 This is for all fiscal officers. At the same presentation, 18F, which is a federal government IT group, and they're working with integrated eligibility, they gave this presentation and they handed out this workbook called De-Risking Custom IT Projects. And their target audience was exactly people who are making these decisions, funding them. How do you manage these enormous projects? And a lot of what they recommend is what integrated eligibility is doing smaller, trying to buy smaller pieces. But it's about this big. I brought in my hard copy. They talk about user-centered design, agile software. Who owns it? They're like states should own the product. You don't let the vendor take it when they leave. Modular contracting. They also had this thing, require demos, not memos. I mean, it's really, is demos not memos? Good. So they're saying like, don't let the contractor come in and say this is what we did. Have them come in and show you what they did. Because I think a lot of times contractors come in, demos, memos. And so this, it's not a hard reading. And even if you just read the bold, it's a really interesting thing. And as you all review projects and move forward, like I said, integrated eligibility is doing chunks of this. So you will recognize it, but it's certainly not, it's a hard, it's a real transformation in how you think about funding and managing big IT projects. It's hard for, you know, to change people's ways of doing it. Procurement's a big part of it. So it's, I highly, when you're born. Is that on NCSL's website? Or the conference uses it? I'll send the link. And we've actually posted it on this committee page. It's not on the NCSL because it wasn't part of the major agenda. Because it was just the fiscal officer program. But you do have it. And there's a press release also that I can send to you if you want it. But it's really, it's fun reading. I mean, it's fun reading. It's more fun than some other things I'm reading. So I, you know, even when you're not bored, it would be useful for you all to read. It's because you're gonna be getting continuing to get projects. And I think Dan Smith found, I think he uses a lot of this also. And it's a useful way for him to think about analyzing projects. One thing that was really important that you mentioned was the notion of looking at true demos of what it is you're buying. Because I remember in dissecting the Vermont Health Connect, there were actual demos of things that involve software that had not yet been written. So the demonstration that was actually presented was fraudulent. So demos. It's not just demos, it's basically, you've got to have some impact on what you're getting to make sure that you're not getting a black box that looks as though it's working, but it actually is not. Katherine, I wanted to just clarify the audience for that is legislative. It is the legislative branch. Is it state government in general? State budgeting and oversight is what? So it's for people, it's not for the IT specialist. I mean, it is in this big picture, but it's really written for people like you for finance management, people who are being asked to fund and think about projects. How do you, what are the right questions to ask? How do you want to manage it? One of the other things I want to mention, they do talk about is you need to hire in good IT staff. You need to have people in your business or in your city, government who are good also. You can't just outsource everything. Like you need some people inside who are good. So that speaks to hiring, budgeting for that kind of thing as well. That again was one of the things I know that we talked about a bit the last time and that was the ability to hire people at the levels that you need given the salaries that the state was paying. And again, if you take the Vermont Health Connect as an example, the lowest paid person from any of the contractors was earning more than the people who were providing the oversight at the state and state government level. And I just remain concerned as to whether or not in the hiring structure that we do without some sort of an override, a market factor adjustment, if we're actually able to hire people at the competency levels we need to provide the oversight that's required. That has been a perennial issue since the 70s. Although we see that wage disparity between state government and even nonprofits. Look at hospital salaries, look at variety. So it is a challenge for government. It is absolutely challenging. I will say that one of the things, so this group, 18F is a little bit like the Peace Corps. They go and work for this federal agency for four years and then they're out. It's like a short term like losing it. But they said, you know, people wanna do some good service in their life, so they may be willing to come. You know, it's not always just about money. Obviously money matters, but sometimes there are other reasons that people will come and do if they feel like they can help out in some way, do something, feel good about what they're doing. That is a piece of it also. Because that's a problem, I think for every fiscal officer who was there, it was like, you know, who has the money to compete with California, right? Or... So that was a different workshop than the one that we went to. Yeah, because here's, did you go to this cybersecurity one? Is that what you had? Yeah, the task force, which I'm really happy that we went to that, so it was good. It was a one day effort and they had a single program that they did on Monday. It was about two hours or thereabouts. It was word for word, a dental. Oh, good, I'm glad I didn't say. Except the audio-visual didn't work. I mean, probably the biggest takeaway that I took from that task force was, you know, most legislatures are behind. This is really expensive and you have to prioritize. There you go. There we go. Everything. So anyway, you have access to this and I'm happy to get you hard copies if you want. And then the other thing I wanted to... Katherine, if you can get hard copies, I would love a hard copy. Okay, we'll just get the workbook, the handbook. I already have, I already asked for one, so you don't need to make a copy for me. It's already... I'll look at it online. I can't look online. I like... I know. You can't feel it online, is that what you're saying, Senator? I mean, I can't feel it online, but I can see this, see right here. I can touch it. I can look at it. So don't make me a copy, is what I'm saying. I already got one. One of the other interesting things that he talked about was Waldo, is his name Waldo and Robin. And Waldo was talking about in his presentation, you know how we all have all these things that plug into the wall, the outlet is a standardized thing. Really, you should be designing systems so that you can unplug pieces and plug in different pieces so that you're not locked into one person who manages everything and is customized. I think not. That doesn't always work because you had beta versus VHS, right? When you did the videos at first. But the concept is that you really are... You need to control vendors and you need to make sure that they can make it accessible in a timely way, which is a good lesson for all of us as we learn that it hasn't worked. The last thing I'm gonna talk to you about is Integrated Eligibility Funding. And in the capital bill, the Integrated Eligibility Project is funded in installments. And September 1st, AHS and ADS have to deliver a report. And then at the September Joint Fiscal Committee, the Joint Fiscal Committee has to approve it, give them authority to have the next chunk of money. Joint Fiscal is supposed to get recommendation from the chair and vice chair of this committee, the chairs of the institutions committees and the chair of the house health care and the Senate Health and Welfare Committee. And so you're gonna get the report September 1st, Joint Fiscal's meeting September 16th. There's not a lot of... It's a pretty short turnaround time. Dan Smith is going to his plan is to turn around a memo recommendation within a few days of getting the report. So you all will have that in your hands. For those of you who have to provide a recommendation and Joint Fiscal will have it also. Do you wanna talk about what you were thinking for the process? We talked about trying to get that to turn around pretty quickly, so getting a report, the recommendation and then having Becky draft a letter and then sending those three things out to the committee to see if there were additional edits or... And then that recommendation would go to the Joint Fiscal. Some time before the 16th. Yes. I may be in Comunicato, so if you don't get a response from me. Okay, just... Yes. That one. A little winter. Sounds like you're incarcerated. Bolivia, is that it? Bolivia? Yeah. Where? All over. Oh my God, I was in Bolivia. Well, we'll talk later. Yeah, we should. Hello. So this same thing if this works, we'll probably have... Well, it needs to happen again in November because you have the same process. So if this works, that's great. If it doesn't work, you won't have a different plan in November. I'm sorry, November. You won't have it because the Joint Fiscal meet again in November and have to prove it next and so on. So this report is supposed to be presented, completed and presented by... I just want to get the date. September 1st. September 1st. All right, so we're only days away from when that report is supposed to be. So I would assume the update today is going to be pretty much give us what would be in that report. So the timing is kind of helpful in terms of the quick turnaround. I think the only other alternative to the plan that we've kind of talked about in terms of that letter is if the committee wants to convene on the phone or in person, which... Can we reserve the right if the report is sort of shocking? Or what we hear today somehow says that they're way over budget and way behind, then perhaps we would want to meet. All right, I think that's it for me. Do you have any questions or anything? Okay. That's great, thanks. Cass, you ready? Sure, can you set it to there? Wherever you'd like to set your hand on it. You've extended our cable anywhere you want now. Thanks. And I think we have your materials. Yes. Great. Okay. So for the record, Cassandra Madison, Deputy Commissioner at BEVA and Program Sponsor for Integrated Eligibility and Enrollment. So I'm here just wanting to... Is that a new program sponsor? Yes. Oh, is that a new title? No. I'm sorry to say it again. She's Program Sponsor. Program Sponsor, business lead, person who cares the most about this thing. Is that an ADS term? It's a project management term. That I've heard, I would say. Is that consistent for all of our IT projects? Yes. Okay. So I wanted to present an interim update. You're right that we're gonna have the written report ready for you on September 1st. So a lot of what you hear today will be reflected in that report, although there are some things that we're working on from an IT perspective. They're kind of late-breaking, which will be, you know, need to be updated in the final report. I will say just briefly touching on what Catherine said on ATNF. They are an advisor, as she said, to IE&E, we're working really closely with them. Basically what they've laid out in that workbook is the heart and soul of what IE&E is trying to do. And some parts of it are harder than others. It's a large-scale transformation project. It's not just about delivering the technology. It's about changing the way we deliver technology. And I'm sure that if you all were interested in hearing more from ATNF directly, they would be happy to make a trip here and talk to you. So that's offers on the table if you want more information about their work. So the focus of this, I think we can look at, I just tried to make it really simple to look at our in-flight projects and understand their status. So if we, I know we only have 15 minutes, so I'm gonna focus on the places where we have risks. The places where we're doing well, you can see healthcare paper application, that project's in its phased rollout. We've met our first two CMS mitigation items. That's also in green on there, third from the bottom. And the two new projects that we started, our online application and premium processing projects have started off really well and we expect to have a vendor on the ground in September. The places where we're having challenges, so business intelligence, this is our reporting and analytics projects. We talked about this last time we all met. It's basically we're sunsetting the Vermont Health Connect standalone solution for reporting and analytics and moving to SQL Server, which is a solution that is already owned and maintained by ADS staff. When we talked last time, we talked about state network issues that were preventing us from loading that database with production data so that we could start testing and that really delayed this project by three and a half months. Those issues have since mostly been resolved and the data is in the database, but as we started testing, we're seeing that there's a lot more work that needs to be done on the database itself for it to be functional. So we've had to trigger a couple contingencies. One is to delay some critical Oracle upgrades that we were gonna do in September of this year. We're delaying them until February so that we can maintain the existing data warehouse for the next through open enrollments. We don't pose any risk to open enrollment. You mentioned that as a contingency last time. I did, and we're triggering it. We are also going, moving to actually contract out for 1095 and enrollment reporting instead of bringing it in house because at this point, we don't believe that the state staff are in a position to handle the complexity of that reporting. So for at least the next year, we're gonna need to contract out for that. Why? Why? Is the state. I think that that reporting is very complex and we wanna narrow the focus of what the state staff are working on and have them focus on setting up the core warehouse and setting up operational reporting and not pose any threat to our ability to accurately produce 1095s and enrollment reporting to meet federal obligations. I have a similar question. Have we been, is this a process that's been in house and we're gonna start contracting or have we always had it handled by a contractor? We have always had it handled by a contractor. This project was an attempt to bring it in house as a part of our overall reporting solution. And just given where we are, we need to get this done by February. We need to get the core data warehouse built by February. That's the form people need for their tax. Yes. So that. It's really important. We would hear the phones would ring. The number one priority is to protect operations. So what we're trying to do is narrow the focus of what the state staff, the ADS staff need to work on and we're focusing on them on finishing the build of the core data warehouse and getting just regular operational day to day reporting up and running. 