| 1 | A bill to be entitled |
| 2 | An act relating to the Agency for Enterprise Information |
| 3 | Technology; amending s. 14.204, F.S.; revising duties and |
| 4 | responsibilities of the agency; removing provisions for |
| 5 | the Office of Information Security and the Agency Chief |
| 6 | Information Officers Council; amending s. 20.315, F.S., |
| 7 | relating to the Department of Corrections; providing for |
| 8 | the department's data system to be managed through the |
| 9 | department's Office of Information Technology; removing |
| 10 | reference to the Justice Data Center; amending s. |
| 11 | 282.0041, F.S.; removing the definitions of the terms |
| 12 | "agency chief information officer" and "Agency Chief |
| 13 | Information Officers Council"; revising the definition of |
| 14 | the term "primary data center"; amending s. 282.0056, |
| 15 | F.S.; revising requirements for development of an annual |
| 16 | work plan by the agency; amending s. 282.201, F.S.; |
| 17 | revising duties of the agency; providing for submission of |
| 18 | certain recommendations to the Executive Office of the |
| 19 | Governor, the Legislature, and primary data centers; |
| 20 | removing a provision for an overall consolidation plan; |
| 21 | revising provisions for adoption of rules by the agency; |
| 22 | requiring publication of notice; revising duties of state |
| 23 | agencies; providing a schedule for state agency data |
| 24 | center consolidation; providing conditions for |
| 25 | consolidations; requiring the agency to make certain |
| 26 | reports; requiring development of transition plans; |
| 27 | amending s. 282.203, F.S.; revising duties of primary data |
| 28 | centers; revising provisions for service-level agreements; |
| 29 | revising provisions for membership of boards of trustees |
| 30 | of primary data centers; creating s. 282.206, F.S.; |
| 31 | designating the Northwest Regional Data Center as a |
| 32 | primary data center; repealing s. 282.3055, F.S., relating |
| 33 | to agency chief information officers; repealing s. |
| 34 | 282.315, F.S., relating to the Agency Chief Information |
| 35 | Officers Council; amending s. 282.318, F.S., relating to |
| 36 | enterprise security of data and information technology; |
| 37 | conforming to changes made by the act; deleting an |
| 38 | obsolete provision; amending ss. 282.34 and 287.042, F.S., |
| 39 | relating to statewide e-mail service and powers, duties, |
| 40 | and functions of the Department of Management Services, |
| 41 | respectively; conforming provisions to changes made by the |
| 42 | act; providing an effective date. |
| 43 | |
| 44 | Be It Enacted by the Legislature of the State of Florida: |
| 45 | |
| 46 | Section 1. Paragraphs (a), (g), (h), (i), (j), and (k) of |
| 47 | subsection (4) and subsections (5) and (6) of section 14.204, |
| 48 | Florida Statutes, are amended to read: |
| 49 | 14.204 Agency for Enterprise Information Technology.-The |
| 50 | Agency for Enterprise Information Technology is created within |
| 51 | the Executive Office of the Governor. |
| 52 | (4) The agency shall have the following duties and |
| 53 | responsibilities: |
| 54 | (a) Develop strategies for the planning, design, delivery, |
| 55 | implementation, and management of the enterprise information |
| 56 | technology services established in law, including the state data |
| 57 | center system services established pursuant to s. 282.201, the |
| 58 | information technology security service established in s. |
| 59 | 282.318, and the statewide e-mail service established in s. |
| 60 | 282.34. |
| 61 | (g) Coordinate technology resource acquisition planning |
| 62 | and assist the Division of Purchasing of the Department of |
| 63 | Management Services in procurement negotiations for technology |
| 64 | hardware and software products and services in order to improve |
| 65 | the efficiency and reduce the cost of enterprise information |
| 66 | technology services. |
| 67 | (h) In consultation with the Division of Purchasing in the |
| 68 | Department of Management Services, coordinate procurement |
| 69 | negotiations for information technology products as defined in |
| 70 | s. 282.0041 which will be used by multiple agencies. |
| 71 | (h)(i) In coordination with, and through the services of, |
| 72 | the Division of Purchasing in the Department of Management |
| 73 | Services, establish best practices for the procurement of |
| 74 | information technology products as defined in s. 282.0041 in |
| 75 | order to achieve savings for the state. |
| 76 | (i)(j) Develop information technology standards for |
| 77 | enterprise information technology services as defined in s. |
| 78 | 282.0041. |
| 79 | (j)(k) Provide annually, by December 31, recommendations |
| 80 | to the Legislature relating to techniques for consolidating the |
| 81 | purchase of information technology commodities and services, |
| 82 | which result in savings for the state, and for establishing a |
| 83 | process to achieve savings through consolidated purchases. |
| 84 | (5) The Office of Information Security shall be created |
| 85 | within the agency. The agency shall designate a state Chief |
| 86 | Information Security Officer who shall oversee the office and |
| 87 | report directly to the executive director. |
| 88 | (6) The agency shall operate in a manner that ensures the |
| 89 | participation and representation of state agencies and the |
| 90 | Agency Chief Information Officers Council established in s. |
| 91 | 282.315. |
| 92 | Section 2. Subsection (10) of section 20.315, Florida |
| 93 | Statutes, is amended to read: |
| 94 | 20.315 Department of Corrections.-There is created a |
| 95 | Department of Corrections. |
| 96 | (10) SINGLE INFORMATION AND RECORDS SYSTEM.-There shall be |
| 97 | only one offender-based information and records computer system |
| 98 | maintained by the Department of Corrections for the joint use of |
| 99 | the department and the Parole Commission. This data system shall |
| 100 | be managed through the department's Office of Information |
| 101 | Technology Justice Data Center. The department shall develop and |
| 102 | maintain, in consultation with the Criminal and Juvenile Justice |
| 103 | Information Systems Council under s. 943.08, such offender-based |
| 104 | information, including clemency administration information and |
| 105 | other computer services to serve the needs of both the |
| 106 | department and the Parole Commission. The department shall |
| 107 | notify the commission of all violations of parole and the |
| 108 | circumstances thereof. |
| 109 | Section 3. Subsections (4) through (30) of section |
| 110 | 282.0041, Florida Statutes, are renumbered as subsections (2) |
| 111 | through (28), respectively, and present subsections (2), (3), |
| 112 | and (19) of that section are amended to read: |
| 113 | 282.0041 Definitions.-As used in this chapter, the term: |
| 114 | (2) "Agency chief information officer" means the person |
| 115 | employed by the agency head to coordinate and manage the |
| 116 | information technology functions and responsibilities applicable |
| 117 | to that agency, to participate and represent the agency in |
| 118 | developing strategies for implementing enterprise information |
| 119 | technology services established pursuant to this part, and to |
| 120 | develop recommendations for enterprise information technology |
| 121 | policy. |
| 122 | (3) "Agency Chief Information Officers Council" means the |
| 123 | council created in s. 282.315. |
| 124 | (17)(19) "Primary data center" means a state or nonstate |
| 125 | agency data center that is a recipient entity for consolidation |
| 126 | of nonprimary data centers and computing facilities and is |
