SB 1984                                          First Engrossed
    1                        A bill to be entitled                      
    2         An act relating to state technology; abolishing the
    3         Agency for Enterprise Information Technology;
    4         transferring the personnel, functions, and funds of
    5         the Agency for Enterprise Information Technology to
    6         the Agency for State Technology; transferring
    7         specified personnel, functions, and funds relating to
    8         technology programs from the Department of Management
    9         Services to the Agency for State Technology;
   10         transferring the Northwood Shared Resource Center and
   11         the Southwood Shared Resource Center to the agency;
   12         repealing s. 14.204, F.S., relating to the Agency for
   13         Enterprise Information Technology; creating s. 20.70,
   14         F.S.; creating the Agency for State Technology;
   15         providing for an executive director who shall be the
   16         state’s Chief Information Officer; providing for
   17         organization of the agency; providing duties and
   18         responsibilities of the agency and of the executive
   19         director; requiring certain status reports to the
   20         Governor, the Cabinet, and the Legislature;
   21         authorizing the agency to adopt rules; reordering and
   22         amending s. 282.0041, F.S.; revising and providing
   23         definitions of terms as used in the Enterprise
   24         Information Technology Services Management Act;
   25         amending s. 282.0055, F.S.; revising provisions for
   26         assignment of information technology services;
   27         directing the agency to create a road map for
   28         enterprise information technology service
   29         consolidation and a comprehensive transition plan;
   30         requiring the transition plan to be submitted to the
   31         Governor and Cabinet and the Legislature by a certain
   32         date; providing duties for state agencies relating to
   33         the transition plan; prohibiting state agencies from
   34         certain technology-related activities; providing for
   35         exceptions; amending s. 282.0056, F.S.; providing for
   36         development by the agency executive director of a
   37         biennial State Information Technology Strategic
   38         Resources Plan for approval by the Governor and the
   39         Cabinet; directing state agencies to submit their own
   40         information technology plans and any requested
   41         information to the agency; revising provisions for
   42         development of work plans and implementation plans;
   43         revising provisions for reporting on achievements;
   44         amending s. 282.201, F.S.; revising provisions for a
   45         state data center system; providing legislative
   46         intent; directing the agency to provide
   47         recommendations to the Governor and Legislature
   48         relating to changes to the schedule for the
   49         consolidations of state agency data centers; providing
   50         duties of a state agency consolidating a data center
   51         into a primary data center; revising the scheduled
   52         consolidation dates for state agency data centers;
   53         amending s. 282.203, F.S.; revising duties of primary
   54         data centers; removing provisions for boards of
   55         trustees to head primary data centers; requiring a
   56         memorandum of understanding between the primary data
   57         center and the participating state agency; limiting
   58         the term of the memorandum; providing for failure to
   59         enter into a memorandum; repealing s. 282.204, F.S.,
   60         relating to Northwood Shared Resource Center;
   61         repealing s. 282.205, F.S., relating to Southwood
   62         Shared Resource Center; creating s. 282.206, F.S.;
   63         establishing the Fletcher Shared Resource Center
   64         within the Department of Financial Services to provide
   65         enterprise information technology services; directing
   66         the center to collaborate with the agency; directing
   67         the center to provide collocation services to the
   68         Department of Legal Affairs, the Department of
   69         Agriculture and Consumer Services, and the Department
   70         of Financial Services; directing the Department of
   71         Financial Services to continue to use the center and
   72         provide service to the Office of Financial Regulation
   73         and the Office of Insurance Regulation and host the
   74         Legislative Appropriations System/Planning and
   75         Budgeting Subsystem; providing for governance of the
   76         center; providing for a steering committee to ensure
   77         adequacy and appropriateness of services; directing
   78         the Department of Legal Affairs and the Department of
   79         Agriculture and Consumer Services to move data center
   80         equipment to the center by certain dates; repealing s.