1095s and enrollment reporting to the federal government are very complex. And so moving to contract that out, we feel like it's just safer. Let's not mess with that. Not moving. It's keeping it. It's keeping it. Yeah, but we're gonna like, we're looking at moving a different vendor. Yeah. Of course. Yes. So not to get too far on. And this is probably a John question. The network issue, the network delay was at a high level because of. We don't know. We have four different vendors working on it, including us. And, you know, we don't know that it's a network issue or a big configuration issue of the system, but we have the vendor on site for that product. They're not seeing anything. We have network vendors here. We have C2 here. We have everyone looking at it. We're doing line captures from the network. So for those of us that aren't like network engineers, how did that manifest? Like what did that look like? Like we weren't able to move from one place to another. Yeah, it was disconnecting partway through the move. So as we move files, it disconnects and stops. Okay. And then we have to start over. And that was a three and a half month problem. Yes. Okay. On and off. Which for business intelligence is mostly addressed. We have the data in the warehouse now, and it's replicating with a reasonable speed. But now we are seeing a network issue in a new project. Our enterprise content management project, which is document imaging and scanning is another project where we were sunsetting the standalone VHC solution and moving to on base, which is owned and maintained by the state. That project is green, green, green. Everything's looking good. We went to move the data, the files into production three days ago, and it times out at 150 files. And we need to be able to move 10,000 a day. And so we're in the same situation where there's teams trying to figure out what the problem is and we can't seem to figure out what the problem is. And so it's impacting go live for that project and it's also impacting go live for the document uploader, which is because the document uploader, when people take pictures with their phone, it uploads to the document imaging and scanning system. So if the document imaging and scanning system can't move the files, then neither can the document uploader. So we can't go statewide with that project without these issues being resolved. So I think Secretary Quinn is the best person to be able to explain what is happening on the tech side. I think on the business side, we are trying to figure out what our contingencies are. Like I said, we've set ourselves up the value of doing smaller modular projects is that we have isolated risk. So we're gonna be fine with open enrollment. There's no risk to the existing system today. What it does mean is more time and more money as these projects get delayed. And at some point we're gonna have to have conversations like at what point can this be addressed? I don't know if the technical issue that Secretary Quinn really has to talk about. And if not, what are our other options for this capability? I don't wanna take really much more of your time and ask any question, but I am gonna ask one more question, which is, and we can talk about this later, John, at the end of the meeting, maybe more. But are we seeing that kind of a delay or a problem with any other IT projects in terms of? Yeah. Okay. No, not that I'm aware of. This is the one area that we're seeing and that's the puzzle. When we look at our network, it looks like traffic's closed just fine. And that's why we brought in so many vendors is because we can't identify where the problem is. Okay. Okay, thanks. Sorry. Are we gonna have time with Secretary Quinn or what? We have 15 minutes and I don't know how long Secretary Quinn's available. I'm happy to stay past that at the end to just talk about where we're at. He's with us for an hour and a half at the end of the meeting, but we have a presentation. Whoa. So is it appropriate to just ask questions now? I mean, to me, this is, I'm trying to get my head around and Secretary, you're always in such dangerous territory because somebody like me knows very little, but I sat through it with the exchange. And these are the kinds of reports that just are sort of hard to digest. So I remember from a couple of meetings ago learning about this data transfer and that's a big chunk of data moving through our network and we were watching that. And so I guess I don't understand how how do these produce months of delay? Like I download movies, you know what I mean? It's just so hard to fathom what is going on. What I would like to ask is if we can keep those types of questions towards the end so that we can stay, so we can make sure that Cass has enough time to tell us what she needs to tell us, that sounds more like an EDS kind of oversight. A general EDS oversight, would you agree? I agree with that. But it's not in the cybersecurity discussion. So I mean, it is, to me it directly relates to the question we're about to be asked, which is how do we review the September 1 report? And so I don't, as long as we get to have that discussion, how does that begin? I mean, do you have a brief kind of answer on that or is this, do you have an answer for that? Brief one? I'll try to make it brief, yeah. You know, when the problem was identified, we immediately started working on it, but as I've testified before, our network was never documented as it was put together. We don't know how things are connected. We have VHC, which was put together without any real thought based on the federal guidelines that we had to follow, and it's a complicated system. Now we've had issues with AHS systems overall because they're in very, very poor condition, and so is the network. I mean, we took that over and we've been working on it, but this is a long, complicated process. This isn't like changing the tire on a car. This isn't something that's easily repetitive. This is technology that's fairly complicated. I mean, we have four vendors on site trying to help us with this issue. So it's not a skills issue with ADS necessarily because we have outside vendors. We have vendors outside of Vermont working on it. We have, you know, product owners working on it. When I say product owners, like the PCM, the Highland OnBase contractor or company is looking at their logs and looking at the products. It's not a trivial situation. I mean, it's not for a lack of trying by any means or lack of, you know. But are we talking about sort of wiring or servers or the whole mix of it? Or, you know, can you just paint a picture other than this is all, then we're trying to figure it out? Yeah, so we don't know whether it's the servers, the data center, or the, you know, packet transmission that's happening. So, you know, we have stuff living in one data center that has to go to a different data center. So one of the things we're doing is moving it all to one data center to try to stop some of the network issues between or potential for that is a way to rule things out. We've looked at the product. It looks configured correctly. Highland has, which is the company for the enterprise content management has looked at the configurations that everything looks pretty good. You know, we don't understand why it's timing out at 150 files, which means it's not a firewall issue because some of the packets are getting through. It's, you know, there's several areas that it could be and I think that's why it takes so long. The other part I would say about this whole entire thing was, you know, when we talk about an agile process, not supposed to have a drop dead date at the end of it. It's supposed to be iterative. It's supposed to look at the problem, work the problem. And here, we're, you know, in this, you know, we call it an agile process, but it's only, you know, we're trying at state government to move to this agile process, but we still have those hard deadlines that we're trying to meet. So every time we get close to one, it's, you know, uh-oh, we're falling way behind when really when you're doing an agile project and you're developing something for the first time like this, it's not supposed to be a drop dead date. I also say, so we take a step back and just look at the approach that we're trying to take. User-centered design is working really well for us. Working in a more agile way is working really well for us. I think approaching things modularly and having smaller procurements is a really positive thing is like I said, even when we go into the red or the yellow on some of these projects, the ramifications of that are contained, right? It's not disrupting our operations the way it would have when we were working on Vermont Health Connect. So we have successfully reduced risk. The projects that are in green and even to some extent the ones that are in yellow are already making people's lives better. So for example, we know the document uploader is out there at at least several district offices and working with the sisters and people are really excited about it. I think where we have a challenge here is it seemed logical to take a technology that was already used and owned and maintained by the state and to expand the use of that technology. So in the case of on base and in the case of SQL Server these are not new technologies to the state. We have state teams that use them. That's where all of our data is already for the other integrated eligibility programs. So there was logic in expanding that. I don't know if there is something we could have done ahead of time to analyze our network capacity, for example, or staffing capacity to make sure that we were equipped to expand it in the way we were trying to expand it. And maybe we couldn't. Maybe this is just part of the agile process and we're gonna find out about this stuff as we pick pieces of it apart. But I think that's what we're facing now because of the places where we're having problems or the places where we're trying to expand existing state technology, it's not the new stuff that we're trying to go out and procure. Okay. Well, I'm having a hard time sorting this all out because you're talking about the AHS network not documented, even the state's network is not documented. So it sounds like in fact inherent in this project is a need to examine and start documenting and formalizing the network. So we're in some ways not only doing integrated eligibility, we're doing a lot of house keeping, so to speak. And it's hard to sort out how much of this is, maybe this gets to Senator Pearson's question. We've got the work that's being done on the agency side, then we have the hardware and the responsibility that floats into your shop. And they are interrelated and obviously Cassandra's efforts are very much contingent on how the ADS side works. If we look at the summary, for those of us who are trying to sort this out, would you say your work from on your side is pretty well ahead and that what we're really dealing with is a very complicated tech issue that needs to be solved. And are we going to end up with a network that is documented and I'm not sure what happens to the AHS network, is that going to be subsumed, is that going to be replaced? Because that is more than Medicaid, it's all benefit programs. So could you just help me understand how much of it is going to fall to you and we're going to hold your shop responsible and how much it is because Cassandra's folks aren't getting the work done. I can take responsibility certainly for the technical side of things, being delayed and being behind. This is a complicated project. We're going to continue to see, this is just the way I see it. Future reports will have yellow areas and we may even have red areas. We should expect it. I think with a project like this, I mean, look at it from a health connect, right? I mean, and then you step back and you look at the way we're doing it now in a modular way, short, small pieces of work developing as we go, there's going to be slips in time. I mean, that's all part of the learning process of Agile and continuing to learn, but the network piece, we are doing that work but it affects our cybersecurity as well when we see an issue. When we see, you know, it give us an address. We don't necessarily know where that address is at this time, right? So we're doing that work behind the scenes and some of the money that you all appropriated to us for some of the network replacement is helping with that. Okay. The date that is on there for target delivery date, is that a date that slipped from its original date because of the delays? The only one that has slept at this point for sure is business intelligence. Something may happen today to, if the network issue gets cleared on enterprise content management today, our goal now is to be able to go live on the 29th and there are war rooms going on. That's February? No, sorry. For enterprise content management and document uploader, those are the dates, those are original targets. Okay. We would like to, right now, our next target is to try to go live with enterprise content management on the 29th of August if we can get these network issues cleared. If that happens, those projects both flip to green and we are fine. If that doesn't happen, we are likely to be in a position where they're not going to go live till after open enrollment because October 1st, we have to have a code freeze and so it's either this stuff gets in in September or it waits until end of January. Does that mean that business intelligence has to be cleared or only the other two? Business intelligence will not be cleared because the database still, the testing revealed issues with the core data warehouse. So