| 127 | established. A primary data center may be authorized in law or |
| 128 | designated by the Agency for Enterprise Information Technology |
| 129 | pursuant to s. 282.201. |
| 130 | Section 4. Subsection (1) of section 282.0056, Florida |
| 131 | Statutes, is amended to read: |
| 132 | 282.0056 Development of work plan; development of |
| 133 | implementation plans; and policy recommendations.- |
| 134 | (1) For the purposes of carrying out its responsibilities |
| 135 | under s. 282.0055, the Agency for Enterprise Information |
| 136 | Technology shall develop an annual work plan within 60 days |
| 137 | after the beginning of the fiscal year describing the activities |
| 138 | that the agency intends to undertake for that year, including |
| 139 | proposed outcomes and completion timeframes for the planning and |
| 140 | implementation of all enterprise information technology |
| 141 | services. The work plan must be presented at a public hearing |
| 142 | and that includes the Agency Chief Information Officers Council, |
| 143 | which may review and comment on the plan. The work plan must |
| 144 | thereafter be approved by the Governor and Cabinet and submitted |
| 145 | to the President of the Senate and the Speaker of the House of |
| 146 | Representatives. The work plan may be amended as needed, subject |
| 147 | to approval by the Governor and Cabinet. |
| 148 | Section 5. Subsections (2) through (5) of section 282.201, |
| 149 | Florida Statutes, are amended to read: |
| 150 | 282.201 State data center system; agency duties and |
| 151 | limitations.-A state data center system that includes all |
| 152 | primary data centers, other nonprimary data centers, and |
| 153 | computing facilities, and that provides an enterprise |
| 154 | information technology service as defined in s. 282.0041, is |
| 155 | established. |
| 156 | (2) AGENCY FOR ENTERPRISE INFORMATION TECHNOLOGY DUTIES.- |
| 157 | The Agency for Enterprise Information Technology shall: |
| 158 | (a) Collect and maintain information necessary for |
| 159 | developing policies relating to the data center system, |
| 160 | including, but not limited to, an inventory of facilities. |
| 161 | (b) Annually approve cost-recovery mechanisms and rate |
| 162 | structures for primary data centers which recover costs through |
| 163 | charges to customer entities. |
| 164 | (c) By September December 31 of each year, submit to the |
| 165 | Legislature, the Executive Office of the Governor, and the |
| 166 | primary data centers recommendations to improve the efficiency |
| 167 | and cost-effectiveness effectiveness of computing services |
| 168 | provided by state data center system facilities. Such |
| 169 | recommendations may include, but need not be limited to: |
| 170 | 1. Policies for improving the cost-effectiveness and |
| 171 | efficiency of the state data center system and the projected |
| 172 | cost savings resulting from their implementation. |
| 173 | 2. Infrastructure improvements supporting the |
| 174 | consolidation of facilities or preempting the need to create |
| 175 | additional data centers or computing facilities. |
| 176 | 3. Standards for an objective, credible energy performance |
| 177 | rating system that data center boards of trustees can use to |
| 178 | measure state data center energy consumption and efficiency on a |
| 179 | biannual basis. |
| 180 | 4. Uniform disaster recovery standards. |
| 181 | 5. Standards for primary data centers to provide cost- |
| 182 | effective services and providing transparent financial data to |
| 183 | user agencies. |
| 184 | 6. Consolidation of contract practices or coordination of |
| 185 | software, hardware, or other technology-related procurements and |
| 186 | the projected cost savings. |
| 187 | 7. Improvements to data center governance structures. |
| 188 | (d) By October 1 of each year beginning in 2011 2009, |
| 189 | provide recommendations recommend to the Governor and |
| 190 | Legislature regarding changes to the schedule for agency data |
| 191 | center consolidation established in subsection (4) at least two |
| 192 | nonprimary data centers for consolidation into a primary data |
| 193 | center or nonprimary data center facility. |
| 194 | 1. The consolidation proposal must provide a transition |
| 195 | plan that includes: |
| 196 | a. Estimated transition costs for each data center or |
| 197 | computing facility recommended for consolidation; |
| 198 | b. Detailed timeframes for the complete transition of each |
| 199 | data center or computing facility recommended for consolidation; |
| 200 | c. Proposed recurring and nonrecurring fiscal impacts, |
| 201 | including increased or decreased costs and associated budget |
| 202 | impacts for affected budget entities; |
| 203 | d. Substantive legislative changes necessary to implement |
| 204 | the transition; and |
| 205 | e. Identification of computing resources to be transferred |
| 206 | and those that will remain in the agency. The transfer of |
| 207 | resources must include all hardware, software, staff, contracted |
| 208 | services, and facility resources performing data center |
| 209 | management and operations, security, backup and recovery, |
| 210 | disaster recovery, system administration, database |
| 211 | administration, system programming, job control, production |
| 212 | control, print, storage, technical support, help desk, and |
| 213 | managed services but excluding application development. |
| 214 | 1.2. Recommendations shall be based on the goal of |
| 215 | maximizing current and future cost savings by. The agency shall |
| 216 | consider the following criteria in selecting consolidations that |
| 217 | maximize efficiencies by providing the ability to: |
| 218 | a. Consolidating Consolidate purchase decisions; |
| 219 | b. Leveraging Leverage expertise and other resources to |
| 220 | gain economies of scale; |
| 221 | c. Implementing Implement state information technology |
| 222 | policies more effectively; and |
| 223 | d. Maintaining Maintain or improving improve the level of |
| 224 | service provision to customer entities; and |
| 225 | e. Make progress towards the state's goal of consolidating |
| 226 | data centers and computing facilities into primary data centers. |
| 227 | 2.3. The agency shall establish workgroups as necessary to |
| 228 | ensure participation by affected agencies in the development of |
| 229 | recommendations related to consolidations. |
| 230 | (e) By December 31, 2010, the agency shall develop and |
| 231 | submit to the Legislature an overall consolidation plan for |
| 232 | state data centers. The plan shall indicate a timeframe for the |
| 233 | consolidation of all remaining nonprimary data centers into |
| 234 | primary data centers, including existing and proposed primary |
| 235 | data centers, by 2019. |
| 236 | (e)(f) Develop and establish rules relating to the |
| 237 | operation of the state data center system which comply with |
| 238 | applicable federal regulations, including 2 C.F.R. part 225 and |
| 239 | 45 C.F.R. The agency shall provide notice of the development of |
| 240 | its proposed rules by publication of a notice of development in |
| 241 | the Florida Administrative Weekly no later than October 1, 2011. |
| 242 | The rules shall may address: |
| 243 | 1. Ensuring that financial information is captured and |
| 244 | reported consistently and accurately. |
| 245 | 2. Implementing standards for hardware, operations |
| 246 | software, including security, and network infrastructure for the |
| 247 | primary data centers Requiring the establishment of service- |
| 248 | level agreements executed between a data center and its customer |
| 249 | entities for services provided. |
