Good morning, Kevin. And you and I have just chatted briefly. What I was hoping that we would get out of here and you're telling, you told me we will touch on this for sure is how the legislators themselves are kind of to our vulnerabilities, risks in this system, that you have a presentation that you've prepared. So, for the record, new as of yesterday, so apologies for the non-updated signature block. Kevin Moore, Deputy Director, excuse me, Director of IT for the General Assembly. Director of, yes, for the General Assembly. So, good morning, thank you for having me. I did try to do some interpretation based off the subject line. So, if I'm not going in the right direction, please redirect me and I'm happy to discuss anything you would like to discuss. So, given that, turning your page, sir, thank you. So, I've structured, it's just a handful of slides. What are we talking about? Current training opportunities that are available to legislators and staff alike, but specifically legislators. Common concerns and vulnerabilities we have with staff and legislators specifically. It does focus primarily on cybersecurity as that has been a sole focus, or not the sole, but a primary focus of this committee, cybersecurity. So, I wanted to make sure we were there and then training recommendations in order to address those concerns and vulnerabilities. So, some of the current training opportunities we provide in-house training. So, it's developed in-house, it's either ad hoc in nature or we actually put together some presentation materials, class materials. It's available to legislators in a variety of ways. It could be a specific one-on-one scenario. It could be a committee as a whole that we train. That's a very frequent request that we receive at the beginning of session to provide refresher training opportunities. It is typically centered around the use of the iPad within the committee process. 
But we talk about many different technologies that are in use during those conversations and how to use them better and how to use them to improve the productivity of that committee. The other times that we provide training is when technology changes have been significant, what IT seems as significant, and then we directly reach out to those committees and request time to talk about it and update everybody to make sure everybody's comfortable with those changes. And then the other piece that we take care of in-house is new as of last year, which we want to see continue. We are very happy to see it happen, which was the house cybersecurity training for the entire chamber. It was more of me talking at folks, which is not great, but it is the only opportunity that we've had so far to address the body as a whole and provide the same information as a whole. It was incredibly beneficial from our perspective to have that happen and we would really appreciate at some point doing the same for the Senate chamber. Hopefully we can do that in the future. Questions before we move on? Do you have to have people using electronics at the Senate? Well, it's not specific to the chamber, Senator. It certainly can, the presentation doesn't have to happen within the chamber. No, that's not what I mean. Yeah. It doesn't. But we... We can say it. We would like to provide the same training to make sure that all users of the legislative information system have the same understanding of what the vulnerabilities may be. So this was the pre-session that you did this, right? Yes, so this was the cyber security training was... The all house. It was the all house training. I was preceded by Chief Romy I for physical security training at that point. But it was in December. That's what I'm asking you. I believe it was really January. I think it was January. It was early January. Yeah, so all legislators were present at that point and the speaker invited us in to provide that training. 
Was that required? I believe it was required by the speakers. Do we anticipate doing that again this year, even though it's seven years? I would welcome the opportunity to do the same refresher. I think it would be great. I think it is beneficial to have the information provided regularly and consistent. Is there any reason to think it wouldn't be happening this year? I don't know. I hadn't given it a thought. I would make the assumption that the speaker and I would discuss it getting closer to see if it's something that she wants to dedicate time to again, being the second year of a biennial. As everybody has already heard that information, but I again would welcome the opportunity to come in one more time. Yes. I agree. We could use it a second time around, even though people are... It's something that even IT professionals should be receiving, again, regularly. The timeframe, which you determine as regular, is always subject to the needs of the organization. But it's certainly something that I would like to see happen no less than an annual. Next slide, sir. Third party training. So to supplement our in-house training, we bring in and contract with third party specialized trainers when we have large changes. So this year, we had a Windows 10 upgrade. So from Windows 7 to Windows 10, we brought in the third party trainer who does nothing but Windows 10 training to make sure that they could teach the staff the differences between those two operating systems. It's what we call a bit of a force multiplier, have that trainer in. It allows us to continue to do our day-to-day job without having to dedicate an individual or more than an individual staff member to that training while making sure everybody still receives it. It is typically around specific technologies or specific subjects, and it is typically made only upon request either of, again, a large change or if a legislative body or a large staff unit have requested a specific training. 
So, training recommendations. Touchdown already. Cybersecurity awareness training. I believe it should be mandatory or routine for all users of the legislative information systems. That includes legislators, staff, and anybody that we allow access to include contractors. And we want to make sure that their systems are just as secure and that they understand our security policies. IT should periodically audit and test user training. That's a nice way to say that we should send phishing scams to you and see if you bite on them and see what that response rate looks like, what that acceptance rate looks like. Maybe you said this, but are you already doing them in a routine way with staff? No. So, cybersecurity awareness training is relatively new to the legislature. We received our first dedicated position last year, not even quite a year ago, almost a year ago. Brian Corris is behind me. He is our dedicated cybersecurity professional that we have on staff. So we are still building up this system. We're trying to, we also hired a new user support specialist this year whose primary duty is training. Unfortunately, we see some staff changes happening in the near future. So that is on the back burner for the moments. Once we get through the next month or so, we will continue those efforts to try to bring a training framework specific to cybersecurity to the staff as a whole and the legislators as a whole. Is there an industry level of bare minimums that you would like to see achieved by everybody within the building and that could be signed off for contractors as we have achieved these minimums? There is. I don't have the specifics with me. I would have to defer to Ryan as far as the specific cybersecurity requirements we would have. But we generally follow the NIST 853 framework to make sure that our information systems are secure. We are still working through that framework and using that as a guide as we evolve as an organization. Did you want to bring Ryan? 
Did you want Ryan? Do you have anything to add at this point? Nothing to add. So it's something that we should be doing. What we haven't done yet, again, is we need a bit of buy-in to be able to poke at the legislators specifically to send false and potentially scary emails to see if people bite on them. It's a great, great way to provide insight into how well that training is actually working. What would that look like? What would it look like? So we would use a commercial-based system to craft an email that is malicious in intent but safely malicious. It essentially says, oh, we got you. Once you get through the end of the clicking of those links, and it provides some data back to us to analyze to make sure we understand what that click rate looks like. So what's scary, the I got you, or the text of the original message? So it's the I got you. It's understanding that you were susceptible to a phishing account. That can be scary for some folks. And we want to make sure that everybody's aware that it could happen, that we might send something out. But we don't want to advertise it too widely, obviously. To the fire girl. Fire girl. At the end of it, can we suggest that here's the training options that you can? Certainly. I don't see why we couldn't pursue it in that direction. For the individual who failed? Yes. No. I just want to be clear. It's like detention. I'm picturing myself trying to convince Senate colleagues that we need to do this. And I want to come back to the staff idea. It seems like that conversation goes easily when we can say, the whole building has done this, and we, you know, I'm sorry, four months of work is not the excuse. We're now the weak link. So I don't know if you agree, but it seems like it could be something that we would, as a committee, suggest. But it sure would feel better for me if we were sort of saying, look, everybody's dealing with this. And in fact, everybody has already gone through it, or is scheduled, or whatever. 
So is that a recommendation for everyone to do the training recommendation for? Yes, I mean, so they're already working with everybody that works in the building, other than legislators, it sounds like. We have not provided cyber security awareness training to all staff at this point. Right, but that's on the short list, right? You're saying, and I'm saying, when that's either scheduled or been completed, it then I think gets easier for us to say to colleagues, you know, we got to have time for us to do our part. Otherwise, I mean, if you have a weak link in the system, right, the whole system vulnerable, so. Absolutely, so in my note, I very specifically call it out that our IT infrastructure is only as strong as the weakest link, and quite frankly, it's the users of the system that are the weakest link. So when we do the recommendation, I think it's important to put it in that context of the overall every user of the network and the potential risk that's posed. To that point, do you have any thoughts on people who haven't achieved this, perhaps being firewalled from the rest of the network? So we take many precautions proactively for what we call our risky users to, for lack of a better term, firewall them from information systems that could be damaged. And who are your risky users? I will not identify risky users. What's the method then? Your methodology. Are they individual? We have a lot of questions. Are they individuals? They're individuals. Yes, it's not specific groups. So we anecdotally, the risky users span legislators and staff members alike. So it is not a specific group that is worse than the other. So you're firewalling. I wanna make sure I understand this. Specific individuals. There are times when we have to put additional security controls in place to protect those individuals from their usage. So I would like to understand a little bit more about when that determination gets made and how that determination gets made. 
So it is typically after, there's no set process. Just so that's clear, there's no set process currently. It is a operational decision made after multiple attempts of typically educating that individual on some of the risky usage patterns. And it's not always retained. So that is something that we wanna make sure we protect against. Multiple attempts. So there's no process. There's no set and still in process currently. But the process is you identify it. You try to go to the individual and have them correct and stop that behavior. And then on that individual facts of the case, you make a determination to firewall. But if anybody on that list would know if you'd come to that person, individual where they might be multiple times to say, this, what you're doing here is creating a real risk for the network. Is that what people know that? I think that's a fair assumption to make. So we by default go to the users first. We try to educate first and we try to do it multiple times. We will never restrict access to the tools and information systems that they need in order to do their job. We will make sure that they have all the resources they need to do their job effectively. I think what we ultimately need to do in order to prevent situations like this is an in mass cybersecurity awareness training program. Again, that is mandatory and that is routine. And the event that somebody refuses, most information systems will then disable the account. Most organizations disable the account temporarily until that training is required and satisfied. So you have the authority now to do some sort of phish, phishing expedition with us? Are you asking? Yes. No, we do not have the authority at this point to do so. That is typically something you'd want a committee level buy in on before we start proactively sending phishing attempts throughout our network. So authority versus comfort level. So you don't have the authority. And you're uncomfortable. 
I am uncomfortable doing it without committee level buy in. And you're not explicitly prevented from doing it? I am not explicitly prevented from doing it either. There's nothing saying you can't do it. We certainly could, but it's something that should be part of a listed approach, a comprehensive approach to cybersecurity. We don't want to be ad hoc. Well, I'm curious for you or for others. Did these questions all fall to this committee or some of this alleged counsel? Committee, I'm just curious. I mean, we can obviously make recommendations. Nobody's passing a bill here, but I'm just curious where the jurisdiction is sort of shared. So my interpretation of the jurisdiction as of yesterday would be the legislative management committee or the legislative IT committee. Right, I'm good. I'm on the legislative management. I'm on the legislative IT. Oh, we can go over what the people are. And also, we are. And our chairs are gone, by the way. Yes, yes. But you guys are going to take our committee away. I hope I've heard. We've talked about, right, when you create another structure and make that kind of change, as Kevin said yesterday, everybody was in agreement. IT needed to be a separate entity. And we moved on that yesterday. So we're looking at other committees that have been created over time in light of this newly created. So we just don't want to layer on something else on top of everything that's there. Well, I'm only one member, but I think it would make sense to be folded into larger. Thank you. That's consistent with what I'm thinking. So we are working on a recommendation letter as well, which we'll talk with back in a little later today. So that would go to. So before we move on to the next slide, the biggest thing that we want to see as a training outcome is the improvement of your base level knowledge across the user base, is what we call it. 
That way, every user of the legislative system understands the base level of expectation when it comes to cybersecurity and what we call cyber hygiene. Just good practices on how to be alert, pay attention, and report what you see in an effective manner. Next slide, sir. Common concerns, vulnerabilities. So this is generic to some extent, but these are issues we see across the board to include legislators and staff members. Social engineering, that is the art of having a conversation with somebody and extracting information that they otherwise wouldn't have given you. We have had that happen here multiple times, where we have outside entities calling up perhaps the speaker's office and say, hey, I'm from Canaan. And by the way, we need a new supply of ownership. Can you give us X, Y, and Z information? All of that information should never go to the speaker's office. It's still to the IT department. So they immediately should be alerted, triggered at that point, knowing that that is potentially a social engineering or a vishing call, voice phishing, for that information. So that's an area of concern. Phishing, email phishing, everybody is more or less aware of it at this point. What the concept means is a huge concern of ours. The organization receives many phishing attempts. Some are, I don't want to say necessarily successful at all times, but some get further than others do. There might be a first round of response, and then they go, oh, wait a second, this isn't accurate. This is not something that I should be responding to. And we receive a lot of reports for phishing emails from our users, which is encouraging. General malware. So general malware across information systems is obviously a big concern. You can get that from a variety of means, include attachments to get email or downloading something you shouldn't be downloading, which is why we secure the information systems. 
The way we do is to try to avoid those pitfalls and to reduce the opportunity for threats to be introduced into the environment. Can I ask a question on these lines? I've never fully understood this, but is there a time when just having received the email is dangerous, or is it always like then clicking the attachment or clicking the link? And this is where I will bring Ryan to the table to get into the very specifics of it. So come on over, sir. Yeah, I mean, you're like, oh, I already, all I did was open the message, whatever the message. I didn't even open, it just comes up, you know, it's the email. Morning, I am Ryan Tarkas. I am the network security administrator for the legislative, I think obviously. We don't have a name yet. To address the specific question, the act of receiving email in and of itself is not a hazard. Depending on the configuration of the email client, there could be tracking pixels that are downloaded. Most modern email browsers are set to disable that by default. That's why you've probably seen that download pictures button. So if that button's not pressed, the attacker has no idea that the email has been received, only that it was not rejected. And like on my phone, it'll preview a message, right? Is that sometimes bad practice in terms of triggering that stuff? Typically no, so long as it does not download external content without user intervention. Well, that's it. I've wondered that myself. Thank you for asking. I'm not afraid to look foolish. Thank you, actually. Well, I do routinely. So the greatest risk then would be in this, it's downloading files that you're not sure of the sender. Is that where, is that if you were to look at where we might be at greatest risk, would it be clicking on that, what? I'm sorry. Clicking on that and downloading whatever it is that's attached. Well, that is a great risk. That's not the greatest. The greatest risk is the phishing attack that is seeking to extract your username and password. 
Okay, all right. That's usually a link that you click on or what? It's a link. Occasionally it's a piece of malware, but most often it is a link to a falsified web page. Is that like when I win gazillions of millions of pounds and I could send them, is that an example? That's a potential moment. I get those all the time. I'm very wealthy when I listen to them. It's specific to each message. We'd have to analyze each message, but that is an example of where you could have a situation where you're getting the most compromised. There's a difference between a scam and a phish. That's really what I'm asking. So like when you get something from a bank it looks official, your credit card or Amazon on your order, that would come in scam bucket or is that phishing? Again, it depends on how it's connected. I don't mind saying, could you distinguish between the two because I'm not sure I'm clear. So I will try to create two separate examples using Amazon link, sort of Amazon imposter email. So the first one is saying, hey, your order's on the way. Can you please confirm some information for us? They can turn around and say, please enter your username and password in order to check your order. Make sure that's being delivered. That would be a phish. That's a phishing attempt. Or they can turn around and they can say, hey, your order was delayed because your payment wasn't processed. Please send us your payment information. No, recenter payment information. That could be an example of a scam. Those are areas where they're trying to extract credit card information rather than access information. Information versus money. Right. Okay. So scam is money. Scam is typically money oriented. Web-based attacks, these are less prominent but still a concern as far as Ryan was saying. Our single point that we would have to point to at this point is phishing. Phishing is our largest concern. Web-based attacks, cross-site scripting, drive-by downloads, insecure websites. 
I won't get into the details. There are plenty of threats online due to insecure web server hosting practices. No organization is immune to web-based vulnerabilities. It's how many layers of security do you have in place to make it less interesting to an attacker? I have a question. I had sent Anson Tebbitt's an email and he responded to me, but on my iPhone, it came in in Chinese, the text. But when it went in on my home computer, it was just regular English. What would... It could be device misconfiguration. However, I would strongly... It only happened once. To send that as a potential issue to our IT team. We could talk about that afterwards. Okay. Well, I think I deleted it. Okay. That's my uniform response to everything, it's delete. So, without seeing it, I don't have a good answer. Oh, okay. However, that would be... It is pretty weird. It is pretty weird. And the fact that it was coming up on my phone in that way, but it was on your computer. But not on the computer. It could be a device misconfiguration. Oh, it could be. It could be... They want me to learn Chinese. Nothing, it could be something. All right. All right, that's for one for five. Password conflict awareness is another area of great concern that we have. Many organizations to include ours are sometimes in the habit for convenience to share login credentials to information systems. So I'm just pulling an example out of my hat. It's not saying it's true or not. Let's say a committee assistant is out sick for that day and there's a pressing need in order to post content to that committee's webpage. Perhaps that committee assistant says rather than waiting to get the proper access because everybody's containerized into the access they're supposed to have, rather than waiting to get that proper access, here just use my credentials. Get it uploaded quickly and call it a day. 
At that point, that person has now disclosed their password and their username to those other folks and it is no longer considered secure. On all of our documentation when we issue accounts, it explicitly states not to share credentials. However, we don't necessarily have enforcement tools to make sure you don't share your credentials. That's an area of concern that we have and again we'll be part of a comprehensive approach in the short term. So how would you address that? In other words, there's the need to act. People get out of sick. Do you have a redundant method so that that information could still be posted timely? Oh, absolutely. So we're in the process of changing some of these systems that we've had in place in the past of which may have been built either ad hoc in nature or hastily in order to meet the need. So we wanna make sure that those systems are as secure as possible and provide the appropriate level of access regardless of the situation. So that could be a change in web portal access. That could be a change in policy level access in the back end. It's something we can put technical components in place to take care of. Are you saying that the staffer for the Health and Welfare Committee can't post gen items to the finance? Yes. And so could it be a simple, because in every case we get covered usually somehow of just temporarily empowering the substitute staffer. And that seems like that's really usually what has happened in fact to work around, right? Is that probably the substitute is getting the password from the phone? So they're not at this point. So we've worked out a workaround process for that specific instance to where we escalate the level of access for a short period of time. It's not an ideal situation, but it is a way to ensure that we are not sharing credentials. We never ask for credentials. We don't want your credentials. We don't want your password. If you give it to us, we're gonna tell you. Credentials are password? 