there's still work that needs to be done to build, finish building that core data warehouse between now and February. So that won't go before February. Dependencies, if any, are driven by business intelligence. In other words, if business intelligence is not completed and if those network issues are not timely resolved, what's the net impact to the rest of the project, if any? So right now it's a cost issue because we're basically maintaining two warehouses. We're continuing to maintain the Oracle one that exists today so that we can use it for day-to-day operations and we're working on building this new one. So right now, like until February, we're just spending more money. When February comes, we're gonna have some really big decisions about there's Oracle upgrades that are set to happen in February that we delayed from September. And so when those Oracle upgrades go in, at this point, we lose the existing data warehouse. So we have set a drop dead date for ourselves in February that we need to contingency plan around now. And so there isn't really an option to push the Oracle upgrades out anymore. If we don't think we can hit February, we either need to find a different data warehouse between now and February, or we need to pay to install the existing data warehouse in the new Oracle environment in February. So we are trying to work on some contingencies but right now there's no operational impact. It's just financial. In terms of financial, though the September one reports will drive, I'm assuming JFO to fund additional amounts to continue the project. And if additional monies are needed by virtue of these contingencies, does that impact JFO's decision at this point? I can't speak to what will impact JFO's decision. I can say that there are two places where there is a financial impact. The fact that the project is taking longer will certainly impact the capital budget and what other projects we can start given the financial constraints we have. So it may mean a later start to other projects because we're still trying to finish this out because we have a strained dollar amount. The other place where the bigger impact here is in the operating budget. Because the DBA operating budget is where the funds are to continue to maintain the existing data warehouse. So that is five, it's gonna be three to $5 million gross. 75% of that is covered by the feds right now is the hit to the operating budget. Three to five million is the hit is gross. And then it's really 25% of that is what would hit the DBA operating budget. So a million and a half bucks. That's an unexpected and planned forecast. Yeah, because of the business intelligence delay. So I think that that's critical information in terms of what would be those potential collateral impacts in the delay. And even though it's articulating the gross but also what would be the general fund impact whether it's capital bill or your operating budget to understand. I think closing your eyes and hoping it will go well. We've tried that in the past and that's not. So I'm not anxious to repeat that and it's better to take time than be rushed by artificial deadlines but we need to and certainly those deadlines are not set in stone and obviously have to have some flexibility but in terms of what would be the implication, what would be the revised timeframe, what would be the impact on other projects and what would be the fiscal impact. I think for me as a member of Joint Fiscal it's kind of key information. Yes, and those are all the contingencies that we're working on now. I think we had contingencies, we've triggered a couple. Now we're looking ahead at the next milestone and thinking about how do we protect ourselves if we can't hit the next milestone. So expect as much information as we have about that today in the September 1st report and that information will continue to grow as we do additional planning over the next couple months. So I want to be clear that we already have a 1.5 million direct impact. Yes, on the DEVA operating budget. And that is because of the delay. The delay in the business intelligence project, yes. And there are potential additional financial impacts. I'd like to understand that. Yes, so I think on enterprise content management if we have to maintain, so again, that was an Oracle solution that was supposed to sunset at the end of September, if we can't sunset that we will have to pay Optum to maintain that and host that solution again through open enrollment. So there will be some financial impact to that as well. I'll know that shortly. Yes. And your written report will have this information. It's hard to hear it, retain it. So what you're telling us today would be reflected in that report in terms of, it's sort of, you know, if this does not occur, then the impacts are this, this is the price tag. I mean, that's really what I think. With as much clarity as we can give, I just, I think the important thing to know is this, that like this enterprise content management issue is about three and a half days old. So we, the information is changing every day. So as much as we have, we'll get in the September 1st report. If it makes sense to give you like a weekly report out after that on some of these key issues, we're happy to do that as we have additional information. Okay. I think, so one of the things I think is we want to make sure we have a, we schedule more time for you in September. Yes. So that will definitely be happening. Yeah. Are there additional items that are important for this committee to know in advance of your September 1st report and our need to make a recommendation? There's one other thing that I want to give you a heads up on are some conversations that we've had with our federal partners at CMS about our cost allocation. And this is going to be most impactful on the financial side. They, we have had an agreed, so cost allocation is basically when you build a technology project, how do you spread the cost across all the programs that are going to benefit from that piece of technology. So if you're just doing healthcare, the Feds funded at roughly 90, 10, 90% federal, 10% state dollars. With the introduction of integrated eligibility in all these other programs, we have to distribute some of the cost across other programs like LIHEAP and SNAP and TANF. And the only other federal agency that helps reimburse is the Food Nutrition Services, which does it at a rate of 50-50. So the rest would all be on the state dime. The GAs, and TANF is already maxed out and in terms of the block grant, there's no matching. So food stamps is the only one where you think. And you pony up 50 cents, they'll match it. Right, and we've had some trouble getting, actually drawing down that money from FNS. So we've had a cost allocation with CMS that's been approved for the past year and a half that in our capital bill request was based on that cost allocation that approved cost allocation. And we've stayed within that budget. And that was 90-10? No, it roughly turns out to about, it's about 70, 30, or you know, 68, whatever, 34, when it's all said and done. But that's all accounted for. About three weeks ago, we got on the phone with CMS and they told us they no longer like our cost allocation. And they've had a lot of turnover and they are the changes that they would like us to make to the cost allocation. It's to their advantage, I'm sure. Yes, would make it more expensive for the state, for projects that include all of the programs. So our capital bill ask was 4.5 per year. It would roughly put us a little over six, which is a lot of money in the capital bill. We are making a counter proposal to CMS on cost allocation that we feel really, we feel makes logical sense. And if they accept our counter proposal, we will be fine with the 4.5. If they do not accept our counter proposal, when we come to talk to you in September, we'll have more information and we're just gonna have to talk about what that means and then there's gonna be a decision. Like, are we gonna continue, does the state want to continue to put in the extra money to continue to move forward with the vision of integrated eligibility so that all of those customers have an integrated experience? Or are there places where, because there's not enough funding, you want to pull back and do just healthcare? So can you tell me what the difference in, so you're, tell me again, when you expect to hear back from them, with regard to whether or not they'll accept that proposal? I have been eagerly trying to schedule a meeting with them. I was just in, just came back from a conference where that they were at and talked to them about it a little bit in person. So I'm trying every week to get on the phone with them. It's been hard to get a clear response but we're aggressively trying to get on the phone with them. So when we think about the recommendation to join FISCO in September? My goal is to have an answer for you by then but of course, I don't control their timeline. So I can, all I can say is that we're doing our absolute best. I don't, I'm just whether. It seems like a big change. Yes. That we're talking about. And so what is the difference between making that decision in September when join FISCO needs to make that, we need to make that recommendation or their next point, which is when? Is it November? What is, what will be the difference between September and November? I think November will be fine. I think like we have projects in flight that are already going. It's not going to impact any of these in flight projects. It's really about the next round of things that we're going to start up. So our next project that we're talking about starting up is what, it was master data management in October and quite honestly, until some of this stuff clears I don't recommend that we pick up anything new. And then after that, our next project doesn't really start until May of next year. It seems like. So we have some time. We are really getting into a policy and a fiscal issue and not a tech issue. For cost allocation? For cost allocation. Because then the question is, well, do you want to do a Medicaid only standalone health care and pick up all the 9010? Or do you want to give Vermonters back what they've had previously and that is one application would provide the data to determine that you get your health care, you get your food stamps, you get your LIHEAP benefit, et cetera. And to me, then we have to, as the policy is, do we want to provide that level of integrated services to Vermonters and what that price tag would be? And I think that we, I think that even if CMS were to force us into this worst cost allocation, we can do the online application that is integrated for everyone. We can achieve Vermonters going online and filling out an application for all programs. Making it any more integrated than that on the back end is what would be significantly more expensive. So I think that's where the choice comes in is how much more do you want to do beyond that initial application experience? Because that initial application is likely to create the economic services data is going to go into the access system and the health care data is going to go into Vermont Health Connector Access, depending on the program. And the workers are still going to process things separately. So it's not an end-to-end integrated experience. People would still get separate notices. But you could at least, we can at least for sure, make sure that they fill out one online application and that their information is routed to the right place. I think it's the question for the committees are going to be what investments do you want to make on everything after that? Again, I feel like my job is to bring risks forward. And so there is a possibility that we're going to be able to solve this. And by the next time we talk, it's not a problem. But I want to make sure that you understand that these conversations are happening and I don't know what the outcome of it is going to be. Just quickly, I want to say obviously, we wish this was sort of more green and less red. But to me, this seems like proof that this new approach is the smart one. We're not totally dangling out there. My question though is about the Oracle updates. And is it a case where Oracle insists on because of security and other things, these updates, and that's where we get in trouble? Like there's no, are we trying to say to Oracle, can you just give us another six months on your old system because that would be, sounds like really a lot smoother? Is it a case of them putting pressure on us because they don't want to have sort of outdated stuff out there, or how does that work? I mean, from the business side, as I understand it, is a question of these things being out of support. And you have to pay extra dollars to get support on outdated software. And so there are also some things on our security assessment, our poem, those of you are familiar with that, that these Oracle upgrades will resolve. So there's some critical security reasons to move forward with it. But I will tell you, this is again, one of the reasons why we're approaching IE in this way and why we want to move to modularity because on the Oracle side, it's like, it's all or nothing. You have to upgrade everything and it takes a lot of time and money, or you do nothing. Like you can't do anything piecemeal. So a lot of this, to Secretary Quinn's point, these artificial deadlines are artifacts of this old monolith that we have. It's not about these new projects. It's like we're up against a wall with some of these support issues because it is one monolithic system that we have to update. I'm gonna try and wrap this up after Seth's question and we can come back to your suggestion that maybe we need to meet again. Same, worst case, if we do need to decide between the four point, whatever, and the six point, whatever, an important piece of information would be the opportunity cost, how much extra is the Oracle support gonna cost us? What's the extra labor for not having this stuff integrated in state labor costs and third overall, what's the impact to the Vermonters, the quality of service? Because it's not just a four point something versus six point something to say, there's other factors. Yeah, that makes sense. I also just know that our current Oracle contract expires, I think on February 17th. So that's another, what we can