Meetings
Transcript: Select text below to play or share a clip
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: Good
[Senator Anne Watson (Chair)]: morning, this is Natural Resources and Energy. It is Tuesday, February 24, and we are starting with a new draft of S-two 23, hopefully up for a vote here this morning. So, welcome.
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: Thank you. Thank you.
[Senator Anne Watson (Chair)]: Okay. So we'll simply just walk through the changes and see And
[Michael O’Grady (Legislative Counsel)]: I'll overview anything that has changed. Okay. That's fantastic.
[Senator Anne Watson (Chair)]: Yeah. That's
[Michael O’Grady (Legislative Counsel)]: great. This is my integrated website. The council has asked me, you heard some testimony from interested parties about amending the substance of 02/23, and that's what this draft does. First, change is in the creation of the group, the water quality lake classification and impact degradation study group, and it's going to do all of the things. Its purpose is to do what you tell it to do in the powers and duties, which is reviewing existing classified waters of the state of Canada waters and water quality data, supporting reclassifications, assessment of anti degradation requirements, examination of the regulatory framework for Class A waters, and examination of the adequacy of the current water classification system for lacinoptic. That's a summary of what you actually tell them to do and self secrecy. So that is their authority and their power, And then based on their evaluations, they recommend to you legislative or policy changes to strengthen environmental protection, provide regulatory certainty, and support public key citizens of state law. There are 11 persons on the work group. Two house, two senate secretary of health resources are designated to CDC water quality scientists, two representatives of business that interact with water barley permitting, two persons representing nonprofit environmental advocacy group, and one person from the Federation of Lays and Bonds. Then you get to that specific list of what their powers and duties are. First, they're going to develop an inventory of waters of the state with the existing classifications, including those counted as high quality waters that could meet or exceed the minimum criteria for reclassification. Then page three, line three, and four, the change that you discussed last week assess the state's obligation under the federal Clean Water Act with respect to adoption of an anti degradation rule. You wanted to freeze that reference to the Clean Water Act as it was enacted as of 01/01/2026. So if it it's changed significantly, you are still referencing those sectors twelve fifteen under thirteen eighty eight and thirty three USC. And what are you gonna do with that? You're gonna look at the adoption of an anti degradation rule to implement the state's anti degradation policy, including an evaluation of what the state and federal parties are for that and whether there are practical or legal barriers for compliance. Then page three minuteus nine and thirteen, you're going identify and evaluate the statutory and regulatory framework rules, policies, procedures of the government of that state waters, including whether modifications are needed to facilitate the reclassification of the water, adequate and detached and support designated in the existing water. You have a new subdivision, not really new, it's just the rewording to evaluate whether the existing water classification in the state, the latest statutory and regulatory frameworks, provides regulatory security and actively addresses current consented threats for the water quality and that's lot of integrity in the state's latest government.
[Senator Anne Watson (Chair)]: Can I ask the question? I believe you wanted them switched, that you wanted potential threats first and regulatory stat surgery second.
[Michael O’Grady (Legislative Counsel)]: That's what I knew what that was. Oh, okay.
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: We knew it was some different part
[Michael O’Grady (Legislative Counsel)]: of the No. Can I just related statutory and regulatory frameworks provide ecological integrity? So what's your Protect ecological integrity. Decide ecological integrity, provide regulatory certainty. Well, I think and then I put second, but I could drop the court on the hypothetical question then, like, towards some certainty. Okay. Alright. I'm sorry. And then the rest of it is largely the administrative requirements for work groups and study committees, has the assistance of ANR and the council. The change of date for the report is 12/15/2026. The first meeting is called by the Secretary of Natural Resources, but at the first meeting, there's going to be a chair elected from one of the four legislators. Study group ceases to exist on 02/15/2027, and both you and the members of the public that are not otherwise compensating get compensation for eight meetings. Then the act gets back on passage, first meetings by August 1. Okay.
