Cybersecurity statutes (background)
In plain terms. Vermont runs state IT through its Agency of Digital Services and protects personal information by statute.
Who it applies to. State agencies and their IT vendors; the data-protection statutes also reach businesses handling Vermonters' personal information. The state participates in StateRAMP, which serves as its baseline for vetting cloud-service security.
What it requires. State law establishes the Agency of Digital Services, sets standards for state contracts (including privatization contracts), and protects personal and personally identifying information.
Why it matters. Vendors serving Vermont must meet the state's contract standards and protect any Vermont personal information they handle.
Citation. Vt. Stat. Ann. tit. 3, §§ 3301-3306 (Agency of Digital Services) and §§ 341-349 (Standards for Contracts); tit. 9, §§ 2430-2447 and tit. 20, §§ 4651-4652 (Protection of Personal Information).
Regulations & policies (background)
In plain terms. Vermont applies its information-security standards and standard IT contract terms to vendors.
Who it applies to. State agencies and their IT vendors.
What it requires. The State of Vermont Information Security Standards, plus standard contract provisions and information-technology terms and conditions, define the security requirements vendors must meet.
Why it matters. Expect Vermont's information-security standards and standard IT terms to govern your contract.
Citation. State of Vermont Information Security Standards; Contract Attachment C (Standard State Provisions) and Attachment D (Information Technology Terms and Conditions).