ask of Oracle to help us with is wrapped up in the contract. Oracle, yeah. Oracle's not the most friendly vendor to work with either or the most forgiving by any means. Well, we did have a love affair with them. Yeah, it's in our best interest to move away. And everyone has their eye on the ball watching that day and working towards it too. We'll continue to bring in more and more network vendors until we have this fixed. We know those dates out there. Are they gonna present some real problems if we get to them? What'd you say? Are they better or worse than Cisco? Well, Cass, I wanna make sure, is there anything else that you want the committee to know today? Okay, and so we will get that report from, who is that report gonna come from? It's gonna come from you. Yeah, it's a brilliant report. Yeah, great. Okay, thank you. I think the fundamental question is, do we really have any options? We've got this old, not really, not well functioning from on Health Connect. We're dealing with some delays. We know that we're probably gonna have to have some, I love all this new terminology, war rooms, agility, in-flight, you know. Sorry. I gotta, so in some ways, I sort of feel like we know that we've got a system that for Randy, you understand it better because you really looked at, you know, how Health Connect got created. And if we agree that we've got to replace it and we gotta migrate from that, then I sort of feel like, we can't just say, well, we're not on track, we got too much read, we're gonna stop. I think we've really got to figure out and understand what the delays will be and what the impact will be. And what the impact will be. Because, and don't forget we have the CMS Medicaid mitigation plan, which is driving delivery of a lot of things. So part of me is saying, gee, this is all interesting. I wanna know what the implications of this, but I sort of feel like our options are somewhat narrow. Well hostage, I get it, right? So we're making progress out from under it. It's just, it's a slog. In this modular approach, I mean, you saw a lot of green things on there. If we were following the monolithic approach, it'd probably all be stopped to some degree, right? So we're making progress and that's part of the reason we're doing it this way. So yeah. We will have you back in September and we will probably schedule an hour of time just to make sure that we're staying right with you. Thank you very much. Yeah, I appreciate it. And so we thank you, Jeff and Pat, for your patience and Tanya, I see you're in the back. So we're just gonna have to shift a little bit in terms of time and we may be able to have you come back. We have someone from other state that we have a part of the staff. We have to move at 10.45 to have them start testifying. So if we could have you folks come on us. Thanks. We all have these presentations in their packets and we're gonna, while they're getting ready, just to myself, this is the ending presentation for today. The cyber security. They're all online as well. Good morning. Good morning. I'm Jeff Lauer. I'm the Chief Information Officer for the G.J. Sherry. I'm Patricia Gabel. I'm the Vermont State Court Administrator. Thanks for seeing us today. We're gonna talk mainly about giving an update on our next generation case management system and also about how we're working on cyber security for the G.J. Sherry. I included in the presentation some slides about I.T. of the G.J. Sherry. Some of that might be reviewed. So we'll go through that quickly and stop us again with questions. So we always like to start with a slide that sort of talks about I.T. in Vermont State Government and where we sit here. The judicial branch, the Court Administrator works for the Supreme Court and we in research and information services work for the Court Administrator's office. And you'll see we have colleagues both in the executive branch and the legislative branch who have similar functions that we work with. And we have an I.T. team called RIS or Research and Information Services. We have a help desk that we support the needs of the courts. You know the courts operations are somewhat unique in state government. So our folks in our help desk know how courts work and know what kind of questions they get. They then interface with other parts of state government including ADS as needed. We also support systems. Our main system is called the Court Case Management System. We have a legacy system today that's I think about 28 years old that's providing that function. We'll talk about how we're replacing that in a moment. We also do a lot of statistics, business analysis and forms. Many statistical requests, many media requests were very busy, seemingly very busy this summer with information requests from the external world. Media records. Yeah, so we're just, I don't know if other parts of government are experiencing this. Request for information? We're experiencing an explosion of requests for information, it's challenging. I don't think you're like public records requests. Public records requests, formal, official, a data request from various organizations, state and national wanting more information. Just media requests, a lot more media requests, people interested again in trying to analyze data. And as Jeff will explain in a minute, our current case management system is really not, was it designed? It was really designed just to run cases. It wasn't really designed to provide reports. And so that's one of the reasons we're working on a transfer issue, is that? One, back in the cobwebs, seems like 4D actually helped do some funding with the case management system 27 years ago because of the child support connection. But there's no 4D, there's no other funding source in the development of this much larger than in more the technical management of individual cases. This is all being funded with state dollars. That's correct. Okay. I don't know if it's in our slide. It's not, but we can talk about it a little later as to how we're funding our new case management system. It's either general funds or tech funds, which is a lot. Yeah, okay. And the capital fund. Well, I understand, but it's not, there's no federal dollars involved. No. Okay. And just to follow up on the information requests, one of our challenges is we not only have to have the bandwidth to fulfill them, we have to make sure they comply with our rules for electronic access to case records or public access to case records. So there's vetting that has to happen and then there's a can we do it question. Are we allowed to do it? What parts are we allowed to do or not? So, I guess you need legal, the judiciary needs work. Yes, we do. The judiciary needs work. The judiciary needs work. The judiciary needs work. And this is a slide you may have seen before too, but we are close partners with agency digital services. And although my terminology may differ from theirs, I always break that up into two pieces. Sort of the allocated per employee services that they provide us and the on demand or more a la carte services they provide us and we utilize both. One item I have starred here is Office 365. And I have that starred because one of our budget challenges right now is that that moved from being allocated to being by demand. And our allocated services are basically a pass through for the general fund. When it moved to demand, it's created a challenge that our team's working with ADS on right now, but it's something that we'll probably be having to revisit later as well. And this I realize is not easy to read, but this is a technology roadmap we did in 2015 showing the breadth of services. Can I just stop you for one second, Jeff? Yes. I'm sorry. So just to go back to the allocated versus on demand, when did that change the line with budget years and budgets? We first were made aware this spring of this problem. Is it a problem or just a budget gap because it wasn't built into either our BAA or our budget? So that's what it is. Right, so it was an unexpected change. Well, do you roughly how big is that, I'm sorry, how big is that gap roughly? I believe it's about a $400,000 gap for us. So it moved from allocated to demand. Yes. And in doing that, I would think actually demand would be a more accurate billing mechanism because it would be based on actual. Yeah, the problem for us became that our allocated services are funded as a pass through right. So if we're being charged $500,000, we get that pass through our demand services. We fund through. So it's a matter of how the budget is handled, yeah. All right. So you'll save somebody over here. I know which pocket, right? All right, good. Would this be what they would call a Gantt chart? A little bit. Tell us you can't read it. But really what it's meant to show is, we did this chart in 2015 showing all the kinds of things we support. But you'll see moving to 2018, 2019, how our new case management system really takes a lot of these functions and consolidates it. So we're on track here and I would anticipate in 2020 we'll refresh this roadmap and get another view for the next five years. The colors are beautiful. Yeah. So talking about our case management system project, which we call NGCMS or Next Generation Case Management System. As I mentioned, the courts run on a system called VTEDS that is between 25 and 30 years old. The principal resource that supports that just past its 30 year anniversary with the judiciary. It served us really well and it's very customized, but it was developed for a world 30 years ago where we weren't interconnected very well and it's very county based. So even though we have the same system in each county, they're a little different and the data sources are different. We've worked overcome that over the years, but the system has really been an impediment for the courts moving forward. So in 2015, we kicked off an initiative to replace that and went through a pretty extensive request for information, request for proposals, lots of study, lots of looking at what other states doing. Lots of work with the legislature and the Joint Fiscal Office through that process and selected a vendor to implement our Next Generation Case Management System. One of the key drivers for that vendor selection was that we felt as a state and the legislature was certainly advising us that as well that Vermont could not be up front in this, that we needed to pick a system that was tried and proven in other states. That really limited our selection, but we chose a vendor called Tyler Technology, who's now in 14 states statewide and in thousands of counties around the country. And Tyler is now working with us on implementing the Next Generation Case Management System. If you look at the project timeline for this, we're really proud to say that the Geocial Bureau, which is our statewide bureau that does traffic, municipal violations, our fishing and wildlife, that went live on Tyler Odyssey, June 3rd. So that was, as they talked about earlier, we broke up our project into smaller deliverables and started our Geocial Bureau. So that GoLive has been successful. It's really exciting to go through. We've got a punched list of issues that have resolved that we're working through, but we've got a team doing that and are moving forward. So we're happy that we've got the first piece of the system in place. Our next chunk of functionality is going to be trial courts, and we're implementing the trial courts for all the dockets regionally. So we're starting with Wyndham Orange and Wyndham Counties, excuse me, Windsor Orange and Wyndham Counties. Someone has called that wow and that sort of stuck. But we're starting with that group to implement our first trial courts. And we're on trial. The two would be bar and... Yes, yes, we have chosen bar too, yeah. So we're on track for that as well, but one thing we're working through right now is when to go live with that first rollout. Even though I would consider the Geocial Bureau a success, I think that our schedule really short changed a few pieces, mainly around training. These are acceptance testing and making sure that the technical infrastructure was frozen. I think that Tyler came in with really short time frames for their recommendations and all that, and we want to stretch those a little bit. So we're looking at doubling all those times to make sure that we put less stress on the user base as we go live. So I have a question in that regard. Would that have a fiscal impact? It mainly doesn't. The Tyler contract is deliverable space, so they would get no different money. But the only real fiscal impact is our staffing internally. But those staff are really... But you're having to pay them anyway. They're committed for the project and moving deliverables around really doesn't change the finished day of the project at all. But I would say, you might recall that, what we do is we have backup people coming in as we put our operations people on the project. So that one delay, it's not part of a capital bill, it comes out of our tech fund. We have a small tech fund. But because we're deliverable space, we're able to manage the budget issue much better. So there's not going to be a staffing... No, and there will be no additional requests for funding for the project. And we really want to do better. We think we did well for the additional bureau. We really want to do better. Could you just... I'm reconciling the dates here with your comment. You might be asking for more time. What you have here reflects taking that more time. Yeah, so I... I just wanted to take that comment and relate it to this document. As of today, we have not had the project sponsor, Pat and the steering board ratify this decision to change the schedule. We're going to do that the first week in September. So is this... So what I... The schedule change or the old schedules that I'm asking for. What I'm going to anticipate is this is the while rollout. I put a little dotted line here saying that's probably going to move to February of 2020. To begin. Right. To be rolled out, to be done. So I put this block in here to show where we've got some room. Okay, so the arrow is... You can see that we've got ample spaces here that everything can shift a little bit without affecting that end date. Will everything shift? We think that we will shift a little bit for the... As in Rutland, Huntington. You know, if you think about the way the vendor wants