Username password and anything else? Well, it depends on the system. Here in the... Oh, like a secondary path? It could be a secondary piece. But it's whatever you use in order to access information system and that is tied to you as an individual. We want to make sure that we maintain the privacy of those to ensure that everything is auditable based off the user. So if somebody makes the system change, it should be noted that it was that person that made the system change versus somebody using those passwords and usernames. You mentioned that you don't have enforced amenability. So what would that look like? So we have many working policies that we've developed over the last few years. So our organization obviously has continued to change and evolve drastically over the last about five or six years. So we now have a series of cybersecurity policies but just general IT based policies that have not been formally adopted by the IT committee at this point. That is an area of improvement that is necessary to make sure that we can then refer to those policies for enforcement purposes if we have a concern. We have many of them ready to go. And then as I've already touched on the last slide, cyber hygiene, feel free to go to the next slide. Like cyber hygiene is just good paying attention. It's, you know, is this a scam? Is it a phishing attempt? Do I use the same password in multiple locations? Don't do that. Do I use the same username? It might be appropriate, depending on what you're doing. So those are the things we wanna make sure that part of our cybersecurity awareness program that people understand what that means, what it looks like to pay attention and ask questions and be skeptical at all times, specifically around phishing attempts and scams through email or reading phone calls, as I previously mentioned. Those are areas of concern. 
To consistent vulnerabilities, I guess, we get a number of emails that are presumably valid, either from the National Guard or from surveys that are looking for legislative input. And from the National Guard, there's almost always an attachment of some sort and it's never from the, is there a way we can communicate to groups that are in regular contact with us? Hey, stop doing that, that's setting people for failure. Having worked in a DOD environment, specifically for the Vermont Guard, we can provide many points of recommendation, most of which will likely be ignored due to the policies that come down from what we used to call big army. So they have very specific security frameworks in place that they must follow, that they have no control over. So when they send an email, it's gonna be self-signed typically from their system. You're gonna see some sort of bad signature, potentially from that, because they use their own certificate authority. If you live in the DOD environment, if you live in that, that Department of Defense environment, you'll never notice the differences. As soon as they're interacting with folks outside of their environment, that you notice it. I am more than happy to engage them to see if there's something that we can do to make it a little more user-friendly when it comes down to reading it and accessing it. But their policy, by default, is to flag all external emails to disable all links to make sure that it is as difficult as possible to introduce any kind of malicious action. But how would we know when we're being invited to the F-35, is it a ban? The talk, not, I think that's, is that what you, as a, you're talking about on the DOD side, but I'm talking about, if I got something, how do I know it's really from the big army? So that's part of the training program. How do I identify the actual sender address to make sure that it is legit? 
The other piece that we are in a process of rolling out, through, we've worked through one staff office, we're trying to get it through other staff offices as well, is a flagging of specific external emails. And so it flags it in the subject line that says this is external. At the top of your email says this is external. And then at the bottom it gives you some very basic directions on what to pay attention to. Attachments, links, things of that nature. So we're in the process of rolling that out and it will eventually be rolled out to legislators as well. You should always be skeptical, is what it comes down to. Always be skeptical, make sure that it is indeed from the sender that you believe it's from. If you are not expecting it, don't open attachments. If you are concerned that that's an attachment that you might want to review, feel free to contact that sender either directly through a known email address or through a phone. And say, hey, did you send this to me? That's always an okay response. What I was getting at is a lot of those raise the same red flags that a fake email would. So if people get in the habit of, oh, okay, this looks like it's from the DoD, I'll just click on it. That sets them up for failure because they're in a bad habit because of the format from video. Yeah, and that's something that's pretty tough to try to handle as a receiver of email. But again, if that's something that the committee thinks is worthy of pursuing, I'm more than happy to reach out and see if there's a way we can communicate a little bit better and try to clean that up. And we are all obviously getting, legislators are getting tons of emails from people we don't know. Yes. Which is a bit unusual compared to a lot of people. And it's a high profile organization. So because of the profile of the organization and the individual legislators, it requires a higher level of vigilance. 
I think that there's one thing that we all need to be very cautious about whether we're doing it electronically or whether we're just using pen and paper. And that is what you say, what you put in writing and how you say it. Because all in North learned that nothing ever is deleted. And sometimes I was aware of some internal exchange. This was involving a state office. And under freedom of information, those kinds of documents have to be released. And I think there's also a certain sensitivity toward what you say and the nature of the communication. Because it can come back in a way that you may not have anticipated. And so if you don't want anybody to see it or what you're saying, you don't want to have other people to see. Don't say it. You better go to the bathroom and have a conversation in there or something. But it's just something that we need to be aware. Because I do think you could probably, you would have the ability to access anything that's historically on the network. So we frequently. Does delete really mean delete? It depends on the situation. So if we are underneath the litigation hold for any reason, we do have to retain certain content based off of that litigation hold. We frequently only would express written consent of each legislator, assist during freedom of information by the Brecon Act request. We do not look at the content. We do not see the content. We provide it to the attorney who then works with the individual legislator to address what that. Because we've all had those requests. But you have to sign before they'll help you really. You have to provide written consent. Yes. I just went through my files of sent or. You did, right? But if you want staff to be peaking, you have to sign off. So they're not doing it with that. Pretty powerful tools that speed the process after legislators. But because of the nature of those tools and what they can access, we want to make sure that we have that and express written consent. 
Other questions for Kevin. So could you refresh us what whaling is? I know it's big fish. It's big fish. No, it's actually not a fish. A whale is not a fish. But you've differentiated between scam and phishing. Now solicit it between phishing and whaling. So phishing is generally targeted towards the masses. Whaling is targeted towards a specific person, typically of power in an organization, of higher, higher... Individuals, or it could be a group? Correct. It could be a group. It could be a generic nature across a little company for regular phishing attacks. Whaling is typically targeted, going after big fish. So whoever has that higher career is perceived to have that higher level access. So for what? Would they, would you be the target? I am a target, yes. Yeah, absolutely. I am a target. So any IT organization is a target. So I heard you mention earlier, Kevin, that you may have some staffing challenge coming up. I know you had some staffing challenges behind. Can you just give us an overall sense of what you're staffing? And we know that in general that's our challenge. Can you just tell us a little bit about it? So staffing is always a challenge for our department in particular. We're a pretty small organization. To begin with, we all wear a very, we wear a lot of hats, all of us, at any given point. So Ryan is not only our network security administrator, that is his primary focus, period. But he also helps wherever we can help. You'll see him down helping the user if necessary if anybody else is tied up. The challenges we're facing right now are retaining staff, retaining qualified staff, and making sure that we can provide an intriguing enough environment for them to want to come here. So you have a vacancy now? Or you anticipate a vacancy? We anticipate a vacancy coming up. And it's, I have to be generic. We anticipate it coming up in the near future. Hopefully we can right away fill up. It is not a high level position that we are losing, or anticipating losing. 
So it should be a pretty easy fill. We do have one position that is vacant, and that is our session-only user support position, which we don't typically hire until November. So we are at full staff. Once we hire that other position and backfill, based off of the current number of positions, we have a lot of tools. That has not been the case in recent years. It has not been the case in recent years. So we were at 50% staff level earlier this year. We worked fairly diligently in order to fill those positions. One loss, one person out of our department, is a big loss. It takes a big hat. We frequently have concerns about lack of coverage. So if somebody is sick, we frankly expect him to still be available remotely, as necessary. So Ryan is the only network security administrator we have. We don't have another one. Sean Allen is our only systems administrator. We don't have another one. I backfill and try to assist as best I can. But in the event that we lose one of those positions, that is a strategic key loss for our department. There's simply a number, there's just no depth. So if we have something happening with the system at 2 a.m., how do you know? So we have plenty of monitoring systems. We get 2 a.m. wake-up calls from our own monitoring systems to say fix us now. In the event that the monitoring system fails, well, we'll find out in the morning. But that doesn't happen frequently, if at all. So we have... Is it frequently or at all? It doesn't happen frequently. We have in the past, we have had issues where they were not identified via our monitoring systems and we came into not a crisis, but an issue that needed to be addressed promptly. How often did the 2 a.m. call? So I haven't had one in multiple years now. So that's considered... That's pretty good. Pretty good? That's pretty good. Okay, great. We're gonna wrap up. We have a turn here. Thank you. Thank you very much. Thank you very much. 
If folks have their devices, I've been uploading some new presentation materials to the Chai Talk website this morning. So if you're all along there, we're also making as many printouts this weekend. Good morning. Good morning. I'm gonna put your presentation on top of it. Oh, okay. As you need to change slides, I'll try to keep up, okay? All right. Good morning, Karen. We have about 45 minutes. Thank you very much for coming in. Well, thank you for having me come in and talk to you. It's clearly a huge issue for local governments. Everybody, businesses, government and individuals need to be constantly vigilant to protect their digital information. And right now, governments are targets for cyber crime. We hold significant amounts of sensitive information at the local level, and cyber criminals want them. And many of our municipalities are clearly ill-prepared to fend off attacks. Some of the issues that we have are equipment can be old. Equipment can be very old. Staff across a municipality, or actually I'm sure that Kevin may have talked about it earlier, can click on a phishing message that compromises the entire system. Passwords may be infrequently changed or inadequate. Towns may not have their own domain, but rather just a laptop and a password that they're working off of. And that's just kind of a smattering of the sorts of issues that we have. We also understand that the weakest link is the human being. Criminals gain entry to systems when you click on the wrong link, when you answer the wrong call, when you respond to the wrong email. When anybody's not completely suspicious about pretty much everything that comes into the system. While there have been breaches due to human error at the local level in Vermont, we're not actually aware of any ransomware attack in Vermont yet. The most recent example of a breach of security due to human error is the Norwich situation. In Norwich. In Norwich, back in August. I'm thinking of Norwich University. 
No, no, no, Town of Norwich. They received, the finance director received several emails that looked like they were from the town manager. And as a result, she made four transactions to an unknown bank, which amounted to about $250,000 before the system was shut down. And so the town is likely to recover from one of the banks about $80,000. The VLCT, because we insure liability for municipalities, and because of the particular nature of that situation, is going to make up the difference, which amounts to about $170,000. That is a good question. Since the league carries the insurance that you just referenced, usually insurance has certain requirements. You know, like if you put in a stove, you have to have certain... So are there requirements for that liability coverage relative to training, and what actions do you have to take in order to sort of minimize that risk or loss? Well, so it's a new area for us. It was 2018 when we first started offering the insurance to municipalities based on risks created by software-based criminal activities. But usually the insurer says, but we need to have assurances that you are doing X, Y, and Z. Yeah, we do a lot of training of local officials through PACIF. I don't know that there are... I actually don't know if we have requirements around multi-factor authentication, you know, upgrading your equipment, like ongoing training. It's something that we're starting to work on. This coverage was just offered beginning, I think I just said that, in 2018. We insure 348 municipalities ranging from fire districts to public safety authorities. We insure seven cities of the nine and 230 towns and 22 villages for liability. So clearly it's a huge issue for us. It's getting to be more and more of an issue. Our coverage limits, we wouldn't be able to cover every situation that happened. There are limits to coverage. Municipalities can buy up, they can buy additional coverage, but it's quite expensive to do that because we have to... 
I'm not an insurance person, but you have to work with the insurance market as well. So there's a lot of issues around that. Karen, so you talked about you don't have a requirement yet for any kind of training. Would that be, can you just help me understand, what you put that in place for accessing or participating in any insurance? What we do is we assess a town's risk and a town's losses, and that's what the cost of insurance is based on. So if you have multiple losses due to, you know, cyber criminal activity or inattention of staff, that is going to affect what you get charged in the following years. The individual town, not every subscriber, it's not spread over. So this is not a commercial product, then, this is just the... This is a risk pool for municipalities, municipal governments. We are getting a lot of competition from commercial, you know, not to get sidetracked, but initially when we started the PACIF program, it was because private vendors were not interested in underwriting municipalities. So over time there are periods of time when the private vendors are interested, and this is one of those times. But we have a risk pool. Why is this a risk pool? What has the loss history been so far in Latino? Around this particular issue. We haven't had a lot of losses. There was a situation in Essex where they... There were two situations that I was told about yesterday, one in Middlebury and one in Essex. Essex was able to stop and halt the breach and they really didn't suffer any damages. In Middlebury there was a falsified payroll check issued. I'm not sure exactly how, but it amounted to about $2,500. So we haven't seen a lot yet, but we have no illusions that we are going to see more. And with regard to... I believe you said you're not aware of any ransom. So I am of a larger... of a municipality. Several years ago. And so I wonder... I just wonder why... and they're active VLCT people. So is that Guildhall or... Guildhall. Guildhall is... 
there's nothing to... in Essex County. It's... Killfrog. It's Brattleboro. It's Brattleboro. I can find out for you. Well, no. So I wonder to what... I just wonder... Recently? In the last couple of years, yeah. Okay. So I'm wondering to what extent these are sharing that information? Well, I mean, if they want to... if they're a member of PACIF and they want to recover their losses, they have to tell us. They're not going to pay them back. They don't tell us. But this may have predated you, since it was 2018. So actually, yeah, that is true. I think that's exactly it. So I will find out more details about that. How does the league... because when you talk about how many entities out there, and not all of them are obviously participating, as you say, in this risk pool, how do... Is there some organized way of getting information, cautions, alerts out to your membership and/or training opportunities? Yeah. Just from the examples you've given, it shows it's sort of occurring in a variety of ways in a variety of towns, and everybody is sort of going to... We're in a different world here than even five years ago. So I was wondering what you have in place to make people better informed, and how to alert all the membership that this just happened in, for example, where it was avoided because of people being vigilant, but it could be happening in multiple areas. So we do have... We have a page on our website now that is technology assessments, learning about your systems, and has a number of links to vendors who will do security audits. I gave you some of this information. I actually have copies also. That's that new harbor, for example. Our keynote speaker at our annual meeting this year was Morgan Wright, who's a cybersecurity expert. And we followed up that with... No, ten things. It's more copies. We made ten copies. I wasn't sure who was going to be there. I guess it's our expert then. We've been trying to develop some kind of collaboration with Champlain College. 
Their Patrick Leahy Center for Digital Investigation, and provide training through there. There's a training on October 22nd. We're not actually... I guess the person that we were working with at the Universal Assistance Center left Champlain College. So we have to sort of close those conversations now. But we've hosted a webinar just this week on Computer Security Awareness with KnowledgeWave. We had about 80 participants on that who are local officials. The issue is you may have two people that are watching the webinar. It's likely not the Public Works Director, and all those people add to the vulnerability of a system. We have an online university that is for the members of PACIF, the Liability Insurance Program. That's an ongoing thing. We've had it for quite a few years. Cybersecurity is one of the issues that they address around loss control. We've had a very good response rate to that, to those kinds of classes. The National League of Cities just issued a new publication, "Protecting Our Data: What Cities Need to Know", or should know, about cybersecurity. I think I sent that to Mike also, if you want to take a look at it. It's short, but it does hit the things that cities and towns really need to look at. It is on the website. Should we look at it? If you posted it, there were a couple. It is on the website, yeah. It talks about efforts on the part of some other states, Georgia, West Virginia, New York and Virginia, to help fund local government security measures. It also talks about things that you need to do: identifying one person to be responsible for your cybersecurity in your town, educating your workforce, which is going to be a never-ending job, analyzing your vulnerabilities on your system, backing up your data on a regular basis. All those kinds of things. Multi-factor authentication. We're actually doing that in our office right now. And planning for managing potential attacks, so that you have a plan of what to do when you actually do get attacked. 
I think, Karen, did you want a different? Do you have the NLC report there? The other presentation? Yeah, there's a report. Yeah, that. Oh, wow, that thing's big. So down page 21, I think it has the recommendations for what towns need to do. This one? Yeah, see there's six there. And on the printed they also gave you an article from the Georgia Association of Municipalities around same idea, what towns really need to do. So we have to do I think in order to be successful to your issues and we have to do a lot more. We have to do we have to get all of our members trained. We have to have equipment that is that can support the software improvements and so forth. And we were told the other day that only Microsoft 10 I believe is going forward and I guarantee you there's municipal computers out there that are going to be able to make that shift. So there's a lot that needs to be done. I did talk to the agency of digital services yesterday to John Quinn and they have some ideas but we're hoping that and we're happy to meet with to work with you and we're hoping that what you decide to do involves assistance versus mandates that a lot of towns aren't going to be able to actually accommodate. So it's really a different kind of issue area. And we also just one other thought we've been working with the Department of Taxes and Jill as they put together a request for proposal. Jill. I'm going to make sure it was Jill. As they put together the RFP and received responses to the RFP for a new modern integrated property tax management system that incorporates security measures and that's a significant interface between the locals and the state so that's also a potential vulnerability. Okay. This is fascinating and I feel like it's such a timely discussion ideally we might have had five years ago but better now than in five years. 
And I'm thinking about our shift in vital records in the last few years, where we have, I would hope, because we are sort of centralizing that through the Secretary of State's office, I think, Department of Health, we're sort of, in a sense, I would guess, making that slightly less vulnerable, since it's less directly under control of the 200-whatever towns. And I'm wondering, it is, from a budget point of view, not going to be realistic to expect all towns to jump into best practice technologically, and I wonder if the league in your discussions have about places where we could create one system that towns then hinge off of, and therefore the best practice and all the security. Like a single network? Yeah, I don't know. There would be some pushback, people want to have their own flexibility, but on the other hand we're, I'm just trying to think of how you get around it. It doesn't make a lot of sense, when so much of this can be cloud based, to have it be in municipal buildings located 10 miles apart from each other all throughout the state. I guess I'm just wondering if you guys have had or started thinking about ways that we might look to take the data that's most vulnerable and pull it into some centralized system that towns could then access. 