[Senator Anne Watson (Chair)]: I'm okay with this language pending this change of order. Any other thoughts from the committee?
[Michael O’Grady (Legislative Counsel)]: If you want, you can vote contingent on that change.
[Senator Anne Watson (Chair)]: I am okay with that. I know sometimes it's it's good to see the language. How long would you say it would take you to swap that out?
[Michael O’Grady (Legislative Counsel)]: And fifteen minute stops.
[Senator Anne Watson (Chair)]: Can What dinner? Are you busy? Are you are you
[Michael O’Grady (Legislative Counsel)]: No. I'm good. Stick around for the next testimony, but you can all tell me what that has to say. But so Okay.
[Senator Anne Watson (Chair)]: Alright. Okay. So maybe if we can have you back whenever Sure. Whenever you're ready, it will come back perhaps between commissioner Hughes, Brett Hughes, and Joan Goldstein. We'll see if we can. I don't want you to vote online unless I see it. Yeah, I think that it was fair. So we'll hold off on that vote for now. Okay. I think we should do. Are you ready? Yes. Okay. So we're going to switch topics to S213. Currently labeled as relating to SmartAssist, but I think the
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: name may be changed. Yeah. Okay.
[Senator Anne Watson (Chair)]: Don't formally know to be Yes. Smart
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: Hey. Hi. How are you? Hello. I'm really hot.
[Senator Anne Watson (Chair)]: Chat please.
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: It is. Great. Welcome. Thank you.
[Senator Anne Watson (Chair)]: Yeah, for sure. Thank you for being here. And I know you have Oh, sorry, we're on S213 now, which is about Like, strap. Oh. Well, I do grab it. We don't have a hand to the truck. It's still 1.1. Michael had questions. So he was raised. Yes. I believe it's 1.1. I guess there's another one. That's the most recent one, but I think if I'm not mistaken, Richard has some suggestions for So I'm
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: going to
[Senator Anne Watson (Chair)]: turn it over to you.
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: Thank you. Senator Robert, I am Denise Rutland District. I'm the Secretary for the Agency Digital Services. I'm also the state's Chief Executive Officer. And I had the pleasure of having a couple of conversations and was invited to testify specifically to the cybersecurity language, but also governance concepts in general. So I provided an in mouth to meeting members and to Madam Chair, I'm assuming there's not. Not posted yet. I didn't know what she had. I will post it now. 1.1. Perfect. And I wanted to provide the memo just as a brief explanation as far as what the changes are that were proposed under ADS. I want to talk a little bit about the cyber advisory council and the work it's done over the last few years and the importance of this council when it comes to statewide cyber preparedness for critical infrastructure. And would be happy to start in any place.
[Senator Anne Watson (Chair)]: I think it might make some sense to start too broadly, about cybersecurity, how that is working, then we can narrow down to your suggested language. Does that sound good? So I'm
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: going to go really, really high level and talk about Cyber Advisory Council specifically, and this was a council that was put into law a few years ago, and it was at the, with the focus of ensuring a of silo preparedness for group infrastructure sectors across the state. So we've got a lot of representation and have issued a report each year. The very first year, we issued a report on the intent of what we would be doing, the membership that we had convened, and then we issued a survey across the state. Although we could have thousands of respondents, we ended up having a couple 100 respondents participate and were able to share the varying degrees of both cyber cybersecurity awareness, awareness and preparedness in each of their sectors. And it was done anonymously because the committee is, or the council rather, is not there to be regulatory, it is there to be a guidance advisory placed. The council meets, at this point we're meeting every other month because we've broken up into subcommittees. And ironically enough, yesterday, the water sector met, the subcommittee met and did bring up this topic and talked