to work, they really want to get out of here. Right? And I think we do too. So I believe we'll be able to make up the time. And just you said through our earlier discussion, I just want to make sure I'm hearing this right. This is not a technical issue. This is really about making sure the training and the people who are using the new system have a little slower on ramp. It is. It's about taking the time to really get them better up to speed before we go live. That's probably smart. It's interesting, the Judicial Bureau is unique in that it has a huge volume. Oh, I'm sure it does. But it's also simple in that it doesn't have a lot of case times. As we get into Windsor, Orange, and Wyndham, the volume is much smaller, but they're doing a lot more things. So we really want to make sure we give them the tools to do that successfully. The question regarding the e-filing dates, they all are essentially the same date as the project dates in each category, except when it comes to rollout number four, where it's a year later. Is that a typo? No, winter 2020. So we plan on staggering the e-filing four to eight weeks after the go live. This goes winter 2020 year to winter 2020. Yeah, so it means December to January, so I should make that clear. Thank you. And it might be helpful just to mention, because I'm not sure everybody would understand how the court system is organized, the Judicial Bureau is a kind of a standalone court. Our superior court, which is a statewide court, is divided into five divisions. And so the trial court rollout, like regional rollout one, is going to be much more complex because we're dealing with different divisions and we're also dealing with different stakeholders with whom we interact. And so part of our planning, like just yesterday I met with Annie Noonan and Scott Woodward, who's a project manager, to start talking about what they're doing and what we're doing and how we're gonna work together. And so adding a little more time there is not only helping us with testing and all the rest of it, but I think it's also giving us more time now that we've had some experience with our first rollout to get people together. So where is probate in this? They're part of the rollout. They're one of the five divisions. That's all, I just wanted to. They'll be in each regional rollout. And so I'm clear an attorney that works across counties will have a time when they're in the old system in one county and starting to learn the new system. They will, depending on how their work breaks and the important thing there isn't just an attorney. Judges, the whole truth, right. And that will, I've often said when I've come to sort of talk about our project, the most vulnerable time for us as an organization is right now, which means that we will, as an organization, without a lot of additional resources, be running both on the old system and on the new system. And because we're kind of leanly staffed, it's just very challenging. So for Jeff's shop, he's got technical people still carrying that old system, technical people starting to learn how to carry the new system, including a really a more robust development of our help desk staff, where people out in the courts will be calling on the help desk, not just for, gee, my computer doesn't work today, but really making sure that they understand how to work it. And does Tyler come with built-in support staff, I mean, or do we have temp come online to help with that? So for the roll-outs, Tyler came with a tremendous amount of people. I think at the GeoShop Reo, there was a one-to-one ratio. So essentially what they do is they take people from their other projects around the country and they all descend on the state that's going live. So they've been great there. For ongoing support, they have a help desk as well and all of our calls and emails for support will be funneled through our help desk and then if we need to escalate to Tyler, we will. So next slide starts to talk about information security and I've tried to break this up and do a couple of pieces, policies, training and then the cybersecurity spot. And on the policy side, you know, the GeoShop has some legacy policies around electronic communications and passwords and personal devices and mobile devices. You know, they're a little old right now but we've got them in place. What we would like to do moving forward is take a combination of our policies and refer to the new state information security policy that Executive Branch and Secretary Quinn's team is developing and be able to reference that as we need to and put together our own set. That's what other state judiciers have done successfully where we're not reinventing the whole wheel but we're just doing what we need to do to be needed. I believe there's only a draft of that in place. I'm not sure when the final one will be done from the Executive Branch but we're looking forward to be able to incorporate that with our staff as we need it. On training, similarly, we have leveraged what the Executive Branch has to offer and we had judiciary folks this spring go through securing the human. We had, I think, 83% attended that class so we're happy to be able to move forward that way. Then as we get into the cybersecurity spot, I think I mentioned during our last meeting that we do partner with ADS in some areas on this and then are unique in other areas and I tried to lay this out as to who does what. Our work with ADS, they're providing us sort of network and perimeter security through their firewalls, virtual private network, certificates and internet border intrusion security. So they're able to do that. We also went through an effort last year where we took our desktop environment and migrated it all into a managed environment that we work with ADS on. So as part of that, they're providing desktop and laptop security through the local operating system with BitLocker, Windows Defender and security patches. Judiciary also utilizes OneDrive and Outlook which both have built-in encryption and we have implemented multi-factor authentication. We had an old version of that before. We've gone with a new version with ADS that essentially lets us secure people as they're off of the state network and we utilize that both for Microsoft Office and OpenVPN to get to our network's drives remotely. It's been a very successful implementation working with ADS. Then on the RIS side, we're responsible for our server operating systems and making sure they're updated with antivirus and security patching. We have 115 servers we host with ADS at their tech vault site but they do the hosting, we do the operating system management and we're working to improve some of our management tools on that. We also have 60 servers over that 115 that are just running this NGCMS, Tyler's Odyssey. And we're working with Tyler a lot to make sure that's secure. One of the interesting parts about going with a tried and true vendor is their architecture is tried and true but some what are chaotic in some spots. So we've really had to push on them to make sure we're implementing the right security items and we've worked with the ADS information security team to make sure we're doing the right things there. That's gonna be a continuing effort to make sure Tyler is providing us the right configurations to keep it safe. We do have a public portal and website hosted that go through to the Tyler system so there are special areas we need to focus on. What you read in the news lately about particularly cities, small cities that have had their data ransomed and I guess I'm curious if something like that happened does Tyler hold liability or do we hold it? How does that sort of work? Our data is held by state of Vermont so Tyler would not have liability for that data so we need to make sure that any tools they provide are secured through the firewalls. But we do, we have like a 1,000 page contract with Tyler and they do have certain responsibilities in that contract related to security issues that do relate back to Vermont laws regarding consumers and the government. And one other thing I might add and I might have said this the last time, because so many states use Tyler, my counterparts in other states and I are in a special user group and we have been in the last year become much more active in trying to improve Tyler's performance and asking them to continue to improve. And I think we hope that that will help balance the fact that they're kind of a monopoly and for state judiciary in the country. So these kinds of things, as you know those attacks will get more sophisticated. Our responses will get more sophisticated. It's likely, we'll be attacked all the time and you'd like not to be attacked but if you are attacked then what's your response and we realize that that's just gonna be an ongoing and growing aspect of the work that we've gotta do. Yeah, as Secretary Quinn has talked in earlier sessions we do like the other parts of state government get attacks and we've had both phishing attacks and spear phishing attacks that have gone on after specific people in the Supreme Court, so. Do you have any notification protocols or procedures that you follow in those types of events that are established and set up? We work with the ADS security department. Are you talking about notifications, external? So if there's phishing or spear, are there people like who would you notify? How would you notify them? Secretary Quinn has his hand up, do you want me to defer to him? Let me start and then throw it over to John. So what has happened in practice is we are notified by ADS that they have noticed and we then work tightly with our team to make sure it's resolved. We have not had any resulting loss of data so we have been fortunate to have caught things quickly. We have a system set up where when we see emails come in if there's a particular spear phishing type of email that gets delivered to us, we alert everyone on our email servers that we saw this. Please don't click on the link. If there is a breach or if there is some kind of attempt on our network or some kind of data loss, we follow from our state statutes and then notify the attorney general's office. So they have statutes pertaining to notification of the public. I'm reflecting back, I think Secretary Quinn referenced. We have a few servers that are not part of the ADS network in the state. And you say you have 115 servers within the ADS network. You have anything out free-floating that is not part of the ADS network that poses risk? Oh, you're gonna talk about it. Oh, okay. So are you looking at some? I just like a question back on the notification system because we have a similar system in the legislative branch where we get an email that says please don't look at that email that you just got. And I guess my question maybe is for Secretary Quinn, that always strikes me. I sort of look at my email in a crudely chronologically. So I would have approached the scary email and maybe active, maybe not, and then looked at the... And I guess I don't... Why wouldn't we, and is there not a way to suck that email back into the server? Is that a safety and a privacy issue? Or it just always seems sort of weak to me. Hey, we really hope you didn't open that email. It's the, you know what I mean? So we just don't want to be set up that way. Yeah, I think it's twofold. In some cases, we do pull the email back. In other cases, people have already clicked on it. We want to notify them and alert them. Hey, don't, and if you did, here's the number to call. If you're on travel, just let us know. Don't open the attachment. Yeah. So if you already did, Jeff and Pat, will it be possible for you to finish your presentation within the next five to six minutes? Okay, great. Yes. Okay. So Senator, your question about other servers. We have five servers that aren't hosted at Techball by ADS. And they're legacy servers that mainly run, we have a system called FTR for the record that does courtroom reporting that we've always supported. And they're running that. They're also, we have two servers that are developer issues. Those right now are in right over junction. We have an effort underway to move those to Costello courthouse to a better environment. We've been working with ADS to look at that move. They've done some security scans, helped us with improving those servers. And we want to spend the time to re-architect those to be more secure. So there are a few outliers as well. I should have just read ahead. Quickly focused. I know this committee has talked in the past about websites. The Vermont Judiciary.org website is hosted on Amazon Web Services Government Cloud. It's running Drupal. We have a vendor in Maine, Portland, Webworks. We have gone through an RFP process for that host that does all the work to keep that up to date and secure. It's notable that that is really an informational website. It's not holding any private data. So the risk is minimal. It also doesn't have any direct connections back into our network. But nonetheless, it is, we do the work to make it sure it's secure. We also utilize Vic for some legacy solutions. Vic is largely being replaced by our NGCMS project. The Judicial Bureau part of Vic has already been replaced by NGCMS. But we've got from outcourts online some criminal division payments and attorney licensing still on Vic. And just to real quickly talk about next steps, it's become clear to us that Judiciary staff alone and our partnership with ADS isn't enough here. So we're working to establish a relationship with an external cybersecurity partner. The first step of that will be an assessment, a risk assessment that we're going to do to see how we're doing and what gaps we have and really come up with essentially the next 10 steps to improve our security posture. So is this partner one that's specialized in cybersecurity? We're not naming them because the contract's not done. But we're now talking to a partner who's worked with the state. They have worked Secretary of State's office. They've worked with the Department of Tax and Health Connect as well as a lot of other states. There would be someone specifically bringing this to the table here. We're also working and Pat can talk more about an MOU between the Geosher and ADS so we can smooth our collaboration in this area. Yes, and all I would say because I know you're so short of time is that Secretary Quinn and I met