| 250 | 3. Requiring annual full cost recovery on an equitable |
| 251 | rational basis. The cost-recovery methodology must ensure that |
| 252 | no service is subsidizing another service and may include |
| 253 | adjusting the subsequent year's rates as a means to recover |
| 254 | deficits or refund surpluses from a prior year. |
| 255 | 4. Requiring that any special assessment imposed to fund |
| 256 | expansion is based on a methodology that apportions the |
| 257 | assessment according to the proportional benefit to each |
| 258 | customer entity. |
| 259 | 5. Requiring that rebates be given when revenues have |
| 260 | exceeded costs, that rebates be applied to offset charges to |
| 261 | those customer entities that have subsidized the costs of other |
| 262 | customer entities, and that such rebates may be in the form of |
| 263 | credits against future billings. |
| 264 | 6. Requiring that all service-level agreements have a |
| 265 | contract term of up to 3 years, but may include an option to |
| 266 | renew for up to 3 additional years contingent on approval by the |
| 267 | board, and require at least a 180-day notice of termination. |
| 268 | 7. Designating any nonstate data center as a primary data |
| 269 | center if the center: |
| 270 | a. Has an established governance structure that represents |
| 271 | customer entities proportionally. |
| 272 | b. Maintains an appropriate cost-allocation methodology |
| 273 | that accurately bills a customer entity based on the actual |
| 274 | direct and indirect costs to the customer entity, and prohibits |
| 275 | the subsidization of one customer entity's costs by another |
| 276 | entity. |
| 277 | c. Has sufficient raised floor space, cooling, and |
| 278 | redundant power capacity, including uninterruptible power supply |
| 279 | and backup power generation, to accommodate the computer |
| 280 | processing platforms and support necessary to host the computing |
| 281 | requirements of additional customer entities. |
| 282 | 8. Removing a nonstate data center from primary data |
| 283 | center designation if the nonstate data center fails to meet |
| 284 | standards necessary to ensure that the state's data is |
| 285 | maintained pursuant to subparagraph 7. |
| 286 | (3) STATE AGENCY DUTIES.- |
| 287 | (a) For the purpose of completing its work activities as |
| 288 | described in subsection (1), each state agency shall provide to |
| 289 | the Agency for Enterprise Information Technology all requested |
| 290 | information and any other information relevant to the agency's |
| 291 | ability to effectively transition its computer services into a |
| 292 | primary data center. The agency shall also participate as |
| 293 | required in workgroups relating to specific consolidation |
| 294 | planning and implementation tasks as assigned by the Agency for |
| 295 | Enterprise Information Technology and determined necessary to |
| 296 | accomplish consolidation goals. |
| 297 | (b) Each state agency shall submit to the Agency for |
| 298 | Enterprise Information Technology information relating to its |
| 299 | data centers and computing facilities as required in |
| 300 | instructions issued by July 1 of each year by the Agency for |
| 301 | Enterprise Information Technology. The information required may |
| 302 | include: |
| 303 | 1. Amount of floor space used and available. |
| 304 | 2. Numbers and capacities of mainframes and servers. |
| 305 | 3. Storage and network capacity. |
| 306 | 4. Amount of power used and the available capacity. |
| 307 | 5. Estimated expenditures by service area, including |
| 308 | hardware and software, numbers of full-time equivalent |
| 309 | positions, personnel turnover, and position reclassifications. |
| 310 | 6. A list of contracts in effect for the fiscal year, |
| 311 | including, but not limited to, contracts for hardware, software |
| 312 | and maintenance, including the expiration date, the contract |
| 313 | parties, and the cost of the contract. |
| 314 | 7. Service-level agreements by customer entity. |
| 315 | (c) The chief information officer of each state agency |
| 316 | shall assist the Agency for Enterprise Information Technology at |
| 317 | the request of the Agency for Enterprise Information Technology. |
| 318 | (c)(d) Each state agency customer of a primary data center |
| 319 | shall notify the data center, by May 31 and November 30 of each |
| 320 | year, of any significant changes in anticipated utilization of |
| 321 | data center services pursuant to requirements established by the |
| 322 | boards of trustees of each primary data center. |
| 323 | (4) SCHEDULE FOR AGENCY DATA CENTER CONSOLIDATION.- |
| 324 | (a) State agency data center consolidations shall be made |
| 325 | in accordance with budget adjustments contained in the General |
| 326 | Appropriations Act no later than the date provided and to the |
| 327 | specified primary data center as provided in this subsection. |
| 328 | (b) For consolidation during fiscal year 2011-2012 into |
| 329 | the Northwest Regional Data Center: |
| 330 | 1. College Center for Library Automation (CCLA) no later |
| 331 | than December 31, 2011. |
| 332 | 2. Florida Center for Library Automation (FCLA) no later |
| 333 | than December 31, 2011. |
| 334 | 3. Department of Education no later than December 31, |
| 335 | 2011, including the computing services and resources of: |
| 336 | a. The Knott Data Center located in the Turlington |
| 337 | Building. |
| 338 | b. The Division of Blind Services. |
| 339 | c. The Division of Vocational Rehabilitation. |
| 340 | d. FCAT Explorer. |
| 341 | e. FACTS.org. |
| 342 | |
| 343 | Such consolidations are contingent upon the Agency for |
| 344 | Enterprise Information Technology's completion of a cost-benefit |
| 345 | analysis to determine whether additional savings can be |
| 346 | achieved. The cost-benefit analysis shall compare the costs and |
| 347 | savings estimates provided by the Northwest Regional Data |
| 348 | Center, the Northwood Shared Resource Center, and the Southwood |
| 349 | Shared Resource Center for the consolidation of the College |
| 350 | Center for Library Automation, the Florida Center for Library |
| 351 | Automation, and the Department of Education to their respective |
| 352 | data centers. The cost-benefit analysis shall be submitted no |
| 353 | later than August 1, 2011, to the Executive Office of the |
| 354 | Governor and the chairs of the House Appropriations Committee |
| 355 | and the Senate Budget Committee. Any actions recommended as a |
| 356 | result of the cost-benefit analysis are subject to the notice, |
| 357 | review, and objection requirements of s. 216.177. |
| 358 | (c) For consolidation during fiscal year 2011-2012 into |
| 359 | the Southwood Shared Resource Center: |
| 360 | 1. The Department of Corrections no later than September |
| 361 | 30, 2011. |
| 362 | 2. The Department of Transportation Survey and Mapping |
| 363 | Office no later than March 31, 2012. |
| 364 | 3. The Department of Transportation Burns Office Building |
| 365 | no later than March 31, 2012. |
| 366 | (d) For consolidation during fiscal year 2011-2012 into |
| 367 | the Northwood Shared Resource Center: |
| 368 | 1. The Department of Transportation Motor Carrier |
| 369 | Compliance Office no later than July 1, 2011. |
| 370 | 2. The Department of Highway Safety and Motor Vehicles no |
| 371 | later than March 31, 2012. |
| 372 | (e) For consolidation during fiscal year 2012-2013 into |
| 373 | the Southwood Shared Resource Center: |
| 374 | 1. The Department of Community Affairs, including the |
| 375 | Division of Emergency Management, no later than September 30, |
| 376 | 2012. |
| 377 | 2. The Department of Revenue Carlton Building and Taxworld |