about cybersecurity overall. Now, when we look at cybersecurity in state government, the Agency of Digital Services provides a level of cybersecurity operations response and support to all of the state government. And then when it comes to any of the outside of state government, we find that our partners, who are Vic or Homeland Security or FBI, they are our adjacent partners in support of each of those areas. You think of water treatment facilities, water distribution organizations, electric fuel utilities, school, some school districts would be part of that critical infrastructure sector too, hospitals, healthcare, and state government. So we are our own critical infrastructure sector. So when we look at state, many times each of the sectors are supporting and providing support and services to the same residents and the same providers. So having that level of consistency is really important. And when we look at cybersecurity in general, the philosophy is zero trust and assume breach. So we know that it's not a foolproof, there's nothing perfect. And the attorney general's office has some strong cyber breach language around reporting notifications, protection, it is an evolving space overall. So the advancements of artificial intelligence and the changes that are happening within that area of technology, it is putting some more heightened awareness on cybersecurity as well, because it's all touching the same data. And when it comes to how organizations prepare, there's varying differences depending on what it is that they're supporting. So if we were to look specifically at the water sector, and before we get further into the details, I'm not sure if this committee has had the opportunity to meet with members of the water sector, but there are municipalities and users, owners, if it's not the word I'm in before, that's amazing. That word just went, the people who run those facilities across the state. Operators, thank you so much. That is such an easy word. I would highly recommend to give them the opportunity to come in here and also share because they have been working both with the council and among each other to create some of those best practices that is influencing other sectors, but also allowing the level of operations that is in support of residents and users of water.
[Senator Anne Watson (Chair)]: They have been in. Yeah. Perfect. So when we talk about smart metering,
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: one of the things that I wanted to focus on in the recommended language changes that we sent over is that concept of future proofing. Technology is advancing at a rapid rate. So if, let's just make some assumptions. If this bill passed through, Senate went to house, passed through, got approved and went into law, say July 1. By December, that language from a technology perspective would likely already update. And so that's a high risk to being super specific in bill language when it comes to technology, but also when it comes to the advancements of cyber governance and cyber framework too. So we use NIST standards, we just recently updated language within the standards. And so as those standards continue to improve and if new standards come out, that changes the expectation and the requirements at a higher rate and at a faster rate than what law language can keep up with. And so one of the recommendations I had was to not create a distinction between wired and wireless because it would be irrelevant, likely in a short frame of time, and allows you to keep that fundamental concept of a meter as a technology device itself. And so I know it seems a little messy in how the bill draft is, but it was basically a cross out and rewrite of the definitions.
[Senator Anne Watson (Chair)]: Thank you for posting the bill. Secretary Riley also sent, and I forwarded it to you over the weekend, this memo that she's referring to and her suggested amendments to the draft, and I'm wondering if we could post those so everybody else in the committee can see them.
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: Do you want a copy to the committee?
[Senator Anne Watson (Chair)]: I don't know if people want paper copies or not, Sure, but sure.
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: And I really apologize because my wonderful legislative support resource has been out sick, and so all that magic that usually happens did not.