with our respective council and we're working on an MOU that will supplement existing service level agreement to account for the fact we're a separate branch of government but we're part of an enterprise technology solution and so how we work with them. And so Pat, you and I spoke briefly about that and I think in the future when that agreement has worked out we would love to have a presentation. I'm really interested in how the branches of government are collaborating around these issues. So when you agree we'll have that. Yeah, we're happy to talk about that. I also am working closely with Maine and New Hampshire judiciary CIOs and we're actually going to have a meeting early fall to talk about not only what we're doing in our branches but how they work with their executive branch because Maine especially has a similar relationship and working a little bit differently so we want to learn from each other. We also see that as an opportunity to share resources to scan and do some risk assessment across these three states. Are they Tyler? Yes. The states as well. So that's what we had. Thank you for the time. Do you have questions? So the takeaway is that it's moving well. You just want more time not because of technology but for training and to make a more reasonable implementation timeframe. For NGCMS, correct. And the money except for some little things that you talked about, it's pretty on target. So we should say leave here saying things are going satisfactory. Things are in our view satisfactory, NGCMS. Cyber security will always be a work in progress so I will never pretend that we're on track or down in that topic. We're always going to have to be getting better. Is it important that the systems that contain sensitive information are publicly accessible internet connected or would it make sense to have a private win for the court system that's air gapped from the public just for that additional layer? So yes to both those. The public portal that's part of our NGCMS has limited information about cases. It follows our court rules and we'll have a gap between it and the court case management data. And maybe one parting final leave with you. We've always been along with the rest of government really part of open accessible accountable and transparent. Recent trends with the weaponization of personal information and data has really had me pause about that and think about policies we've always taken for granted. So I don't have anything more to put on the table except it feels like that's not just a little glitch or a bump in the road. It feels like that there may be the need to sort of step back and maybe have a little quiet group that takes a look at how we're doing that right now and thinks about information and data slightly differently. It's really important that we report data that shows accountability and transparency and in the judiciary that people understand why cases are decided. People have to have enough information. At the same time, we don't want the experience of exposing people's personal information to be so broad now that they stop coming to the judiciary to have their cases decided. So that's just a thought. One of the things that I notice a lot in doing record searches, searches for information across states is the states are very, very different in terms of the court information that's available. If you go to Florida, for example, and you pick a particular county, you can do a search for name of any individual who's been involved in any kind of litigation and in effect bring up that case and the case results and indeed the documents that go to that case in Vermont is virtually impossible to find anything. And in fact, it's even difficult when you go to the courthouse and ask for records to be able to get records. How do we, as you look particularly, working with other states and how they do things, on the one hand, I get the sense that Vermont almost treats record information in the courts as if it was the court's information rather than the public's information. Other states deal with it very, very differently in which it's considered a public record that the public has a right to deal with. So our records laws are rules because we have court rules on that. Actually, with the exception of legislative policy are very open. And so legislative policy has certain divisions that cannot be online. But our public records laws and rules are pretty similar to other states. Florida is known as a huge outlier. There are a couple of, like maybe one or two other states like Florida. California, for example, is very similar. Right, where personal information is not protected at all. Other states are much more conservative than Vermont and really protect personal information, which I, again, I want to distinguish from data. But things where you can actually look in people's personal lives and they restrict it more. And so Vermont just went through a rewrite of the access to public records laws because we now that we're online and not on paper, it's changed quite dramatically in terms of people's ability to access. So one of the issues you would find in trying to get court records is we're not online right now. But as court records go online, it will become easier technically to access them. And then the question is, what is the state's policy and what is the court's policy about what shouldn't be accessed? And we're actually in the conference of state court administrators, we're actually looking at those issues right now. Do the states overall want to have a policy or is it so unique to states that we can't do that? So we'll be able to report more about that in the company. I think what I was getting at with the comment is that once we go to what essentially is an online system in which the information is there, as the way and I would be available to the public, will the public, for example, be able to go into the court record system and say, give me all the cases in which John Smith has been involved and show me where they are and then indeed go to the extent of being able to provide documents associated with that case. The same kind of information that might be present if you were to go to the courtroom and sit there and listen to the record. So right now, the legislature has adopted policies that mean data mining companies could not just do that. And so the real pressure that's on states right now is that data mining companies who take this public information and they turn it into money. And we do not make information available that way. Right now. And so there will be certain things that one could do. Let's use civil because the legislature has not protected the civil docket for electronic access. So there will be access to certain information on civil cases, but even in other kinds of cases, people can go to the courthouse and get on a portal and get that information. What we don't do is we are not designed either, unlike some states who make money by selling to data mining companies, up to this point, we have not considered ourselves. And yes, they do. That's a revenue source for them. The courts do that. Yes. But in other states, that information is publicly available without charge. Yes, so you've got, it's all over the map. That's what I'm saying. Can I give a quick example, Senator? So we talk with the people in Maryland often. In Maryland, for a long time, has had criminal case information openly available on the internet. We, as Pat said, it's only available by going to the courthouse purposefully. In Maryland, many data aggregators have taken that information and created their own databases of criminal cases. Maryland, like Vermont, is very active in expungements, right? What should be expunged? What shouldn't? So they're challenged right now as they're expunging cases in the courts. Other people have copies of this that the courts have no authority to have them get rid of it. So it's created a real challenge for them. And they're talking about backing down on all of that public access to criminal records because of this. So it's a very active topic amongst the courts and very important. So all that to say if the legislature decides to have a little thought group about that, I'd love to be part of it. Okay. And I think we would like to just continue this conversation with you all as you're thinking about it as well. Thank you. Thank you for your flexibility and your report. Tanya, thank you for your flexibility as well. And I am hoping that we can get you to go to about 30 minutes. We've given you about an hour. I'm Tanya Marshall, I'm the Chief Records Officer in the state office for the state of Vermont and the director of the Vermont State Archives and Records Administration. I'm probably the only person in statute that has three titles on. I'm gonna talk to more on information governance. And I just do a little overop on cybersecurity because all the conversation that actually just ended with the judiciary is really about the larger picture. And that's the role that the Vermont State Archives and Records Administration plays. Just for background, there is a statute, the statewide records and information management program and that is done by the Vermont State Archives and Records Administration. We are in the Secretary of State's office. We're charged with administering it for all public agencies. So it goes across all different branches. It goes out local government as well. To really espouse the industry standards in terms of generally accepted record keeping principles. So if you're familiar with general accepted accounting principles, there are some for record keeping as well. Industry standards across the board and best practices and our citation is in Title III, 117. The specifics within that mandate that we have is to provide assistance to public agencies in grading the records and information management program and work format independent. So all the policies that come out of that, which I'll talk in terms of governance, are format independent. It breaks down everything from the people involved to the processes involved and then the infrastructure that supports the management of information. Our other charge is related to having and ensuring that there is repositories across the state that can effectively manage each public agency's records and information regardless of format and that they're operating in compliance with the law, the standards as well as the Public Records Act. So the Vermont State Archives and Records Administration actually administers three enterprise-wide repositories right now. We operate the record center, which is used by all three branches of state government. We operate the state archives, physical state archives, which is used by all three branches of state government and we also do a digital archives and that is currently government and then parts of local government. When an agency's day-to-day operations around a record that has continuing value or a piece of information that has continuing value succeeds so that they can continue with their regular work, they can transfer legal custody of those documents in that record and information to the Vermont State Archives and Records Administration and the Secretary of State's Office becomes the legal custodian. Are there any agencies, branches, entities of state government that you are not the receiver of their records? That we're working? No, we have. So within the state archives, we have all three branches in the legislature for each biennium, committee records, legislative audio, everything comes into the State Archives and Records Administration. We are the custodian after that point and the legislature is able to move on to the next session. We're assessing different records and records and there's a process that that happens and it's about two or 3% of all records graded across the board are archival and we meet this criteria of being legally transferred. We also are the holder, which means we are not the legal custodian but we have a state record center. That's in terms of paper records and agencies and permits will transfer into state record center. We manage them in accordance with the records management processes and procedures that have been uniformly developed and then the records are disposed when they're legally required to go. And so in terms of the three that we operate, the other ones would be operated by agency of digital services or they could be within their own branches. Like your case management system, legislative systems would be, it's not necessarily enterprise wide but it's still within your own branch. And then our last charge and there's a couple more related to this but for this context, it is information management standards. We have done a number of those over the years, have been in collaboration with Department of Information Innovation when they existed and then information governance frameworks which is what we're really gonna talk about today within the context of what we look at when we're looking at protection of records and information across the state and how well agencies and departments and branches are able to do that. So what is information governance? There's a number of different definitions but the end is really about managing your records and information that's inclusive of data so it's regardless of format in a discipline and coordinated in a measurable manner. So do we know are we being affected with it? It's a combination of people processes and infrastructure which is nothing new. I know the focus of cyber security so I always like to go back to what the definition so cyber security is really focused on electronic and internet and computer so to speak. At the end of the day though we want all our public records to be effectively protected. So when it comes to the statewide records and information management program we are not format specific, we cover all formats. So that's just the big difference between cyber security and what we would say as protection as a whole. Of course we're looking at electronic records and wanting to ensure that those are protected but paper records have the same kind of risk. Other kind of formats whether it's logs or other forms of data that even or something that someone can read are at equal risk too. So we really cover the whole part of it in terms of scope. When we look at people processes and infrastructure these probably look like the classic