   81         282.33, F.S., relating to objective standards for data
   82         center energy efficiency; amending s. 282.34, F.S.;
   83         revising provisions for a statewide e-mail service to
   84         meet the needs of executive branch agencies; requiring
   85         state agencies to receive e-mail services through the
   86         agency; authorizing the Department of Agriculture and
   87         Consumer Services, the Department of Financial
   88         Services, the Office of Financial Regulation, and the
   89         Office of Insurance Regulation to receive e-mail
   90         services from the Fletcher Shared Resource Center or
   91         the agency; amending s. 282.702, F.S.; directing the
   92         agency to develop a plan for statewide voice-over
   93         Internet protocol services; requiring certain content
   94         in the plan; requiring the plan to be submitted to the
   95         Governor, the Cabinet, and the Legislature by a
   96         certain date; amending s. 364.0135, F.S.; providing
   97         for the agency’s role in the promotion of broadband
   98         Internet service; providing an additional duty;
   99         amending ss. 20.22, 110.205, 215.22, 215.322, 216.292,
  100         282.318, 282.604, 282.703, 282.704, 282.705, 282.706,
  101         282.707, 282.709, 282.7101, 282.711, 287.012, 287.057,
  102         318.18, 320.0802, 328.72, 365.171, 365.172, 365.173,
  103         365.174, 401.013, 401.015, 401.018, 401.021, 401.024,
  104         401.027, 401.465, 445.011, 445.045, and 668.50, F.S.,
  105         relating to a financial and cash management system
  106         task force, career service exemptions, trust funds,
  107         payment cards and electronic funds transfers, the
  108         Communications Working Capital Trust Fund, the
  109         Enterprise Information Technology Services Management
  110         Act, adoption of rules, the Communication Information
  111         Technology Services Act, procurement of commodities
  112         and contractual services, the Florida Uniform
  113         Disposition of Traffic Infractions Act, surcharge on
  114         vehicle license tax, vessel registration, broadband
  115         Internet service, the emergency communications number
  116         E911, regional emergency medical telecommunications,
  117         the Workforce Innovation Act of 2000, and the Uniform
  118         Electronic Transaction Act; conforming provisions and
  119         cross-references to changes made by the act; revising
  120         and deleting obsolete provisions; providing an
  121         effective date.
  123  Be It Enacted by the Legislature of the State of Florida:
  125         Section 1. (1) The Agency for Enterprise Information
  126  Technology is abolished.
  127         (2) All of the powers, duties, functions, records,
  128  personnel, and property; funds, trust funds, and unexpended
  129  balances of appropriations, allocations, and other funds;
  130  administrative authority; administrative rules; pending issues;
  131  and existing contracts of the Agency for Enterprise Information
  132  Technology are transferred by a type two transfer, pursuant to
  133  s. 20.06(2), Florida Statutes, to the Agency for State
  134  Technology.
  135         Section 2. (1) The portions of the Technology Program
  136  established under section 20.22(2), Florida Statutes, and
  137  identified in the approved plan defined in s. 282.0055(2),
  138  Florida Statutes, shall transfer by a type one transfer, as
  139  defined in s. 20.06(1), Florida Statutes, from the Department of
  140  Management Services to the Agency for State Technology no later
  141  than June 30, 2014.
  142         (2) The Northwood Shared Resource Center is transferred by
  143  a type one transfer, as defined in s. 20.06(1), Florida
  144  Statutes, from the Department of Management Services to the
  145  Agency for State Technology.
  146         (a) Any binding contract or interagency agreement entered
  147  into between the Northwood Shared Resource Center, or an entity
  148  or agent of the center, and any other agency, entity, or person
  149  is binding on the Agency for State Technology for the remainder
  150  of the term of such contract or agreement.
  151         (b) The rules of the Northwood Shared Resource Center which
  152  were in effect at 11:59 p.m. on June 30, 2012, become rules of
  153  the Agency for State Technology and remain in effect until
  154  amended or repealed in the manner provided by law.
  155         (3) The Southwood Shared Resource Center is transferred by
  156  a type one transfer, as defined in s. 20.06(1), Florida
  157  Statutes, from the Department of Management Services to the
  158  Agency for State Technology.
  159         (a) Any binding contract or interagency agreement entered
  160  into between the Southwood Shared Resource Center or an entity
  161  or agent of the center and any other agency, entity, or person
  162  is binding on the Agency for State Technology for the remainder
  163  of the term of such contract or agreement.
  164         (b) The rules of the Southwood Shared Resource Center which
  165  were in effect at 11:59 p.m. on June 30, 2012, become rules of
  166  the Agency for State Technology and remain in effect until
  167  amended or repealed in the manner provided by law.
  168         Section 3. Section 14.204, Florida Statutes, is repealed.
  169         Section 4. Section 20.70, Florida Statutes, is created to
  170  read:
  171         20.70 Agency for State Technology.—The Agency for State
  172  Technology is created.
  173         (1) The head of the agency shall be the Governor and
  174  Cabinet.
  175         (2) The agency shall have an executive director who is the
  176  state’s Chief Information Officer and who must:
  177         (a) Have at least a bachelor’s degree in computer science,
  178  information systems, business or public administration, or a
  179  related field, or equivalent work experience;
  180         (b) Have 10 or more years of experience working in the
  181  field of information technology;
  182         (c) Have 5 or more years of experience in related industry
  183  managing multiple, large, cross-functional teams or projects,
  184  and influencing senior-level management and key stakeholders;
  185         (d) Have at least 5 years of executive-level leadership
  186  responsibilities;
  187         (e) Have performed an integral role in enterprise-wide
  188  information technology consolidations;
  189         (f) Be appointed by the Governor, subject to confirmation
  190  by the Cabinet and the Senate, and shall serve at the pleasure
  191  of the Governor and Cabinet.