| 378 | Building L locations no later than September 30, 2012. |
| 379 | 3. The Department of Health Test and Development Lab and |
| 380 | all remaining data center resources no later than December 31, |
| 381 | 2012. |
| 382 | (f) For consolidation during fiscal year 2012-2013 into |
| 383 | the Northwood Shared Resource Center: |
| 384 | 1. The Agency for Health Care Administration no later than |
| 385 | July 1, 2012. |
| 386 | 2. The Department of Environmental Protection no later |
| 387 | than December 31, 2012. |
| 388 | 3. The Department of Law Enforcement no later than March |
| 389 | 30, 2013. |
| 390 | (g) The following agencies shall work with the Agency for |
| 391 | Enterprise Information Technology to begin preliminary planning |
| 392 | for consolidation of their data centers into a primary data |
| 393 | center during fiscal year 2013-2014: |
| 394 | 1. The Department of the Lottery. |
| 395 | 2. The Department of Legal Affairs. |
| 396 | 3. The Fish and Wildlife Conservation Commission. |
| 397 | 4. The Executive Office of the Governor, excluding all |
| 398 | resources, equipment, and applications supported within the |
| 399 | Legislative Appropriations System/Planning and Budget Subsystem. |
| 400 | 5. The Department of Veterans' Affairs. |
| 401 | 6. The Department of Elderly Affairs. |
| 402 | 7. The Department of Financial Services Hartman, Larson, |
| 403 | and Fletcher Buildings data centers. |
| 404 | 8. The Department of Agriculture and Consumer Services |
| 405 | Agriculture Management Information Center in the Mayo Building |
| 406 | and the Division of Licensing. |
| 407 | (h) The following agencies shall work with the Agency for |
| 408 | Enterprise Information Technology to begin preliminary planning |
| 409 | for consolidation of their data centers into a primary data |
| 410 | center during fiscal year 2014-2015: |
| 411 | 1. The Department of Health Jacksonville Lab Data Center. |
| 412 | 2. The Department of Transportation District, Toll, |
| 413 | Materials Office. |
| 414 | 3. The Department of Military Affairs Camp Blanding Joint |
| 415 | Training Center, Starke. |
| 416 | 4. The Department of Community Affairs Camp Blanding |
| 417 | Emergency Operations Center, Starke. |
| 418 | 5. The Department of Education Division of Blind Services, |
| 419 | Disaster Recovery site, Daytona Beach. |
| 420 | 6. The Department of Education Disaster Recovery site, |
| 421 | Santa Fe College. |
| 422 | 7. The Department of the Lottery Disaster Recovery Backup |
| 423 | Data Center, Orlando. |
| 424 | 8. The Fish and Wildlife Conservation Commission Research |
| 425 | Institute, St. Petersburg. |
| 426 | 9. The Department of Children and Family Services Suncoast |
| 427 | Data Center, Tampa. |
| 428 | 10. The Department of Children and Family Services Florida |
| 429 | State Hospital, Chattahoochee. |
| 430 | (i) All computing facilities as defined in s. 282.0041 or |
| 431 | groups of servers remaining in an agency shall be transferred to |
| 432 | a primary data center for consolidation during fiscal year 2015- |
| 433 | 2016 unless required to remain in the agency for specific |
| 434 | business reasons. |
| 435 | (j) All agencies consolidating data centers into a primary |
| 436 | data center shall execute a new or update an existing service- |
| 437 | level agreement no later than 60 days after the identified |
| 438 | consolidation date, as required by s. 282.203, that specifies |
| 439 | the services and levels of services the agency is to receive |
| 440 | from the primary data center as a result of the consolidation. |
| 441 | Any agency that is unable to execute the service-level agreement |
| 442 | by the required date must submit a report to the Executive |
| 443 | Office of the Governor and to the chairs of the House |
| 444 | Appropriations Committee and the Senate Budget Committee within |
| 445 | 5 working days after such date that explains the specific issues |
| 446 | preventing execution and describing the agency's plan and |
| 447 | schedule for resolving the issues. |
| 448 | (k) Beginning September 1, 2011, and every 6 months |
| 449 | thereafter, until all data center consolidations are complete, |
| 450 | the Agency for Enterprise Information Technology shall provide a |
| 451 | status report on the implementation of consolidation required to |
| 452 | be completed during the fiscal year. The report shall be |
| 453 | submitted to the Executive Office of the Governor and the chairs |
| 454 | of the House Appropriations Committee and the Senate Budget |
| 455 | Committee. The status report shall describe: |
| 456 | 1. Whether the consolidation is on schedule, including the |
| 457 | progress on achieving milestones necessary for successful and |
| 458 | timely consolidation of scheduled agency data centers and |
| 459 | computing facilities; and |
| 460 | 2. Risks that may affect the progress or outcomes of the |
| 461 | consolidation and how such risks are being addressed, mitigated, |
| 462 | or managed. |
| 463 | (l) Each agency identified in this subsection for |
| 464 | consolidation into a primary data center must submit a |
| 465 | transition plan to the Agency for Enterprise Information |
| 466 | Technology not later than September 1 of the fiscal year prior |
| 467 | to its scheduled consolidation. Transition plans shall be |
| 468 | developed in consultation with the appropriate primary data |
| 469 | center and the Agency for Enterprise Information Technology and |
| 470 | must include: |
| 471 | 1. An inventory of all resources of the agency data center |
| 472 | being consolidated, including all hardware, software, staff, |
| 473 | contracted services, and facility resources performing data |
| 474 | center management and operations, security, backup and recovery, |
| 475 | disaster recovery, system administration, database |
| 476 | administration, system programming, job control, production |
| 477 | control, print, storage, technical support, help desk, and |
| 478 | managed services, excluding application development. |
| 479 | 2. A description of the level of services needed to meet |
| 480 | the technical and operational requirements of the platforms |
| 481 | being consolidated and a cost estimate for the primary data |
| 482 | center's provision of such services. |
| 483 | 3. A description of resources for computing services |
| 484 | proposed to remain in the department. |
| 485 | 4. A timetable with significant milestones for the |
| 486 | completion of the consolidation. |
| 487 | 5. The fiscal year adjustments to budget categories |
| 488 | currently supporting agency costs to accomplish the transfer of |
| 489 | sufficient budget resources into the appropriate data processing |
| 490 | category pursuant to the legislative budget request instructions |
| 491 | provided in s. 216.023. |
| 492 | (m) Each primary data center shall develop a transition |
| 493 | plan for absorbing the transfer of agency data center resources |
| 494 | based upon the timetables for transition as provided in this |
| 495 | subsection. The plan shall be submitted to the Agency for |
| 496 | Enterprise Information Technology no later than September 30 of |
| 497 | the fiscal year prior to the scheduled consolidation. Each plan |
| 498 | shall include: |
| 499 | 1. An estimate of the cost of providing data center |
| 500 | services for each agency scheduled for consolidation. |
| 501 | 2. A staffing plan that identifies the projected staffing |
| 502 | needs and requirements based on the estimated workload |
| 503 | identified in the agency transition plans. |
| 504 | 3. An analysis of the cost impacts to existing agency |
| 505 | customers resulting from the planned consolidations. |