service domains or the business domains of business architecture, information data architecture, application technology, strategy. When we put on the Vermont State or Christenburg administration hat and looking at it in terms of legal requirements the strategy is really what the legislature enacts. Your goal is to try to provide services to citizens through legislation and that is the public agencies that are responsible for figuring out how to apply that and how what is the most critical needs that they have. And that comes into why we receive for great information and then we're looking for applications to really service that and we're looking for the technology to support it. So that's really the goal within that program. So what we've implemented over the last couple of years is there's a standard to say maturity model. Like where are we? And we can do this at a small level with a particular office or division. We can do this with the agencies. We've worked with the agency of human services that actually is working through a large scale kind of overhaul of their records and information management right now based on the information governance maturity model. So it's three levels, very basic. It's used at the corporate sector as well as the public and private sector. Level one is basically saying that things are kind of ad hoc across the board. When you're talking about business, when you're talking about people understanding the information and records that they receive. If there are policies, procedures, infrastructure, technology, ad hoc, kind of working in some areas, not always level one is really substandard. Development, more awareness. Level three is basically the essentials are being met at all levels. Level four is really being able to integrate into operations so we're maximizing our information because the reason we create and receive all this to make the decision, right? And provide the services that we need to provide. So our goal as a state and any entity is always to be a transformational that we're really having the right information at the right time given to the right people which is at the same time as making sure the information that we don't want to the wrong people is occurring. But we also want accurate and reliable information. So each of these can be measured at different levels and it can be done at a technology level. It can be done as a business process level. It can be done as a record keeping level. And so we have been working with the agencies and departments on having them walk through an assessment of what that looks like. So I'm gonna ask you a question. So how does an agency experience you working with them on information governance and ADS, like how do those things kind of... How do they work together? I mean the Agency of Human Services probably the best example. When we work with an agency we require four disciplines to be around the table at all times. And that includes information technology, business operations, records and information management which tends to be our staff mentoring individual within the staff of the agency because most agencies don't have records and information managers as a full-time position or and then the last is legal. So in terms of like ADS collaboration those agencies already have representation from whoever has been assigned to be the liaison for the technology piece. Success rate just to let you know if those four disciplines aren't around the same table and working together is the same as that architecture model they just said here. If you don't have those together you're not gonna see success because you're gonna end up with more risks. So I'm just gonna walk through these. These are the generally accepted record keeping principles and I actually like what Pat had just said because she said transparency, accountability, all those buzzwords. That's actually what record keeping requirements are. So they walk through it's independent in terms of format. Each principle though is as important as the other. So if you're picturing building something like a platform if you have one pillar that's much higher than the other it's an unstable environment or if something's shorter but looks you know that it's gonna start falling apart at some point because it's not stable. These equally have to be there for functioning governance component and to be have very successful in terms of managing records and information across the board. Accountability. So where we ended, are you getting to the place where we ended with Pat? Yeah, it's kind of, it was a nice segue. Yeah, okay. If you would have said, well here's what we can do or here's what we're thinking. Yeah, and we actually have an active collaboration with the judiciary as well and when we're staffing. So yeah, accountability is the biggest thing is having ironically most agencies and departments actually fall at a sub level on this one which means that there isn't one particular entity person who is familiar with the records and information of that agency or department across the board and is at a high enough level to really motivate change. So that's kind of a key thing and it can't sit with somebody who's just there to move but really having that background. My background just for context is information science. So I disciplined in all four areas had a sense of education and training. That's the ideal because you do want someone who understands the technology piece of it as well as the business operations as well as the information management needs and the legal because that's where compliance level comes through. So when we do an assessment and walk through with the agencies we really ask them where are you on this and this is the one that is the most highly recognized of not having that particular, even an FTE. I'm just trying to see how technology is influencing. I'm back years ago for example with child welfare cases more public assistance cases after three years they'd be sent to public record and of course they were confidential. Now we have a kind of a combination of paper and a lot of it is online in a database. How do you reconcile what's, and then there was a, obviously you had a, after a period of X number of years those records were disposed. How do you reconcile if you've got both paper and you've got digital or are you making everything digital now? So it's not so much on the format but we're really starting with the Vermont State Archives and Records Administration just to back up a little bit was created in 2008 by the legislature and part of it was to dissolve what was the public records division underneath buildings and general services. So up until that point records management was really just about assigning retention period and then disposing it in very labor based. There was a public records advisory board that was a point T's. None of the individuals on the board were actually had a background in records and information management and so when we took over. Well the less you know the easier it is. But it also meant that we're making a lot of decisions on records that were not great. So sometimes holding records too long which I'll show here is a risk. So all the policies now they have to run through a record schedule which is the life cycle management. And whether it's paper or electronic the life cycle is still the same responsibilities. Accountability is still there. The management controls are still there. They're just a little bit different if they're paper based versus electronic. But you'd expect these things to execute because it is, if you have a retention for three years of something doesn't matter if it's electronic or paper it doesn't. You just have to be in the right repository to make sure that that can execute correctly. So we don't do anything format when we write the policies and we do a collaboration with the agency department that set the management plan. Also set the retention and disposition which are two of the principles here. That's the high level policy of accountability of what's expected in terms of the life cycle management of that information. The next layer down is okay from an operation standpoint how is this going to work? Can you actually delete or dispose of digital information? With a paper record you can shred it. Yeah it seems like Ollie North discovered that in fact that record's out there somewhere. Well when we get into- I'm just wondering how you deal with- There is and that's where our collaboration is with ADS on if they stand off the systems. The digital archives obviously we don't want to destroy anything out of that because those are records that are expected to come in and be permanently preserved. But electronic records management systems exist and they do, they run through a purge cycle and then there's a different depending on the system and how the infrastructure's been set up. I always worry because we do know this within the state of Vermont. It can look and feel like it's been destroyed but the agencies is not aware that it's still sitting on another server maybe as a backup or some other thing in the past. And now responding to public records requests and stating because from the business operation they believe that it has been deleted or discovery request that happens more often than not. But if we are in a good state and at least being at say level three which is essential in terms of governance that likelihood should be less because everyone knows where their information is actually stored and happening. They don't need to know the details of how it's been working behind the scenes but at very high level we need to know where our information is stored because that becomes a risk on the cybersecurity part. We don't know where to protect and we don't know what we're protecting at a certain level and it's a little ad hoc. That's where we end up not only risk on having information get out that we do not want to be accessible to other individuals but we also end up with risk from a management perspective falling into a nightmare with legal discovery, public records requests. We also end up paying a whole lot of money to store things that maybe we didn't need to do. So that is a collaboration component but it is based on the statewide records and information management program. And so if we really just walk through the agency starting from a policy to an implementation then to a decision making of what those applications really need to be and then what kind of platform and then they work with their partners which include agency and digital services as well as any other vendor to really execute that. Transparency, this is really getting into the documentation. We have a huge transparency in government about but it's transparency about knowing what we're managing and why we're doing that and which level everyone is in terms of business processes being documented as well as the records and information management processes is a key part. Obviously we want our software and our applications to match the requirements that we're trying to meet. So having that transparency is where an agency feels confident to be able to say, I feel that we're effective in managing these child welfare cases and here's the system documentation about where those records go in the life cycle and what happens to them. So it's not just someone's own memory or it's kind of add, we don't want the ad hoc approach to that. So system documentation as well as process documentation, integrity and keepers, we want good information. One of the things that are reliable and authentic. Best example of this where we have that is like when you have an electronic version to not knowing which version it is and we have just from a business process standpoint when you have an agency that might be scrambling to figure out if they have the latest copy or the individual, that's where this is, we end up finding the integrity is pretty low. So there may be one that is the final draft that everyone wants to share but the way that's being managed or where the business process is, we have to spend some more time to try to find that. That's when we get concerned about integrity. So when we look at that maturity model and we ask the agencies, give us an example or an office, this is where we're able to rate where they are. Does that help? Yeah, I'm thinking about the video that Secretary of State posted a couple of days ago, the deepfake video and thinking about this integrity and if you are doing anything about with the integrity of records and deepfakes and that sort of thing. Right, so in terms of, I'm not really sure what video they posted the other day. Who was it on their Twitter account? Yeah, it was one showing this, I can't remember his name after. Really it's an elections component. I don't turn it into Tom Cruise, I mean it was in a deep fake. Oh, Michael is an information professional is when that life cycle is not working the way that it is in terms of either business process operations or even electronic and the applications aren't supporting integrity ends up being very difficult for an agency to say I have the best information, I have the right information and I have that. So, I actually am noticing the time but I am actually pretty curious about this and Secretary Quinn, maybe I will ask you as well, who is responsible for, who would we turn to that could confirm that this is an actual record? Do you know what I'm talking about in terms of the deepfake? I can see our guess is maybe it's something we could talk about later but it's something I'm definitely interested in the future. How do we? Well, sorry, you're looking at that someone has falsified like basically has corrupted information. Yeah, so the integrity piece, there's two different checks, like even in one of the things that we've been watching Secretary of State's office authenticates documents which means we're responsible for authenticating that something has actually is what it reports to be. In an actual technical role that's easier and better to do than it is in the paper world. It's ironic but paper processes for that. So, I think what, if I was looking at what from a technical standpoint, we can say that was there and it hasn't changed depending on the system and what's capable. But it's still, when this comes to integrity it also talks about, we get to protection after this but it talks about the fact that we may not have