  192         (3) The executive director:
  193         (a) Shall be responsible for developing and administering a
  194  comprehensive long-range plan for the state’s information
  195  technology resources, ensuring the proper management of such
  196  resources, and delivering services.
  197         (b) Shall appoint a Chief Technology Officer to lead the
  198  divisions of the agency dedicated to the operation and delivery
  199  of enterprise information technology services.
  200         (c) Shall appoint a Chief Operations Officer to lead the
  201  divisions of the agency dedicated to enterprise information
  202  technology policy, planning, standards, and procurement.
  203         (d) Shall designate a state Chief Information Security
  204  Officer.
  205         (e) May appoint all employees necessary to carry out the
  206  duties and responsibilities of the agency.
  207         (4) The Agency for State Technology is prohibited from
  208  using, and executives of the agency are prohibited from
  209  directing spending from, operational information technology
  210  trust funds, as defined in 282.0041, F.S., for any purpose for
  211  which the Strategic Information Technology Trust Fund was
  212  established.
  213         (5) The following officers and divisions of the agency are
  214  established:
  215         (a) Under the Chief Technology Officer:
  216         1. Upon transfer any portion of the Technology Program from
  217  the Department of Management Services to the agency, there shall
  218  be a Division of Telecommunications.
  219         2. The Division of Data Center Operations which includes,
  220  but is not limited to, any shared resource center established or
  221  operated by the agency.
  222         (b) Under the Chief Operations Officer:
  223         1. Strategic Planning.
  224         2. Enterprise Information Technology Standards.
  225         a. Enterprise Information Technology Procurement.
  226         b. Information Technology Security and Compliance.
  227         3. Enterprise Services Planning and Consolidation.
  228         4. Enterprise Project Management.
  229         (c) Under the Director of Administration:
  230         1. Accounting and Budgeting.
  231         2. Personnel.
  232         3. Procurement and Contracts.
  233         (d) Under the Office of the Executive Director:
  234         1. Inspector General.
  235         2. Legal.
  236         3. Governmental Affairs.
  237         (6) The agency shall operate in a manner that ensures the
  238  participation and representation of state agencies.
  239         (7) The agency shall have the following duties and
  240  responsibilities. The agency shall:
  241         (a) Develop and publish a long-term State Information
  242  Technology Resources Strategic Plan.
  243         (b) Initiate, plan, design, implement, and manage
  244  enterprise information technology services.
  245         (c) Beginning October 1, 2012, and every 3 months
  246  thereafter, provide a status report on its initiatives. The
  247  report shall be presented at a meeting of the Governor and
  248  Cabinet.
  249         (d) Beginning September 1, 2013, and every 3 months
  250  thereafter until enterprise information technology service
  251  consolidations are complete, provide a status report on the
  252  implementation of the consolidations that must be completed
  253  during the fiscal year. The report shall be submitted to the
  254  Executive Office of the Governor, the Cabinet, the President of
  255  the Senate, and the Speaker of the House of Representatives. At
  256  a minimum, the report must describe:
  257         1. Whether the consolidation is on schedule, including
  258  progress on achieving the milestones necessary for successful
  259  and timely consolidation of scheduled agency data centers and
  260  computing facilities; and
  261         2. The risks that may affect the progress or outcome of the
  262  consolidation and how such risks are being mitigated or managed.
  263         (e) Set technical standards for information technology,
  264  including, but not limited to, desktop computers, printers, and
  265  mobile devices; review major information technology projects and
  266  procurements; establish information technology security
  267  standards; provide for the procurement of information technology
  268  resources, excluding human resources; and deliver enterprise
  269  information technology services as defined in s. 282.0041.
  270         (f) Designate primary data centers and shared resource
  271  centers.
  272         (g) Operate shared resource centers in a manner that
  273  promotes energy efficiency.
  274         (h) Establish and deliver enterprise information technology
  275  services to serve state agencies on a cost-sharing basis,
  276  charging each state agency its proportionate share of the cost
  277  of maintaining and delivering a service based on a state
  278  agency’s use of the service.
  279         (i) Use the following criteria to develop a means of
  280  chargeback for primary data center services:
  281         1. The customers of the primary data center shall provide
  282  payments to the primary data center which are sufficient to
  283  maintain the solvency of the primary data center operation for
  284  the costs not directly funded through the General Appropriations
  285  Act.
  286         2. Per unit cost of usage shall be the primary basis for
  287  pricing, and usage must be accurately measurable and
  288  attributable to the appropriate customer.
  289         3. The primary data center shall combine the aggregate
  290  purchasing power of large and small customers to achieve
  291  collective savings opportunities to all customers.
  292         4. Chargeback methodologies shall be devised to consider
  293  restrictions on grants to customers.
  294         5. Chargeback methodologies should establish incentives
  295  that lead to customer usage practices that result in lower costs
  296  to the state.
