The Vermont Statutes Online
NOTE: The Vermont Statutes Online is an unofficial copy of the Vermont Statutes Annotated that is provided as a convenience.
NOTE: The online version of the Vermont Statutes does NOT yet include the actions of the 2023 legislative session. The 2023 updates should be available by the end of October.
§ 3303. Reporting, records, and review requirements
(a) Annual report and budget. The Secretary shall submit to the General Assembly, concurrent with the Governor’s annual budget request required under 32 V.S.A. § 306, an annual report for information technology and cybersecurity. The report shall reflect the priorities of the Agency and shall include:
(1) performance metrics and trends, including baseline and annual measurements, for each division of the Agency;
(2) a financial report of revenues and expenditures to date for the current fiscal year;
(3) costs avoided or saved as a result of technology optimization for the previous fiscal year;
(4) an outline summary of information, including scope, schedule, budget, and status for information technology projects with total costs of $500,000.00 or greater;
(5) an annual update to the strategic plan prepared pursuant to subsection (c) of this section;
(6) a summary of independent reviews as required by subsection (d) of this section;
(7) the Agency budget submission;
[Subdivision (a)(8) as added by Act 132]
(8) an annual update to the inventory required by section 3305 of this title; and.
[Subdivision (a)(9) as added by Act No. 185]
(9) a report on the expenditures of the Technology Modernization Special Fund, a list of projects receiving funding from the Fund in the prior fiscal year, and a list of prioritized recommendations for projects to be funded from the Fund in the next fiscal year.
(b) Records. The Agency shall maintain the following records for information technology projects with a total cost of $500,000.00 or greater:
(1) A business case, including life-cycle costs and sources of funds for design, development, and implementation, as well as maintenance and operations. The business case shall include expected benefits, including cost savings and service delivery improvements.
(2) Detailed project plans and status reports, including risk identification and risk mitigation plans.
(c) Strategic plan. The Secretary shall prepare and submit a strategic plan for information technology and cybersecurity, concurrent with the Governor’s annual budget request required under 32 V.S.A. § 306. The strategic plan shall include:
(1) the Agency’s vision, mission, objectives, strategies, and overarching action plans for information technology within State government; and
(2) an update on the information technology goals for State government for the following fiscal year.
(d) Independent expert review.
(1) The Agency shall obtain independent expert review of any new information technology projects with a total cost of $1,000,000.00 or greater or when required by the Chief Information Officer.
(2) The independent review shall include:
(A) an acquisition cost assessment;
(B) a technology architecture and standards review;
(C) an implementation plan assessment;
(D) a cost analysis and a model for benefit analysis;
(E) an analysis of alternatives;
(F) an impact analysis on net operating costs for the agency carrying out the activity; and
(G) a security assessment.
(3) The requirement to obtain independent expert review described in subdivision (1) of this subsection (d) may be waived by the Chief Information Officer if, in his or her judgment, such a review would be duplicative of one or more reviews that have been, or will be, conducted under a separate federal or State requirement. If waived, such waiver shall be in writing and in accordance with procedures established by the Chief Information Officer. (Added 2019, No. 49, § 5, eff. June 10, 2019; amended 2019, No. 131 (Adj. Sess.), § 5; 2021, No. 74, § E.105; 2021, No. 132 (Adj. Sess.), § 2, eff. July 1, 2022; 2021, No. 185 (Adj. Sess.), § E.105, eff. July 1, 2022.)