Vermont Agency of Digital Services

The Council discussed legislative updates, including the status of Senate Bill 213 and its implications for water system operators. Sector-specific reports were provided for the energy, healthcare, and water/wastewater sectors. Challenges regarding membership recruitment in certain sectors were highlighted. The Council also considered moving their next meeting to coincide with the state's upcoming digital summit in order to foster greater engagement with stakeholders.

This report details the establishment and initial work of the Cybersecurity Advisory Council, mandated by Act 71, to assess and enhance the cybersecurity posture of critical infrastructure entities in Vermont. It outlines the council's legislative background, membership, and activities through January 25, 2024, including the development of a cybersecurity preparedness survey. The council's planned activities for Fiscal Year 2024 focus on reviewing legislative definitions, administering the survey, compiling results, and developing future plans to safeguard the State's public and private sector against cyberattacks.

The council discussed legislative updates regarding Senate Bill 213, noting a shift toward non-binding guidance for water systems. Membership updates confirmed no changes for the current year. Sector-specific working groups provided updates on energy, healthcare, water/wastewater, and essential supply chain activities. The council reviewed the Cybersecurity Pillars strategic framework, which utilizes a maturity model for municipal cybersecurity. Additionally, the group addressed federal funding status for municipal cybersecurity and examined the economic and operational implications of the Cybersecurity Maturity Model Certification (CMMC) for the state's defense industrial base.

This document presents the Cybersecurity Advisory Council's strategic plan for enhancing the cybersecurity of critical infrastructure and essential supply chains within the State. The plan addresses different levels of organizational maturity through three tiers: training and planning, risk management, and information sharing and collaboration. Key objectives include increasing cybersecurity awareness, improving preparedness, fostering a collaborative community for information sharing, developing a universal incident response plan template, and promoting continuous improvement. The plan's implementation is phased, with initial efforts beginning in 2025 and extending into 2026, focusing on organizations supporting Vermont hospitals.

The tenth meeting of the Council focused on the advancement of sector-specific cybersecurity plans, moving away from a one-size-fits-all assessment approach. Key discussions involved developing customized roadmaps reflecting unique cyber risk profiles for sectors such as healthcare, water, energy, and manufacturing. The council unanimously adopted a motion to pursue a sector-specific approach for sub-plan development. Discussions also covered effective engagement of sector representatives, leveraging state and federal partners like CISA, and promoting pragmatic steps such as using CIS Controls version 8.1. Insights were shared from a tabletop exercise involving the Town of Brandon, highlighting challenges for smaller systems. The next meeting is scheduled for November, with progress reports expected.