  297         6. Chargeback methodologies must consider technological
  298  change when:
  299         a. New services require short-term investments before
  300  achieving long-term, full cost recovery for the service.
  301         b. Customers of antiquated services may not be able to bear
  302  the costs for the antiquated services during periods when
  303  customers are migrating to replacement services.
  304         7. Prices may be established which allow for accrual of
  305  cash balances for the purpose of maintaining contingent
  306  operating funds and funding planned capital investments. Accrual
  307  of the cash balances shall be considered costs for the purposes
  308  of this section.
  309         8. Flat rate charges may be used only if there are
  310  provisions for reconciling charges to comport with actual costs
  311  and use.
  312         (i) Exercise technical and fiscal prudence in determining
  313  the best way to deliver enterprise information technology
  314  services.
  315         (j) Collect and maintain an inventory of the information
  316  technology resources in the state agencies.
  317         (k) Assume ownership or custody and control of information
  318  processing equipment, supplies, and positions required in order
  319  to thoroughly carry out the agency’s duties and
  320  responsibilities.
  321         (l) Adopt rules and policies for the efficient, secure, and
  322  economical management and operation of the shared resource
  323  centers and state telecommunications services.
  324         (m) Provide other public sector organizations as defined in
  325  s. 282.0041 with access to the services provided by the agency.
  326  Access shall be provided on the same cost basis that applies to
  327  state agencies.
  328         (n) Ensure that data that is confidential under state or
  329  federal law is not entered into or processed through any shared
  330  resource center or network established under the agency until
  331  the agency head and the executive director of the agency are
  332  satisfied that safeguards for the data’s security have been
  333  properly designed, installed, and tested and are fully
  334  operational. This paragraph does not prescribe what actions
  335  necessary to satisfy a state agency’s objectives are to be
  336  undertaken or remove from the control and administration of the
  337  state agency the responsibility for working with the agency to
  338  implement safeguards, whether such control and administration
  339  are specifically required by general law or administered under
  340  the general program authority and responsibility of the state
  341  agency. If the agency head and executive director of the agency
  342  cannot reach agreement on satisfactory safeguards, the issue
  343  shall be decided by the Governor and Cabinet.
  344         (o) Conduct periodic assessments of state agencies for
  345  compliance with statewide information technology policies and
  346  recommend to the Governor and Cabinet statewide policies for
  347  information technology.
  348         (8) The agency may not use or direct the spending of
  349  operational information technology trust funds to study and
  350  develop enterprise information technology strategies, plans,
  351  rules, reports, policies, proposals, budgets, or enterprise
  352  information technology initiatives that are not directly related
  353  to developing information technology services for which usage
  354  fees reimburse the costs of the initiative. As used in this
  355  subsection, the term “operational information technology trust
  356  funds” means funds into which deposits are made on a fee-for
  357  service basis or a trust fund dedicated to a specific
  358  information technology project or system.
  359         (9) The portions of the agency’s activities described in
  360  subsection (8) for which usage fees do not reimburse costs of
  361  the activity shall be funded at a rate of 0.55% of the total
  362  identified information technology spend through
  363  MyFloridaMarketPlace.
  364         (10) The agency may adopt rules to carry out its duties and
  365  responsibilities.
  366         Section 5. Section 282.0041, Florida Statutes, is amended
  367  to read:
  368         282.0041 Definitions.—As used in this chapter, the term:
  369         (1) “Agency” has the same meaning as in s. 216.011(1)(qq),
  370  except that for purposes of this chapter, “agency” does not
  371  include university boards of trustees or state universities.
  372         (1)(2) “Agency for State Enterprise Information Technology”
  373  or “agency” means the agency created in s. 20.70 14.204.
  374         (2)(3) “Agency information technology service” means a
  375  service that directly helps a state an agency fulfill its
  376  statutory or constitutional responsibilities and policy
  377  objectives and is usually associated with the state agency’s
  378  primary or core business functions.
  379         (4) “Annual budget meeting” means a meeting of the board of
  380  trustees of a primary data center to review data center usage to
  381  determine the apportionment of board members for the following
  382  fiscal year, review rates for each service provided, and
  383  determine any other required changes.
  384         (3)(5) “Breach” has the same meaning as in s. 817.5681(4).
  385         (4)(6) “Business continuity plan” means a plan for disaster
  386  recovery which provides for the continued functioning of a
  387  primary data center during and after a disaster.
  388         (5) “Collocation” means the method by which a state
  389  agency’s data center occupies physical space within a shared
  390  resource center where physical floor space, bandwidth, power,
  391  cooling, and physical security are available for an equitable
  392  usage rate and minimal complexity, and allow for the sustained
  393  management and oversight of the collocating agency’s information
  394  technology resources as well as physical and logical database
  395  administration by the collocating agency’s staff.