We haven't really thought in that direction, although another example of that would be the parcel mapping GIS program that has been ongoing for the last few years. I don't know if we're, I mean, I'm also not an IT person, I don't know if we're ultimately safer having everything in one place versus first. So I guess my short answer right now would be no, we haven't actually thought about that. And I'm not an IT, maybe it's not the right solution, but just sort of when you look at it, the prospect of going town to town to update individual systems seems really unrealistic and very expensive and inefficient. But you're going to have to do, I think you're going to have to do that if municipalities are going to be accessing central locations. Well, clearly there's a training element to it, but adding, so training, that's a big deal, but adding to that then system development, upgrades, and ongoing, because at the end of the day a lot of small towns are going to be run by a very small number of people, and maybe you get in there, get them a practice, but do we really think that they're then, you know, able, just have the bandwidth to be upgrading their software, you know, all of these ongoing things. I don't know, it strikes me that there would be a role maybe for the state to come in and help and work with the league. I have no idea, but please don't misunderstand me, I don't know if that's the solution, but the point is just the sort of broad thinking of how we come together and do this for, you know, the great majority of our tiny municipalities. Yeah, I don't have a good answer for you right now. One thing that also occurs to me is that the Department of Taxes actually does training for listers, you know, around the grand list, and I believe that's required. They don't have to do it, but we don't require it to. I think there is a hook there somewhere around reassessment dollars or something like that. But I guess I would ask, you mentioned, you know, could the state help us rather than just mandate something, 
and I respect that it's proven of you to have that. I'm not surprised. But if, you know, as we're having these conversations, I just hope we will be thinking of, like, where do we really want to be in five years, as opposed to what we do right now because we're in shambles, and try to have that conversation, so that we're just sort of learning over in shambles. But another area that's been in the news quite frequently is around elections and voting, elections, and so there's that whole issue. And I think that the Secretary of State maybe optimistically said that our system was more protective because it was dispersed, and you have that, but I mean, I don't know. Well, they're not online, but that's big. Yeah, and the really scary thing is what's the next thing that comes down the pipe, changing all the time. So that actually leads to a question that I have, which is what is the entity at VLCT, what is that structure that's kind of grappling with this issue? Do you, like, a subcommittee, is it? We have at VLCT, we have our municipal assistance center, which is free attorneys and free other staff people. We have our own IT staff that have moved us to the cloud and given us multi-factor authentication, and so, and also the leadership team, that are all sort of involved in, but trying to address this issue not only for our office but on the municipal level too, for cities and towns. It affects pretty much everything you do. For that, yet another question that I'm wondering about, which is if you have any sense of risk varying with the size of towns, or if there are typical problems that start to emerge with different size towns, or concerns, is that anything that you're looking at? Well, clearly larger towns have more capacity to put protections in place, and to Senator Pearson's comment, the smaller towns, you're usually operating with a very small number of people, so that's an issue. On the other hand, I mean, larger towns are likely to have larger losses when somebody gets through, so, although probably not, I mean, they'd 
be debilitating in any municipality. If you look around the country, so in Texas this summer there were 23 towns that were hit with ransomware, and they all had a common vendor for their cloud, and that malware came in through the cloud vendor and then went out to the 23 towns. That's good to know, that cloud vendors covering their losses. And around the country, Augusta, Georgia and Maine, I guess, fairly recently had an attack that was, they were able to stop, I mean, the state of Maine. So there's a lot, there's a lot of lessons to be learned out there right now. The question that I had asked you before this meeting was if the VLCT had conducted a statewide assessment of risk for municipalities. We haven't. We don't have the capacity to do that right now. You know, it would be, that would be a huge job. Some of the towns, they'll actually retain services, some of these companies that come in and do that kind of, do you know if that's happening with some, or is it just more in a proactive way as opposed to responding? Yeah, it is absolutely happening in some towns. It seems like the, where the experience has been is really on the financial side to date for the towns, is trying to, like, that happen, or which are tempted in aspects as to dealing with, dealing with, so I'm just wondering, like, how much of it is on the internet versus just internal IT support, you know what I'm saying? In other words, it's payroll, I would think, would be, I don't know, maybe it's not, how would they, those kind of internal financial functions, as opposed to, what's your internal risk against your external risk? So, and towns, again, it sort of covers the spectrum in terms of towns that have done assessments of that or not. Yeah. Is there any information on the median cost per user for IT and cybersecurity among the towns? Is there an idea to spread high to low? I, I'm sure that it is, I'm not sure I can get it for you, but I can try. Okay, thank you. So Karen, Secretary Quinn was not in here when I asked you that previous question about 
a statewide assessment, and so I actually, what I've asked is if the VLCT has considered doing a statewide risk assessment for municipalities, and Karen's response was that they don't have those types of resources. And I'm trying to really understand and think about what state interest there might be in having that type of assessment. So we've talked about several functions, taxes, elections, and so, you know, I'm not going to, I am sort of putting you on the spot, but I'm not expecting, I don't know if you have any thoughts or anything to add in terms of something we should know that the state does in terms of assessments, or if that's something maybe to come back, but I just wanted to connect you to that conversation for the future at least. Okay, for the record, I'm John Quinn, the state CIO. I'm recalling a Department of Homeland Security grant, probably six months ago, I'm not sure if it was awarded or not. There was money there to do local assessments, at least at a high level, to do a survey to towns and provide some guidance. I haven't heard much about it lately, but I can certainly check into that and see where it was awarded and who received the contract to help with that work. This was in Vermont? Yes, the Department of Homeland Security grants all run through Public Safety, and I just wasn't part of the conversation the last couple of months. Okay, so what I, just to follow up, what I think you're saying is there was a grant that came in that you believe had some assessment of municipalities. Yes. That you don't have really a further understanding of, and you're going to come back to us. Okay. How can we do that without the municipalities, you know, what you're leaving, maybe it just hasn't started, you don't know everything. Oh, really? Oh, okay. Well, if somebody took advantage of it, that's wonderful, and it would be nice to know what other resources there might be in that area so we could, through Karen's organization, encourage other towns to take advantage of it. Or sometimes you get a grant and it 
takes a little while to start up, but maybe you should find out the experience of it, so maybe it's just, can you do it again, and maybe no one bit on the work, I'm not quite sure. We thought about being able to do it, seeing if we could do it internally, but because of the way the funds were all back-organization, ADS's, so it was hard for us, because it would have had to have been free, we couldn't have used the grant to pay for our people to do it. It was a little complex, and that's why I'm aware of it. But I can find out if it was awarded, and if so to Hill, and see what the next steps are. Yeah, I would like to flag this conversation, to revisit this conversation in November, both, if you're available, Karen, and I think Secretary Quinn, thinking about what availability, particularly where we have these state systems. So Senator Pearson was speaking earlier about networking, what consistencies, I think that we can offer opportunities rather than every town investing in their own system and analysis or consultants or whatever. Surely there would be some efficiency, and in many cases towns might be happy to have that kind of system. I mean, I just don't know, but thinking about this process repeating 270 times or whatever it is. I'm thinking in terms of the functions, though, for example, even in the state, the fiscal and the disbursement and payroll is done through VISION, it's done through, you know, so central. Yeah, but it's not, it's different. It's like, for example, we get paid through that system, VISION, it has nothing to do with our legislative network. I'm just wondering if there's certain functions that lend themselves, like you were talking about, to particularly where they are connecting back into state systems, as we've talked about. So it's kind of interesting to see where those opportunities might be, and it sounds like we're doing that, we're exploring that with property tax. Yeah, well, a network system that's being used by most towns, I would think we would want to make sure that it has some kind of a 
cybersecurity component to it, because all of the towns are, many of them, well, everybody uploads their grand list through the system, so there's already these common systems. You know, I guess as we're following up, what are those systems that we already have, who's sort of in charge of them, and is that something the state should be aware of and potentially help with? Yeah, are you getting that? So we're talking about following this thread in November, I'll make sure I send Karen and John and Bites. I was just going to point out that Vermont Center for Geographic Information, which is a division of ADS, they're a mapping group, and all of the towns use their information, so that's one area that we share that service out to the municipalities. Another area, that is education, is we're building that unified chart of accounts system. Am I going to see it before I depart my earthly existence? I hope so. Martha Heath was chair of Appropriations, we set that money aside to get a uniform, yeah, I'm serious, six years ago. It's been a while. Well, there has been a uniform chart of accounts for many, many years. Problem was the municipalities each used it differently, and so the accounts were uniform but what was in them was not. Okay, in the case of education, I don't think it was. I guess you're right, it's one bucket they put like. Tangent but related to GIS, do you know if they're using the UVM drone survey folks to get a full map regularly of the state? I'm not sure if they're using the drone group or not, I think they're using the light and satellite. They've got higher resolution every year. You find a little bit of satellite photography that's in the capital. Yes, thank you, Karen. Is there anything else that, is there any one of the other questions that I had asked you? Well, I had asked you about training, you know, if there was an opportunity, and also what the legislature would be helpful. You've said not mandate. I think the biggest need is for funding for training, because that's the weak link, is the people, and you 
need to train on an ongoing basis. Like we get, so once a month, at least once a month, they might do it more frequently, but we get, they make test emails, and if you click on them, that goes back to the IT department and they come talk to you about it. What about towns? For towns, within our office, but that's one of the best practices that you would put in place. We've just heard that. Actually, when you think about this, the question is pretty expansive, because they're, while we're talking about local government, in fact state government funds so many service providers, for example, like designated agencies are essentially quasi-judicial entities, so the whole issue around security is, it's pretty universal, that's where you think about it. We have a lot of money, millions and millions, that are going out through those provider systems, and a lot of them are, well, I think the cost of training of IT systems is, for example, our DAs right now, all in the process of getting new health information systems, and how they are well protected is about sensitive information, and at least we've wanted it to, as opposed to what we had with vital, which is anything that is meaningful to use. I recall discussing that at one of our previous meetings, in terms of how the state government's resources go out into these other organizations, and that maybe we needed to look at it in terms of AHS, in terms of their master agreements with these organizations: what kind of cybersecurity issues do you have, Mr. 
Designated Agency, because we're going to be filing stuff through you and we want to make sure your organization is as secure as you would like it to be, and it should be part of that master contract negotiation, new rules, perhaps expanded rules, I don't know if they may already be there, I don't know, but we just want to assure ourselves that there is some protection there. I'd be curious, when we follow up on this, if people think it makes sense to ask Karen to touch base with you. You said there's a subcommittee of your board or whatever that looks into this? Well, it's mostly staff that does. Well, maybe we hear directly from them, or they join you or something, because I do think I don't have a good handle on the opportunity for the state to help, or, you know, you've made us aware that this is a considerable concern, but anyway, if that makes sense, if you think that makes sense, I would appreciate it. I think what I'm trying to put together in my head here is where the state is already intersecting with municipalities, what opportunity there is for a statewide assessment of risk there, do you understand? For the record, I'm director of property valuation at the tax department. So as part of our rolling out our grand list software, which I'd love to come back and talk to you about, because I do think it kind of represents a seismic shift and a pretty big opportunity to move towns in the right direction, we did an informal technology assessment, because we're basically going to have sort of minimum standards that they're going to have to meet at the local level to use the system. So I'd be happy to bring that back to this group if you'd like. Can you? That would be great. Okay. We did an informal technology assessment, right, so we surveyed towns, we actually had a researcher at VLCT help us make sure we got to all the towns, and asked them things like bandwidth, age of hardware, things like that. It's not probably to the level that someone actually doing an IT audit would want to know what's vulnerable, but it sort 
of sets the standard of what we've got that seems to me like it would be useful and I'm not sure every town participated but we had over 50% so thank you thank you thank you okay do we want to take a quick break Cass is next and is Darren here and I think Cass is up she is do you want to break down now or do we want to take a quick break quick break Cass Madison Deputy Commissioner Ardiva and program sponsor for IE Director Darren Prail Director of Digital Services for the agency of digital services the first one yes and do you have a printout that I can look at there's no iPad to scroll through that way I can talk to you thank you very much okay okay because we have you listed as the IT Director for the agency of human services well I know okay so going on your presentation to make sure that we're able to get through next okay so just very quickly on the leadership transition just so you all know obviously every time we testify we have both AHS and ADS in the room on that AHS side program sponsorship for integrated eligibility will be taken over by Lori Collins who has been with the state for 40 years she also oversees the MMIS Medicaid Management Information Systems IT project and she's the Chief Operating Officer for DEVA so they're sort of working out the organizational structure but she'll be at the head of it I think there are some really clear advantages to that on the federal side they've moved to a consolidated model so we used to have a separate state officer for each one of our major IT projects they have one now just for Vermont so I think having one person on the AHS side and one person on the CMS side is actually a really good thing so I think the commissioner will figure out with the secretary of ADS how testimony will be handled going forward but from a project management and sponsorship perspective it'll be Lori I have a question are we in the process of rebidding the MMIS did that get postponed and I'm just they're taking a modular approach to 
MMIS as well and so they just implemented a few modules and they're working on them piece by piece so I think it'll be good to have that digit coordinated okay okay so maybe everybody knows what MMIS is that's the Medicaid Management Information Systems the claim payment it used to be EDS years ago and now Hewlett Packard DXE changed over time so but it's what pays the providers for Medicaid beneficiaries okay so we have two things prepared for you today one is the executive summary which is basically the first two pages of the November 1st report which is complete and will be released to you all later today so that you have a chance to have plenty of time to review it and ahead of the making a recommendation to joint fiscal and then I have some slides that just walk through the high level things that we talked about last time that we wanted to make sure to hit on today so the on the summary not a lot has changed since the last time we talked it hasn't been very long essentially what you see on the color coded chart is what we saw last time all of the projects with the exception of business intelligence are on track and in the green the last time we talked we had just gone live with our enterprise content management system on base and that launch is going on continuing to go well we're just trying to finish up some remaining security items on that project and that project is slated to close in November we'll get into a little bit more detail in the slides on the business intelligence topic because I know that's when you all are interested in and then the two big projects that are starting up online application and premium processing are going well the vendor kickoffs for those projects happened this past week so successful procurement vendors are on the ground and now that work that development work is starting in earnest so good news there so I won't spend any more time on the report itself we can go through the slides but those are the big takeaways from that 
summary I noticed Cass on your fourth or fifth bold point here that CMS has approved the cost allocation that to me seems like an important thing it is and I have a slide or two on specifically that we'll get to in a few minutes good yeah that was sort of hanging out a little worried about that one ok so if we go to the second slide before we get to it I'm looking at the color coded slide regarding project performance and the comparison of estimated project spend and current projected spend and I haven't done a math but as I look through what appear to be higher than anticipated project spend and then compare it to what's lower just by eyeballs tell me that the estimated the original estimated is lower than the project is lower than the project spend is that right I didn't see a total here so there's a couple things to note so the legislative report asks for report outs in very specific projects so it doesn't ask for an analysis of the overall IE budget although we have that and one of the things I'm leaving the team with is all the backup budget documents for actual financial testimony in January so that's one thing the other thing to know about these numbers is these project numbers bridge fiscal years so it's not a one to one if you can't just like add all of them up and then compare it to our appropriation the project's bridge years the high level read out on where we are is that even though the cost of some of the individual projects are higher we've been able to live within our means so the fiscal year 19 budget closed out and we under spent by just about $100,000 the analysis that we have on fiscal year 20 is that we're going to be able to meet all of our commitments pending the resolution of some of what happens with BI but within the budget that we've been appropriated for fiscal year 21 we're about $200,000 short if we get the full appropriation based on what we're currently projecting but we believe we can manage that because the one thing that we've 
seen year to year is that we always under spend so I think the staff on the ground tend to overestimate the amount of staffing time for example that we're actually going to need on the project so we see staffing hours come in lower stuff also moves slower than you anticipate some invoices come in later than you anticipate and I think we talked about this in September like we right now feel like we are in good shape with what we asked for and being able to deliver on our commitments within that budget what might just comfort lies is I look at projects I really would like to see where we're saving this money if virtually every individual project that we're measuring for this is over I can't figure out where the savings are and I haven't seen anything that effectively summarizes the detail and add the two fiscal years together to show me what we're spending and what we're saving in other words where the money is coming from that represents the ability to come on budget when the individual key project most if not all seem to be over budget we have all that data I'd like to see that like on one piece of paper a summary that really gives me comfort that I understand what I'm looking at looking to understand senator is so we see that these projects I want to make sure I'm clear these projects most of them are over they're projected spend some of them are twice their budget and what my understanding is is we are not however going over budget in the budget year that these projects are taking place over fiscal years so what you are asking for is to see how we're managing that over multiple year budgets sure I'd like to see for example if these are over what's under yes so over multiple years of dealing with this you can take the fiscal years the two that we're looking at and list them separately and then show us a total yes and I will just say that the reality of this of budgeting for these projects is that at any point in time the projections are like constantly being 
updated and so we have to pick some very clear points in time so if the question is hey when you guys came and presented a budget to us in January of 2019 here's what you said you would spend line by line and then where did you end up at in July of sorry in January of 2018 and where did you end up in July of 2019 like we just need to pick those concrete points in time we have all of that data and can share that with you as well as we have line by line with paragraph explanations for every line item for what we're projected to spend in the next two fiscal years I think the challenge is that you know you create these projections before the project starts so it's your best guess of what you're going to need and that every single week you're updating that based on new information so we know the forecast change over time but at the point in time in which we're trying to do an evaluation to understand how the project is going it's helpful to understand if we started out with an overall budget for this project as defined as integrated eligibility how much did we project that we were going to spend at some given point in time how much have we spent so far and then based on what we know right now what is the forecast as to how we will end up when this project is done and then of the individual elements of the project what's over and what's under so the first thing you ask for is in the long form report that you'll be getting this afternoon so it has hey our projected budget was actually 16 million in fiscal year 2019 and we spent 10 so those numbers are there as well as what we're projecting to spend in gross and state share for the next two fiscal years we have what we can do is get the budget detailed to the committee that's behind it okay and I want to just I want to again what I'm hearing you ask for is also a forecasting so that is okay yeah that's something that you can also provide yeah I mean I I would have to go back to Sarah Clark and ask what is the plan for the 
