Florida Senate - 2012 SENATOR AMENDMENT
Bill No. SB 1984
Senate . House
Floor: WD/2R .
02/23/2012 06:30 PM .
Senator Ring moved the following:
1 Senate Amendment (with title amendment)
3 Delete everything after the enacting clause
4 and insert:
5 Section 1. (1) The Agency for Enterprise Information
6 Technology is abolished.
7 (2) All of the powers, duties, functions, records,
8 personnel, and property; funds, trust funds, and unexpended
9 balances of appropriations, allocations, and other funds;
10 administrative authority; administrative rules; pending issues;
11 and existing contracts of the Agency for Enterprise Information
12 Technology are transferred by a type two transfer, pursuant to
13 s. 20.06(2), Florida Statutes, to the Agency for State
15 Section 2. (1) The portions of the Technology Program
16 established under section 20.22(2), Florida Statutes and
17 identified in the approved plan defined in s. 282.0055(2),
18 Florida Statutes shall transfer by a type one transfer, as
19 defined in s. 20.06(1), Florida Statutes, from the Department of
20 Management Services to the Agency for State Technology no later
21 than June 30, 2014.
22 (2) The Northwood Shared Resource Center is transferred by
23 a type one transfer, as defined in s. 20.06(1), Florida
24 Statutes, from the Department of Management Services to the
25 Agency for State Technology
26 (a) Any binding contract or interagency agreement entered
27 into between the Northwood Shared Resource Center or an entity
28 or agent of the center and any other agency, entity, or person
29 continues as a binding contract or agreement for the remainder
30 of the term of such contract or agreement on the Agency for
31 State Technology.
32 (b) The rules of the Northwood Shared Resource Center which
33 were in effect at 11:59 p.m. on June 30, 2012, become rules of
34 the Agency for State Technology and remain in effect until
35 amended or repealed in the manner provided by law.
36 (3) The Southwood Shared Resource Center is transferred by
37 a type one transfer, as defined in s. 20.06(1), Florida
38 Statutes, from the Department of Management Services to the
39 Agency for State Technology.
40 (a) Any binding contract or interagency agreement entered
41 into between the Southwood Shared Resource Center or an entity
42 or agent of the center and any other agency, entity, or person
43 continues as a binding contract or agreement for the remainder
44 of the term of such contract or agreement on the Agency for
45 State Technology.
46 (b) The rules of the Southwood Shared Resource Center which
47 were in effect at 11:59 p.m. on June 30, 2012, become rules of
48 the Agency for State Technology and remain in effect until
49 amended or repealed in the manner provided by law.
50 Section 3. Section 14.204, Florida Statutes, is repealed.
51 Section 4. Section 14.206, Florida Statutes, is created to
53 14.206 Agency for State Technology.—The Agency for State
54 Technology is created .
55 (1) The head of the agency shall be the Governor and
57 (2) The agency shall have an executive director who is the
58 state’s Chief Information Officer and who must:
59 (a) Have at least a bachelor’s degree in computer science,
60 information systems, business or public administration, or a
61 related field, or equivalent work experience;
62 (b) Have 10 or more years of experience working in the
63 field of information technology;
64 (c) Have 5 or more years of experience in related industry
65 managing multiple, large, cross-functional teams or projects,
66 and influencing senior-level management and key stakeholders;
67 (d) Have at least 5 years of executive-level leadership
69 (e) Have performed an integral role in enterprise-wide
70 information technology consolidations;
71 (f) Be appointed by the Governor, subject to confirmation
72 by the Cabinet and the Senate, and shall serve at the pleasure
73 of the Governor and Cabinet.
74 (3) The executive director:
75 (a) Shall be responsible for developing and administering a
76 comprehensive long-range plan for the state’s information
77 technology resources, ensuring the proper management of such
78 resources, and delivering services.
79 (b) Shall appoint a Chief Technology Officer to lead the
80 divisions of the agency dedicated to the operation and delivery
81 of enterprise information technology services.
82 (c) Shall appoint a Chief Operations Officer to lead the
83 divisions of the agency dedicated to enterprise information
84 technology policy, planning, standards and procurement.
85 (d) Shall designate a state Chief Information Security
87 (e) May appoint all employees necessary to carry out the
88 duties and responsibilities of the agency.
89 (4) The Agency for State Technology is prohibited from
90 using, and executives of the agency are prohibited from
91 directing spending from, operational information technology
92 trust funds, as defined in 282.0041, F.S., for any purpose for
93 which the Strategic Information Technology Trust Fund was
95 (5) The following officers
, and divisions , of the agency
96 are established:
97 (a) Under the Chief Technology Officer:
98 1. Upon transfer any portion of the Technology Program from
99 the Department of Management Services to the agency, there shall
100 be a The Division of Telecommunications once the migration of
101 DivTel from DMS is accomplished.
102 2. The Division of Data Center Operations which includes,
103 but is not limited to, any shared resource center established or
104 operated by the agency.
107 (b) Under the Chief Operations Officer:
108 1. Strategic Planning.
109 2. Enterprise Information Technology Standards.
110 a. Enterprise Information Technology Procurement.
111 b. Information Technology Security and Compliance.
112 3. Enterprise Services Planning and Consolidation.
113 4. Enterprise Project Management.
114 (c) Under the Director of Administration:
115 1. Accounting and Budgeting.
116 2. Personnel.
117 3. Procurement and Contracts.
118 (d) Under the Office of the Executive Director:
119 1. Inspector General.
120 2. Legal.
121 3. Governmental Affairs.
122 (6) The agency shall operate in a manner that ensures the
123 participation and representation of state agencies.
124 (7) The agency shall have the following duties and
125 responsibilities. The agency shall:
126 (a) Develop and publish a long-term State Information
127 Technology Resources Strategic Plan.
128 (b) Initiate, plan, design, implement, and manage
129 enterprise information technology services.
130 (c) Beginning October 1, 2012, and every 3 months
131 thereafter, provide a status report on its initiatives. The
132 report shall be presented at a meeting of the Governor and
134 (d) Beginning September 1, 2013, and every 3 months
135 thereafter until enterprise information technology service
136 consolidations are complete, provide a status report on the
137 implementation of the consolidations that must be completed
138 during the fiscal year. The report shall be submitted to the
139 Executive Office of the Governor, the Cabinet, the President of
140 the Senate, and the Speaker of the House of Representatives. At
141 a minimum, the report must describe:
142 1. Whether the consolidation is on schedule, including
143 progress on achieving the milestones necessary for successful
144 and timely consolidation of scheduled agency data centers and
145 computing facilities; and
146 2. The risks that may affect the progress or outcome of the
147 consolidation and how such risks are being mitigated or managed.
148 (e) Set technical standards for information technology,
149 including, but not limited to, desktop computers, printers, and
150 mobile devices; review major information technology projects and
151 procurements; establish information technology security
152 standards; provide for the procurement of information technology
153 resources, excluding human resources; and deliver enterprise
154 information technology services as defined in s. 282.0041.
155 (f) Designate primary data centers and shared resource
157 (g) Operate shared resource centers in a manner that
158 promotes energy efficiency.
159 (h) Establish and deliver enterprise information technology
160 services to serve state agencies on a cost-sharing basis,
161 charging each state agency its proportionate share of the cost
162 of maintaining and delivering a service based on a state
163 agency’s use of the service.
164 (i) Use the following principles to develop a means of
165 chargeback for primary data center services:
166 1. The customers of the primary data center shall provide
167 payments to the primary data center which are sufficient to
168 maintain the solvency of the primary data center operation for
169 all costs not directly funded through the General Appropriations
171 2. Per unit cost of usage shall be the primary basis for
172 pricing, and usage must be accurately measurable and
173 attributable to the appropriate customer.
174 3. The primary data center shall combine the aggregate
175 purchasing power of large and small customers to achieve
176 collective savings opportunities to all customers.
177 4. Chargeback methodologies shall be devised to consider
178 restrictions on grants to customers.
179 5. Chargeback methodologies should establish incentives
180 that lead to customer usage practices that result in lower costs
181 to the state.
182 6. Chargeback methodologies must consider technological
183 change when:
184 a. New services require short-term investments before
185 achieving long-term, full cost recovery for the service.
186 b. Customers of antiquated services may not be able to bear
187 all of the costs for the antiquated services during periods when
188 customers are migrating to replacement services.
189 7. Prices may be established which allow for accrual of
190 cash balances for the purpose of maintaining contingent
191 operating funds and funding planned capital investments. Accrual
192 of the cash balances shall be considered costs for the purposes
193 of this section.