  396         (6)(7) “Computing facility” means a state agency site space
  397  containing fewer than a total of 10 physical or logical servers,
  398  any of which supports a strategic or nonstrategic information
  399  technology service, as described in budget instructions
  400  developed pursuant to s. 216.023, but excluding
  401  telecommunications and voice gateways and a clustered pair of
  402  servers operating as a single logical server to provide file,
  403  print, security, and endpoint management services single,
  404  logical-server installations that exclusively perform a utility
  405  function such as file and print servers.
  406         (7) “Computing service” means an information technology
  407  service that is used in all state agencies or a subset of
  408  agencies and is, therefore, a candidate for being established as
  409  an enterprise information technology service. Examples include
  410  e-mail, service hosting, telecommunications, and disaster
  411  recovery.
  412         (8) “Customer entity” means an entity that obtains services
  413  from a primary data center.
  414         (8)(9) “Data center” means a state agency site space
  415  containing 10 or more physical or logical servers any of which
  416  supports a strategic or nonstrategic information technology
  417  service, as described in budget instructions developed pursuant
  418  to s. 216.023.
  419         (10) “Department” means the Department of Management
  420  Services.
  421         (9)(11) “Enterprise information technology service” means
  422  an information technology service that is used in all state
  423  agencies or a subset of state agencies and is designated by the
  424  agency or established in law to be designed, delivered, and
  425  managed at the enterprise level. Current enterprise information
  426  technology services include data center services, e-mail, and
  427  security.
  428         (10)(12) “E-mail, messaging, and calendaring service” means
  429  the enterprise information technology service that enables users
  430  to send, receive, file, store, manage, and retrieve electronic
  431  messages, attachments, appointments, and addresses. The e-mail,
  432  messaging, and calendaring service must include e-mail account
  433  management; help desk; technical support and user provisioning
  434  services; disaster recovery and backup and restore capabilities;
  435  antispam and antivirus capabilities; archiving and e-discovery;
  436  and remote access and mobile messaging capabilities.
  437         (11)(13) “Information-system utility” means an information
  438  processing a full-service information-processing facility
  439  offering hardware, software, operations, integration,
  440  networking, floor space, and consulting services.
  441         (12)(14) “Information technology resources” means
  442  equipment, hardware, software, firmware, programs, systems,
  443  networks, infrastructure, media, and related material used to
  444  automatically, electronically, and wirelessly collect, receive,
  445  access, transmit, display, store, record, retrieve, analyze,
  446  evaluate, process, classify, manipulate, manage, assimilate,
  447  control, communicate, exchange, convert, converge, interface,
  448  switch, or disseminate information of any kind or form, and
  449  includes the human resources to perform such duties, but
  450  excludes application developers and logical database
  451  administrators.
  452         (13) “Local area network” means any telecommunications
  453  network through which messages and data are exchanged strictly
  454  within a single building or contiguous campus.
  455         (14)(15) “Information technology policy” means statements
  456  that describe clear choices for how information technology will
  457  deliver effective and efficient government services to residents
  458  and improve state agency operations. A policy may relate to
  459  investments, business applications, architecture, or
  460  infrastructure. A policy describes its rationale, implications
  461  of compliance or noncompliance, the timeline for implementation,
  462  metrics for determining compliance, and the accountable
  463  structure responsible for its implementation.
  464         (15) “Logical database administration” means the resources
  465  required to build and maintain database structure, implement and
  466  maintain role-based data access controls, and perform
  467  performance optimization of data queries and includes the
  468  manipulation, transformation, modification, and maintenance of
  469  data within a logical database. Typical tasks include schema
  470  design and modifications, user provisioning, query tuning, index
  471  and statistics maintenance, and data import, export, and
  472  manipulation.
  473         (16) “Memorandum of understanding” means a written
  474  agreement between a shared resource center or the Division of
  475  Telecommunications in the agency and a state agency which
  476  specifies the scope of services provided, service level,
  477  duration of the agreement, responsible parties, and service
  478  costs. A memorandum of understanding is not a rule pursuant to
  479  chapter 120.
  480         (17) “Other public sector organizations” means entities of
  481  the legislative and judicial branches, the State University
  482  System, the Florida Community College System, counties, and
  483  municipalities. Such organizations may elect to participate in
  484  the information technology programs, services, or contracts
  485  offered by the Agency for State Technology, including
  486  information technology procurement, in accordance with general
  487  law, policies, and administrative rules.
  488         (18)(16) “Performance metrics” means the measures of an
  489  organization’s activities and performance.
  490         (19) “Physical database administration” means the resources
  491  responsible for installing, maintaining, and operating an
  492  environment within which a database is hosted. Typical tasks
  493  include database engine installation, configuration, and
  494  security patching, as well as performing backup and restoration
  495  of hosted databases, setup and maintenance of instance-based
  496  data replication, and monitoring the health and performance of
  497  the database environment.