BAA for the capital bill and like when is that information when is it appropriately appropriate to release that information given that this is your last day yes they have all the sure we connect with you and Mike sure that who Mike should follow that that makes much sense if I just want to understand what Senator Brock is saying some of which you can manage just because of cash flow and the way timing comes in but I think if I understand what you're saying is at the end of the day at knowing you're going to have these variations and and crossing fiscal years if we thought the program was you know that the work was going to cost 15 million and at the end whatever when completion it comes in at 18 for example so some of this just shocking you know that occurs because of timing development estimates on staff I think the fundamental question is when we say this this phase has been completed are we going to come in at that end how close to what we thought was going to be I mean historically we are under spending our projected budget I think there's when you look at any particular fiscal year there's really three reasons that you see that we're able to stay within even if projects go over so one is some projects move slower than intended but it could mean that the cost which is why I give you that's why I give you this view because if you take business intelligence for example which we'll talk about that we under spent based on what we projected for fiscal year 19 because that project was moving more slowly than we anticipated the total cost of the project is going up because of some of the contingencies we've triggered which is why you get this view but from a budget perspective like some most of those costs got shifted into state fiscal year 20 which contributed to our ability to stay in budget for fiscal year 19 so there's a couple different weight slices of the budget that it sounds like you want to see it just depends on the project the other thing is we have 
program support staff so we're running seven projects simultaneously so there's a pool of staff that help us manage the big picture we under spent on those staff by several million dollars in 19 so we had projected an amount we under spent that that was true money that we thought we would spend that we didn't that isn't getting pushed into 20 so there's a bunch of different reasons you have to just look at it line by line so I want to just see if the committee is comfortable we'll get a sounds like we would like a deep dive kind of multi-year financial overview in November and can we move forward with today anything with excruciating detail and complexity and envisioning something that ought to be able to be put on a single piece of paper that would show us what did we project that we were going to spend with some line items associated with it these are the individual projects at a given point in time when we're evaluating how much have we spent to date in actuality and then forecast and we know that forecast change as time goes on how do we forecast that we're going to end in terms of what we're going to spend in terms of eligibility and if those things are going over what are they if those things are where we're making up the savings what are they the fear that I have from an oversight perspective is that savings as we've described here I can't put my fingers on what those where we're making the money up and the knowing feeling that I have is that what we may be doing is putting a lump of money out for what we're going to spend in project costs overhead costs or whatever that is kind of a cushion to allow us to have tremendous variations in what we actually spend and it makes me wonder how good our planning is and my suspicion frankly has been fueled by what happened in Vermont Health Connect in which by the end of the day we wound up spending $200 million which was by no means what we expected to do and that's the real oversight function I have some information 
for you I would like to just I think it's important to look back at fiscal year 19 where we projected an amount and came within $100,000 of that spend so I think that is a good indication that there is not a significant amount of pushing in our budget the budgets IE used to be carrying were about $36 million a year and we've been significantly coming down from that trying to get more precise that being said there's all sorts of stuff that we're learning every day the amount of money that we need and move stuff from bucket to bucket and we can provide all that information I'm going to ask us to focus on two things we need to make a recommendation about the release of the next set of funds and any information that you need us to know with your departure um I think we want you to go through your presentation we good? just one thing, Catherine Benham's here obviously from joint fiscal has been involved in that capital bill so and because it's coming to joint fiscal it might be good Catherine if you look at the materials make sure that we're getting the kind of information in a way that is not only important here but would be for joint fiscal as well and you're talking about the request that Senator Brown was making as well as that because this is an issue that has been raised by joint fiscal members as well in terms of and I think you had a memo that explains the ups and downs that you did for the earlier meetings so I can and we've actually we have that I have that memo and all of the projections with and have already sent them to Dan Smith so he has them as of today the question that we need to just I need to check with finance and management about the release of those as part of the budget so that's the only thing I want to check on before when I leave here today okay so it's just can you go through the next yep, go through the next one about what have we delivered and this looks a lot like what we looked at last time but it's just the recap that again we committed 
to delivering four products in 2019 and three in 2020 as of September 16th the last time we talked we had to deliver two products that was enterprise content management the document imaging and scanning system and the paper application to deliver the dock uploader in October or November time frame it probably will close out midway through November and then the fourth product we'll talk about in more detail is business intelligence which we're still our goal is still February and then we're on track to continue meeting our CMS mitigation requirements for the age-blinded disabled population slide so I already mentioned but there are two projects that we just started the premium processing project which will return qualified health plans back to the insurance carriers by October of 2020 and the online application for the age-blinded disabled population to be released in June of 2020 and the economic services programs to be added to that application by the end of next year both of those projects are on track and the vendor kickoffs were held this week so the vendors are on the ground and working master data management I previewed this last time the steering committee voted this week to put that project on hold until a later date because we have too many things going on at once right now and it does not seem prudent to start another project that isn't a requirement of either the legislature or CMS until we get some of these other things business intelligence in particular across the finish line is master data management it's not on there because we haven't started it yet so there is a paragraph on it in the long form report that says hey we're putting this on hold it was planned in our roadmap we had wanted to start it in October but like I said based on the fact that we're still trying to get business intelligence across the finish line that we're starting two big I mean significant public facing projects online application and premium processing both need to deliver 
real changes to the public we just don't feel it's prudent to start another project right now so what premium processing when would that become effective October of next year would be those of us who are on the budget a couple years ago you assumed a million dollars in savings by having the insurers do the billing so they'll pick it up for plan year 2021 but remember it's not like a clean break so insurance carriers will start doing the billing for plan year 2021 in November of next year we the state need to continue to accept payments for 2020 plan year till about March of 2021 and need to be able to adjudicate 1095 changes you have a three month grace period if you're going to advance premium tax so yeah so there's some decommissioning that has to happen in the first and probably second quarters of 2021 before we're fully out of that okay the master what was it called master plan management is there a budget implication for putting that on hold it wasn't a lot of money it was the money that was in the budget was about $570,000 gross so it was to be allocated across all programs so it saved us maybe like $150,000 from the state budget by putting that on hold which we need for business intelligence so but it's small okay so before we get into BI there was one particular request that came out of the I think this committee and out of dance mess recommendation when the last round of money was released about network connectivity and essentially how is the state going to prevent projects from being impacted by network connectivity issues in the future I'm going to tie this one over to Darren sure we've adopted a new testing tool that will identify whether there are issues with the network and with the solutions performance that's a software from Apache and I think we've incorporated it into our development life cycle so it's going to be run as part of the routine testing cycles along with the other testing we hope that will avoid issues in the future and this has to do 
with the transfer of data that cause the significant delay so this is functioning now yes we haven't had any replication issues for a couple months now so it seems to be working correctly in terms of the network itself but now we have additional testing tools to look at and we'll see who's looking right now who's pressing anybody in the grid I don't know it's a question of something upset let's talk about business intelligence I put a couple slides in here so you can see the conversations we're having behind the scenes because it can get complicated so just bear with me just a recap on what the business intelligence project is so I for short is our reporting in analytics capabilities for Vermont Health Connect and essentially we've been using a standalone solution called Oracle Business Intelligence which is part of the larger Oracle platform to run our analytics for Vermont Health Connect and when I say analytics I it's not your typical analytics solution in that remember that the technology for VHD is broken so we've been able to do a lot and improve the customer service experience with technology that is not working even today the way we want it to so a lot of it is manual intervention and we really rely on our reporting system to be able to do our day to day work so there are spreadsheets that are used to mail merge notices to people there's spreadsheets that we use to do 1095s to get them out the door to do corrections it is part and parcel to our day functioning it's not like we're just using it to run reports on who's on our programs as you would think of a typical data browser analytics solution so it's really a part of our core business operations at this point so the idea was hey everyone else in the state and everyone all the other programs in integrated eligibility are using a program called Microsoft SQL that is owned and managed and maintained by the state and so it was for us to be able to sunset that standalone Oracle solution sunset the contractor 
that we've been using to keep that warehouse up to date and run reports for us and move that work in-house and we've been working on that for about a year and a half talking about it for probably two and a half years now so as you know you can go to the next slide with this project really there's been two big challenges earlier this spring and summer we had network connectivity issues which was preventing us from loading the data warehouse with production data so that we could fully test it and this is what we just heard correct yes so it's very hard to know how far along you are in the project we have real data in there and actually start testing it and we really needed four months of full testing before go live so when we knew that was happening we triggered a contingency earlier in the summer to essentially delay the Oracle system upgrades that we had planned for September and push them to February to give the team more time to finish and the reason why the Oracle upgrades are significant is because we were upgrading everything in the DHC system and we made the determination when we pursued the business intelligence and enterprise content management projects that those would be across the finish line for the upgrades so we didn't need to install those pieces of Oracle software in the new Oracle package so when you go live with the new Oracle the new Oracle upgrades we would not include Oracle business intelligence and we would not include VCU web center that we used for document imaging and scanning because we would have transitioned to new systems so obviously we couldn't do make those Oracle upgrades happen if we weren't done with the warehouse so we got pushed to February and so when we talked back in September we said alright we have some critical milestones that the team needs to meet in order for us to feel comfortable that we're going to hit the February timeline and not trigger any further contingencies and so that's really what we want to update you on 
today so this is a recap of the contingencies that we've triggered in so here's just a recap of what the critical milestones are so there were it could still in the weeds in terms of what the things actually are but I want you to see the big milestones we're looking at so there was milestones for October 15 milestones for November 30 a big testing phase in December and January then we would do the Oracle upgrades in February and then there would be some phase 3 deliverables like there's some reports that we could go for some period of time without if we needed to and so those could come after the Oracle upgrades so back in September the team basically laid this out and said alright each one of these phases are major contingency trigger points for us and so the decisions we're making today are all about if we hit those October 15 items or not did you? no so you can go to the next slide so may I ask you questions if you call back another oh well if in fact business intelligence gets delayed beyond February then you would have to install the Oracle upgrades for that module which you were hoping to avoid so you think in fact it's not going to be possible to avoid installing those upgrades that's essentially the recommendation we're making but I can walk you through this and there's a cost to having to do the upgrades oh well I shouldn't look ahead on my slides okay so so you can see where by 1015 we landed with a milestone so the first criteria was there were 33 what we call priority 1 reports that needed to be completed in testing tested and by 1015 85% of them still needed some work so completed testing testing finding issues with them the team needs to remediate some of those defects the second one was around interfaces and some of this gets in even more in the weeds for me than I'm comfortable with so but the bottom line is that there's still some integration work that was supposed to be finished that's not finished yet and there's some the data the replication of 
the data into the warehouse that's happening every day there's still some manual steps being done and at times problems or challenges with that replication and some changes need to be made to the code to fix that and the best case scenario is that gets fixed by the end of October so the short version is that there's still work to be done to hit those October 15 milestones on the WEX interface I thought WEX was the premium processor in that we were going to move away so I'm confused you need to develop an interface with WEX which is a if in fact it is the premium processing vendor which we're going to replace right not until so this is about enrollment reporting that has to go to the federal government and has to go to the insurance carriers but why is that interface not already in place I guess I'm just concerned what needs to be developed so this is replacing the existing interface with the new data warehouse so essentially there's integration so there's already an interface but you have to replace it so that our enrollment reports work so so basically we considered three different contingencies option one was just to delay the Oracle upgrades further and give the team more time to finish the warehouse you can see these are just rough estimates of costs the cost of hosting the existing data warehouse and the new data warehouse like in tandem I think Darren actually said they negotiated down to $20,000 a month so a little under that $400,000 number but still significant for every month that we delay those Oracle upgrades and then we as long as we keep the current system up and running we need to pay archetype that contractor to continue to run that so there are some costs there again those are gross numbers anytime we're talking about development this is 9010 funded and anytime we're talking about operations it's 75-25 so the state share is anywhere from 10 to 25% of these costs option I mean so option two which that we talked about was install the Oracle software 
so that if we need to in the new version of the Oracle system so that if we need to we can keep doing business as usual but we need to what we're trying to figure out now is whether this also requires the delay of the Oracle upgrades by some period of time so the question we have out for Optum and archetype our contractors is how much time do we need to install the new software and fully test it before we can go live don't forget we're in the middle of open enrollment and we need to install the new version and test all of the reports end to end before we can go live so there is some question as to whether that can happen till February or does the Oracle upgrades have to be delayed to March or April so that we can get the new version of the software in place so there's the costs there still TBD but actually installing the software is $145,000 that's not where the costs are but I think from a business perspective this is certainly what made the business most comfortable because we know how to handle what we're doing today so and then option three was back to option two I'm not sure I understand what it means so it's what you said delay the upgrades but what does it mean to install existing Oracle warehouse solution into the new environment it's exactly what you said so we have Oracle software today Oracle Business Intelligence is our reporting software we had not intended to include it in the new Oracle upgrades option two is included so that we can I understand now but the way it was written sorry I know but so it's continue to do what we're doing today but using upgraded Oracle software could I ask a question the eye-popping $400,000 a month for hosting has that been our cost historically or is that extra expensive because this is a product that Oracle doesn't really want isn't that part of the issue it's extra because we're essentially paying to host two packages of software simultaneously so as soon as we go live with the Oracle upgrades that cost goes away 
because right now we're hosting the new Oracle system and the existing one and you know it's so frustrating to learn that our BI system is one that we own control already and we have for a while Microsoft SQL and you know but I understand that's the reality but I guess I'm just you know what do we have it's more than a dollar per person per month than we have in the database and I wonder if the analysis has been done of like what it might mean to not have to pay that for six months versus could we staff up take that money that we would not pay and jam it into staff to get this through the cross finish line you know what I mean or what we're what we're recommending is doing both of those things so I think so the reality is that if the risk calculation is that if we were to do option one and just staff up and delay the Oracle upgrades until May and then we get to February and and it doesn't look like the warehouse is going to get done then we're in a position to push out the Oracle upgrades until the next open enrollment which means you're paying that $400,000 a month every month and you're operating longer with software being out of support and there's just risks there from a security perspective so at some point I think that's why you know the conversations have been looked like we need a safeguard and we can't just keep pushing out like the longer you wait to make a decision the more risk you're adding and that's why the recommendation is to install the business intelligence software so that we don't have to keep delaying the Oracle upgrades at the same time ADS is going to put some additional resources on the team contracted and otherwise to try to speed up the development of the alternative warehouse so that you know we don't have to keep doing this in perpetuity we're going to take two business analysts out of other projects and then we're going to hire the three additional database administration developers like what budget actually we as ADS we as ADS start 
back model through an MOU to diva but to your point to your point if you can get it done faster and avoid the costs which we're paying that I mean we're paying those costs now at least on the archetype side that really does I think say that it's beneficial to invest more resources to get it done faster so the fiscal year 20 budget right now is predicated on getting this done by February so the fact that we decided I think at like 4.15 yesterday to trigger this contingency there's some financial analysis that needs to be done to figure out how we absorb that in the IE budget for fiscal year 20 again it's 90-10 so you know even if you end up spending a million dollars on something it's a hundred thousand dollars out of the capital budget but we're running a tight ship so that analysis has to be done I would say by the end of the month we're waiting on information from contractors to tell us estimated costs for certain things we'll be done before we have to make our recommendations I would hope so joint fiscal we've done notes before so like I said the contingency decision was made yesterday I anticipate that that information will be available certainly by that meeting we need some information from our contractors about level of effort to install the software, rebuild the reports testing and things like that you said it was Lori Collins yes but I think from a technical perspective I would look to Darren to be able to provide information on technical pieces rather than a level of effort on the contingency you've outlined three options contingency options yes so essentially we're choosing option two plus it's two plus two plus meaning adding some additional staff to try to get it done faster is there any okay is there any pretty much convinced that the February date is not going to work based on where we are now based on where we are today the consensus from the team on the ground is that we're not going to hit February but that could change I just think it's going to 
take a while to hire people and get them up to speed.

