Vermont Agency of Digital Services

This document presents the Cybersecurity Advisory Council's strategic plan for enhancing the cybersecurity of critical infrastructure and essential supply chains within the State. The plan addresses different levels of organizational maturity through three tiers: training and planning, risk management, and information sharing and collaboration. Key objectives include increasing cybersecurity awareness, improving preparedness, fostering a collaborative community for information sharing, developing a universal incident response plan template, and promoting continuous improvement. The plan's implementation is phased, with initial efforts beginning in 2025 and extending into 2026, focusing on organizations supporting Vermont hospitals.

The tenth meeting of the Council focused on the advancement of sector-specific cybersecurity plans, moving away from a one-size-fits-all assessment approach. Key discussions involved developing customized roadmaps reflecting unique cyber risk profiles for sectors such as healthcare, water, energy, and manufacturing. The council unanimously adopted a motion to pursue a sector-specific approach for sub-plan development. Discussions also covered effective engagement of sector representatives, leveraging state and federal partners like CISA, and promoting pragmatic steps such as using CIS Controls version 8.1. Insights were shared from a tabletop exercise involving the Town of Brandon, highlighting challenges for smaller systems. The next meeting is scheduled for November, with progress reports expected.

The meeting reviewed updates from Meeting 10 and set the 2026 meeting schedule for quarterly sessions (January, April, July, October), expanding the duration to two hours to include sector updates and cyber coordination reviews. Updates were provided on sector-specific plans, noting that the Electric sector has a follow-up scheduled for January, the Essential Supply Chain sector is finalizing working group members, and the Water and Wastewater sector has a second meeting planned for December; no activity was reported for the Healthcare sector. The council plans to address a legislative request to expand membership by adding representation from the Communications and Government services sectors. Furthermore, the group initiated drafting the annual legislative report, soliciting input for review in January. Discussion also focused on gathering ideas from guests, including establishing better information-sharing mechanisms across sectors and making State of Vermont IT contracts available for use by local government entities.

The meeting focused on updating the status of Meeting 12 items, which had no revisions, and the review and approval of the Annual Report. Sector-specific updates were provided, covering Electric Utilities (planning a meeting in February), Healthcare (working group member identification), Essential Supply Chain (first working group meeting held), and Water and Wastewater (ongoing discussions on operator support). The Coordinator reported activities mainly concerning the State and Local Cybersecurity Grant Program (SLCGP). Feedback included a suggestion from CISA regarding funding for basic cybersecurity appliances for a community in need, leading to a follow-up meeting. Discussion occurred regarding moving the July meeting to August 4th to coincide with the Annual Vermont Digital Summit, though no decision was reached. A motion was approved unanimously to officially adjourn the meeting.

This strategic plan, developed by the Cybersecurity Advisory Council, aims to advance the cybersecurity readiness of Critical Infrastructure operators in Vermont. It proposes a tiered approach to support organizations based on their maturity levels, encompassing training, risk management, and information sharing. The plan outlines five core strategies: Outreach and Awareness, Building Strong Partnerships, Multiple Tiers of Support, establishing a Universal Incident Response Plan Template, and fostering a Community of Vermont Organizations for Cyber Information Sharing. Key goals include enhancing cybersecurity awareness and preparedness, building collaborative relationships, and ensuring continuous improvement for critical infrastructure and municipalities.