194 8. Flat rate charges may be used only if there are
195 provisions for reconciling charges to comport with actual costs
196 and use.
197 (i) Exercise technical and fiscal prudence in determining
198 the best way to deliver enterprise information technology
200 (j) Collect and maintain an inventory of the information
201 technology resources in the state agencies.
202 (k) Assume ownership or custody and control of information
203 processing equipment, supplies, and positions required in order
204 to thoroughly carry out the agency’s duties and
206 (l) Adopt rules and policies for the efficient, secure, and
207 economical management and operation of the shared resource
208 centers and state telecommunications services.
209 (m) Provide other public sector organizations as defined in
210 s. 282.0041 with access to the services provided by the agency.
211 Access shall be provided on the same cost basis that applies to
212 state agencies.
213 (n) Ensure that data that is confidential under state or
214 federal law may not be entered into or processed through any
215 shared resource center or network established under the agency
216 until safeguards for the data’s security satisfactory to the
217 agency head and the executive director of the agency have been
218 designed, installed, and tested and are fully operational. This
219 paragraph does not prescribe what actions necessary to satisfy a
220 state agency’s objectives are to be undertaken or to remove from
221 the control and administration of the state agency the
222 responsibility for working with the agency to implement
223 safeguards, regardless of whether such control and
224 administration are specifically required by general law or
225 administered under the general program authority and
226 responsibility of the state agency. If the agency head and
227 executive director of the agency cannot reach agreement on
228 satisfactory safeguards, the issue shall be decided by the
229 Governor and Cabinet.
230 (o) Conduct periodic assessments of state agencies for
231 compliance with statewide information technology policies and
232 recommend to the Governor and Cabinet statewide policies for
233 information technology.
234 (8) The agency may not use or direct the spending of
235 operational information technology trust funds to study and
236 develop enterprise information technology strategies, plans,
237 rules, reports, policies, proposals, budgets, or enterprise
238 information technology initiatives that are not directly related
239 to developing information technology services for which usage
240 fees reimburse the costs of the initiative. As used in this
241 subsection, the term “operational information technology trust
242 funds” means funds into which deposits are made on a fee-for
243 service basis or a trust fund dedicated to a specific
244 information technology project or system.
245 (9) The portions of the agency’s activities described in
246 subsection (8) for which usage fees do not reimburse costs of
247 the activity shall be funded at a rate of 0.55% of the total
248 identified information technology spend through
250 (10) The agency may adopt rules to carry out its duties and
252 Section 5. Section 282.0041, Florida Statutes, is reordered
253 and amended to read:
254 282.0041 Definitions.—As used in this chapter, the term:
255 (1) “Agency” has the same meaning as in s. 216.011 (1)(qq),
256 except that for purposes of this chapter, “agency” does not
257 include university boards of trustees or state universities.
258 (1) (2) “Agency for State Enterprise Information Technology”
259 or “agency” means the agency created in s. 14.206 14.204.
260 (2) (3) “Agency information technology service” means a
261 service that directly helps a state an agency fulfill its
262 statutory or constitutional responsibilities and policy
263 objectives and is usually associated with the state agency’s
264 primary or core business functions.
265 (4) “Annual budget meeting” means a meeting of the board of
266 trustees of a primary data center to review data center usage to
267 determine the apportionment of board members for the following
268 fiscal year, review rates for each service provided, and
269 determine any other required changes.
270 (3) (5) “Breach” has the same meaning as in s. 817.5681(4).
271 (4) (6) “Business continuity plan” means a plan for disaster
272 recovery which provides for the continued functioning of a
273 primary data center during and after a disaster.
274 (5) “Collocation” means the method by which a state
275 agency’s data center occupies physical space within a shared
276 resource center where physical floor space, bandwidth, power,
277 cooling, and physical security are available for an equitable
278 usage rate and minimal complexity, and allow for the sustained
279 management and oversight of the collocating agency’s information
280 technology resources as well as physical and logical database
281 administration by the collocating agency’s staff.
282 (6) (7) “Computing facility” means a state agency site space
283 containing fewer than a total of 10 physical or logical servers,
284 any of which supports a strategic or nonstrategic information
285 technology service, as described in budget instructions
286 developed pursuant to s. 216.023, but excluding
287 telecommunications and voice gateways and a clustered pair of
288 servers operating as a single logical server to provide file,
289 print, security, and endpoint management services single,
290 logical-server installations that exclusively perform a utility
291 function such as file and print servers.
292 (7) “Computing service” means an information technology
293 service that is used in all state agencies or a subset of
294 agencies and is, therefore, a candidate for being established as
295 an enterprise information technology service. Examples include
296 e-mail, service hosting, telecommunications, and disaster
298 (8) “Customer entity” means an entity that obtains services
299 from a primary data center.
300 (8) (9) “Data center” means a state agency site space
301 containing 10 or more physical or logical servers any of which
302 supports a strategic or nonstrategic information technology
303 service, as described in budget instructions developed pursuant
304 to s. 216.023.
305 (10) “Department” means the Department of Management
307 (10) (11) “Enterprise information technology service” means
308 an information technology service that is used in all state
309 agencies or a subset of state agencies and is designated by the
310 agency is established in law to be designed, delivered, and
311 managed at the enterprise level. Current enterprise information
312 technology services include data center services, e-mail, and
314 (11) (12) “E-mail, messaging, and calendaring service” means
315 the enterprise information technology service that enables users
316 to send, receive, file, store, manage, and retrieve electronic
317 messages, attachments, appointments, and addresses. The e-mail,
318 messaging, and calendaring service must include e-mail account
319 management; help desk; technical support and user provisioning
320 services; disaster recovery and backup and restore capabilities;
321 antispam and antivirus capabilities; archiving and e-discovery;
322 and remote access and mobile messaging capabilities.
323 (12) (13) “Information-system utility” means an information
324 processing a full-service information-processing facility
325 offering hardware, software, operations, integration,
326 networking, floor space, and consulting services.
327 (13) (14) “Information technology resources” means
328 equipment, hardware, software, firmware, programs, systems,
329 networks, infrastructure, media, and related material used to
330 automatically, electronically, and wirelessly collect, receive,
331 access, transmit, display, store, record, retrieve, analyze,
332 evaluate, process, classify, manipulate, manage, assimilate,
333 control, communicate, exchange, convert, converge, interface,
334 switch, or disseminate information of any kind or form, and
335 includes the human resources to perform such duties, but
336 excludes application developers and logical database
338 (14) “Local area network” means any telecommunications
339 network through which messages and data are exchanged strictly
340 within a single building or contiguous campus.
341 (12) (15) “Information technology policy” means statements
342 that describe clear choices for how information technology will
343 deliver effective and efficient government services to residents
344 and improve state agency operations. A policy may relate to
345 investments, business applications, architecture, or
346 infrastructure. A policy describes its rationale, implications
347 of compliance or noncompliance, the timeline for implementation,
348 metrics for determining compliance, and the accountable
349 structure responsible for its implementation.
350 (15) “Logical database administration” means the resources
351 required to build and maintain database structure, implement and
352 maintain role-based data access controls, and perform
353 performance optimization of data queries and includes the
354 manipulation, transformation, modification, and maintenance of
355 data within a logical database. Typical tasks include schema
356 design and modifications, user provisioning, query tuning, index
357 and statistics maintenance, and data import, export, and
359 (16) “Memorandum of understanding” means a written
360 agreement between a shared resource center or the Division of
361 Telecommunications in the agency and a state agency which
362 specifies the scope of services provided, service level,
363 duration of the agreement, responsible parties, and service
364 costs. A memorandum of understanding is not a rule pursuant to
365 chapter 120.
366 (17) “Operational information technology trust funds” means
367 funds into which deposits are made on a fee for service bases,
368 or a trust fund dedicated to a specific information technology
369 project or system.
370 (18) “Other public sector organizations” means entities of
371 the legislative and judicial branches, the State University
372 System, the Florida Community College System, counties, and
373 municipalities. Such organizations may elect to participate in
374 the information technology programs, services, or contracts
375 offered by the Agency for State Technology, including
376 information technology procurement, in accordance with general
377 law, policies, and administrative rules.
378 (19) (16) “Performance metrics” means the measures of an
379 organization’s activities and performance.
380 (20) “Physical database administration” means the resources
381 responsible for installing, maintaining, and operating an
382 environment within which a database is hosted. Typical tasks
383 include database engine installation, configuration, and
384 security patching, as well as performing backup and restoration
385 of hosted databases, setup and maintenance of instance-based
386 data replication, and monitoring the health and performance of
387 the database environment.