[Senator Anne Watson (Chair)]: That's okay. And I think our legislative council attorney had some questions for you and unfortunately we had to just send him out of the room to do something else, but If I take
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: my time to talk to them. Yeah, maybe. So that was the intent and purpose behind modifying and changing. So you would have said that the units metering, I removed wireless wired meters or meters. I had an opportunity, so I lived in a small town that services just over 500 residents with water. We're getting the opportunity to speak with Ruth Chambers who also the water operations for Springfield Town at point in time. Springfield is a town manager, but gave me some background around the longevity of these devices. Currently right now, I believe it is recommended to replace every twenty years and most towns are well past that at this point. When you look at twenty years being for operational support, now you're looking at allowing these devices to make out the bat. I anticipate with about 500 users that it's going take them over two years to do that because it's everything outside of the house. So that concept is going be really important when we look at cybersecurity data and operations, is the metering devices sit outside of the home. And if there is anything with the plumbing or the wiring on the backside of the device forward into the home, the meter has nothing to do with that. So that would be on a homeowner and that's likely why some of that multi meter effort timeframe has been scheduled for them. The meter itself is built with technology that listens and it doesn't listen at the data side, it actually listens for vibration. So it's listening for data flow and these devices are touching the operating technology, the OT. They're touching the water flow, but it's tracking water flow on the outside of the home, not on the inside of
[Senator Anne Watson (Chair)]: the home. So that's
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: a really important distinction when we start looking at cybersecurity is that if the cyber considerations of these devices, whether or not it's radio technology, and I believe that there's even ways of putting radio towers up to be able to do more real time monitoring, Bluetooth. There's different types of frequencies to use on that front side of the house. And when it picks up certain vibrations, it can identify leaks and it can identify where those leaks are depending on where it's hearing the sounds on those smart meter devices. So that's what they care about. What it's not listening to is whether you flushed that day, and how many times that you did, and whether or not they were using the water. And I think that's really the distinctions because the technology is simple. It's monitoring the water distribution in the pipes, and it's monitoring for sound in the pipes because of the high risk, especially of aging infrastructure, you'll be able to isolate and identify where it is without waiting for water pooling into a road or road degrading or something is the worst happening. And so that is from a technology lens that definitely explains at least to us in ADS where the technology is sourced information and data. When we say from a radio frequency standpoint, you can drive by a road, and because you have the receiver, you're on almost like a two way radio, you can pick up the rear knee. And again, that's not on the inside of the house, it's on the outside. So it's all that exterior to the water connection at the home. And it is looking at that number alone. And that number goes to the town office and it syncs up to a resident account. What it never does is it never touches water distribution. So it's not actually touching the operating system of the water treatment facility. And so that, I think is a big distinction when we look at all of what we're trying to solve in putting cyber language into a permitting section of, because that's a high risk as well, is that what happens if they're two years delayed and they're rolling out that their permit renews and all of a sudden they put cider's prudent language around in conditions of authorizing permitting principles for towns. And so that's an area where I can tell you we're not equipped to handle that
[Michael O’Grady (Legislative Counsel)]: in
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: supporting ANR. And I know that they don't necessarily have those expertise to make those determinations because going back to that zero trust and assumed reach is that what's our risk acceptance level in this space? And that's why it's really important that we look at the work that the cyber advisory council is doing, because the cyber preparedness allows towns and municipalities who are delivering these types of services an opportunity to assess their preparedness and their readiness, which when they have infrastructure like this, that would be inclusive of their assistance, but not necessarily permanent violence.
[Senator Anne Watson (Chair)]: But you do have language suggestions to keep it sort of, as I've said on
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: the call, we've had some really great conversations around, I know that this committee would like to not see this language removed, that you want to add cyber security as an intentional effort when you're talking about modern technology on critical infrastructure systems. And I can appreciate that. And so you will see my recommendations on page five, starting on line seven. And this is where I'm way over my sleeves on this one. I'm a lawyer, I'm a CIO, I'm a technologist, but when I look at bills, thinking like a technologist, look at the applicable use and how we can make this happen, kind of similar how we look at projects and solutioning projects and how do you apply the technology to the business intent. And so there is a section sixteen seventy two, which is the authority of the Secretary of ANR that would allow us to focus on the work of the Cybersecurity Council, but allow whoever the secretary is at the time, but secretary more now, in engaging the cyber advisory council, which also has the representation of that critical infrastructure sector, and focus around those best practices and also targets the relevant information around metering systems and customer data so that the language now in, if you were to adopt this language, would focus on the integrity and security of customer information. It would focus on the advancements of technology, calling out metering specifically, but not limiting it to metering because you couldn't put devices in other places at some point in time, but it also puts some oathens on the council to ensure that state has a level of center preparedness in this space and that the secretary has the authority to require the council to work with her partners in
[Senator Anne Watson (Chair)]: that space.
[Bryan Redmond (Director, Drinking Water and Groundwater Protection Division, VT DEC)]: Yes, ahead.