  498         (20)(17) “Primary data center” means a data center that is
  499  a recipient entity for consolidation of state agency information
  500  technology resources nonprimary data centers and computing
  501  facilities and that is established by law.
  502         (21)(18) “Project” means an endeavor that has a defined
  503  start and end point; is undertaken to create or modify a unique
  504  product, service, or result; and has specific objectives that,
  505  when attained, signify completion.
  506         (22)(19) “Risk analysis” means the process of identifying
  507  security risks, determining their magnitude, and identifying
  508  areas needing safeguards.
  509         (23)(20) “Service level” means the key performance
  510  indicators (KPI) of an organization or service which must be
  511  regularly performed, monitored, and achieved.
  512         (21) “Service-level agreement” means a written contract
  513  between a data center and a customer entity which specifies the
  514  scope of services provided, service level, the duration of the
  515  agreement, the responsible parties, and service costs. A
  516  service-level agreement is not a rule pursuant to chapter 120.
  517         (24) “Shared resource center” means a primary data center
  518  that has been designated and assigned specific duties under this
  519  chapter or by the Agency for State Technology under s. 20.70.
  520         (25)(22) “Standards” means required practices, controls,
  521  components, or configurations established by an authority.
  522         (26) “State agency” means any official, officer,
  523  commission, board, authority, council, committee, or department
  524  of the executive branch of state government. The term does not
  525  include university boards of trustees or state universities.
  526         (27) “State agency site” means a single, contiguous local
  527  area network segment that does not traverse a metropolitan area
  528  network or wide area network.
  529         (28)(23) “SUNCOM Network” means the state enterprise
  530  telecommunications system that provides all methods of
  531  electronic or optical telecommunications beyond a single
  532  building or contiguous building complex and used by entities
  533  authorized as network users under this part.
  534         (29)(24) “Telecommunications” means the science and
  535  technology of communication at a distance, including electronic
  536  systems used in the transmission or reception of information.
  537         (30)(25) “Threat” means any circumstance or event that may
  538  cause harm to the integrity, availability, or confidentiality of
  539  information technology resources.
  540         (31)(26) “Total cost” means all costs associated with
  541  information technology projects or initiatives, including, but
  542  not limited to, value of hardware, software, service,
  543  maintenance, incremental personnel, and facilities. Total cost
  544  of a loan or gift of information technology resources to a state
  545  an agency includes the fair market value of the resources.
  546         (32)(27) “Usage” means the billing amount charged by the
  547  primary data center, less any pass-through charges, to the state
  548  agency customer entity.
  549         (33)(28) “Usage rate” means a state agency’s customer
  550  entity’s usage or billing amount as a percentage of total usage.
  551         (34) “Wide area network” means any telecommunications
  552  network or components thereof through which messages and data
  553  are exchanged outside of a local area network.
  554         Section 6. Section 282.0055, Florida Statutes, is amended
  555  to read:
  556         (Substantial rewording of section. See
  557         s. 282.0055, Florida Statutes, for current text.)
  558         282.0055 Assignment of enterprise information technology.—
  559         (1) The establishment of a systematic process for the
  560  planning, design, implementation, procurement, delivery, and
  561  maintenance of enterprise information technology services shall
  562  be the responsibility of the Agency for State Technology for
  563  executive branch agencies that are created or authorized in
  564  statute to perform legislatively delegated functions. The
  565  agency’s duties shall be performed in collaboration with the
  566  state agencies. The supervision, design, development, delivery,
  567  and maintenance of state-agency specific or unique software
  568  applications shall remain within the responsibility and control
  569  of the individual state agency or other public sector
  570  organization.
  571         (2) During the 2012-2013 fiscal year, the Agency for State
  572  Technology shall, in collaboration with the state agencies and
  573  other stakeholders, create a road map for enterprise information
  574  technology service consolidation. The road map shall be
  575  presented for approval by the Governor and Cabinet by August 30,
  576  2013. At a minimum, the road map must include:
  577         (a) An enterprise architecture that provides innovative,
  578  yet pragmatic and cost-effective offering, and which
  579  contemplates the consolidated delivery of services based on
  580  similar business processes and functions that span across all
  581  executive and cabinet agencies.
  582         (b) A schedule for the consolidation of state agency data
  583  centers.
  584         (c) Cost-saving targets and timeframes for when the savings
  585  will be realized.
  586         (d) Recommendations, including cost estimates, for
  587  improvements to the shared resource centers, which will improve
  588  the agency’s ability to deliver enterprise information
  589  technology services.
  590         (e) A transition plan for the transfer of portions of the
  591  Technology Program established under s. 20.22(2), Florida
  592  Statutes, that provide an enterprise information technology
  593  service.