388 (21) (17) “Primary data center” means a data center that is
389 a recipient entity for consolidation of state agency information
390 technology resources nonprimary data centers and computing
391 facilities and that is established by law.
392 (22) (18) “Project” means an endeavor that has a defined
393 start and end point; is undertaken to create or modify a unique
394 product, service, or result; and has specific objectives that,
395 when attained, signify completion.
396 (23) (19) “Risk analysis” means the process of identifying
397 security risks, determining their magnitude, and identifying
398 areas needing safeguards.
399 (24) (20) “Service level” means the key performance
400 indicators (KPI) of an organization or service which must be
401 regularly performed, monitored, and achieved.
402 (21) “Service-level agreement” means a written contract
403 between a data center and a customer entity which specifies the
404 scope of services provided, service level, the duration of the
405 agreement, the responsible parties, and service costs. A
406 service-level agreement is not a rule pursuant to chapter 120.
407 (25) “Shared resource center” means a primary data center
408 that has been designated and assigned specific duties under this
409 chapter or by the Agency for State Technology under s. 14.206.
410 (26) (22) “Standards” means required practices, controls,
411 components, or configurations established by an authority.
412 (27) “State agency” means any official, officer,
413 commission, board, authority, council, committee, or department
414 of the executive branch of state government. The term does not
415 include university boards of trustees or state universities.
416 (28) “State agency site” means a single, contiguous local
417 area network segment that does not traverse a metropolitan area
418 network or wide area network.
419 (29) (23) “SUNCOM Network” means the state enterprise
420 telecommunications system that provides all methods of
421 electronic or optical telecommunications beyond a single
422 building or contiguous building complex and used by entities
423 authorized as network users under this part.
424 (30) (24) “Telecommunications” means the science and
425 technology of communication at a distance, including electronic
426 systems used in the transmission or reception of information.
427 (31) (25) “Threat” means any circumstance or event that may
428 cause harm to the integrity, availability, or confidentiality of
429 information technology resources.
430 (32) (26) “Total cost” means all costs associated with
431 information technology projects or initiatives, including, but
432 not limited to, value of hardware, software, service,
433 maintenance, incremental personnel, and facilities. Total cost
434 of a loan or gift of information technology resources to a state
435 an agency includes the fair market value of the resources.
436 (33) (27) “Usage” means the billing amount charged by the
437 primary data center, less any pass-through charges, to the state
438 agency customer entity.
439 (34) (28) “Usage rate” means a state agency’s customer
440 entity’s usage or billing amount as a percentage of total usage.
441 (35) “Wide area network” means any telecommunications
442 network or components thereof through which messages and data
443 are exchanged outside of a local area network.
444 Section 6. Section 282.0055, Florida Statutes, is amended
445 to read:
446 (Substantial rewording of section. See
447 s. 282.0055, Florida Statutes, for current text.)
448 282.0055 Assignment of enterprise information technology.—
449 (1) The establishment of a systematic process for the
450 planning, design, implementation, procurement, delivery, and
451 maintenance of enterprise information technology services shall
452 be the responsibility of the Agency for State Technology for
453 executive branch agencies that are created or authorized in
454 statute to perform legislatively delegated functions. The
455 agency’s duties shall be performed in collaboration with the
456 state agencies. The supervision, design, development, delivery,
457 and maintenance of state-agency specific or unique software
458 applications shall remain within the responsibility and control
459 of the individual state agency or other public sector
461 (2) During the 2012-2013 fiscal year, the Agency for State
462 Technology shall, in collaboration with the state agencies and
463 other stakeholders, create a road map for enterprise information
464 technology service consolidation. The road map shall be
465 presented for approval by the Governor and Cabinet by August 30,
466 2013. At a minimum, the road map must include:
467 (a) An enterprise architecture that provides innovative,
468 yet pragmatic and cost-effective offering, and which
469 contemplates the consolidated delivery of services based on
470 similar business processes and functions that span across all
471 executive and cabinet agencies.
472 (b) A schedule for the consolidation of state agency data
474 (c) Cost-saving targets and timeframes for when the savings
475 will be realized.
476 (d) Recommendations, including cost estimates, for
477 improvements to the shared resource centers, which will improve
478 the agency’s ability to deliver enterprise information
479 technology services.
480 (e) A transition plan for the transfer of portions of the
481 Technology Program established under s. 20.22(2), Florida
482 Statutes that provide an enterprise information technology
484 (3) By October 15th of each year beginning in 2013, the
485 Agency for State Technology shall develop a comprehensive
486 transition plan for scheduled consolidations occurring in the
487 next fiscal year. This plan shall be submitted to the Governor,
488 the Cabinet, the President of the Senate, and the Speaker of the
489 House of Representatives. The transition plan shall be developed
490 in consultation with other state agencies submitting state
491 agency transition plans. The comprehensive transition plan must
493 (a) Recommendations for accomplishing the proposed
494 transitions as efficiently and effectively as possible with
495 minimal disruption to state agency business processes.
496 (b) Strategies to minimize risks associated with any of the
497 proposed consolidations.
498 (c) A compilation of the state agency transition plans
499 submitted by state agencies scheduled for consolidation for the
500 following fiscal year.
501 (d) An estimate of the cost to provide enterprise
502 information technology services for each state agency scheduled
503 for consolidation.
504 (e) An analysis of the cost effects resulting from the
505 planned consolidations on existing state agencies.
506 (f) The fiscal year adjustments to budget categories in
507 order to absorb the transfer of state agency information
508 technology resources pursuant to the legislative budget request
509 instructions provided in s. 216.023.
510 (g) A description of any issues that must be resolved in
511 order to accomplish as efficiently and effectively as possible
512 all consolidations required during the fiscal year.
513 (4) State agencies have the following duties:
514 (a) For the purpose of completing its work activities, each
515 state agency shall provide to the Agency for State Technology
516 all requested information and any other information relevant to
517 the state agency’s ability to effectively transition its
518 information technology resources into the agency.
519 (b) For the purpose of completing its work activities, each
520 state agency shall temporarily assign staff to assist the agency
521 with designated tasks as negotiated between the agency and the
522 state agency.
523 (c) Each state agency identified for consolidation into an
524 enterprise information technology service offering must submit a
525 transition plan to the Agency for State Technology by September
526 1 of the fiscal year before the fiscal year in which the
527 scheduled consolidation will occur. Transition plans shall be
528 developed in consultation with the agency and must include:
529 1. An inventory of the state agency data center’s resources
530 being consolidated, including all hardware, software, staff, and
531 contracted services, and the facility resources performing data
532 center management and operations, security, backup and recovery,
533 disaster recovery, system administration, database
534 administration, system programming, mainframe maintenance, job
535 control, production control, print, storage, technical support,
536 help desk, and managed services, but excluding application
538 2. A description of the level of services needed to meet
539 the technical and operational requirements of the platforms
540 being consolidated and an estimate of the primary data center’s
541 cost for the provision of such services.
542 3. A description of expected changes to its information
543 technology needs and the timeframe when such changes will occur.
544 4. A description of the information technology resources
545 proposed to remain in the state agency.
546 5. A baseline project schedule for the completion of the
548 6. The specific recurring and nonrecurring budget
549 adjustments of budget resources by appropriation category into
550 the appropriate data processing category pursuant to the
551 legislative budget instructions in s. 216.023 necessary to
552 support state agency costs for the transfer.
553 (5)(a) Unless authorized by the Legislature or the agency
554 as provided in paragraphs (b) and (c), a state agency may not:
555 1. Create a new computing service or expand an existing
556 computing service if that service has been designated as an
557 enterprise information technology service.
558 2. Spend funds before the state agency’s scheduled
559 consolidation to an enterprise information technology service to
560 purchase or modify hardware or operations software that does not
561 comply with hardware and software standards established by the
562 Agency for State Technology.
563 3. Unless for the purpose of offsite disaster recovery
564 services, transfer existing computing services to any service
565 provider other than the Agency for State Technology.
566 4. Terminate services with the Agency for State Technology
567 without giving written notice of intent to terminate or transfer
568 services 180 days before such termination or transfer.
569 5. Initiate a new computing service with any service
570 provider other than the Agency for State Technology if that
571 service has been designated as an enterprise information
572 technology service.
573 (b) Exceptions to the limitations in subparagraphs (a)1.,
574 2., 3., and 5. may be granted by the Agency for State Technology
575 if there is insufficient capacity in the primary data centers to
576 absorb the workload associated with agency computing services,
577 expenditures are compatible with the scheduled consolidation and
578 established standards, or the equipment or resources are needed
579 to meet a critical state agency business need that cannot be
580 satisfied from surplus equipment or resources of the primary
581 data center until the state agency data center is consolidated.