[Senator Anne Watson (Chair)]: So I don't know if this is what Michael's question was, the language, and I think I'm the only one who might be saving. But it says the secretary may allow the cybersecurity advisory council to issue non binding guidance, etcetera, etcetera. I, both Senator Watson and I worked on this, the creation of the Cybersecurity Advisory Council, but I can't remember. I don't think the secretary has authority over that council. I do. You do. This is the secretary of ANR, I think.
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: So it would be applying under the sector. So as the secretary under ADS, what the council falls under, I don't have authority across critical infrastructure sectors, nor should I. I do have authority in the work that the council is doing to support all of the critical infrastructure areas. When I look at cybersecurity as a team sport, now puts language in there where another secretary who is responsible for one of the critical infrastructure sectors has to recognize the cyber advisory council, but also understands where that cyber advisory and where that cyber guidance would need to come from. So may allow could be not the right legal language to use.
[Senator Anne Watson (Chair)]: Yeah, it might be request instead of allow, but may request a cybersecurity advisory council because allow is kind of a weird word in the statute, but- I defer to the experts. Yeah, Michael might have other suggestions here. Don't want to speak for him because he didn't specifically tell me what his questions were, but that was one thing that popped up for me is we kind of made one, I always want to make sure that the sort of lines of authority are clear in statute. And if you're the secretary that has oversight, it might be a little confusing for the council, but And I think it's important to, this would
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: be the first time that we would see language in, that we have visibility into a DES, where it really enforces that cyber security support contract without unintentionally distributing the authority in the wrong places so that we then don't lose cover. But it also creates some onus on the cyber advisory council in our regular reporting to start getting a little bit more specific in each one of the sectors around where there were some advancement or preparedness to avoid cyber response efforts to have to take place.
[Senator Anne Watson (Chair)]: And then the other sector that- it's Hey, Michael, I was just asking a question about the sled. It's four years, right? 02/13. I'm not sure if it was the same question to you, Kenneth, but
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: And actually while we're paused, so it's it's not on the website yet. Which? Oh, the suggested language. Put Yes. I put the suggested language on the website. So I don't have a physical copy. Okay. That's I don't
[Michael O’Grady (Legislative Counsel)]: Is anybody else having trouble getting to the the modern legislature?
[Senator Anne Watson (Chair)]: I'm not. My my You are? Okay. Alright. Okay. I'm I'm on paper, but Okay. That tells you forwardness.
[Michael O’Grady (Legislative Counsel)]: Think I'm gonna do something.
[Senator Anne Watson (Chair)]: You don't have it. You're not able to look at it. I apologize. No, that's okay. I'm gonna just forward this. You're already gonna forward it? Okay. Cool. But the language sorry, Michael. I
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: don't want to do this before you're ready.
[Senator Anne Watson (Chair)]: Send a few people to Michael here. Well, this isn't her is this oh, yeah, it is.
[Michael O’Grady (Legislative Counsel)]: So what is it possible?
[Senator Anne Watson (Chair)]: So in the suggested language, which is right, On the cybersecurity guidance, she was suggesting this language about the secretary may allow the cybersecurity advisory council, and that seemed a lot to me.
[Michael O’Grady (Legislative Counsel)]: So I regret it. I apologize.
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: I'm not the expert in legal language.
[Michael O’Grady (Legislative Counsel)]: So it says upon the request of the secretary, the secretary is to bind as the secretary of natural resources. Cybersecurity advisory council shall develop nonbinding guidance for public water systems regarding generally accepted cybersecurity practices, including information relevant to metering systems and customer data. The council may issue this guidance as part of its annual report and any other outreach method utilized by the council specific to public water systems or other critical infrastructure systems. That sounds great.
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: So I just would love to see that in more. So I know shall is the big one because I don't want to limit the capacity of all of what they would report on necessarily.
[Michael O’Grady (Legislative Counsel)]: But it's upon secretary's request.