| 506 | 4. The fiscal year adjustments to budget categories to |
| 507 | absorb the transfer of agency data center resources pursuant to |
| 508 | the legislative budget request instructions provided in s. |
| 509 | 216.023. |
| 510 | 5. A description of any issues that must be resolved to |
| 511 | accomplish all consolidations required during the fiscal year as |
| 512 | efficiently and effectively as possible. |
| 513 | (n) The Agency for Enterprise Information Technology shall |
| 514 | develop a comprehensive transition plan, which shall be |
| 515 | submitted no later than October 15 of the fiscal year prior to |
| 516 | the scheduled consolidations to the Executive Office of the |
| 517 | Governor and the chairs of the House Appropriations Committee |
| 518 | and the Senate Budget Committee. The comprehensive transition |
| 519 | plan shall be developed in consultation with the agencies |
| 520 | submitting their agency transition plans and the affected |
| 521 | primary data center. The comprehensive transition plan shall |
| 522 | include: |
| 523 | 1. Recommendations for accomplishing the proposed |
| 524 | consolidations as efficiently and effectively as possible with |
| 525 | minimal disruption to the agency's business processes. |
| 526 | 2. Strategies to minimize risks associated with any of the |
| 527 | proposed consolidations. |
| 528 | 3. A compilation of the agency transition plans scheduled |
| 529 | for consolidation in the following fiscal year. |
| 530 | 4. Revisions to any budget adjustments provided in the |
| 531 | agency or primary data center transition plans pursuant to the |
| 532 | legislative budget request instructions provided in s. 216.023. |
| 533 | (5)(4) AGENCY LIMITATIONS.- |
| 534 | (a) Unless authorized by the Legislature or as provided in |
| 535 | paragraphs (b) and (c), a state agency may not: |
| 536 | 1. Create a new computing facility or data center, or |
| 537 | expand the capability to support additional computer equipment |
| 538 | in an existing computing facility or nonprimary data center, or |
| 539 | purchase equipment or other resources necessary to expand the |
| 540 | capabilities of the agency data center; |
| 541 | 2. Expend funds prior to the agency's scheduled |
| 542 | consolidation into a primary data center for the purchase or |
| 543 | modification of hardware or operations software that do not |
| 544 | comply with the standards established for efficient |
| 545 | consolidation and without consultation with the primary data |
| 546 | center; |
| 547 | 3.2. Transfer existing computer services to a nonprimary |
| 548 | data center or computing facility, including outsourced computer |
| 549 | service providers; |
| 550 | 4.3. Terminate services with a primary data center or |
| 551 | transfer services between primary data centers without giving |
| 552 | written notice of intent to terminate or transfer services 180 |
| 553 | days before such termination or transfer and completing a cost- |
| 554 | benefit analysis that documents that the requested transfer will |
| 555 | not increase the agency's data center costs; or |
| 556 | 5.4. Initiate a new computer service if it does not |
| 557 | currently have an internal data center except with a primary |
| 558 | data center. |
| 559 | (b) Exceptions to the limitations in subparagraphs (a)1., |
| 560 | 2., 3., and 5. 4. may be granted by the Agency for Enterprise |
| 561 | Information Technology if there is insufficient capacity in a |
| 562 | primary data center to absorb the workload associated with |
| 563 | agency computing services. |
| 564 | 1. A request for an exception must be submitted in writing |
| 565 | to the Agency for Enterprise Information Technology. The agency |
| 566 | must accept, accept with conditions, or deny the request within |
| 567 | 60 days after receipt of the written request. The agency's |
| 568 | decision is not subject to chapter 120. |
| 569 | 2. At a minimum, the agency may not approve a request |
| 570 | unless it includes: |
| 571 | a. Documentation approved by the primary data center's |
| 572 | board of trustees which confirms that the center cannot meet the |
| 573 | capacity requirements of the agency requesting the exception |
| 574 | within the current fiscal year. |
| 575 | b. A description of the capacity requirements of the |
| 576 | agency requesting the exception. |
| 577 | c. Documentation from the agency demonstrating why it is |
| 578 | critical to the agency's mission that the expansion or transfer |
| 579 | must be completed within the fiscal year rather than when |
| 580 | capacity is established at a primary data center. |
| 581 | (c) Exceptions to subparagraph (a)4.3. may be granted by |
| 582 | the board of trustees of the primary data center if the |
| 583 | termination or transfer of services can be absorbed within the |
| 584 | current cost-allocation plan. |
| 585 | (d) Upon the termination of or transfer of agency |
| 586 | computing services from the primary data center, the primary |
| 587 | data center shall require information sufficient to determine |
| 588 | compliance with this section. If a primary data center |
| 589 | determines that an agency is in violation of this section, it |
| 590 | shall report the violation to the Agency for Enterprise |
| 591 | Information Technology. |
| 592 | (6)(5) RULES.-The Agency for Enterprise Information |
| 593 | Technology is authorized to adopt rules pursuant to ss. |
| 594 | 120.536(1) and 120.54 to administer the provisions of this part |
| 595 | relating to the state data center system including the primary |
| 596 | data centers. |
| 597 | Section 6. Subsection (1) and paragraph (a) of subsection |
| 598 | (2) of section 282.203, Florida Statutes, are amended to read: |
| 599 | 282.203 Primary data centers.- |
| 600 | (1) DATA CENTER DUTIES.-Each primary data center shall: |
| 601 | (a) Serve customer entities as an information-system |
| 602 | utility. |
| 603 | (b) Cooperate with customer entities to offer, develop, |
| 604 | and support the services and applications as defined and |
| 605 | provided by the center's board of trustees and customer |
| 606 | entities. |
| 607 | (c) Comply with standards and rules adopted by the Agency |
| 608 | for Enterprise Information Technology, pursuant to this section, |
| 609 | and coordinate with the agency in the consolidation of data |
| 610 | centers. |
| 611 | (d) Provide transparent financial statements to customer |
| 612 | entities, the center's board of trustees, and the Agency for |
| 613 | Enterprise Information Technology. The financial statements |
| 614 | shall be provided as follows: |
| 615 | 1. Annually, by July 30 for the current fiscal year and by |
| 616 | December 1 for the subsequent fiscal year, the data center must |
| 617 | provide the total annual budgeted costs by major expenditure |
| 618 | category, including, but not limited to, salaries, expense, |
| 619 | operating capital outlay, contracted services, or other |
| 620 | personnel services, which directly relate to the provision of |
| 621 | each service and which separately indicate the administrative |
| 622 | overhead allocated to each service. |
| 623 | 2. Annually, by July 30 for the current fiscal year and by |
| 624 | December 1 for the subsequent fiscal year, the data center must |
| 625 | provide total projected billings for each customer entity which |
| 626 | are required to recover the costs of the data center. |
| 627 | 3. Annually, by January 31, the data center must provide |
| 628 | updates of the financial statements required under subparagraphs |
| 629 | 1. and 2. for the current fiscal year. |
| 630 | 4. By February 15, for proposed legislative budget |
| 631 | increases, the data center must provide updates of the financial |