582 1. A request for an exception must be submitted in writing
583 to the Agency for State Technology. The agency must accept,
584 accept with conditions, or deny the request within 60 days after
585 receipt of the written request. The agency’s decision is not
586 subject to chapter 120.
587 2. The Agency for State Technology may not approve a
588 request unless it includes, at a minimum:
589 a. A detailed description of the capacity requirements of
590 the state agency requesting the exception.
591 b. Documentation from the state agency head demonstrating
592 why it is critical to the state agency’s mission that the
593 expansion or transfer must be completed within the fiscal year
594 rather than when capacity is established at a primary data
596 3. Exceptions to subparagraph (a)4. may be granted by the
597 Agency for State Technology if the termination or transfer of
598 services can be absorbed within the current cost-allocation
600 Section 7. Section 282.0056, Florida Statutes, is amended
601 to read:
602 282.0056 Strategic plan, development of work plan, and ;
603 development of implementation plans; and policy
605 (1) In order to provide a systematic process for meeting
606 the state’s technology needs, the executive director of the
607 Agency for State Technology shall develop a biennial state
608 Information Technology Resources Strategic Plan. The Governor
609 and Cabinet shall approve the plan before transmitting it to the
610 Legislature, biennially, starting October 1, 2013. The plan must
611 include the following elements:
612 (a) The vision, goals, initiatives, and targets for state
613 information technology for the short term of 2 years, midterm of
614 3 to 5 years, and long term of more than 5 years.
615 (b) An inventory of the information technology resources in
616 state agencies and major projects currently in progress and
617 planned. This does not imply that the agency has approval
618 authority over major projects. As used in this section, the term
619 “major project” means projects that cost more than $1 million to
621 (c) An analysis of opportunities for statewide initiatives
622 that would yield efficiencies, cost savings, or avoidance or
623 improve effectiveness in state programs. The analysis must
625 1. Information technology services that should be designed,
626 delivered, and managed as enterprise information technology
628 2. Techniques for consolidating the purchase of information
629 technology commodities and services that may result in savings
630 for the state and for establishing a process to achieve savings
631 through consolidated purchases.
632 3. A cost-benefit analysis of options, such as
633 privatization, outsourcing, or in-sourcing, to reduce costs or
634 improve services to agencies and taxpayers.
635 (d) Recommended initiatives based on the analysis in
636 paragraph (c).
637 (e) Implementation plans for enterprise information
638 technology services designated by the agency. The implementation
639 plans must describe the scope of service, requirements analyses,
640 costs and savings projects, and a project schedule for statewide
642 (2) Each state agency shall, biennially, provide to the
643 agency the inventory required under paragraph (1)(b). The agency
644 shall consult with and assist state agencies in the preparation
645 of these inventories. Each state agency shall submit its plan
646 inventory to the agency biennially, starting January 1, 2013.
647 (3) For the purpose of completing its work activities, each
648 state agency shall provide to the agency all requested
649 information, including, but not limited to, the state agency’s
650 costs, service requirements, staffing, and equipment
652 (4) (1) For the purpose of ensuring accountability for the
653 duties and responsibilities of the executive director and the
654 agency under ss. 14.206 and 282.0055, the executive director For
655 the purposes of carrying out its responsibilities under s.
656 282.0055 , the Agency for Enterprise Information Technology shall
657 develop an annual work plan within 60 days after the beginning
658 of the fiscal year describing the activities that the agency
659 intends to undertake for that year and identify the critical
660 success factors, risks, and issues associated with the work
661 planned. The work plan must also include planned including
662 proposed outcomes and completion timeframes for the planning and
663 implementation of all enterprise information technology
664 services. The work plan must align with the state Information
665 Technology Resources Strategic Plan, be presented at a public
666 hearing, and be approved by the Governor and Cabinet; , and,
667 thereafter, be submitted to the President of the Senate and the
668 Speaker of the House of Representatives. The work plan may be
669 amended as needed, subject to approval by the Governor and
671 (2) The agency may develop and submit to the President of
672 the Senate, the Speaker of the House of Representatives, and the
673 Governor by October 1 of each year implementation plans for
674 proposed enterprise information technology services to be
675 established in law.
676 (3) In developing policy recommendations and implementation
677 plans for established and proposed enterprise information
678 technology services, the agency shall describe the scope of
679 operation, conduct costs and requirements analyses, conduct an
680 inventory of all existing information technology resources that
681 are associated with each service, and develop strategies and
682 timeframes for statewide migration.
683 (4) For the purpose of completing its work activities, each
684 state agency shall provide to the agency all requested
685 information, including, but not limited to, the state agency’s
686 costs, service requirements, and equipment inventories.
687 (5) For the purpose of ensuring accountability for the
688 duties and responsibilities of the executive director and the
689 agency under ss. 14.206 and 282.0055, within 60 days after the
690 end of each fiscal year, the executive director agency shall
691 report to the Governor and Cabinet, the President of the Senate,
692 and the Speaker of the House of Representatives on what was
693 achieved or not achieved in the prior year’s work plan.
694 Section 8. Section 282.201, Florida Statutes, is amended to
696 (Substantial rewording of section. See
697 s. 282.201, Florida Statutes, for current text.)
698 282.201 State data center system; agency duties and
699 limitations.—A state data center system that includes all
700 primary data centers, other nonprimary data centers, and
701 computing facilities, and that provides an enterprise
702 information technology service, is established.
703 (1) INTENT.—The Legislature finds that the most efficient
704 and effective means of providing quality utility data processing
705 services to state agencies requires that computing resources be
706 concentrated in quality facilities that provide the proper
707 security, infrastructure, and staff resources to ensure that the
708 state’s data is maintained reliably and safely and is
709 recoverable in the event of a disaster. Efficiencies resulting
710 from such consolidation include the increased ability to
711 leverage technological expertise and hardware and software
712 capabilities; increased savings through consolidated purchasing
713 decisions; and the enhanced ability to deploy technology
714 improvements and implement new policies consistently throughout
715 the consolidated organization.
716 (2) AGENCY FOR STATE TECHNOLOGY DUTIES.—(a) The agency
717 shall by October 1, 2013, provide to the Governor and Cabinet,
718 recommendations for approving, confirming and removing primary
719 data center designation. The recommendations shall consider the
720 recommendations from the Law Enforcement Consolidations Task
721 Force. Upon approval of the Governor and Cabinet of primary data
722 center designations, existing primary data center designations
723 are repealed by operation of law, and therefore, obsolete.
724 (b) Establish a schedule for the consolidation of state
725 agency data centers or a transition plan for outsourcing data
726 center services, subject to review by the Governor and Cabinet.
727 The schedule or transition plan must be provided by October 1,
728 2013, and be updated annually until the completion of
729 consolidation. The schedule must be based on the goals of
730 maximizing the efficiency and quality of service delivery and
731 cost savings.
732 (3) STATE AGENCY DUTIES.—
733 (a) Any state agency that is consolidating agency data
734 centers into a primary data center must execute a new or update
735 an existing memorandum of understanding or service level
736 agreement within 60 days after the specified consolidation date,
737 as required by s. 282.203, in order to specify the services and
738 levels of service it is to receive from the primary data center
739 as a result of the consolidation. If a state agency is unable to
740 execute a memorandum of understanding by that date, the state
741 agency shall submit a report to the Executive Office of the
742 Governor, the Cabinet, the President of the Senate, and the
743 Speaker of the House of Representatives within 5 working days
744 after that date which explains the specific issues preventing
745 execution and describes its plan and schedule for resolving
746 those issues.
747 (b) On the date of each consolidation specified in general
748 law or the General Appropriations Act, each state agency shall
749 retain the least-privileged administrative access rights
750 necessary to perform the duties not assigned to the primary data
752 (4) SCHEDULE FOR CONSOLIDATIONS OF STATE AGENCY DATA
753 CENTERS.—Consolidations of state agency data centers are
754 suspended for the 2012-2013 fiscal year. Consolidations shall
755 resume during the 2013-2014 fiscal year based upon a revised
756 schedule developed by the agency. The revised schedule shall
757 consider the recommendations from the Law Enforcement
758 Consolidation Task Force. State agency data centers and
759 computing facilities shall be consolidated into the agency by
760 June 30, 2018.
761 Section 9. Section 282.203, Florida Statutes, is amended to
763 (Substantial rewording of section. See
764 s. 282.203, Florida Statutes, for current text.)
765 282.203 Primary data centers; duties.—
766 (1) Each primary data center shall:
767 (a) Serve participating state agencies as an information
768 system utility.