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: Yes. And that was flagged before you change your affairs. Allow is a terrible word and that will never use it again. And I think the intent too was to not create a unintentional locker to service interruption by putting it under the permit section. And so this is where this has an opportunity to repeat itself year over year in the reporting, but also the work of the council membership too, and committees, subcommittees rather.
[Senator Anne Watson (Chair)]: So ten BSA sixteen seventy two is the cybersecurity advisory council.
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: Sixteen seventy two is the authority of the secretary of the agency of natural resources. Oh, which is why I didn't assess by natural resources. And having it be a new section doesn't, you know, this is where the experts would be able to better, you know.
[Senator Anne Watson (Chair)]: So you get to one of your earlier points, this framing of it decouples the requirement for cybersecurity as a condition for permitting.
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: Correct. Okay. Correct. But also when you couple it with permitting, you are creating regulation for cybersecurity, which will outgrow itself very, very, very fast. You will be in this committee updating that language every year.
[Senator Anne Watson (Chair)]: You feel that this language does not create a net bump?
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: No. A couple of them. I want to take a little bit of time with the appreciative rewrite to see, but this is what the cyber advisory council meets on regularly. Is, like I said, there are representation in the operators to its service as well. And so this doesn't block residents from not receiving their water because cybersecurity is tied to their permit. Yes. So one
[Senator Anne Watson (Chair)]: thing is that you did draft it as part of 1675, which is the permits conditions. I think I'm not going to speak for you, but I think I just heard you say you'd prefer it, Secretary Riley, to be in the sort of duties of the secretary instead of in the permitting section, just so it doesn't create some ties for a thing.
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: Which subsection is six months ago?
[Michael O’Grady (Legislative Counsel)]: It's a new subsection in that language. It's not a permanent condition, and it is part of what would be necessary for them to operate. Not It's not a permanent condition, it's not a permanent requirement, it wouldn't prevent service of water, but it is part of their conditions for operation.
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: So I think this is where, when I have my technology hat on, I want to respectfully disagree with that because the permitting is irrelevant of cybersecurity. So we could be running into cybersecurity if this is where our job is to protect all of you so that you don't know how bad it really is or could be. And when you create the authority or the responsibility under the secretary's authority, it is creating internal cross agency collaboration as a requirement, but it also creates a level of responsibility of cybersecurity in the work that the agency of natural resources is doing specifically for water operators as a critical infrastructure area. There are cyber risks all the way around. We look at calling out smart metering specifically and independently of all of the cyber risks that could exist across that sector, the technology is not touching the OT. It's not touching the operating environment, and that's not what it is meant to do. So the meter itself, like I said, the vibrations piece is really important to look at what it's listening for, is flow and vibrations. Which by the way
[Senator Anne Watson (Chair)]: is fascinating. I'm not, like just from a physics perspective, oh gosh, I'm so quirky.
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: Yes, know what sound,
[Senator Anne Watson (Chair)]: yeah, It's amazing. Senator Hardy. I'm just I'm just looking at the statutes right now to see the, because this is If we put it in 1672, that's the authority of the secretary as related to public water supplies. Does that not make sense, Michael, to put it there? Or are you looking
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: We do have an expert from the ANR who can kind of speak to the audience that we have with water operators, if that helps in this is that I believe you're in the high 90 plus percent range of water operators being municipal. Applies.
[Michael O’Grady (Legislative Counsel)]: I think it's fine.
[Senator Anne Watson (Chair)]: Sorry. I apologize. This otherwise engaged with what is the question?
[Michael O’Grady (Legislative Counsel)]: I said I think it's fine to include it in 10 BSA sixteen seventy two, the authority of the Institute of Natural Resources.
[Senator Anne Watson (Chair)]: Okay. You're comfortable with that? Okay.
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: I'm looking at ANR. I at UDF comfortable with that when it comes to the Cyber Advisory Council, we would be prepared to support. Okay.
[Senator Anne Watson (Chair)]: Would you mind just introducing yourself briefly for the record? If you would like to comment on that at all.
