§ 3303. Reporting, records, and review requirements
(a) Annual report and budget.
(1) The Secretary shall submit to the General Assembly, concurrent with the Governor's annual budget request required under 32 V.S.A. § 306, an annual report for information technology and cybersecurity. The report shall reflect the priorities of the Agency, and shall include:
(A) performance metrics and trends, including baseline and annual measurements, for each division of the Agency;
(B) a financial report of revenues and expenditures to date for the current fiscal year;
(C) costs avoided or saved as a result of technology optimization for the previous fiscal year;
(D) an outline summary of information, including scope, schedule, budget, and status for information technology projects with a total cost of $500,000.00 or greater;
(E) an annual update to the strategic plan prepared pursuant to subsection (c) of this section;
(F) a summary of independent reviews as required by subsection (d) of this section; and
(G) the Agency budget submission.
(b) Records. The Agency shall maintain the following records for information technology projects with a total cost of $500,000.00 or greater:
(1) A business case, including life-cycle costs and sources of funds for design, development, and implementation, as well as maintenance and operations. The business case shall include expected benefits, including cost savings and service delivery improvements.
(2) Detailed project plans and status reports, including risk identification and risk mitigation plans.
(c) Strategic plan. Biennially, on or before January 15, the Secretary shall prepare and submit a strategic plan for information technology and cybersecurity. The strategic plan shall include:
(1) the Agency's vision, mission, objectives, strategies, and overarching action plans for information technology within State government; and
(2) an update on the information technology goals for State government for the following fiscal year.
(d) Independent expert review.
(1) The Agency shall obtain independent expert review of any new information technology projects with a total cost of $1,000,000.00 or greater or when required by the Chief Information Officer.
(2) The independent review shall include:
(A) an acquisition cost assessment;
(B) a technology architecture and standards review;
(C) an implementation plan assessment;
(D) a cost analysis and a model for benefit analysis;
(E) an analysis of alternatives;
(F) an impact analysis on net operating costs for the agency carrying out the activity; and
(G) a security assessment.
(3) The requirement to obtain independent expert review described in subdivision (1) of this subsection (d) may be waived by the Chief Information Officer if, in his or her judgment, such a review would be duplicative of one or more reviews that have been, or will be, conducted under a separate federal or State requirement. If waived, such waiver shall be in writing and in accordance with procedures established by the Chief Information Officer. (Added 2019, No. 49, § 5, eff. June 10, 2019.)