769 (b) Cooperate with participating state agencies to offer,
770 develop, and support the services and applications.
771 (c) Provide transparent financial statements to
772 participating state agencies.
773 (d) Assume the least-privileged administrative access
774 rights necessary to perform the services provided by the data
775 center for the software and equipment that is consolidated into
776 a primary data center.
777 (2) Each primary data center shall enter into a memorandum
778 of understanding with each participating state agency to provide
779 services. A memorandum of understanding may not have a term
780 exceeding 3 years but may include an option to renew for up to 3
781 years. Failure to execute a memorandum within 60 days after
782 service commencement shall, in the case of a participating state
783 agency, result in the continuation of the terms of the
784 memorandum of understanding from the previous fiscal year,
785 including any amendments that were formally proposed to the
786 state agency by the primary data center within the 3 months
787 before service commencement, and a revised cost-of-service
788 estimate. If a participating state agency fails to execute a
789 memorandum of understanding within 60 days after service
790 commencement, the data center may cease providing services.
791 Section 10. Section 282.204, Florida Statutes, is repealed.
792 Section 11. Section 282.205, Florida Statutes, is repealed.
793 Section 12. Section 282.33, Florida Statutes, is repealed.
794 Section 13. Section 282.34, Florida Statutes, is amended to
796 282.34 Statewide e-mail service.—A statewide e-mail service
797 that includes the delivery and support of e-mail, messaging, and
798 calendaring capabilities is established as an enterprise
799 information technology service as defined in s. 282.0041. The
800 service shall be provisioned designed to meet the needs of all
801 executive branch agencies and may also be used by other public
802 sector nonstate agency entities. The primary goals of the
803 service are to ; provide a reliable collaborative communication
804 service to state agencies; minimize the state investment
805 required to establish, operate, and support the statewide
806 service; reduce the cost of current e-mail operations and the
807 number of duplicative e-mail systems; and eliminate the need for
808 each state agency to maintain its own e-mail staff.
809 (1) Except as specified in subsection (2), all state
810 agencies shall receive their primary email services exclusively
811 through the Agency for State Technology. The Southwood Shared
812 Resource Center, a primary data center, shall be the provider of
813 the statewide e-mail service for all state agencies. The center
814 shall centrally host, manage, operate, and support the service,
815 or outsource the hosting, management, operational, or support
816 components of the service in order to achieve the primary goals
817 identified in this section.
818 (2) The Department of Legal Affairs shall work with the
819 agency to develop a plan to migrate to the enterprise email
820 service. The plan shall identify the time frame for migration,
821 the associated costs, and the risks. The plan shall be presented
822 to the Governor and Cabinet by December 1, 2014. The Agency for
823 Enterprise Information Technology, in cooperation and
824 consultation with all state agencies, shall prepare and submit
825 for approval by the Legislative Budget Commission at a meeting
826 scheduled before June 30, 2011, a proposed plan for the
827 migration of all state agencies to the statewide e-mail service.
828 The plan for migration must include:
829 (a) A cost-benefit analysis that compares the total
830 recurring and nonrecurring operating costs of the current agency
831 e-mail systems, including monthly mailbox costs, staffing,
832 licensing and maintenance costs, hardware, and other related e
833 mail product and service costs to the costs associated with the
834 proposed statewide e-mail service. The analysis must also
836 1. A comparison of the estimated total 7-year life-cycle
837 cost of the current agency e-mail systems versus the feasibility
838 of funding the migration and operation of the statewide e-mail
840 2. An estimate of recurring costs associated with the
841 energy consumption of current agency e-mail equipment, and the
842 basis for the estimate.
843 3. An identification of the overall cost savings resulting
844 from state agencies migrating to the statewide e-mail service
845 and decommissioning their agency e-mail systems.
846 (b) A proposed migration date for all state agencies to be
847 migrated to the statewide e-mail service. The Agency for
848 Enterprise Information Technology shall work with the Executive
849 Office of the Governor to develop the schedule for migrating all
850 state agencies to the statewide e-mail service except for the
851 Department of Legal Affairs. The Department of Legal Affairs
852 shall provide to the Agency for Enterprise Information
853 Technology by June 1, 2011, a proposed migration date based upon
854 its decision to participate in the statewide e-mail service and
855 the identification of any issues that require resolution in
856 order to migrate to the statewide e-mail service.
857 (c) A budget amendment, submitted pursuant to chapter 216,
858 for adjustments to each agency’s approved operating budget
859 necessary to transfer sufficient budget resources into the
860 appropriate data processing category to support its statewide e
861 mail service costs.
862 (d) A budget amendment, submitted pursuant to chapter 216,
863 for adjustments to the Southwood Shared Resource Center approved
864 operating budget to include adjustments in the number of
865 authorized positions, salary budget and associated rate,
866 necessary to implement the statewide e-mail service.
867 (3) Contingent upon approval by the Legislative Budget
868 Commission, the Southwood Shared Resource Center may contract
869 for the provision of a statewide e-mail service. Executive
870 branch agencies must be completely migrated to the statewide e
871 mail service based upon the migration date included in the
872 proposed plan approved by the Legislative Budget Commission.
873 (4) Notwithstanding chapter 216, general revenue funds may
874 be increased or decreased for each agency provided the net
875 change to general revenue in total for all agencies is zero or
877 (5) Subsequent to the approval of the consolidated budget
878 amendment to reflect budget adjustments necessary to migrate to
879 the statewide e-mail service, an agency may make adjustments
880 subject to s. 216.177 , notwithstanding provisions in chapter 216
881 which may require such adjustments to be approved by the
882 Legislative Budget Commission.
883 (6) No agency may initiate a new e-mail service or execute
884 a new e-mail contract or amend a current e-mail contract, other
885 than with the Southwood Shared Resource Center, for nonessential
886 products or services unless the Legislative Budget Commission
887 denies approval for the Southwood Shared Resource Center to
888 enter into a contract for the statewide e-mail service.
889 (7) The Agency for Enterprise Information Technology shall
890 work with the Southwood Shared Resource Center to develop an
891 implementation plan that identifies and describes the detailed
892 processes and timelines for an agency’s migration to the
893 statewide e-mail service based on the migration date approved by
894 the Legislative Budget Commission. The agency may establish and
895 coordinate workgroups consisting of agency e-mail management,
896 information technology, budget, and administrative staff to
897 assist the agency in the development of the plan.
898 (8) Each executive branch agency shall provide all
899 information necessary to develop the implementation plan,
900 including, but not limited to, required mailbox features and the
901 number of mailboxes that will require migration services. Each
902 agency must also identify any known business, operational, or
903 technical plans, limitations, or constraints that should be
904 considered when developing the plan.
905 Section 14. Section 282.702, Florida Statutes, is amended
906 to read:
907 282.702 Powers and duties.—The Department of Management
908 Services shall have the following powers, duties, and functions:
909 (1) To publish electronically the portfolio of services
910 available from the department, including pricing information;
911 the policies and procedures governing usage of available
912 services; and a forecast of the department’s priorities for each
913 telecommunications service.
914 (2) To adopt technical standards by rule for the state
915 telecommunications network which ensure the interconnection and
916 operational security of computer networks, telecommunications,
917 and information systems of agencies.
918 (3) To enter into agreements related to information
919 technology and telecommunications services with state agencies
920 and political subdivisions of the state.
921 (4) To purchase from or contract with information
922 technology providers for information technology, including
923 private line services.
924 (5) To apply for, receive, and hold authorizations,
925 patents, copyrights, trademarks, service marks, licenses, and
926 allocations or channels and frequencies to carry out the
927 purposes of this part.
928 (6) To purchase, lease, or otherwise acquire and to hold,
929 sell, transfer, license, or otherwise dispose of real, personal,
930 and intellectual property, including, but not limited to,
931 patents, trademarks, copyrights, and service marks.
932 (7) To cooperate with any federal, state, or local
933 emergency management agency in providing for emergency
934 telecommunications services.
935 (8) To control and approve the purchase, lease, or
936 acquisition and the use of telecommunications services,
937 software, circuits, and equipment provided as part of any other
938 total telecommunications system to be used by the state or its
940 (9) To adopt rules pursuant to ss. 120.536(1) and 120.54
941 relating to telecommunications and to administer the provisions
942 of this part.
943 (10) To apply for and accept federal funds for the purposes
944 of this part as well as gifts and donations from individuals,
945 foundations, and private organizations.