[Bryan Redmond (Director, Drinking Water and Groundwater Protection Division, VT DEC)]: For the record, Brad Rutland, the director for the Drinking Water and Grower Protection Division. Secretary Riley, he's not talked about this on Friday. I do think that they originally had come over in the rule making section 1672B, and I think a new subsection under sixteen seventy two, given that aspirational nature, we don't intend to approve these requirements in the rule for all the reasons the secretary described. So I think that that makes sense to me. I'm glad you're here
[Senator Anne Watson (Chair)]: to talk about it, but I think that would be something. Thank you. Okay. Anything else that you wanna point out from your recommended language?
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: The only other thing I want to say is this section after I get a chance to read the recommended changes of my changes, this is language that I've been able to see repeated across the other sectors that are in there so that we truly do look at the repeatability piece. I think we had an opportunity to talk through that where 2016 was the last law change for public service department when it came to electrical and gas utilities using smart metering. And so the language is very, very different. The intent of that language versus the use versus the authority even of that language is vastly different. And so when we look at operating for the same resources and the same residents, way that this language is drafted, my hope would be, it would be repeatable in other secretary authorities to say that we need to create some heightened awareness and that the cyber advisory council's work becomes more consistent across sectors around cyber preparedness for real estate. Interesting. There's also, I do want
[Senator Anne Watson (Chair)]: to just share too, and
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: this is not something that the committee is going to want to take up now, but it is something that you're going to want to hear about as we continue on is there is homeland security grant funding that is, we call it a state local cyber grant program. The state of Vermont is going into our second year and it is actually targeting this to be of use for municipalities, specifically to the work that they're doing across the critical infrastructure area. So when we talk about the resource they needed to do assessments, to do reviews, to influence the data that goes into the report, but also allow municipalities to have levels of cyber preparedness for water systems, for electric systems, which also municipalities are running, or the use of that at other critical infrastructure sectors like hospitals or schools, that work is really important. This opens up the door for that grant funding to be used more broadly across the state for meetings about these two, so that HRAS would become a big cost burden for tax breach.
[Senator Anne Watson (Chair)]: So to your point about this language being replicated in other areas, the bill does the water, but also electric meters. So are you suggesting putting the same language in Title 30 about for the secretary of the department of public service room?
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: The language that you have listed in the bill here doesn't align to what 1672 would do for the Secretary of Agency of Agencies Resources Authority. So this would be, that's something separate. So I would just wanna go back and revisit that for The USA 2811.
[Senator Anne Watson (Chair)]: Oh, just see whether it makes sense there. So you're not recommending it at this point, but-
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: I'm not recommending it for 2811 necessarily, but I do wanna go back to look at where in that authority, if we can reuse likely the redrafted language, but the the cybersecurity guidance language in working with the council so that the sector is represented consistently across different sectors. Okay. I'm
[Senator Anne Watson (Chair)]: confused. So what I am hearing you say is that you may come back with yet another set of suggested language or, I mean, that's one possibility. Another possibility is that we ask the house to fix that.
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: I love that idea. I think that's really wonderful.
[Senator Anne Watson (Chair)]: Okay. Yeah. A little bit more complicated there because of the federal cybersecurity requirements for electric and gas utilities, and the interaction with the PUC. I don't know for sure, but I'm going to guess it's going be more complicated, and we wanted to get this bill out this week.
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: Yeah, no, really support your plan, and really my thought was is that just this language that would be going into 1672 is written in a way that's repeatable when necessary. When ready, yes. Okay. And so that's all, is the repeatability thing is, and allows consistency. Do I want to have this?
[Michael O’Grady (Legislative Counsel)]: Sure. Can I ask a question?
[Senator Anne Watson (Chair)]: Yes.
[Michael O’Grady (Legislative Counsel)]: In your suggested edits that you said, as Senator Hardy sent me, you changed the term electric company to Utility Distribution Service Organization, which is much
[Denise Reilly-Hughes (Secretary, Agency of Digital Services; State CIO)]: broad