justice for consideration.

F. VITA shall submit an annual report to the General Assembly on or before December 1 of each year detailing the compliance rate of public bodies with this section, the perceived impact of the Uncrewed Aircraft Replacement Grant Program, established pursuant to § 2.2-5514.3,on the transition of public bodies away from insecure UAS, and any recommendations for updates based on emerging cybersecurity threats or operational needs.

§ 2.2-5514.3. Uncrewed Aircraft Replacement Grant Program.

A. As used in this section:

"Insecure UAS" means a UAS that includes components, software, or hardware flagged for cybersecurity vulnerabilities; is manufactured, assembled, or controlled by entities domiciled in countries identified as foreign adversaries pursuant to § 55.1-507; and does not meet supply chain security standards or has not been certified by VITA.

"Public body" means the same as that term is defined in § 2.2-3701.

"Secure UAS" means a UAS that meets cybersecurity, operational safety, and data privacy standards as defined by the Virginia Information Technologies Agency (VITA) and is certified by VITA as compliant with state standards and included in the approved list of secure UAS.

"Uncrewed aircraft system" or "UAS" means an aircraft system operated without an onboard human pilot, including the aircraft, control stations, communication links, and components required for its safe operation. This includes drones and systems that may be remotely piloted or autonomous but excludes platforms specifically designed for passenger or large cargo transport under AAM.

B. With all funds appropriated for such purpose and any gifts, donations, grants, bequests, and other funds received on its behalf, the Uncrewed Aircraft Replacement Grant Program (the Program) is hereby established to provide grants to public bodies for the purpose of aiding such bodies with the transition from insecure UAS to secure UAS. Public bodies that fail to comply with the provisions of § 2.2-5514.2 are ineligible for an award under the Program. Public bodies with significant operational reliance on UAS and limited resources for replacing insecure UAS shall be given priority when awarding grant funds.

C. The Program shall be administered by the Department of Criminal Justice Services (DCJS). To assist with the administration of the Program, DCJS shall employ a program manager to review grant applications and monitor available funds. DCJS may issue guidelines for the administration of the Program as it deems appropriate. DCJS shall establish procedures for grant applications and determining amounts and prioritizing the award of such grants if the moneys appropriated to the Program are not sufficient to provide each applicant the full grant amount for which such applicant applies and is eligible. DCJS shall submit an annual report to the General Assembly on or before December 1 of each year summarizing grant program outcomes, including grants awarded and the impact of such grants on the transition from insecure UAS to secure UAS.

2. That any public body in possession of an insecure uncrewed aircraft system, as that term is defined by the provisions of this act, shall decommission and cease use of such insecure uncrewed aircraft system no later than January 1, 2026.