946 (11) To monitor issues relating to telecommunications
947 facilities and services before the Florida Public Service
948 Commission and the Federal Communications Commission and, if
949 necessary, prepare position papers, prepare testimony, appear as
950 a witness, and retain witnesses on behalf of state agencies in
951 proceedings before the commissions.
952 (12) Unless delegated to the state agencies by the
953 department, to manage and control, but not intercept or
954 interpret, telecommunications within the SUNCOM Network by:
955 (a) Establishing technical standards to physically
956 interface with the SUNCOM Network.
957 (b) Specifying how telecommunications are transmitted
958 within the SUNCOM Network.
959 (c) Controlling the routing of telecommunications within
960 the SUNCOM Network.
961 (d) Establishing standards, policies, and procedures for
962 access to and the security of the SUNCOM Network.
963 (e) Ensuring orderly and reliable telecommunications
964 services in accordance with the service level agreements
965 executed with state agencies.
966 (13) To plan, design, and conduct experiments for
967 telecommunications services, equipment, and technologies, and to
968 implement enhancements in the state telecommunications network
969 if in the public interest and cost-effective. Funding for such
970 experiments must be derived from SUNCOM Network service revenues
971 and may not exceed 2 percent of the annual budget for the SUNCOM
972 Network for any fiscal year or as provided in the General
973 Appropriations Act. New services offered as a result of this
974 subsection may not affect existing rates for facilities or
976 (14) To enter into contracts or agreements, with or without
977 competitive bidding or procurement, to make available, on a
978 fair, reasonable, and nondiscriminatory basis, property and
979 other structures under departmental control for the placement of
980 new facilities by any wireless provider of mobile service as
981 defined in 47 U.S.C. s. 153(27) or s. 332(d) and any
982 telecommunications company as defined in s. 364.02 if it is
983 practical and feasible to make such property or other structures
984 available. The department may, without adopting a rule, charge a
985 just, reasonable, and nondiscriminatory fee for the placement of
986 the facilities, payable annually, based on the fair market value
987 of space used by comparable telecommunications facilities in the
988 state. The department and a wireless provider or
989 telecommunications company may negotiate the reduction or
990 elimination of a fee in consideration of services provided to
991 the department by the wireless provider or telecommunications
992 company. All such fees collected by the department shall be
993 deposited directly into the Law Enforcement Radio Operating
994 Trust Fund, and may be used by the department to construct,
995 maintain, or support the system.
996 (15) Establish policies that ensure that the department’s
997 cost-recovery methodologies, billings, receivables,
998 expenditures, budgeting, and accounting data are captured and
999 reported timely, consistently, accurately, and transparently and
1000 are in compliance with all applicable federal and state laws and
1001 rules. The department shall annually submit to the Governor, the
1002 President of the Senate, and the Speaker of the House of
1003 Representatives a report that describes each service and its
1004 cost, the billing methodology for recovering the cost of the
1005 service, and, if applicable, the identity of those services that
1006 are subsidized.
1007 (16) Develop a plan for statewide voice-over-Internet
1008 protocol services. The plan shall include cost estimates and the
1009 estimated return on investment. The plan shall be submitted to
1010 the Governor, the Cabinet, the President of the Senate, and the
1011 Speaker of the House of Representatives by June 30, 2013.
1012 (17) The department shall produce a feasibility analysis by
1013 January 1, 2013, of the options for procuring end-to-end network
1014 services, including services provided by the statewide area
1015 network, metropolitan area networks, and local area networks,
1016 which may be provided by each state agency. The scope of this
1017 service does not include wiring or file and print server
1018 infrastructure. The feasibility analysis must determine the
1019 technical and economic feasibility of using existing resources
1020 and infrastructure that are owned or used by state entities in
1021 the provision or receipt of network services in order to reduce
1022 the cost of network services for the state.
1023 (a) At a minimum, the feasibility analysis must include:
1024 1. A definition and assessment of the current portfolio of
1025 services, the network services that are provided by each state
1026 agency, and a forecast of anticipated changes in network service
1027 needs which considers specific state agency business needs and
1028 the implementation of enterprise services established under this
1030 2. A description of any limitations or enhancements in the
1031 network, including any technical or logistical challenges
1032 relating to the central provisioning of local area network
1033 services currently provided and supported by each state agency.
1034 The analysis must also address changes in usage patterns which
1035 can reasonably be expected due to the consolidation of state
1036 agency data centers or the specific business needs of state
1037 agencies and other service customers.
1038 3. An analysis and comparison of the risks associated with
1039 the current service delivery models and at least two other
1040 options that leverage the existing resources and infrastructure
1041 identified in this subsection. Options may include multi-vendor
1042 and segmented contracting options. All sourcing options must
1043 produce a service that can be used by schools and other
1044 qualified entities that seek federal grants provided through the
1045 Universal Service Fund Program.
1046 4. A cost-benefit analysis that estimates all major cost
1047 elements associated with each sourcing option, focusing on the
1048 nonrecurring and recurring life-cycle costs of the proposal in
1049 order to determine the financial feasibility of each sourcing
1050 option. The cost-benefit analysis must include:
1051 a. The total recurring operating costs of the proposed
1052 state network service including estimates of monthly charges,
1053 staffing, billing, licenses and maintenance, hardware, and other
1054 related costs.
1055 b. An estimate of nonrecurring costs associated with
1056 construction, transmission lines, premises and switching
1057 hardware purchase and installation, and required software based
1058 on the proposed solution.
1059 c. An estimate of other critical costs associated with the
1060 current and proposed sourcing options for the state network.
1061 5. Recommendations for reducing current costs associated
1062 with statewide network services. The department shall consider
1063 the following in developing the recommendations:
1064 a. Leveraging existing resources and expertise.
1065 b. Standardizing service-level agreements to customer
1066 entities in order to maximize capacity and availability.
1067 6. A detailed timeline for the complete procurement and
1068 transition to a more efficient and cost-effective solution.
1069 Section 15. Paragraph (e) of subsection (2) of section
1070 110.205, Florida Statutes, is amended to read:
1071 110.205 Career service; exemptions.—
1072 (2) EXEMPT POSITIONS.—The exempt positions that are not
1073 covered by this part include the following:
1074 (e) The executive director of Chief Information Officer in
1075 the Agency for State Enterprise Information Technology. Unless
1076 otherwise fixed by law, the Governor and Cabinet Agency for
1077 Enterprise Information Technology shall set the salary and
1078 benefits of this position in accordance with the rules of the
1079 Senior Management Service.
1080 Section 16. Subsections (2) and (9) of section 215.322,
1081 Florida Statutes, are amended to read:
1082 215.322 Acceptance of credit cards, charge cards, debit
1083 cards, or electronic funds transfers by state agencies, units of
1084 local government, and the judicial branch.—
1085 (2) A state agency as defined in s. 216.011, or the
1086 judicial branch, may accept credit cards, charge cards, debit
1087 cards, or electronic funds transfers in payment for goods and
1088 services with the prior approval of the Chief Financial Officer.
1089 If the Internet or other related electronic methods are to be
1090 used as the collection medium, the Agency for State Enterprise
1091 Information Technology shall review and recommend to the Chief
1092 Financial Officer whether to approve the request with regard to
1093 the process or procedure to be used.
1094 (9) For payment programs in which credit cards, charge
1095 cards, or debit cards are accepted by state agencies, the
1096 judicial branch, or units of local government, the Chief
1097 Financial Officer, in consultation with the Agency for State
1098 Enterprise Information Technology, may adopt rules to establish
1099 uniform security safeguards for cardholder data and to ensure
1100 compliance with the Payment Card Industry Data Security
1102 Section 17. Subsections (3), (4), (5), and (6) of section
1103 282.318, Florida Statutes, are amended to read:
1104 282.318 Enterprise security of data and information
1106 (3) The Agency for State Enterprise Information Technology
1107 is responsible for establishing rules and publishing guidelines
1108 for ensuring an appropriate level of security for all data and
1109 information technology resources for executive branch agencies.
1110 The agency shall also perform the following duties and
1112 (a) Develop, and annually update by February 1, an
1113 enterprise information security strategic plan that includes
1114 security goals and objectives for the strategic issues of
1115 information security policy, risk management, training, incident
1116 management, and survivability planning.
1117 (b) Develop enterprise security rules and published
1118 guidelines for:
1119 1. Comprehensive risk analyses and information security
1120 audits conducted by state agencies.
1121 2. Responding to suspected or confirmed information
1122 security incidents, including suspected or confirmed breaches of
1123 personal information or exempt data.
1124 3. Agency security plans, including strategic security
1125 plans and security program plans.
1126 4. The recovery of information technology and data
1127 following a disaster.