| 632 | statements required under subparagraphs 1. and 2. for the |
| 633 | subsequent fiscal year. |
| 634 | |
| 635 | The financial information required under subparagraphs 1., 2., |
| 636 | and 3. must be based on current law and current appropriations. |
| 637 | (e) Annually, by October 1, submit to the board of |
| 638 | trustees cost-reduction proposals, including strategies and |
| 639 | timetables for lowering customer entities' costs without |
| 640 | reducing the level of services. |
| 641 | (f) By December 31, 2010, submit organizational plans that |
| 642 | minimize the annual recurring cost of center operations and |
| 643 | eliminate the need for state agency customers to maintain data |
| 644 | center skills and staff within their agency. The plans shall: |
| 645 | 1. Establish an efficient organizational structure |
| 646 | describing the roles and responsibilities of all positions and |
| 647 | business units in the centers; |
| 648 | 2. Define a human resources planning and management |
| 649 | process that shall be used to make required center staffing |
| 650 | decisions; and |
| 651 | 3. Develop a process for projecting staffing requirements |
| 652 | based on estimated workload identified in customer agency |
| 653 | service level agreements. |
| 654 | (f)(g) Maintain the performance of the facility, which |
| 655 | includes ensuring proper data backup, data backup recovery, an |
| 656 | effective disaster recovery plan, and appropriate security, |
| 657 | power, cooling and fire suppression, and capacity. |
| 658 | (g)(h) Develop a business continuity plan and conduct a |
| 659 | live exercise of the plan at least annually. The plan must be |
| 660 | approved by the board and the Agency for Enterprise Information |
| 661 | Technology. |
| 662 | (h)(i) Enter into a service-level agreement with each |
| 663 | customer entity to provide services as defined and approved by |
| 664 | the board in compliance with rules of the Agency for Enterprise |
| 665 | Information Technology. A service-level agreement may not have a |
| 666 | term exceeding 3 years but may include an option to renew for up |
| 667 | to 3 years contingent on approval by the board. |
| 668 | 1. A service-level agreement, at a minimum, must: |
| 669 | a. Identify the parties and their roles, duties, and |
| 670 | responsibilities under the agreement; |
| 671 | b. Identify the legal authority under which the service- |
| 672 | level agreement was negotiated and entered into by the parties; |
| 673 | c. State the duration of the contractual term and specify |
| 674 | the conditions for contract renewal; |
| 675 | d. Prohibit the transfer of computing services between |
| 676 | primary data center facilities without at least 180 days' notice |
| 677 | of service cancellation; |
| 678 | e. Identify the scope of work; |
| 679 | f. Identify the products or services to be delivered with |
| 680 | sufficient specificity to permit an external financial or |
| 681 | performance audit; |
| 682 | g. Establish the services to be provided, the business |
| 683 | standards that must be met for each service, the cost of each |
| 684 | service, and the process by which the business standards for |
| 685 | each service are to be objectively measured and reported; |
| 686 | h. Identify applicable funds and funding streams for the |
| 687 | services or products under contract; |
| 688 | i. Provide a timely billing methodology for recovering the |
| 689 | cost of services provided to the customer entity; |
| 690 | j. Provide a procedure for modifying the service-level |
| 691 | agreement to address changes in projected costs of service; |
| 692 | k. Provide that a service-level agreement may be |
| 693 | terminated by either party for cause only after giving the other |
| 694 | party and the Agency for Enterprise Information Technology |
| 695 | notice in writing of the cause for termination and an |
| 696 | opportunity for the other party to resolve the identified cause |
| 697 | within a reasonable period; and |
| 698 | l. Provide for mediation of disputes by the Division of |
| 699 | Administrative Hearings pursuant to s. 120.573. |
| 700 | 2. A service-level agreement may include: |
| 701 | a. A dispute resolution mechanism, including alternatives |
| 702 | to administrative or judicial proceedings; or |
| 703 | b. The setting of a surety or performance bond for |
| 704 | service-level agreements entered into with nonstate agency |
| 705 | primary data centers, which may be designated by the Agency for |
| 706 | Enterprise Information Technology; or |
| 707 | b.c. Additional terms and conditions as determined |
| 708 | advisable by the parties if such additional terms and conditions |
| 709 | do not conflict with the requirements of this section or rules |
| 710 | adopted by the Agency for Enterprise Information Technology. |
| 711 | 3. The failure to execute a service-level agreement within |
| 712 | 60 days after service commencement shall, in the case of an |
| 713 | existing customer entity, result in a continuation of the terms |
| 714 | of the service-level agreement from the prior fiscal year, |
| 715 | including any amendments that were formally proposed to the |
| 716 | customer entity by the primary data center within the 3 months |
| 717 | before service commencement, and a revised cost-of-service |
| 718 | estimate. If a new customer entity fails to execute an agreement |
| 719 | within 60 days after service commencement, the data center may |
| 720 | cease services. |
| 721 | (i)(j) Plan, design, establish pilot projects for, and |
| 722 | conduct experiments with information technology resources, and |
| 723 | implement enhancements in services if such implementation is |
| 724 | cost-effective and approved by the board. |
| 725 | (j)(k) Enter into a memorandum of understanding with the |
| 726 | agency where the primary data center is administratively located |
| 727 | which establishes the services to be provided by that agency to |
| 728 | the primary data center and the cost of such services. |
| 729 | (k)(l) Be the custodian of resources and equipment that |
| 730 | are located, operated, supported, and managed by the center for |
| 731 | the purposes of chapter 273, except resources and equipment |
| 732 | located, operated, supported, and managed by Northwest Regional |
| 733 | Data Center. |
| 734 | (l) Assume administrative access rights to the resources |
| 735 | and equipment, such as servers, network components, and other |
| 736 | devices, that are consolidated into the primary data center. |
| 737 | Upon the date of each consolidation specified in s. 282.201 or |
| 738 | as provided in the General Appropriations Act, each agency shall |
| 739 | relinquish all administrative access rights. Each primary data |
| 740 | center shall provide its customer agencies with the appropriate |
| 741 | level of access to applications, servers, network components, |
| 742 | and other devices necessary for the agency to perform core |
| 743 | business activities and functions. |
| 744 | (2) BOARD OF TRUSTEES.-Each primary data center shall be |
| 745 | headed by a board of trustees as defined in s. 20.03. |
| 746 | (a) The members of the board shall be appointed by the |
| 747 | agency head or chief executive officer of the representative |
| 748 | customer entities of the primary data center and shall serve at |
| 749 | the pleasure of the appointing customer entity. |
| 750 | 1. During the fiscal year prior to its consolidation into |
| 751 | a primary data center and for the following full fiscal year, an |
| 752 | agency shall have a single trustee having one vote on the board |
| 753 | of the primary data center into which it is to consolidate, |