So do you have a new estimated timeline?

No, because the February to what?

The question, well, no. So now that we're going to add additional staff, the project team has to retool its project plan based on the timing of additional resources. So in terms of getting the data, based on, we'll have to see what that does. So that project plan is definitely going to be updated. And then the outstanding question we have for Optum and Archetype is what is the level of effort and how much development has to happen to install the new version of the Oracle software, because we don't, I don't know how much has changed between the old version and the new version. If there are not a lot of changes, then you don't have to do a lot of report rewriting and it should go pretty quickly. If Oracle changed some things, then some of the code or the reports might need to be rewritten to get them to function appropriately in the new version of the software. That's what we need Optum to tell us, and that will let us know, like, can they get it installed by February, or is it March, or is it April. So we have a couple of things that we're going to be seeing prior to taking our recommendations. But I think it's always really important to be extremely transparent with you all, obviously, about things that are difficult. I think when you still look at IE as a whole, the important takeaway of that first chart is essentially seven projects in flight; there's a lot of green on that chart. So in considering that recommendation, I think it's just important to see the things that are going well as well as really dig into the things that are more difficult.

So I'm just going to remind the committee, this is pretty important, what we're dealing with. We do have Department of Public Service sitting for us as well.

I can just do a quick two minutes on finances. I think that's the last slide. So again, the big takeaway in the financials is that while the cost of some of the
individual products were higher than initially estimated, overall spending is within budget. I already mentioned budget for 19. Our projections are still to remain in budget for 20. For 21, as I said, we're projecting to be over by about $218,000, but based on our historical spend we feel like we can manage that. And then on the cost allocation side, I mentioned last time that we had proposed an alternative cost allocation methodology to CMS. They have approved that cost allocation methodology, which is now accounted for in all of our budget projections. So that's really positive news. And they've approved the next two years of federal fiscal year funding for IE.

Did the cost allocation actually preserve that level of Medicaid contribution, or did it reduce it?

It reduced it, but not as much as they had originally counter-proposed. So it was a good middle ground. So when you look at the projections of overall spend, for example, in 21 it's actually lower than 20, but the state share is higher.

So if Medicaid is paying less because they say that their share was too high, does that mean that the food stamp, the SNAP cost-allocated portion is going to go up?

Yeah, it goes up across all the other programs, so it increases the state share of the cost of any one project, essentially.

More concerned about, like, TANF and general assistance, because those are all general fund. We're all tapped out on the right. And so essentially when you look, I mean, there will be collateral impacts.

Correct. So for 21, for example, we had hoped to do three major projects. You can really only do two because of the cost allocation. So that's all stuff that will have to be talked about in terms of the future roadmap.

What does that change in ratio?

It depends on the project. I don't have that off the top of my head. And then the last one is just that, you know, we haven't successfully been able to draw down SNAP funds to support IE. So SNAP will reimburse 50-50 for any portion of functionality that benefits the SNAP program. If the
state could figure out how to get those funds from FNS, it would help significantly, to the tune of, like, a million dollars, $970,000 a year. It's just, it's been very difficult to bring them into the fold.

So can you tell me why we should recommend the release of the second funds?

Sure. I mean, I think that overall, when you look at how IE is doing, even today with some of the challenges, we are still delivering more technology that's benefiting Vermonters, spending less than has been done historically. And so, you know, when I think about IE and what we're trying to accomplish, it's as much about what we're delivering as it is about how we're delivering it, and the approach is very different. And so when you look at what's green on these pieces of paper, this represents actual technology that's either making Vermonters' lives better or staff's lives better. So that's one piece. The other piece is there's components of this roadmap that are not optional for us to do. And so when you think about the online application, for example, that's something we have to do to be in compliance with aged, blind and disabled rules for Medicaid, and at some point there will be costs of non-compliance. And so I think the challenge of technology in general for government is that it isn't optional. The question is, is the strategy we're using doing a good enough job at delivering value and reducing risk for the state? And I think when you look overall at what we're able to do, the fact that we're able to deliver this technology and stay within budget is a significant improvement on where we were two years ago, or four years ago, or six years ago.

What would be the consequence of the Joint Fiscal Committee not giving you this?

I mean, the project would essentially stop, and there's a risk that CMS would start to levy financial penalties against the state of Vermont for non-compliance.

Just quickly, is it fair to say that the challenges we face now all stem back to the challenges that we talked
about in the summer? When we, you know, that it's basically this database challenge, right? It's just showing up in an ongoing tension that is cost and requiring contingencies. Is that fair? You mean the delay? It's not like this is a new issue that's cropped up, or a new... So as we try to figure out, yeah, that's right, the same thing that we...

Yes, I think that's fair. I think the thing is you're never going to get the uncertainty out of an IT project, and untangling a system that was a monolith, that uses Oracle software that is really troubled, is going to be difficult, and unanticipated things will happen. And so the value of breaking the projects into smaller pieces and parts is that when there's a problem with one project, it doesn't tank all of the projects. So if this were three years ago and we were having a problem with the data warehouse, everything would stop. In this scenario, you have six projects that are able to continue and, you know, deliver value while you manage a problem with one single piece of a system. And so the problem that we're having today is the same problem that we've been having since the summer on one project, but it hasn't impacted the other projects. It's really about managing risk effectively. It's not about saying everything's going to go perfect all the time. That's not reality, especially given that we have a system that we're untangling from that we don't really understand.

So just, we'll be getting another memo assessment from Dan Smith? Dan is going to write another memo after he gets to work. Okay, thank you. Thank you very much for all your work. Thank you very much.

Let's make sure, Mike, that we can actually pass on the various items that we want to. We have three items that I think we had asked for an update on: Coverage Co, implementation of Act 79, and the readiness to complete the 2020 telecom plan. So we're going to hear about that from you all. We originally scheduled you for an hour. We do need to spend some time with Becky Wasserman,
so we will give you as much time as you need.

Thank you very much for having us. I actually don't think we'll need that much time. We'll try to be as concise and quick as possible. So thank you very much for having us. We're happy to be here. It's been a while since we've come to talk and spoken to you, so, this time last year. So I want to talk about the three items that you asked us to report on, the first being Act 79 implementation. We were very happy with many of the aspects of Act 79. It's been a great bill, I think, for many reasons, the first being the emphasis back on broadband and telecom. There's been a lot of discussion leading up to the last legislative session, I think, through many of the items, programs created by Act 79. The first item is the broadband innovation grant. We have started that process. We've issued a solicitation for grant applications, and we are expecting grant applications for the first round in our office next week. We've had a lot of interest; nearly a dozen entities, I think, have expressed intent to bid, either in this round or a subsequent round. So there's a lot of interest out there, and we're looking forward to getting some of those projects off the ground. We anticipate issuing three rounds. As you recall, it's $705,000 in grant funding for broadband innovation grants. This first round that we issued at the beginning of September...