the best information or we might be able to. We may need to have you come back up all of that. I'll be taking some of your time once we've already. No, ask as many questions. I mean, I live and breathe this every day. Protection, so this is really where you get into your area of security on that. For the principle here, it's about what's reasonable and suitable. So, the sense is that if there's something that an agency is publishing out and wants to be there, obviously we don't want people to be able to change the content, that's the integrity issue of it. But we're not as worried about it getting into the hand because we do want that publicly out there. So, it's about suitable and reasonable guarantee and there's a number of different things and when you think about people and processes and infrastructure, one of the greatest risks on the protection standpoint isn't always just the technology, it's about the people. We all, you know, we're in Vermont, we want to be friendly, we want to help people out. Oftentimes it's the security issue ends up being more on an individual per se than necessarily opposite technology. But this is really about having an agency assess. So, where are they, do they feel like there's a lot of emphasis on information security, that they feel that it's across the board no matter what the format of the record is, do they know that, can they audit it, is it continuously looked at and improved then at all levels, or is it kind of maybe it's really good here but not so good there, maybe we have the best kind of network for that electronic information but the paper information is going out the door. We look at it holistically, but that's the protection category. Do you have a schedule, like if we mandated that you go in and work with agencies and entities or are they inviting you in on this, like how is that happening? Title one, in the Public Records Act, it does require all eight public agencies to manage their records in accordance with standards that are provided by the Vermont State Archives and Records Administration. It also states to cannot destroy a record without authority, which is a throwback from a 1937 law, but we've continued it. There was more emphasis in the past session with a revision to the law to try to make sure that there's collaboration. We work with everyone. I can't force an entity to. So it's at their invitation. Yeah, I mean, not that I want to because it's supposed to be a collaborative thing, so we wouldn't be very successful for forcing somebody who didn't want to be there. But this to me is just, this is just good government and it's about having all the right people at the right time and really working together as a team to move forward. Compliance, this is not only just with legal requirements across the board and this can be related to exemptions, obviously if information you want to have though is protected at a different level, but also the agency's own policies and procedures and how is that actually working when it comes to records and information management? So are the things identified and do the employees actually know what their responsibilities are within the particular sets of information they're working with? Is it really kind of emphasized in having different kind of auditing, different controls as being reviewed? Compliance is a really big one. The legal community obviously likes this one, but do they always know when the process isn't working very well or do they know where the loopholes are? So having that as being part of the governance component is required. Availability, effort and retrieval information are running out of time. So you're running out of time? No, I'm almost out of time. We'll give you a break, we'll shorten our break. This is a challenge. Yes. Hours are spent going through. Yes. But these are records that aren't necessarily archived. Right. I mean, we live the legacy of, I always say even the state record center which was just to digress a little bit. You know, it wasn't managed as well and so it ended up being a place where agencies just would kind of offload paper that they didn't know what to do with and offloaded and it's become a huge liability. So walking through availability, right now we actually have something from DCF scouring old records that are sitting in the records and they're re-responsive lawsuits. So availability is really a key part. We're doing all this and we're supposed to be managing our records and information in a way that not only do we have accurate and reliable information but it's available to the right people at the right time and it's not a struggle to find. Of course we all have the legacy of what we're trying to do. And so does Secretary Quinn. I always say we're the original server where it's like you don't know until you open up the box. I mean, it's supposed to be something and you open it up in office supplies. That wasn't what it was reported to be. The same thing happens on the electronic environment as well. From a library of science and information science background, it's about recall and precision. You know, if someone's doing a search they should be able to recall everything, get everything that's available for that search and it should be precise for what they're looking for. That's the goal for this availability. But it needs to be equally balanced with all the other pillars for that. And the last one is retention and disposition. So they go hand in hand. How long do we have to keep this information and why? And that's what the Vermont State Archives and Recreation Administration has actually charged with making sure that we set the retention requirement. And we do that in collaboration with all the public agencies that we work with. So it's not something that I just send out because we really have to understand the bigger picture. We collect every single legal requirement around all that information. It's encoded in part of the schedule. We do metadata classification so that they can manage them inside a repository that's gonna be reading that information, make sure the records are managed. So retention and last disposition. So they're actually disposed when they're required. We have the business processes and the infrastructure in place to actually do that. And disposal, it means two different things. One, if it's a retention and it's appraised as being something that should be destroyed that is effectively destroyed at all levels, right? And it's effectively destroyed everywhere. If the goal is to not have it there, we need to know where everything is. And that's the availability factor, right? We don't always know where everything is. Disposition in the state of Vermont also can mean disposing for permanent records that they actually get disposed into the state archives. And so that's where we become the legal custodian and we continue them because they have continuing value. Fine records, great example, continuing value. So those come into the state archives and we administer them depending on the age and so forth when the Department of Health deals with will be no corrections or amendments anymore than those. And we do electronic and paper. And so just last part is unified governance is really all these disciplines together including security and risk which is kind of a new factor in here. Associated costs just kind of enclosing. This is one that came out of the electronic discovery because they're expending so much time and attorneys trying to find stuff that they can't find is walking through the information governance. So this is actually a really good model to figure out. Like when you hear, oh, we had unexpected costs and they're really surprised we didn't know this was gonna happen. It's not just on certain IT fronts. It could be, well, we didn't know we're gonna expend for attorneys to go look for this or we didn't know that we're gonna have this other human capital cost. When things are surprising and people are reacting to something that tends to lead to what we usually see as a very low information governance. And then overbruns and some unexpected costs because it's ill-fitting. Oh, we bought this technology and it turned out not to really work very well. That seems to be a lot. There's awareness but not really quite where we wanna be. And when you get to essential, what we're seeing is there's a lot of control costs. There's a lot of re-use of information so we don't need the same, we don't need 20 agencies compiling the same kind of data. They should be able to leverage the data that we have as a state and go across these. So information exchange gets much stronger and the product is when you see these integrations and it can be in a business process as well as technology. And you're seeing more targeted reductions like how can we actually streamline this and get it more efficient. And then transformations were really shared across the board and we're really using technology as we want to be using it. So those are direct correlations that have come out in terms of information governance model. Sorry, it talks so fast but I'm wondering. No, I'm really appreciate it and we have time for a couple of weeks. So we have 10 minutes before I get us some, I wanna make sure we have a five minute break. So, yeah, that's okay. Yeah. Quick question. Do you have different levels of disposition based on the sensitivity of the information? Yeah, so in terms of, so for disposition there's two different levels that when we code the record schedules, we do it at a high level that goes across. So we'll do a shred versus a recycle. And there's electronic shredding as well as paper shredding. If it's exposed into the archives, there's a whole nother security code that we use on the information. So whether or not we do four different levels. One is that if based on all the requirements, we wouldn't expect something to be in that particular set of information. Like someone throws in a social security number on a record, but there's no reason why they should have done that. We mark those as general, which means like the agency should not expect to have anything that's sensitive or secure in that. Review is a default that we use when there's kind of a mix, but it's not really clear. Redact is another security level that we have when we know that the records themselves or the data related to the registers or databases have information that is exempt from public access and all the different reasons why, all the legal requirements, and then we have outright exams. So those things used together, if it says exempt, it's automatically a shred. If it's redact, it's automatically a shred. If it's review, we really default the shred. And then it's really, if it's general, then the agency can use a normal recycling component and they can use the tools that are available to them from a paper electronic perspective. Forgive me if you covered this at the beginning, but I feel like you've sort of outlined here your grading system. And I'm curious if you have the results for us, I mean, or if you have it measured that way. We do publish them on our website. I'm happy to send that afterwards. We haven't updated them. I mean, first launch that we did across the board and really the first two pill, we started with the first two pillars. And yeah, we do, we publish it on our website for the executive branch. And so the first thing that we look at, especially the accountability just to let you know, so under statute for the executive branch for agencies and departments, specifically underneath the governor, there is a whole separate statute that requires them to have agency records and information management programs and to assign a member of his or her staff as a records officer. We've been monitoring the appointments of those and then monitoring how well the agency can actually succeed in information governance. So if the appointee has always been at a level that's not a senior level of that, then back out at Laura's score. I'm happy to show you where it is on my website before, but I know that you have it. Or just a late group. More than like. Yeah, so I send that to Mike afterwards and then you're able to see that. We haven't updated it. This new version of the law that has a little bit more teeth in it came into effect last July. And so what we've been doing is more, I have a really tiny, I have 17 people for all our operations. So I have four people who are records and information management specialists who are like spread across every single agency right now and local government. So what we're really doing is we actually put a physical person into the agency of human services, which is my staff member in there. And we're really focusing on looking at that modeling that works really well and seeing where we can get the most kind of opportunities that not only the agency of human services can be successful, but the next agency. But that's half of state government. I know, well that's my philosophy. That reminds me we'll start on the big one. We actually have another staff member too that we basically, we actually do take a lot of court records as well. We're the only state, that's a statewide court in the nation, right? We don't have, everyone else is county government and county archives. And we have a person that's dedicated directly to collaborating with the court administrator's office on that. But those are limited resources. So what we haven't done is really tried to push this because we recognize we're limited resources. So are the agencies, but let's continue to collaborate together. That was my question. The evaluation of the various agencies. Yeah, so we do publish it and I will. Okay. Yeah. So that's something that having the agencies do some self-reporting as well and. And so you obviously have an ongoing program. We, oh yeah. This is continuous. The agency of human services is the best example right now of having a very active strategy to do this. Very good collaboration with in there. Diva in particular has been really, they have been way low, but really have having come up and it's about that team, it's that collaboration. When we don't have that, we just know it won't be successful in any area, right? Thank you. Yeah, thank you. Thank you for your flexibility. Oh, yeah. I appreciate it. Okay, let's break till you were kind enough to, Branson, what you hoped was a resource I've been asking you really about.