| 754 | unless in the second year it is entitled to a greater number of |
| 755 | votes as provided in subparagraphs 3. and 4. For each of the |
| 756 | first 2 fiscal years that a center is in operation, membership |
| 757 | shall be as provided in subparagraph 3. based on projected |
| 758 | customer entity usage rates for the fiscal operating year of the |
| 759 | primary data center. However, at a minimum: |
| 760 | a. During the Southwood Shared Resource Center's first 2 |
| 761 | operating years, the Department of Transportation, the |
| 762 | Department of Highway Safety and Motor Vehicles, the Department |
| 763 | of Health, and the Department of Revenue must each have at least |
| 764 | one trustee. |
| 765 | b. During the Northwood Shared Resource Center's first |
| 766 | operating year, the Department of State and the Department of |
| 767 | Education must each have at least one trustee. |
| 768 | 2. Board After the second full year of operation, |
| 769 | membership shall be as provided in subparagraph 3. based on the |
| 770 | most recent estimate of customer entity usage rates for the |
| 771 | prior year and a projection of usage rates for the first 9 |
| 772 | months of the next fiscal year. Such calculation must be |
| 773 | completed before the annual budget meeting held before the |
| 774 | beginning of the next fiscal year so that any decision to add or |
| 775 | remove board members can be voted on at the budget meeting and |
| 776 | become effective on July 1 of the subsequent fiscal year. |
| 777 | 3. Each customer entity that has a projected usage rate of |
| 778 | 4 percent or greater during the fiscal operating year of the |
| 779 | primary data center shall have one trustee on the board. |
| 780 | 4. The total number of votes for each trustee shall be |
| 781 | apportioned as follows: |
| 782 | a. Customer entities of a primary data center whose usage |
| 783 | rate represents 4 but less than 15 percent of total usage shall |
| 784 | have one vote. |
| 785 | b. Customer entities of a primary data center whose usage |
| 786 | rate represents 15 but less than 30 percent of total usage shall |
| 787 | have two votes. |
| 788 | c. Customer entities of a primary data center whose usage |
| 789 | rate represents 30 but less than 50 percent of total usage shall |
| 790 | have three votes. |
| 791 | d. A customer entity of a primary data center whose usage |
| 792 | rate represents 50 percent or more of total usage shall have |
| 793 | four votes. |
| 794 | e. A single trustee having one vote shall represent those |
| 795 | customer entities that represent less than 4 percent of the |
| 796 | total usage. The trustee shall be selected by a process |
| 797 | determined by the board. |
| 798 | Section 7. Section 282.206, Florida Statutes, is created |
| 799 | to read: |
| 800 | 282.206 Northwest Regional Data Center.-Northwest Regional |
| 801 | Data Center is designated as a primary data center as defined in |
| 802 | s. 282.0041. The center shall be managed by a board of trustees |
| 803 | as provided in s. 282.203, who shall comply with all |
| 804 | requirements of that section related to the operation of the |
| 805 | center and with the rules of the Agency for Enterprise |
| 806 | Information Technology relating to primary data centers. |
| 807 | Section 8. Sections 282.3055 and 282.315, Florida |
| 808 | Statutes, are repealed. |
| 809 | Section 9. Subsections (3) through (7) of section 282.318, |
| 810 | Florida Statutes, are amended to read: |
| 811 | 282.318 Enterprise security of data and information |
| 812 | technology.- |
| 813 | (3) The Office of Information Security within the Agency |
| 814 | for Enterprise Information Technology is responsible for |
| 815 | establishing rules and publishing guidelines for ensuring an |
| 816 | appropriate level of security for all data and information |
| 817 | technology resources for executive branch agencies. The Agency |
| 818 | for Enterprise Information Technology office shall also perform |
| 819 | the following duties and responsibilities: |
| 820 | (a) Develop, and annually update by February 1, an |
| 821 | enterprise information security strategic plan that includes |
| 822 | security goals and objectives for the strategic issues of |
| 823 | information security policy, risk management, training, incident |
| 824 | management, and survivability planning. |
| 825 | (b) Develop enterprise security rules and published |
| 826 | guidelines for: |
| 827 | 1. Comprehensive risk analyses and information security |
| 828 | audits conducted by state agencies. |
| 829 | 2. Responding to suspected or confirmed information |
| 830 | security incidents, including suspected or confirmed breaches of |
| 831 | personal information or exempt data. |
| 832 | 3. Agency security plans, including strategic security |
| 833 | plans and security program plans. |
| 834 | 4. The recovery of information technology and data |
| 835 | following a disaster. |
| 836 | 5. The managerial, operational, and technical safeguards |
| 837 | for protecting state government data and information technology |
| 838 | resources. |
| 839 | (c) Assist agencies in complying with the provisions of |
| 840 | this section. |
| 841 | (d) Pursue appropriate funding for the purpose of |
| 842 | enhancing domestic security. |
| 843 | (e) Provide training for agency information security |
| 844 | managers. |
| 845 | (f) Annually review the strategic and operational |
| 846 | information security plans of executive branch agencies. |
| 847 | (4) To assist the Agency for Enterprise Information |
| 848 | Technology Office of Information Security in carrying out its |
| 849 | responsibilities, each agency head shall, at a minimum: |
| 850 | (a) Designate an information security manager to |
| 851 | administer the security program of the agency for its data and |
| 852 | information technology resources. This designation must be |
| 853 | provided annually in writing to the Agency for Enterprise |
| 854 | Information Technology office by January 1. |
| 855 | (b) Submit to the Agency for Enterprise Information |
| 856 | Technology, office annually by July 31, the agency's strategic |
| 857 | and operational information security plans developed pursuant to |
| 858 | the rules and guidelines established by the Agency for |
| 859 | Enterprise Information Technology office. |
| 860 | 1. The agency strategic information security plan must |
| 861 | cover a 3-year period and define security goals, intermediate |
| 862 | objectives, and projected agency costs for the strategic issues |
| 863 | of agency information security policy, risk management, security |
| 864 | training, security incident response, and survivability. The |
| 865 | plan must be based on the enterprise strategic information |
| 866 | security plan created by the Agency for Enterprise Information |
| 867 | Technology office. Additional issues may be included. |
| 868 | 2. The agency operational information security plan must |
| 869 | include a progress report for the prior operational information |
| 870 | security plan and a project plan that includes activities, |
| 871 | timelines, and deliverables for security objectives that, |
| 872 | subject to current resources, the agency will implement during |
| 873 | the current fiscal year. The cost of implementing the portions |
| 874 | of the plan which cannot be funded from current resources must |
| 875 | be identified in the plan. |
| 876 | (c) Conduct, and update every 3 years, a comprehensive |
| 877 | risk analysis to determine the security threats to the data, |
| 878 | information, and information technology resources of the agency. |
| 879 | The risk analysis information is confidential and exempt from |