Could I just go back, Clay? You used the term grants and then you used the term vendors.

I'm sorry, my apologies. There would not be vendors there.

Okay. I don't usually consider, thank you. These are mostly municipalities, like what we had at the Lyndonville meeting, the possible, I don't know if that ever moved forward, but that's what we're talking about. But when you used the term vendor it kind of confused my simple...

My apologies, that was a mischaracterization. I didn't intend to use that term. These are mostly community groups, municipalities, communications union districts. We wanted to do three grant rounds. We wanted to get
one off the ground right away because we knew that there were entities there that were waiting for this opportunity and were ready to apply. We anticipate getting out three grants this fall. The legislation allows us to award up to two grants to distribution utilities, these are electric utilities, after we complete our electric utility feasibility study, which I'll talk about in a second. So in February, after we're done with that, we anticipate issuing a second round that will be for distribution utilities interested in studying a broadband project within their DU territory. And then the third round, we are waiting until April, with the anticipation that at town meeting day in March many communities will debate and possibly form communications union districts, the law that allows towns to band together to build broadband. And so we certainly want to encourage communications union districts and want to give out the bulk of the money after towns have had time to form, have their first meeting and be ready to apply. In addition, in anticipation of receiving grant applications, we've also met with many communities: Windham County being one, quite a few counties, or two counties, in Franklin County, several in Lamoille. We have a meeting in Hyde Park coming up. Towns all over are interested, so we're trying to meet with towns in person, if that's what they want, and talk about how they can take advantage of this program and our other broadband programs.

The next item that we're well on our way to completing is the broadband utility study. This is a study of whether electric DUs should be in the broadband business and how they could get into the broadband business. We've hired a consultant; there was a budget associated with that, I think of $50,000. We've hired a consultant, Magellan. They've done a lot of work in Vermont. They're well aware of Vermont law, energy policies, broadband policies. They've done a lot of work with Velco and their fiber and how Velco could leverage their fiber, so they're well
placed to write this report.

If we can also introduce Scott Reiler from our electric finance division. This is a real manifestation of how we've integrated the thinking at the department in telecom and the electric utility regulatory space, because the study correctly addresses a phenomenon that is slowly gaining traction in the country, of convergence, where the work of the electric space is converging with the work of the telecom space, and people are increasingly recognizing that renewable energy and the transformation of the energy landscape very much depends on having robust broadband. So this is a promising development, and Scott here is working, he's directing the feasibility study that we're doing that Clay was talking about. We also should note that in hiring Magellan we had to spend a little more money than the legislature appropriated for this, because their bid came in higher than the authorized amount, which the department is picking up out of its receipts funds.

Yes, ma'am, you're asking for a name? Okay, by all means. I'm sorry, June Charity, I'm the commissioner of the Department of Public Service, and this is Clay Pervas, the telecommunications director. I thought I introduced myself. I was going to introduce our crew, but I'm standing here.

I'm trying to take what you said, Commissioner, for example. So much of energy policy is going to actually take smart meters and internet connection, like, you know, the charging of your EVs. So that's really the convergence that you're referencing?

There were two National Governors Association studies done in the summer of 2018. They had front pages on those studies, pictures on them. One of them was about transportation and the other was about renewable energy deployment. Both of them had symbols on them; they dealt with broadband and telephones and smartphones, and they had substantial chapters in both reports as well about broadband. And that's where you can really see convergence happening. So you've hit it right on the nail.

So as a
part of that we've issued surveys to every DU, well, 17 of them, a lengthy survey collecting information. We're meeting with every DU, with several telecom carriers, in the next couple of months to talk about this study. So I think we're well placed to complete that study, and I think it'll take us in a good direction.

And who will be receiving that study?

It is a legislative report, so the legislature will receive that study, I believe on January 1st.

Which committees?

Which committees? House Energy, Senate Finance. Scott, I think there's Natural Resources? It may have stumped me. That's okay. At least those three, but there may be others, and certainly we'll share with anyone interested in receiving that study. We should also note on the study that we're reaching out to the PUC, so that it's not just the policy folks on the ground who are working on this but the folks who make regulatory decisions as well, in order to spread the knowledge about the report. The PUC has been doing a lot on the transportation sector. Last year we were full-time. It's all good and necessary work.

The VEDA loan program is underway; it received its first application, so that's available and taking loan applications. We're working closely with VEDA where our duties and theirs intersect, which is to advise them on which locations within the application are eligible under our program, which have broadband, which do not. So that seems to be going well as well. There are numerous other items within Act 79: battery backup. We've had three workshops. We have another workshop on Monday on the battery backup issue. The PUC is in charge of, is responsible for writing that final report. We've been participating. I think that's going well, and I think the report will reflect some good ideas. The PEG study is another one. Coverage Co and the telecom plan are certainly part of Act 79, and I'll talk about that now?
You've had a significant part of that, though, bringing in additional human resource.

Thank you very much, I forgot to mention. We have that resource starting, I hate to refer to a human being as a resource, but that employee is starting November 4th, and he will be taking the lead on all of the community outreach with BIG and the Connectivity Initiative and advising towns on all matters of broadband. As I mentioned before, he's got a full plate already. We have a dozen meetings, I think, between now and the end of the year. He's coming to Bennington County.

He'll come to Bennington?

Anything after November 4th, he'll be there.

I appreciate it too.

We were lucky to steal him from Paul Costello and the rural council. They do work, he's done prior community outreach, so he's very well versed in a lot, and I see that as a huge strength for this hire.

Okay, anything else on Act 79 implementation that you want to update us on?

I think these are the big items, if you have any other questions.

Questions on Act 79 implementation at this point? Are we good? I guess I'm trying to remember: the other big piece was the grants to build out, and will you just remind me, was that in another phase after sort of the small planning grants? Or there was increased funding for the Connectivity Initiative?

That's something that continues.

I'm thinking more of the loans, up to 4 million or whatever. Was that through the Connectivity...?
That has been established. VEDA, and we worked with VEDA, they've established their program. They've received their first loan application for a project in Lamoille and Franklin, so it's exciting.

You know, this just points out how we are making, we all are concerned about economic development, and our legislative economists said if there's one thing that we can do for the rural economy, it's broadband. And oftentimes what we look at, like in Commerce, is the budget for ACCD without really looking in the aggregate at where investments are being made in a more comprehensive way. Years ago there was a report, and like all reports it became about that thick and it died of its own weight and didn't have very much utility. But I think we constantly need to say, you know, how are we supporting the economic development of this state, whether it's through this kind of initiative, through workforce, or whatever we might be funding. And we see it to some extent in Appropriations, but I just think that oftentimes people don't connect what might happen in one bill and sort of the way it complements what is happening in other parts of state government. So I just wanted to say I view this as, you know, this progress is really so much a part of what is key to the economic development of the state.

Senator, I could not agree with you more. I also think when we talk about this issue with economic development, it is important to not let it be defined by economic development. I think our communities won't grow if they don't have this, but we've moved into a place where this is also critical for access to public safety, access to government, access to education opportunities, healthcare, so all of those things.

John Muir said everything is connected to everything else.

There we go. It's just a matter of seeing all those connecting points.

I see it both ways, actually. It's economic development and it's also economic preservation. And then it's also, this is what convergence is about: you can have a strong heart, you can have a strong brain, but
you don't have anything if you don't have a strong circulatory system in a body, and that's what broadband to me is all about.

That's an interesting analogy.

The nerve.

All right, so if we have no other questions on Act 79... Do you have a question for me? Do you have a question for me?

I'm trying to link back. We had, Randy, help me on this. We actually had an amendment on the floor, that there's equipment that had been purchased, the Coverage Co equipment, and Senator Hooker was the sponsor of the amendment that basically said make that equipment available even though there's some obsolete aspects to it. At least it was something when you had nothing, to make it available. So is this what you're going to talk about? Because my memory is like a junkyard. I just didn't like... It's not what we're talking about, except your memory is not like a junkyard. My memory has much more of this junk.

Yes. And with regard to Coverage Co, we had action in place prior to the passage of Act 79.

So I'm hopeful that we're going to hear, let's start at the beginning, at least start.

I can start all the way at the beginning. I can go back to 2012, or I can start after they went out of business.

All right. The VTA, which used to exist, invested in this project in putting up microcells. These are very small cellular units that would go on telephone poles. They partnered with a company called Coverage Co. Coverage Co is a subsidiary of the manufacturer of the equipment, so you can see the benefit to the manufacturer there. And it cost about five million dollars in total. These went up on telephone poles. They completed about a third of the total project and then went out of business. The reason they went out of business was because they had agreements with the large carriers to carry their traffic for them. So if you had a cell phone, you were out in Stockbridge and you had a Verizon cell phone, you could connect to one of these units and Verizon would pay Coverage Co four
cents a minute to carry your call. What they found out was in places like Stockbridge there isn't enough cell traffic out there to cover the cost of maintaining these units, which were largely deployed on roadways and not centers.

Correct. So if you were driving down the road at 60 miles an hour making a cell phone call, you would connect to one of these boxes for a minute at the most, and the idea was that there would be handoff, and they would be on the road and you would be able to carry a call as you go down the road. And some of these sites made a whopping $5 to $10 a month. They had costs of about $300 a month, so they were quickly upside down. They went out of business.

Wasn't there a shift in there, or some 9-1-1 fees or something that also played into that?

Well, a cell carrier is required to follow FCC rules, we call them the Phase 2 rules, which require the carrier that is carrying the call to transmit to the 9-1-1 database information of your exact location, and there are rules, I think it's within 50 meters or 25 meters, I can't remember, of your actual location, so that the police know exactly where you are and can find you if you're unable to state your location. Every carrier complies with that. Coverage Co had to comply with that as well. It does cost a significant amount of money. So the largest fee, I think, that Coverage Co had to cover was the cost for this service, which is handled by a third party. There's a couple of companies in the United States that handle this service, one of them being Intrado. Intrado is in New England, I don't remember.

It's a 9-1-1 vendor out of Colorado, isn't it?

That's right, yes. And they provide a multitude of 9-1-1 services; one is this database service. So that's an expense. The average site cost about 300, well, between 150 and 300, on the site.

So wasn't there a change in some of that dynamic? Coverage Co went out, 9-1-1 coverage went out too?

No. What happened was, at the time Coverage Co did their financial projections, the geolocation
piece was they had planned to have all of the carriers, the major carriers, involved, connect with them. All of them did, except AT&T declined to do so, and it was a substantial amount of calls that came through AT&T that were unreimbursed. All cell carriers are required to carry all 9-1-1 traffic which they are capable of, regardless, but not non-9-1-1 traffic. And that's where the cost breakdown came through, by not having AT&T as available.

It was not appropriated; the $100,000 you asked for, that was later. The $100,000 was to provide a resource for the Public Service Department to be able to provide support to municipalities that wanted to get these Coverage Co boxes.

We'll get there. So after they went out of business, we were reappropriated the remainder of the VTA capital budget for this project. We issued an RFP to find a new network operator. We received two bids. We weren't completely satisfied with those bids. There's still a possibility, they're still hanging out there; we had not made a definitive decision on those bids. But in response to those bids we decided to change tack and figure out...

I'm just going to stop you for a second. So a new network operator would have just operated what would have, had to figure out the cost of connection?

Not necessarily. We made our RFP broad enough that if an operator came in and said I can do this cell coverage a different way, better, then we would have accepted that.

And did anybody come in and say this is a different way, better?

We received two bids. One was more in line with the Coverage Co model of deploying small cells. The second bidder was going to deploy macro sites, what we call big sites, through the use of blimps with equipment inside. That's something that is being tested in other parts of the country, but it's not commercially deployed yet.

Although, as I recall, that project is under way?

It is under way. It's battle-tested technology that the military has used, but the question is whether we would be willing to accept large aerostat balloons.
Sounds funny, but it works.

Sounds great. Yesterday...

It's fair to say reel them back in and put them back up immediately, as opposed to having the system down because it's blown down. There's a resiliency factor here.

So after the results of that RFP, we decided to change tack, and to help sustain the Coverage Co model of having an operator support the operations of these microcells, survey towns to see if they would be willing to support some of the cost of the microcells in their communities. We surveyed all towns with the help of the League of Cities and Towns and regional planning commissions. We found that 35 towns would be willing to provide some sort of financial support, the average being for two sites in their town at an average cost of $900 per site per year. The total cost of a site can range from $1,400 to $1,800 a year, so that really does change the dynamics. So with that in hand we've issued a new RFP. Results are due back next week. That would obligate an operator to use the capital appropriation to put up and restore Coverage Co equipment.

The towns would pay?

Yep.

Require them to use the, or their own if they can do it better?

There's no obligation that they have to use their own. The reason for that is because there may not be a fiber connection where many of these are deployed, so this is going to rely on a DSL connection. This may be the right technology for now. I'm not going to go down that bunny hole.

Okay. It is quite a hole. Could I ask a question? So 35 towns said they'd pony up some money; that'll change. Does that mean that if in fact you get a vendor and you have the installation, the towns that didn't pony up, they in fact have the benefit? In other words, are they freeloader towns, and you'd have to pay to have this?

No. But I didn't know if in fact having that site would provide benefits beyond the geographic...

They're pretty, they can go about a quarter of a mile in either direction. There may be that on a border.

I was just, thank you. I don't think there would be
any cross-subsidization in that. Just thought I would ask in terms of who pays and who gets.

Correct me if I'm wrong, but this would likely be most ideally used in rural village centers that have no cell service, and that's not how they were originally deployed, largely on rural roadways.

Yes, that is correct, with the idea that you would have continuous, uninterrupted cell coverage between village A and village B, and the spots between the villages would be supported by sites that were making more than their costs in more urban areas. I imagine that with this setup there's going to be a natural, of course, since the towns are paying for it they can choose where they want to put them. If they have a specific public safety concern, there's this one bend on such and such road where people are always going off, maybe we should put one there, and they can support that. But I imagine with the towns choosing where they want to put it, they're going to tend toward village areas where, or maybe gaps.

Or gaps, where everyone drops a call.

Yes, correct.

I think this whole issue of the Coverage Co being in this bill was just a function of the fact that, A, we had the stuff, and it was clear that there wasn't a vendor that was going to replicate what Coverage Co had done, and the choice was to find some use for this that would be practical on the one hand, or get these for sale before they become even more obsolete than they are. And I think the one thing that struck many of us was the fact that in the last year that Coverage Co was up there were 1,200 E911 calls that were made through these boxes. So that in itself suggested that there was value in having them. Now, the fact though that with what we're doing, putting them in village centers as opposed to along highways, suggested the use has changed and we still may not have solved that E911 problem. And that goes to the larger question of the need, and that is to figure out a way to get cell phone coverage throughout Vermont, which we still haven't quite done yet.
And I can't disagree with you, Senator. I would only say in response that with towns, if the towns are funding this, they should have some decisional control as to where they go. But in addition, we've reached out to public safety, and they believe that there may be use for these boxes, except we might have surplus equipment for their two-way radio systems. So they could do a Coverage Co-like, but a microcell-like, probably with two-way radios, using sites that Coverage Co had established but aren't being used currently. And then the third avenue we're exploring is state parks, many of which do not have cell phone service. We had a great success, actually, Barnard Silver Lake; that was probably the hottest site as far as traffic goes, and replicating that at other state parks like Maidstone, all over. I mean, most state parks have a cell issue, so there's an opportunity there as well.