  594         (3) By October 15th of each year beginning in 2013, the
  595  Agency for State Technology shall develop a comprehensive
  596  transition plan for scheduled consolidations occurring in the
  597  next fiscal year. This plan shall be submitted to the Governor,
  598  the Cabinet, the President of the Senate, and the Speaker of the
  599  House of Representatives. The transition plan shall be developed
  600  in consultation with other state agencies submitting state
  601  agency transition plans. The comprehensive transition plan must
  602  include:
  603         (a) Recommendations for accomplishing the proposed
  604  transitions as efficiently and effectively as possible with
  605  minimal disruption to state agency business processes.
  606         (b) Strategies to minimize risks associated with any of the
  607  proposed consolidations.
  608         (c) A compilation of the state agency transition plans
  609  submitted by state agencies scheduled for consolidation for the
  610  following fiscal year.
  611         (d) An estimate of the cost to provide enterprise
  612  information technology services for each state agency scheduled
  613  for consolidation.
  614         (e) An analysis of the cost effects resulting from the
  615  planned consolidations on existing state agencies.
  616         (f) The fiscal year adjustments to budget categories in
  617  order to absorb the transfer of state agency information
  618  technology resources pursuant to the legislative budget request
  619  instructions provided in s. 216.023.
  620         (g) A description of any issues that must be resolved in
  621  order to accomplish as efficiently and effectively as possible
  622  all consolidations required during the fiscal year.
  623         (4) State agencies have the following duties:
  624         (a) For the purpose of completing its work activities, each
  625  state agency shall provide to the Agency for State Technology
  626  all requested information and any other information relevant to
  627  the state agency’s ability to effectively transition its
  628  information technology resources into the agency.
  629         (b) For the purpose of completing its work activities, each
  630  state agency shall temporarily assign staff to assist the agency
  631  with designated tasks as negotiated between the agency and the
  632  state agency.
  633         (c) Each state agency identified for consolidation into an
  634  enterprise information technology service offering must submit a
  635  transition plan to the Agency for State Technology by September
  636  1 of the fiscal year before the fiscal year in which the
  637  scheduled consolidation will occur. Transition plans shall be
  638  developed in consultation with the agency and must include:
  639         1. An inventory of the state agency data center’s resources
  640  being consolidated, including all hardware, software, staff, and
  641  contracted services, and the facility resources performing data
  642  center management and operations, security, backup and recovery,
  643  disaster recovery, system administration, database
  644  administration, system programming, mainframe maintenance, job
  645  control, production control, print, storage, technical support,
  646  help desk, and managed services, but excluding application
  647  development.
  648         2. A description of the level of services needed to meet
  649  the technical and operational requirements of the platforms
  650  being consolidated and an estimate of the primary data center’s
  651  cost for the provision of such services.
  652         3. A description of expected changes to its information
  653  technology needs and the timeframe when such changes will occur.
  654         4. A description of the information technology resources
  655  proposed to remain in the state agency.
  656         5. A baseline project schedule for the completion of the
  657  consolidation.
  658         6. The specific recurring and nonrecurring budget
  659  adjustments of budget resources by appropriation category into
  660  the appropriate data processing category pursuant to the
  661  legislative budget instructions in s. 216.023 necessary to
  662  support state agency costs for the transfer.
  663         (5)(a) Unless authorized by the Legislature or the agency
  664  as provided in paragraphs (b) and (c), a state agency may not:
  665         1. Create a new computing service or expand an existing
  666  computing service if that service has been designated as an
  667  enterprise information technology service.
  668         2. Spend funds before the state agency’s scheduled
  669  consolidation to an enterprise information technology service to
  670  purchase or modify hardware or operations software that does not
  671  comply with hardware and software standards established by the
  672  Agency for State Technology.
  673         3. Unless for the purpose of offsite disaster recovery
  674  services, transfer existing computing services to any service
  675  provider other than the Agency for State Technology.
  676         4. Terminate services with the Agency for State Technology
  677  without giving written notice of intent to terminate or transfer
  678  services 180 days before such termination or transfer.
  679         5. Initiate a new computing service with any service
  680  provider other than the Agency for State Technology if that
  681  service has been designated as an enterprise information
  682  technology service.
  683         (b) Exceptions to the limitations in subparagraphs (a)1.,
  684  2., 3., and 5. may be granted by the Agency for State Technology
  685  if there is insufficient capacity in the primary data centers to
  686  absorb the workload associated with agency computing services,
  687  expenditures are compatible with the scheduled consolidation and
  688  established standards, or the equipment or resources are needed
  689  to meet a critical state agency business need that cannot be
  690  satisfied from surplus equipment or resources of the primary
  691  data center until the state agency data center is consolidated.
  692         1. A request for an exception must be submitted in writing
  693  to the Agency for State Technology. The agency must accept,
  694  accept with conditions, or deny the request within 60 days after
  695  receipt of the written request. The agency’s decision is not
  696  subject to chapter 120.