1128 5. The managerial, operational, and technical safeguards
1129 for protecting state government data and information technology
1131 (c) Assist agencies in complying with the provisions of
1132 this section.
1133 (d) Pursue appropriate funding for the purpose of enhancing
1134 domestic security.
1135 (e) Provide training for agency information security
1137 (f) Annually review the strategic and operational
1138 information security plans of executive branch agencies.
1139 (4) To assist the Agency for State Enterprise Information
1140 Technology in carrying out its responsibilities, each state
1141 agency head shall, at a minimum:
1142 (a) Designate an information security manager to administer
1143 the security program of the state agency for its data and
1144 information technology resources. This designation must be
1145 provided annually in writing to the Agency for State Enterprise
1146 Information Technology by January 1.
1147 (b) Annually submit to the Agency for State Enterprise
1148 Information Technology annually by July 31, the state agency’s
1149 comprehensive strategic and operational information security
1150 plans developed pursuant to the rules and guidelines established
1151 by the Agency for State Enterprise Information Technology.
1152 1. The state agency comprehensive strategic information
1153 security plan must cover a 3-year period and define security
1154 goals, intermediate objectives, and projected agency costs for
1155 the strategic issues of agency information security policy, risk
1156 management, security training, security incident response, and
1157 survivability. The plan must be based on the enterprise
1158 strategic information security plan created by the Agency for
1159 State Enterprise Information Technology. Additional issues may
1160 be included.
1161 2. The state agency operational information security plan
1162 must include a progress report for the prior operational
1163 information security plan and a project plan that includes
1164 activities, timelines, and deliverables for security objectives
1165 that, subject to current resources, the state agency will
1166 implement during the current fiscal year. The cost of
1167 implementing the portions of the plan which cannot be funded
1168 from current resources must be identified in the plan.
1169 (c) Conduct, and update every 3 years, a comprehensive risk
1170 analysis to determine the security threats to the data,
1171 information, and information technology resources of the state
1172 agency. The risk analysis information is confidential and exempt
1173 from the provisions of s. 119.07(1), except that such
1174 information shall be available to the Auditor General and the
1175 Agency for State Enterprise Information Technology for
1176 performing postauditing duties.
1177 (d) Develop, and periodically update, written internal
1178 policies and procedures that , which include procedures for
1179 notifying the Agency for State Enterprise Information Technology
1180 when a suspected or confirmed breach, or an information security
1181 incident, occurs. Such policies and procedures must be
1182 consistent with the rules and guidelines established by the
1183 Agency for State Enterprise Information Technology to ensure the
1184 security of the data, information, and information technology
1185 resources of the state agency. The internal policies and
1186 procedures that, if disclosed, could facilitate the unauthorized
1187 modification, disclosure, or destruction of data or information
1188 technology resources are confidential information and exempt
1189 from s. 119.07(1), except that such information shall be
1190 available to the Auditor General and the Agency for State
1191 Enterprise Information Technology for performing postauditing
1193 (e) Implement appropriate cost-effective safeguards to
1194 address identified risks to the data, information, and
1195 information technology resources of the state agency.
1196 (f) Ensure that periodic internal audits and evaluations of
1197 the state agency’s security program for the data, information,
1198 and information technology resources of the state agency are
1199 conducted. The results of such audits and evaluations are
1200 confidential information and exempt from s. 119.07(1), except
1201 that such information shall be available to the Auditor General
1202 and the Agency for State Enterprise Information Technology for
1203 performing postauditing duties.
1204 (g) Include appropriate security requirements in the
1205 written specifications for the solicitation of information
1206 technology and information technology resources and services ,
1207 which are consistent with the rules and guidelines established
1208 by the Agency for State Enterprise Information Technology.
1209 (h) Provide security awareness training to employees and
1210 users of the state agency’s communication and information
1211 resources concerning information security risks and the
1212 responsibility of employees and users to comply with policies,
1213 standards, guidelines, and operating procedures adopted by the
1214 state agency to reduce those risks.
1215 (i) Develop a process for detecting, reporting, and
1216 responding to suspected or confirmed security incidents,
1217 including suspected or confirmed breaches consistent with the
1218 security rules and guidelines established by the Agency for
1219 State Enterprise Information Technology.
1220 1. Suspected or confirmed information security incidents
1221 and breaches must be immediately reported to the Agency for
1222 State Enterprise Information Technology.
1223 2. For incidents involving breaches, agencies shall provide
1224 notice in accordance with s. 817.5681 and to the Agency for
1225 State Enterprise Information Technology in accordance with this
1227 (5) Each state agency shall include appropriate security
1228 requirements in the specifications for the solicitation of
1229 contracts for procuring information technology or information
1230 technology resources or services which are consistent with the
1231 rules and guidelines established by the Agency for State
1232 Enterprise Information Technology.
1233 (6) The Agency for State Enterprise Information Technology
1234 may adopt rules relating to information security and to
1235 administer the provisions of this section.
1236 Section 18. Subsection (14) of section 287.012, Florida
1237 Statutes, is amended to read:
1238 287.012 Definitions.—As used in this part, the term:
1239 (14) “Information technology” means, but is not limited to,
1240 equipment, hardware, software, mainframe maintenance, firmware,
1241 programs, systems, networks, infrastructure, media, and related
1242 material used to automatically, electronically, and wirelessly
1243 collect, receive, access, transmit, display, store, record,
1244 retrieve, analyze, evaluate, process, classify, manipulate,
1245 manage, assimilate, control, communicate, exchange, convert,
1246 converge, interface, switch, or disseminate information of any
1247 kind or form has the meaning ascribed in s. 282.0041.
1248 Section 19. Subsection (22) of section 287.057, Florida
1249 Statutes, is amended to read:
1250 287.057 Procurement of commodities or contractual
1252 (22) The department, in consultation with the Agency for
1253 State Enterprise Information Technology and the Chief Financial
1254 Officer Comptroller, shall develop a program for online
1255 procurement of commodities and contractual services. To enable
1256 the state to promote open competition and to leverage its buying
1257 power, agencies shall participate in the online procurement
1258 program, and eligible users may participate in the program. Only
1259 vendors prequalified as meeting mandatory requirements and
1260 qualifications criteria may participate in online procurement.
1261 (a) The department, in consultation with the agency, may
1262 contract for equipment and services necessary to develop and
1263 implement online procurement.
1264 (b) The department, in consultation with the agency, shall
1265 adopt rules, pursuant to ss. 120.536(1) and 120.54, to
1266 administer the program for online procurement. The rules shall
1267 include, but not be limited to:
1268 1. Determining the requirements and qualification criteria
1269 for prequalifying vendors.
1270 2. Establishing the procedures for conducting online
1272 3. Establishing the criteria for eligible commodities and
1273 contractual services.
1274 4. Establishing the procedures for providing access to
1275 online procurement.
1276 5. Determining the criteria warranting any exceptions to
1277 participation in the online procurement program.
1278 (c) The department may impose and shall collect all fees
1279 for the use of the online procurement systems.
1280 1. The fees may be imposed on an individual transaction
1281 basis or as a fixed percentage of the cost savings generated. At
1282 a minimum, the fees must be set in an amount sufficient to cover
1283 the projected costs of the services, including administrative
1284 and project service costs in accordance with the policies of the
1286 2. If the department contracts with a provider for online
1287 procurement, the department, pursuant to appropriation, shall
1288 compensate the provider from the fees after the department has
1289 satisfied all ongoing costs. The provider shall report
1290 transaction data to the department each month so that the
1291 department may determine the amount due and payable to the
1292 department from each vendor.
1293 3. All fees that are due and payable to the state on a
1294 transactional basis or as a fixed percentage of the cost savings
1295 generated are subject to s. 215.31 and must be remitted within
1296 40 days after receipt of payment for which the fees are due. For
1297 fees that are not remitted within 40 days, the vendor shall pay
1298 interest at the rate established under s. 55.03(1) on the unpaid
1299 balance from the expiration of the 40-day period until the fees
1300 are remitted.
1301 4. All fees and surcharges collected under this paragraph
1302 shall be deposited in the Operating Trust Fund as provided by
1304 Section 20. Subsection (4) of section 445.011, Florida
1305 Statutes, is amended to read:
1306 445.011 Workforce information systems.—
1307 (4) Workforce Florida, Inc., shall coordinate development
1308 and implementation of workforce information systems with the
1309 executive director of the Agency for State Enterprise
1310 Information Technology to ensure compatibility with the state’s
1311 information system strategy and enterprise architecture.