Sorry, but I go to a state park at least once a year, and not having cell service is okay. Just curious if we have any consumer data on whether or not it really is wanted in state parks. It's just a stretch.

The only data point we have is that the Barnard site was used a lot, and I don't know if that was by park-goers necessarily or people in the village on the other side of the lake. But again, going back to public safety, maybe that rowdy camp party gets out of control, I don't know. You certainly don't have to use your cell phone, but there may be...

You can leave it at home. Then you don't know.

So the third component is the $100,000. I'm sorry, the third component of Coverage Co is the $100,000 that we can deploy to help towns. We've issued another RFP for a consultant that we would make available to towns. If we do not get results that we like from that, we have to go to a grant system where we provide a grant directly to towns so they can hire a consultant of their choice. But we thought it would be helpful to towns to have a person that they can reach out to immediately. So once we have that, we'll provide notice to the towns with
the help of regional planning commissions.

And refresh my memory, what will that consultant be helping the towns with?

That consultant would be assisting the towns with ways that they could use this equipment to either create their own system or decide, if we have a network operator in place, where they should be putting systems to get the most benefit from that. And I see we have Becky Regent, so one last issue is...

I'm sorry, are you done? Readiness to complete the 2020 telecom plan.

So we're currently assessing our readiness to complete the plan. I think we're in a much better position today to have that plan delivered by December 1, 2020.

Okay.

So the legislation has changed the requirements of what should be in the telecom plan, which would at the very least necessitate a comprehensive overhaul of what we already have, essentially a new plan. The legislation also changed the way public comments are handled, as well as sets a finite number of hearings. So the plan is due December 1. Working back from there, it's a pretty aggressive schedule. We would have to conduct the hearings in October and November, so having a final draft before then, and a public comments draft probably at least two months before that. So that gives us the winter and half the summer to issue the public comments draft of the plan.

In the legislation you were asked to come to the legislature by a date certain, that it would suffice us, if for any reason you did not feel that you would be able to comply with producing the plan on time. And I think one of the purposes we had for including this in this agenda today is to just get a sense from you whether you felt that you were comfortable being able to produce it without having to come back to us for anything additional in the next year. Is that how you feel right now?

Assessing our ability, one thing we're doing is we've issued a request for information to see if an outside consultant should write this plan, so gauge what the cost is, what that would look like, whether
that's an avenue to explore. So I would say we're exploring our different options for meeting that deadline. The legislation, I believe, asks us to come to the legislature with sufficient time for the legislature to act, which would necessarily be this session, particularly on financial resources, is my memory. And the RFI is intended to give a price tag for what it would take to have an outside consultant prepare the plan, because it is a resource issue. But our thinking today is very much intent on how do we succeed with this mission, and so if it comes back that this is an affordable thing to do, to have somebody come and do the plan, that would be great. I may be writing to you then to ask for the money for that, because, as others are aware on the committee, the department has been under severe financial pressure and this is an unfunded mandate. We are also trying to aim for success without that. To be perfectly candid, there are many things competing for the department's attention, particularly the telecom division's, so that's a careful juggling thing. But certainly meeting the assigned deadline is the intent of the department, however we can get there with all these pressures.

This seems like it's such a critical area, but I think it takes a great expertise to put together a plan like this. My question is, would it actually be to the state's benefit to have that external horsepower, so to speak, in the plan development versus just an in-house project? I'm trying to approach this...

How does this... The product that we delivered last time around was not satisfactory to the legislature, and so our thinking was then we need to go to a new approach, which would be to see what an external resource might tell us we should be doing, or propose by way of a plan, coupled with the new requirements in the statute. So that's our thinking. We want to get a plan done that is acceptable to the legislature and that is useful to the folks who turn to this plan for guidance in doing any number of activities in the state. I
will say that I'm proud of the work we've done, but I understand that others see it differently.

Okay, do we have any other questions? Great, thank you very much.

Thank you.

For the remaining time that we have, I wanted to pick up on the conversation we started at the last meeting: items of recommendations that would be coming out of this committee, potential recommendations for legislation, potential proposed legislation. And so, Becky, maybe the thing to start with for the committee is just going over, making sure we're all clear, what we have so far identified as issues we want to focus on. This is very high level. So Becky is with Legislative Council.

So I'm handing out a draft memo of a list of recommendations for next session, and this list was taken from the end of the last meeting when the committee was putting together some ideas. So it's just a very rough draft at this point. So I'll just go through the list, and I think there might be some questions on what was meant by certain items, so that maybe we can get clarification on it. So the first one was create workforce development initiatives in the information technology profession.

Why don't we go through all of these and then come back.

Okay. So, refer an evaluation to the judiciary committees to look at both federal and state statutory provisions relating to cyber crimes, and the idea there, I think, was to look at whether there were any deficiencies in both federal or state law that needed to be addressed. Developing a risk assessment process within the Agency of Digital Services. Then there was discussion of having some legislation relating to various reporting requirements. The first that was mentioned was the level 3, 4 and 5 risks, and having to let the legislature know about those; a system for notifying the legislature and the judiciary for when ADS or the executive branch is doing audits and system testing; and then the last one relates to any state data backup requirements. The next one on the list deals with local government
cyber security risks. I think you heard more about that today. The next is evaluating progress and compatibility between existing and proposed technologies, so I think that one might need some clarification. Next is creating some sort of inter-branch council to oversee cooperation on cyber security issues. Then, I think Kevin discussed this earlier, assessing the vulnerability of legislators and conducting legislator training on cyber security. And the next one, number 9, is looking at whether there is a need for a legislative expert on cyber security who can provide technical assistance to the legislature, and this would be a similar role to what Dan Smith plays right now, except on a different topic. And the last one is looking at system vulnerabilities and what actions can be taken to address them in the state system.

So shall we start from the top? When I start from the top, I think what I'd like to do is to see first if there's consensus that yes, we want to make a recommendation in this general area, and then start putting a little flesh on the bone for Becky. So many of these would apply back to the policy committees, so what we would be doing is recommending that as part of their committee work in the ensuing year they look at these areas for further examination.

Yes. So with regard to workforce development initiatives in the IT profession, so Senator Brock has asked... I'm not even sure what the... I think both of you had talked about the ability to raise the pay, if that's a recommendation that we want to make. If we want to make a recommendation...

Market factor adjustment.

Market factor adjustment. I know we had Beth Faustigian on that, and I think she indicated that she was looking at that and they have the capacity to do that, so there's no law that would be required for them to do that. I think what we can do is just indicate in our report that we do see that there are perhaps deficiencies in the amount that we pay folks in certain IT functions, and to request that the Commissioner of
Human Resources look at the appropriate use of market factor adjustments in these areas, based on whether their evaluation supports it.

I think, in addition to that, we were thinking of, at least I was thinking more in terms of, promotion of information technology as a profession, as an industry, in terms of high school, community college, college curriculum, apprenticeships, career pathway, that sort of thing. I mean, we certainly put a lot of money into workforce training, and to put additional, among the amount of money we have, maybe put some additional emphasis on information technology in terms of a preferred, suggested area for students to look at. So not just salary information, but just promotion of recruiting and encouraging young people to go into that.

Well, I know certainly in some of our economic development programs, as we're looking at everything from internships to supporting education to particular professions, that be the occupations that represent need, that we've talked about in legislation such as nursing and health care professions, construction and so on, is to ensure that information technology and information security are included in that. And just a referral to the appropriate committees on economic development to consider that.

So this would be economic development. Would it also be education, or no?

Well, actually, in the economic development bill from a couple of years ago, we put a position into the Department of Education for the tech, because so much of it was really into the tech center, and then he left, but the position is... I don't know, I can't read, I'm not sure what's happening in the department or agency at this point. But I think we could... it was very much part of the economic development bill, in the workforce piece, so I think that would be a recommendation back. The other thing that comes up is that under the federal program, she's got this workforce investment board. It's got, you know, the board's so big you need an auditorium to house it. It's over 60 people, I
think. But to me this is the kind of discussion that group should be having, because it brings in the educators, it brings in the employers and so forth. So maybe we could tie this into some kind of recommendation to economic development and how they could identify those structures that are there that can help evaluate and put together some kind of plan.

So this is Commerce.

This is Commerce. However, I think the... so making that recommendation, is that a legislative...

That's not a legislative. It's going to be Gov Ops, because it's state employees.

Gov Ops. Becky, do you have questions? Do you have a sense of what the committee is looking for there?

Back to the workforce thing for a minute. Are we just sort of encouraging Commerce or economic development to ask these questions and poke around? I guess I'm not clear what work...

I think what we're doing perhaps is just emphasizing to them our perspective that there represents a need for additional resources in information technology and information security in particular, as part of a critical need in our workforce, and encouraging them to perhaps explore this further. And I don't think we should go further than that.

So, and I think the frame here is really state, I mean, it's our state systems, so we're having a hard time keeping our high-level state security, right?

Well, I think this is largely, I think this is a statewide problem, and I think it affects both the private sector as well as the government sector in terms of a critical employment need. In terms of the state need, that's where the salary structure is acute, but there's just a critical need for people with that skill set throughout the bond. From an economic development standpoint, some of our emphasis in what we do with the recruitment, training, workforce development, we recommend that more emphasis be placed in this area.

Good. Next.

Okay, Seth, this was... you were joining us over the phone, so I'm not sure that we got this correct, but this evaluation to the judiciary committees to review
federal and state statutory provisions on cyber crimes to determine if there are any deficiencies. I'd like to just check if I understood what you were talking about. So I mean, I think what you were saying was, does it translate to theft as a cyber crime versus I walk in your front door and steal something? We need to modernize our statutes, is that what you're saying, to reflect cyber crimes?

And that maybe sometimes, sometimes our statutes are outdated for today's environment, and do they adequately address the growing rate of cyber crimes?

Right, the location of a crime across states. You were talking about jurisdictional issues as well as, you know, weighing it similarly whether it occurs online versus in person, kind of thing. So I did speak to the attorneys on our judiciary team, and I mean, we do have a chapter on what we call computer crimes that I think addresses some of what you're thinking of, and then their take on it was sort of, if the elements of a crime are met, then it doesn't... I don't know that there's necessarily a distinction between the method of the person, or whether it's a computer or a gun. So I think it might be helpful to, I guess, be more focused on what we would be referring to the judiciary committee. I mean, if it's a review of the computer crimes chapter to see if that is sufficient, you know, if there's anything lacking in that chapter right now.

One of the common themes across all states is kind of a rubber band effect, like technology advances and then 5 or 10 years later the laws catch up with it. So trying to structure these things in such a way that it's not tied to any particular technology or method of communication or whatever.

Yeah, I guess I... since you have a clear picture in your mind of what you're talking about, would it make sense, would you be able to talk to Legislative Council, who has the knowledge on this, and see if there's gaps that stand out? Because it seems totally plausible to me that there are, but I don't know. The other question I
have is to see the Attorney General's office, as we're talking about cyber crimes. I would think they could also be very helpful to see if in fact there is a need to modernize or revise some of the statutes in this area as well. It seems like that's a logical place to explore, because it seems like some of that would get into actual situations that they encounter. So is that something you're willing to follow up with, Becky?

Becky, do you feel like you have enough information to...?

So next we have developing a risk assessment process within the Agency of Digital Services.

We don't have one, is that correct?

I just need a little bit more clarity. We do risk assessments of projects. We keep risk logs during the projects. Is this a before, after, during maintenance and operation? To what extent? I think just more clarity would be able to...

I think we had talked about three and ten possibly being the same thing, referencing the same, assessing system vulnerabilities and what actions. So I, please correct me if I'm wrong, I feel like these two items came out of a desire for us to have a prioritization of where the risk was, and for the legislature to understand prioritization of where risk was in the systems. So is DMV a riskier system than the term health?

I wish I'd brought the NCSL guide for what legislators should be, you know, questions that we should be asking, and it may not... many of them would probably fall to the policy committees, but that might be something to just take a look at to make sure that we're taking advantage of kind of that work, in terms of how legislators should be thinking and responding, and questions that we should ask, and knowing what's in place regarding their systems. NCSL's guide to legislators, you know, I'd like to go back to that and say let's see how we're doing in those areas, or did some recommendations flow from that guide.

These issues were derived from the question of what are the 10 biggest risks that Vermont faces in information technology and
whether or not the efforts that we're spending are aligned with those risks. And I think that's really what we're trying to get a sense of: is there a process that really defines what are the biggest threats that we have, and then, you know, are we devoting our resources appropriately to deal with those risks, or someplace else?

Mike is calling up that document.

Senator, it seems to me that this is sort of already inherent in the budgeting process, but having said that, ADS is sort of a billback. So I mean, clearly, maybe it's as simple as sort of calling it out as a distinct item, but surely ADS brings forward a budget that reflects their own analysis of vulnerability, right?

I'm not sure that it does.

So I'm not sure that it does at all. The thing that I have been really wanting to make sure is that we are not... I mean, this is such a huge issue that we are, you know, being careful but also fulfilling our oversight role, and that we have enough knowledge to support appropriations requests, right? And so in terms of, you know, I have no reason to believe that is this... yeah, no reason to believe that ADS is not coming in with... you know, they have to admit that they're doing what an assessment means. I'm sure we put in funding for the staff, put money in for the software acquisition, so it does translate very directly to some of the requests we've received.

Item 4 on this list talks about create... I'm not sure we need legislation to do so, but creating some kind of reporting mechanisms on what you call, we call, level 3, 4 and 5 risks of various parts of state government. Isn't this tied in as well with what you're talking about with system vulnerabilities and risk assessment?

I'm sure Quinn had his hand up. I just want to make sure, do you have something you want to say, or are you re-contemplating?

I was just going to say, you know, when we talked about risk, most of the risk that we incur, or that's out there, is due to lack of funding across, you know, the technical debt that we have, the age of our systems. This
isn't something specific to the state of Vermont. This is something that all 50 states deal with. I just left a conference with 49 other peers, and we spent hours talking about how do we fund IT going forward, because so many of the agencies are in a billback model where we can never get ahead of the curve. We can never, you know... or we haven't figured out a way to, how do you create an innovation fund when everything has to be billed back? How do you, how do you have a discussion back when, Jim, that's the key to the whole thing, is where do we get that seed money to build the system, that then when agencies are ready we can say we have something ready for you, rather than trying to line it up in which fund is where. And, you know, Human Services goes first a lot of times because they have the money there, but then we have to cost allocate it afterwards, and it gets very messy. So across the United States, the way we bill back and the funding model is really broken.

So I'd like to add, both of you, for us to look into, which is possibly a recommendation of innovation at ADS. I'm sure they will not recommend... and recommend us. So it's getting back to our assessment. Do we feel, so what do we want to do in this? Let's see, right there, tell me when to scroll.

Yes. I just continue to believe that ADS at some level has that, and I think what we're talking about is helping us understand it, maybe in a predictive way, so that we're not only getting it in their budget reports or whatever. So I don't know. I hope we won't go too deep in reinventing anything, and the House has got a technology committee that is much more focused on this issue. We've got some funding through the capital bill, but we don't have the same kind of technology focus, but the House has got greater capacity to drill down.

Well, I guess the question would be, we assume we have this, and I would ask the Secretary, do we have this?