| 880 | the provisions of s. 119.07(1), except that such information |
| 881 | shall be available to the Auditor General and the Agency for |
| 882 | Enterprise Information Technology for performing postauditing |
| 883 | duties. |
| 884 | (d) Develop, and periodically update, written internal |
| 885 | policies and procedures, which include procedures for notifying |
| 886 | the Agency for Enterprise Information Technology office when a |
| 887 | suspected or confirmed breach, or an information security |
| 888 | incident, occurs. Such policies and procedures must be |
| 889 | consistent with the rules and guidelines established by the |
| 890 | Agency for Enterprise Information Technology office to ensure |
| 891 | the security of the data, information, and information |
| 892 | technology resources of the agency. The internal policies and |
| 893 | procedures that, if disclosed, could facilitate the unauthorized |
| 894 | modification, disclosure, or destruction of data or information |
| 895 | technology resources are confidential information and exempt |
| 896 | from s. 119.07(1), except that such information shall be |
| 897 | available to the Auditor General and the Agency for Enterprise |
| 898 | Information Technology for performing postauditing duties. |
| 899 | (e) Implement appropriate cost-effective safeguards to |
| 900 | address identified risks to the data, information, and |
| 901 | information technology resources of the agency. |
| 902 | (f) Ensure that periodic internal audits and evaluations |
| 903 | of the agency's security program for the data, information, and |
| 904 | information technology resources of the agency are conducted. |
| 905 | The results of such audits and evaluations are confidential |
| 906 | information and exempt from s. 119.07(1), except that such |
| 907 | information shall be available to the Auditor General and the |
| 908 | Agency for Enterprise Information Technology for performing |
| 909 | postauditing duties. |
| 910 | (g) Include appropriate security requirements in the |
| 911 | written specifications for the solicitation of information |
| 912 | technology and information technology resources and services, |
| 913 | which are consistent with the rules and guidelines established |
| 914 | by the Agency for Enterprise Information Technology office. |
| 915 | (h) Provide security awareness training to employees and |
| 916 | users of the agency's communication and information resources |
| 917 | concerning information security risks and the responsibility of |
| 918 | employees and users to comply with policies, standards, |
| 919 | guidelines, and operating procedures adopted by the agency to |
| 920 | reduce those risks. |
| 921 | (i) Develop a process for detecting, reporting, and |
| 922 | responding to suspected or confirmed security incidents, |
| 923 | including suspected or confirmed breaches consistent with the |
| 924 | security rules and guidelines established by the Agency for |
| 925 | Enterprise Information Technology office. |
| 926 | 1. Suspected or confirmed information security incidents |
| 927 | and breaches must be immediately reported to the Agency for |
| 928 | Enterprise Information Technology office. |
| 929 | 2. For incidents involving breaches, agencies shall |
| 930 | provide notice in accordance with s. 817.5681 and to the Agency |
| 931 | for Enterprise Information Technology office in accordance with |
| 932 | this subsection. |
| 933 | (5) Each state agency shall include appropriate security |
| 934 | requirements in the specifications for the solicitation of |
| 935 | contracts for procuring information technology or information |
| 936 | technology resources or services which are consistent with the |
| 937 | rules and guidelines established by the Agency for Enterprise |
| 938 | Information Technology Office of Information Security. |
| 939 | (6) The Agency for Enterprise Information Technology may |
| 940 | adopt rules relating to information security and to administer |
| 941 | the provisions of this section. |
| 942 | (7) By December 31, 2010, the Agency for Enterprise |
| 943 | Information Technology shall develop, and submit to the |
| 944 | Governor, the President of the Senate, and the Speaker of the |
| 945 | House of Representatives a proposed implementation plan for |
| 946 | information technology security. The agency shall describe the |
| 947 | scope of operation, conduct costs and requirements analyses, |
| 948 | conduct an inventory of all existing security information |
| 949 | technology resources, and develop strategies, timeframes, and |
| 950 | resources necessary for statewide migration. |
| 951 | Section 10. Subsection (5) of section 282.34, Florida |
| 952 | Statutes, is amended to read: |
| 953 | 282.34 Statewide e-mail service.-A state e-mail system |
| 954 | that includes the delivery and support of e-mail, messaging, and |
| 955 | calendaring capabilities is established as an enterprise |
| 956 | information technology service as defined in s. 282.0041. The |
| 957 | service shall be designed to meet the needs of all executive |
| 958 | branch agencies. The primary goals of the service are to |
| 959 | minimize the state investment required to establish, operate, |
| 960 | and support the statewide service; reduce the cost of current e- |
| 961 | mail operations and the number of duplicative e-mail systems; |
| 962 | and eliminate the need for each state agency to maintain its own |
| 963 | e-mail staff. |
| 964 | (5) In order to develop the implementation plan for the |
| 965 | statewide e-mail service, the Agency for Enterprise Information |
| 966 | Technology shall establish and coordinate a statewide e-mail |
| 967 | project team. The agency shall also consult with and, as |
| 968 | necessary, form workgroups consisting of agency e-mail |
| 969 | management staff, agency chief information officers, agency |
| 970 | budget directors, and other administrative staff. The statewide |
| 971 | e-mail implementation plan must be submitted to the Governor, |
| 972 | the President of the Senate, and the Speaker of the House of |
| 973 | Representatives by July 1, 2011. |
| 974 | Section 11. Paragraph (h) of subsection (3) and paragraph |
| 975 | (b) of subsection (4) of section 287.042, Florida Statutes, are |
| 976 | amended to read: |
| 977 | 287.042 Powers, duties, and functions.-The department |
| 978 | shall have the following powers, duties, and functions: |
| 979 | (3) To establish a system of coordinated, uniform |
| 980 | procurement policies, procedures, and practices to be used by |
| 981 | agencies in acquiring commodities and contractual services, |
| 982 | which shall include, but not be limited to: |
| 983 | (h) Development, in consultation with the Agency Chief |
| 984 | Information Officers Council, of procedures to be used by state |
| 985 | agencies when procuring information technology commodities and |
| 986 | contractual services to ensure compliance with public records |
| 987 | requirements and records retention and archiving requirements. |
| 988 | (4) |
| 989 | (b) To prescribe, in consultation with the Agency Chief |
| 990 | Information Officers Council, procedures for procuring |
| 991 | information technology and information technology consultant |
| 992 | services which provide for public announcement and |
| 993 | qualification, competitive solicitations, contract award, and |
| 994 | prohibition against contingent fees. Such procedures shall be |
| 995 | limited to information technology consultant contracts for which |
| 996 | the total project costs, or planning or study activities, are |
| 997 | estimated to exceed the threshold amount provided for in s. |
| 998 | 287.017, for CATEGORY TWO. |
| 999 | Section 12. This act shall take effect July 1, 2011. |