1312 Section 21. Subsection (2) and paragraphs (a) and (b) of
1313 subsection (4) of section 445.045, Florida Statutes, are amended
1314 to read:
1315 445.045 Development of an Internet-based system for
1316 information technology industry promotion and workforce
1318 (2) Workforce Florida, Inc., shall coordinate with the
1319 Agency for State Enterprise Information Technology and the
1320 Department of Economic Opportunity to ensure links, where
1321 feasible and appropriate, to existing job information websites
1322 maintained by the state and state agencies and to ensure that
1323 information technology positions offered by the state and state
1324 agencies are posted on the information technology website.
1325 (4)(a) Workforce Florida, Inc., shall coordinate
1326 development and maintenance of the website under this section
1327 with the executive director of the Agency for State Enterprise
1328 Information Technology to ensure compatibility with the state’s
1329 information system strategy and enterprise architecture.
1330 (b) Workforce Florida, Inc., may enter into an agreement
1331 with the Agency for State Enterprise Information Technology, the
1332 Department of Economic Opportunity, or any other public agency
1333 with the requisite information technology expertise for the
1334 provision of design, operating, or other technological services
1335 necessary to develop and maintain the website.
1336 Section 22. Paragraph (b) of subsection (18) of section
1337 668.50, Florida Statutes, is amended to read:
1338 668.50 Uniform Electronic Transaction Act.—
1339 (18) ACCEPTANCE AND DISTRIBUTION OF ELECTRONIC RECORDS BY
1340 GOVERNMENTAL AGENCIES.—
1341 (b) To the extent that a governmental agency uses
1342 electronic records and electronic signatures under paragraph
1343 (a), the Agency for State Enterprise Information Technology, in
1344 consultation with the governmental agency, giving due
1345 consideration to security, may specify:
1346 1. The manner and format in which the electronic records
1347 must be created, generated, sent, communicated, received, and
1348 stored and the systems established for those purposes.
1349 2. If electronic records must be signed by electronic
1350 means, the type of electronic signature required, the manner and
1351 format in which the electronic signature must be affixed to the
1352 electronic record, and the identity of, or criteria that must be
1353 met by, any third party used by a person filing a document to
1354 facilitate the process.
1355 3. Control processes and procedures as appropriate to
1356 ensure adequate preservation, disposition, integrity, security,
1357 confidentiality, and auditability of electronic records.
1358 4. Any other required attributes for electronic records
1359 which are specified for corresponding nonelectronic records or
1360 reasonably necessary under the circumstances.
1361 Section 23. This act shall take effect July 1, 2012.
1363 ================= T I T L E A M E N D M E N T ================
1364 And the title is amended as follows:
1366 Delete everything before the enacting clause
1367 and insert:
1368 A bill to be entitled
1369 An act relating to ; state technology; abolishing the
1370 Agency for Enterprise Information Technology;
1371 transferring the personnel, functions, and funds of
1372 the Agency for Enterprise Information Technology to
1373 the Agency for State Technology; transferring
1374 specified personnel, functions, and funds relating to
1375 technology programs from the Department of Management
1376 Services to the Agency for State Technology;
1377 transferring the Northwood Shared Resource Center and
1378 the Southwood Shared Resource Center to the agency;
1379 repealing s. 14.204, F.S., relating to the Agency for
1380 Enterprise Information Technology; creating s. 14.206,
1381 F.S.; creating the Agency for State Technology;
1382 providing for an executive director who shall be the
1383 state’s Chief Information Officer; providing for
1384 organization of the agency; providing duties and
1385 responsibilities of the agency and of the executive
1386 director; requiring certain status reports to the
1387 Governor, the Cabinet, and the Legislature;
1388 authorizing the agency to adopt rules; reordering and
1389 amending s. 282.0041, F.S.; revising and providing
1390 definitions of terms as used in the Enterprise
1391 Information Technology Services Management Act;
1392 amending s. 282.0055, F.S.; revising provisions for
1393 assignment of information technology services;
1394 directing the agency to create a road map for
1395 enterprise information technology service
1396 consolidation and a comprehensive transition plan;
1397 requiring the transition plan to be submitted to the
1398 Governor and Cabinet and the Legislature by a certain
1399 date; providing duties for state agencies relating to
1400 the transition plan; prohibiting state agencies from
1401 certain technology-related activities; providing for
1402 exceptions; amending s. 282.0056, F.S.; providing for
1403 development by the agency executive director of a
1404 biennial State Information Technology Strategic
1405 Resources Plan for approval by the Governor and the
1406 Cabinet; directing state agencies to submit their own
1407 information technology plans and any requested
1408 information to the agency; revising provisions for
1409 development of work plans and implementation plans;
1410 revising provisions for reporting on achievements;
1411 amending s. 282.201, F.S.; revising provisions for a
1412 state data center system; providing legislative
1413 intent; directing the agency to provide
1414 recommendations to the Governor and Legislature
1415 relating to changes to the schedule for the
1416 consolidations of state agency data centers; providing
1417 duties of a state agency consolidating a data center
1418 into a primary data center; revising the scheduled
1419 consolidation dates for state agency data centers;
1420 amending s. 282.203, F.S.; revising duties of primary
1421 data centers; removing provisions for boards of
1422 trustees to head primary data centers; requiring a
1423 memorandum of understanding between the primary data
1424 center and the participating state agency; limiting
1425 the term of the memorandum; providing for failure to
1426 enter into a memorandum; repealing s. 282.204, F.S.,
1427 relating to Northwood Shared Resource Center;
1428 repealing s. 282.205, F.S., relating to Southwood
1429 Shared Resource Center; creating s. 282.206, F.S.;
1430 establishing the Fletcher Shared Resource Center
1431 within the Department of Financial Services to provide
1432 enterprise information technology services; directing
1433 the center to collaborate with the agency; directing
1434 the center to provide collocation services to the
1435 Department of Legal Affairs, the Department of
1436 Agriculture and Consumer Services, and the Department
1437 of Financial Services; directing the Department of
1438 Financial Services to continue to use the center and
1439 provide service to the Office of Financial Regulation
1440 and the Office of Insurance Regulation and host the
1441 Legislative Appropriations System/Planning and
1442 Budgeting Subsystem; providing for governance of the
1443 center; providing for a steering committee to ensure
1444 adequacy and appropriateness of services; directing
1445 the Department of Legal Affairs and the Department of
1446 Agriculture and Consumer Services to move data center
1447 equipment to the center by certain dates; repealing s.
1448 282.33, F.S., relating to objective standards for data
1449 center energy efficiency; amending s. 282.34, F.S.;
1450 revising provisions for a statewide e-mail service to
1451 meet the needs of executive branch agencies; requiring
1452 state agencies to receive e-mail services through the
1453 agency; authorizing the Department of Agriculture and
1454 Consumer Services, the Department of Financial
1455 Services, the Office of Financial Regulation, and the
1456 Office of Insurance Regulation to receive e-mail
1457 services from the Fletcher Shared Resource Center or
1458 the agency; amending s. 282.702, F.S.; directing the
1459 agency to develop a plan for statewide voice-over
1460 Internet protocol services; requiring certain content
1461 in the plan; requiring the plan to be submitted to the
1462 Governor, the Cabinet, and the Legislature by a
1463 certain date; amending s. 364.0135, F.S.; providing
1464 for the agency’s role in the promotion of broadband
1465 Internet service; providing an additional duty;
1466 amending ss. 20.22, 110.205, 215.22, 215.322, 216.292,
1467 282.318, 282.604, 282.703, 282.704, 282.705, 282.706,
1468 282.707, 282.709, 282.7101, 282.711, 287.012, 287.057,
1469 318.18, 320.0802, 328.72, 365.171, 365.172, 365.173,
1470 365.174, 401.013, 401.015, 401.018, 401.021, 401.024,
1471 401.027, 401.465, 445.011, 445.045, and 668.50, F.S.,
1472 relating to a financial and cash management system
1473 task force, career service exemptions, trust funds,
1474 payment cards and electronic funds transfers, the
1475 Communications Working Capital Trust Fund, the
1476 Enterprise Information Technology Services Management
1477 Act, adoption of rules, the Communication Information
1478 Technology Services Act, procurement of commodities
1479 and contractual services, the Florida Uniform
1480 Disposition of Traffic Infractions Act, surcharge on
1481 vehicle license tax, vessel registration, broadband
1482 Internet service, the emergency communications number
1483 E911, regional emergency medical telecommunications,
1484 the Workforce Innovation Act of 2000, and the Uniform
1485 Electronic Transaction Act; conforming provisions and
1486 cross-references to changes made by the act; revising
1487 and deleting obsolete provisions; providing an
1488 effective date.