We do, through our different documents that we do as part of a system. So our security metrics available across the
enterprise? Yes, those are on our website dashboard.

Is data classified by risk?

Data is classified by, usually, federal standards or federal compliance needs, which again speaks to risk, because if it's IRS or HIPAA...

Who actually conducts those?

So they're usually done a number of ways. One of the ways, which is new, is full vulnerability scanning of each system that we have. That's a new thing in the past year that we're doing. Before that, we didn't have any visibility into that. So yes, we do that as well. We could... it changes every week, because new patches, new security updates come out, so we could have a thousand one week and 400 the next. But that's pretty granular. But I think, you know, in my eyes, knowing that we have that, that's a level of oversight that you'd want to know, is knowing we're addressing the risks with these types of scans and these types of assessments.

I have a question. Senator Brock, in your former lifetime, you were in the whole field of security risk, right? Do you have thoughts and experience from professional work that you've done that could help us? Because there's got to be transferability in terms of what the private sector is doing.

The private sector is grappling with the same issues that the public sector is. It tends to be grappling a little faster, and they have more money. A lot of the financial institutions have more resources to be able to devote to it.

So do we want to make a recommendation? Do we want to make a recommendation, period? Do we want to make a recommendation that committees of jurisdiction ask these questions of ADS, that they understand that this is happening? Do we want to take this off the list?

Well, I'm just, I'm hesitant to create a bureaucratic nightmare in terms of requirements being placed throughout state government. I mean, clearly, every system-related activity that an agency is involved in, and that the legislature mandates, the issue of what risks does that action create and are they being well managed is certainly there, but that's as much an
oversight responsibility, not just for us but by committees of jurisdiction, and the agencies themselves have... What I'm probably more interested in is, are these things being effectively and independently evaluated in terms of risk? And that's as much an audit-type responsibility, and as you recall, we've asked the Auditor, and we haven't gotten real good answers back on that, because it's a capacity issue for them as well, in which they need to get outside resources to help them. They've only got one real IT auditor in the Auditor's office. But that to me is the most important thing: having that oversight be built in to everything that we do throughout state government, that we do have an effective risk assessment process, that we understand the risks that we're facing and that we have adequate responses to those risks, and if we aren't able to, that we've identified what we aren't able to do, and that's a plan for at least raising it to the legislature's attention for the resources necessary to deal with it.

I think you just framed a recommendation.

Yeah, I think so. Don't ask me to repeat it.

I see you like both. I would also mention any new project of $1 million has to go through an independent review process where they go through these questions and evaluate the risks to the project.

So that would be a recommendation for the committees of jurisdiction, which would be Energy and Technology in the House. Would it be Finance in the Senate? To ask these questions?

Well, I mean, the questions ought to be asked for people who are building Integrated Eligibility, for example. That's what I'm saying, is these kinds of things have to be embedded in everything that you do, not just in some committee that has the responsibility for, quote, security.

That's right. It's sort of like, how do you legislate good practice? Good health. Everybody's got to practice stuff to be able to be healthy. You don't expect your doctor to deal with your weight loss.

I just bought bigger clothes. Elastic waist.
Well, I'm going to try and keep us on track here, because we're already over. So do we want to... do we want to act on this? Do we want to come back to it? Do we want...

How about if we get you to write up what you said to Becky? Would you be willing to do that?

I think I can try. It's recorded.

Of course. I'll read the last month's to kind of reframe one of those. So I'm going to assume that's three hands down.

So for number four, is the first one related?

Well, I think it all fills in. But wasn't that just when an incident occurred? This is a risk.

So this is right, level 3, 4, 5. It wasn't risk. It was incident.

Okay. So this is a system for notifying the legislature. So there's three things here. A system for notifying the legislature of those level breaches. Incidents. As well as a system of notifying when there are audits and system testing, which I understand is quite large. And then state data backup requirements. So I've spent a little bit of time talking with Secretary Quinn about this and Becky about this. One of the things that I've asked Secretary Quinn is if he could propose what might be appropriate. Do you need legislation for this? I don't know. I think actually, in terms of how would we, how would the legislature do its, conduct its, be able to conduct its oversight if we are not notified of breaches? So how can we ensure notification of breaches at that level? Do we have an... I mean, I think we have an obligation to know. Maybe the committee does not. Is it something we want to punt?

I'm not prepared to make a recommendation that we do it. I'm thinking that there are a variety... We talked about other public safety. We talked about, do we have in statute a requirement if you had a riot at a correctional facility? I mean, just think about it, some of the emergency management kinds of things. There are a host of issues around why this one incident relative to all these other emergency situations. I don't think we've got protocol for every single one to report back to us.
I think commissioners, as a matter of course, would contact the committee chairs or whatever as a heads-up, but these are more internal protocols. So I don't feel comfortable that we should propose identifying cyber security breaches elevated above all these other kinds of incidents that we may not address. I have a statutory requirement... so that's my concern about putting something in statute, and how does this square with other kinds of situations that are potentially out there, or out there over time. So that's my concern about singling out one type of incident and saying that rises to the top, in terms of some things that are just based on judgment, that I think we need to rely on the official judgment to tell us things that we need to know. But as a practical matter, in terms of the urgency of telling us, there's not anything we can do about it anyway.

You're right. Well, you're absolutely right. It is judgment.

It is judgment. And it's hard to legislate judgment and common sense.

I could save a lot of health money if I could legislate. We live healthy and depart quickly.

Okay.

For that, I'd be a bit... because cybersecurity is a... the difference between it and other crimes is it's an emerging market, as it were. It's the sort of thing where people are not entirely familiar with the topic. So it might be prudent to keep a closer eye on it than some of the existing criminal activity like drugs and burglary and so forth. And perhaps a sunset or something like that. So it's like, all right, let's keep a closer eye on this topic for, you know, a couple of years or something like that.

Do you want some kind of report? I don't know, in terms of... I know I hate reports too, and most of them unfortunately don't get read by very many.

A report not exceeding one page.

Well, frankly, we do need to be careful about that, because legislative attention and capacity is limited.
So I think that's a part of making recommendations that we want to have rise to the top for committee attention, because there are a lot more bills out there than committees ever can consider.

If we want to somehow collect... but that's only within state government, those security breaches. We're not talking about the general public. We're not talking about, you know... I mean, so I'm just thinking in terms of cyber crimes and so forth that would be external to state government. So I don't know how to...

I agree. In other words, how do we get a better grasp on the magnitude of the situations, or the inevitable incidents?

To your example, since it is related to state government, how do we currently compile facility vandalism or a burglary for state property currently? Is that up to the individual committee to review if it's brought to their attention, kind of thing? If something needs to change?

I mean, I was thinking, just based on working for the Institutions committees, I don't think that's something that they regularly hear about unless BGS is asking for money to, you know, repair something. But I don't know, as a matter of course, they would... obviously there's different, you know, levels of seriousness, but for something small, I don't think that's something they would regularly report.

You know, I think Secretary Quinn had walked us through notifications, was it last meeting?

Yeah.

Was this one at the end of the intro? So what? Excuse me. What was that one?

So this is all internal process that they have, and so I think that there is a value in making it some sort of, articulating some sort of formal... Can you click on that? Is it this one? Yes. There's a large flow chart in there.
So we see where the legislature is, and those are informal. So this is internal and informal, and I don't think we need to be a part of all of that, but that place where we have the legislature, you know, where we're notifying folks, you know, I think that that is a place where I would like to see is kind of articulate what is that, what is it that we're doing, how does that happen? And my concern is really around oversight, making sure... so I think we've got a great partner in Secretary Quinn. I think he's pretty proactive in terms of notifying us. He's not going to be in the position forever, nor will we be here forever. What is that process?

I'm really struggling with this, because if we look at criminal justice, what we're talking about is whenever, at a high level breach, if we were to say to Public Safety, report to the legislature every time there's a murder or there is a significant, you know, issue of law enforcement... I mean, I'm just trying to look at how we set up something here that's consistent, that's consistent with our expectations for other areas of crimes or breaches, and while we're focusing on the IT, I'm just trying to look at how it conforms or aligns with all the other areas of state government in terms of what we expect back to report. And so, you know, I just... maybe if you had something at the end of the year that says to us, these are the number of incidents we had in state government, these are the ones that are very serious, these are the ones that, in order to address this, we are recommending that we acquire, that we acquire, you know, this would be our recommended response to address that need. That could tie in, with the benefit of experience, get it to the legislature in terms of what you need for a legislative response to address it. And some of that is happening already, right, in your reporting, but it's that there's... but we didn't ask for the number of incidents. We assumed, when they said to us, we're worried about this risk, we took their word for it. We didn't, you know,
ask. I called you, you're away, you know, in terms of, tell me... and I didn't ask for how many levels of risk and so forth that was behind your recommendation. I must confess I didn't do it. I accepted your assessment that we were at significant risk and we needed to spend the money. I mean, there's, there's so much that we don't know, and we're not going to know all of that, you know, so that is really...

Okay, I think we'll maybe come back to this, unless folks want to continue to push on it or we want to take it... Do we feel like there, do we feel like this is an area where we need to come to some, to come to some recommendation, that there's any kind of action warranted?

I don't think there's... I think there's existing reporting already that comes out of, certainly out of ADS. I don't know about Judiciary, but certainly comes out of ADS regarding, as we talked about, you know, we had an experience in the last year, that's a problem and we want to address it in such a way. So that gives us that assurance that they are following it and now they see something done about it.

So breaches or incidents, we are... how are we providing oversight, how are we providing oversight of the executive branch, that they are maintaining, you know, that they're, that they're properly protecting Vermonters' information if there are breaches?

I don't know if there is already, but, you know, there could be a suggestion that the annual report should include a paragraph on what has been the status of breaches in the past year, and if there are any untoward results that need to be addressed. I just see it as being folded into a routine annual report.

So adding some sort of additional specificity around breaches into the annual report, something along those lines, to bear, do more, bear regrets or whatever.
Yeah, it's fine. You know, it's not like we have a lot of breaches. We have a lot of incidents where we further investigate and find that, nope, it's okay, and that's my hesitation with notifying people too early, you know, if I don't...

I'm talking about, I think what Marty and I are talking about, at the end of the year when you're doing your report, to give us a sense of the magnitude of the experience of that year in this particular area.

It's not just breaches. Incidents in general, in other words, the squirrel bringing down all of our systems for a week, or whatever the case may be.

That's why that one was out here, but it was fine. But incidents might be a better term than breaches. But serious issues regarding information technology that should be brought to our attention.

Which gets into the judgment.

It's a judgment issue. I do think that we're talking largely about ADS, but the legislature, judiciary are also things that we're interested in. For example, if the court system has been brought down for a week because it can't use its information technology, I think we probably would like to know about it, not be in the dark.

So for that number four, that reporting requirement seems a little different to me than the notification requirement and the data backups. I just didn't know if you would like to also make a recommendation on those.

Do we want to recommend...

So I think the second one came from when there was the Department of Homeland Security testing, that the legislative and judicial branches weren't notified ahead of time, although I guess...

But then we also had testimony that they recognized that it should have been done, and in the future they would have that notification in place, which is what I understood was said. And Kevin, you're nodding your head.

Well, we've got number seven, which says, talking about cooperation between...

So it falls in that bucket, if we can legislate cooperation.

Well, you know, it doesn't mean that it has to translate into a bill. It could be just a recommendation that
there be protocols established to notify, and then we can declare a victory because it's been done. But I'm just thinking that it could be as simple as that.

We had talked about the new senator that had recommended, with state data backup requirements, John was asking, you know, that's all over the place, and I think, was it you or was it Becky that made the suggestion? It was Becky. I'll take it. Making sure all agencies develop backup requirements, as you, Becky, protocols, do they already have it?

Yes. Yes, so the backup protocols wouldn't come from us necessarily. It's based on what the business needs, what the recovery point time is, what the recovery point, you know, what they need to get back. So do we need to back up hourly, do we need to back up daily, do we need to back up weekly? All those have cost drivers, so each agency picks those based on the classification of the data, how sensitive the data is, and what they need from the data. So we found in most cases that this is a cost driver for agencies. So, you know, we found very few systems across the 1,400 applications that we have that require something to be up all the time, right? So you think about, you back up every 24 hours maybe, but in order to rebuild that system you have that backup of 24 hours ago. How quickly does it need to come back up as well, right? So if the system crashes and it goes down, it needs to be rebuilt. How quickly does that system need to be rebuilt? Is it an hour, is it a week, is it eight weeks? It all depends on each system. So this is left up to the agencies, with guidance from ADS, the criticality of the system, and that's how their backups are defined. So each agency has already given us input and decides whether we keep the backups for one week, two weeks, two months, two years, and that falls in line with their retention periods as well.

Is there reporting done on that, the backups? We do thousands of backups. Is there reporting done on the standard for backup, in terms of, is there any record of the standards for
backup, like, is that some formal process that the agencies adopt through... There's an enterprise assessment done with each new system, and there's an SLA where we talk about the backups, what the recovery times will be and what the backup schedule would be, and that drives the cost. So we probably have a lot of the documentation buried down in the technical documents. I'm just not, I don't look at it myself, right? So I don't want to tell you yes, everything's perfect, but we have most of that documentation, I would think.

Is there ever a time when an agency might say, you don't think that they're doing the right assessment in terms of the criticality of their system? Are you relying on the people who know what the work is and what that system has to support to make that determination around criticality?

Yeah, I think, you know, that there are times maybe where, with an enterprise-type system, I may disagree, but at the end of the day it's their system, it's their data, they know their customer better than I do, and if they're willing to take that risk on, you know, a system being down for two days and, you know, only having a backup from a week ago, then they have to use their judgment. It's their money.

I think we're going to pause here because it's only a few minutes over. So, Becky, I'm going to ask you to kind of flesh out a little bit on the ones that we were able to work on. You know, certainly Senator Brock and I continue to communicate. We'll come back to this, I think, in November. Mike reminds us that we have a change of venue. Yep, so our next meeting is scheduled for the 15th of November. It's all in your calendars, but the location, the building, will most likely still be shut down for the electrical renovations that's going through. An optimist would say no, but most of the buildings say yes. So we've arranged for the next meeting to be in the fourth floor board room of the tax department. It's 133 State. You check in at the front desk. We'll have everything
lined up and ready to go, and it should be the same experience that you're used to. We'll be there. I am not going to be able to attend. Okay, out of the country. I am gone as well. Okay. Not gonna be... Again, I'll be physically here. It's good to know. Okay, and I do have some... Sending Representative Chase the audio. Can you make sure that Senator Pearson... I already talked to him; he's going to be here, so that's fine. Yep. Representative Chase, the audio from September's meeting, just tell me where it is. It's a wink. I'll send it to you. And then, President, Senator Brock, October. Did you want September also? I wanted what I said today. October. It's like an hour ago. You should have bookmarked it. You know what, I wrote down the time. Oh good.

Just in terms of next meeting, we are going to hear more from ADS and BLCT. We'll just continue that conversation. We're going to hear from Jill Ramek on the parcel mapping and the assessments that they did, with the surveying that they did as part of that. We'll hear back from Integrated Eligibility on a big-picture overall financing. We heard timeline going forward, staffing and financial going forward, and all those people have already confirmed that they'll be there for that meeting. Thank you, everybody. Thank you.