  697         2. The Agency for State Technology may not approve a
  698  request unless it includes, at a minimum:
  699         a. A detailed description of the capacity requirements of
  700  the state agency requesting the exception.
  701         b. Documentation from the state agency head demonstrating
  702  why it is critical to the state agency’s mission that the
  703  expansion or transfer must be completed within the fiscal year
  704  rather than when capacity is established at a primary data
  705  center.
  706         3. Exceptions to subparagraph (a)4. may be granted by the
  707  Agency for State Technology if the termination or transfer of
  708  services can be absorbed within the current cost-allocation
  709  plan.
  710         Section 7. Section 282.0056, Florida Statutes, is amended
  711  to read:
  712         282.0056 Strategic plan, development of work plan, and;
  713  development of implementation plans; and policy
  714  recommendations.—
  715         (1) In order to provide a systematic process for meeting
  716  the state’s technology needs, the executive director of the
  717  Agency for State Technology shall develop a biennial state
  718  Information Technology Resources Strategic Plan. The Governor
  719  and Cabinet shall approve the plan before transmitting it to the
  720  Legislature, biennially, starting October 1, 2013. The plan must
  721  include the following elements:
  722         (a) The vision, goals, initiatives, and targets for state
  723  information technology for the short term of 2 years, midterm of
  724  3 to 5 years, and long term of more than 5 years.
  725         (b) An inventory of the information technology resources in
  726  state agencies and major projects currently in progress and
  727  planned. This does not imply that the agency has approval
  728  authority over major projects. As used in this section, the term
  729  “major project” means projects that cost more than $1 million to
  730  implement.
  731         (c) An analysis of opportunities for statewide initiatives
  732  that would yield efficiencies, cost savings, or avoidance or
  733  improve effectiveness in state programs. The analysis must
  734  include:
  735         1. Information technology services that should be designed,
  736  delivered, and managed as enterprise information technology
  737  services.
  738         2. Techniques for consolidating the purchase of information
  739  technology commodities and services that may result in savings
  740  for the state and for establishing a process to achieve savings
  741  through consolidated purchases.
  742         3. A cost-benefit analysis of options, such as
  743  privatization, outsourcing, or insourcing, to reduce costs or
  744  improve services to agencies and taxpayers.
  745         (d) Recommended initiatives based on the analysis in
  746  paragraph (c).
  747         (e) Implementation plans for enterprise information
  748  technology services designated by the agency. The implementation
  749  plans must describe the scope of service, requirements analyses,
  750  costs and savings projects, and a project schedule for statewide
  751  implementation.
  752         (2) Each state agency shall, biennially, provide to the
  753  agency the inventory required under paragraph (1)(b). The agency
  754  shall consult with and assist state agencies in the preparation
  755  of these inventories. Each state agency shall submit its
  756  inventory to the agency biennially, starting January 1, 2013.
  757         (3) For the purpose of completing its work activities, each
  758  state agency shall provide to the agency all requested
  759  information, including, but not limited to, the state agency’s
  760  costs, service requirements, staffing, and equipment
  761  inventories.
  762         (4)(1)For the purpose of ensuring accountability for the
  763  duties and responsibilities of the executive director and the
  764  agency under ss. 20.70 and 282.0055, the executive director For
  765  the purposes of carrying out its responsibilities under s.
  766  282.0055, the Agency for Enterprise Information Technology shall
  767  develop an annual work plan within 60 days after the beginning
  768  of the fiscal year describing the activities that the agency
  769  intends to undertake for that year and identify the critical
  770  success factors, risks, and issues associated with the work
  771  planned. The work plan must also include planned including
  772  proposed outcomes and completion timeframes for the planning and
  773  implementation of all enterprise information technology
  774  services. The work plan must align with the state Information
  775  Technology Resources Strategic Plan, be presented at a public
  776  hearing, and be approved by the Governor and Cabinet;, and,
  777  thereafter, be submitted to the President of the Senate and the
  778  Speaker of the House of Representatives. The work plan may be
  779  amended as needed, subject to approval by the Governor and
  780  Cabinet.
  781         (2) The agency may develop and submit to the President of
  782  the Senate, the Speaker of the House of Representatives, and the
  783  Governor by October 1 of each year implementation plans for
  784  proposed enterprise information technology services to be
  785  established in law.
  786         (3) In developing policy recommendations and implementation
  787  plans for established and proposed enterprise information
  788  technology services, the agency shall describe the scope of
  789  operation, conduct costs and requirements analyses, conduct an
  790  inventory of all existing information technology resources that
  791  are associated with each service, and develop strategies and
  792  timeframes for statewide migration.
  793         (4) For the purpose of completing its work activities, each
  794  state agency shall provide to the agency all requested
  795  information, including, but not limited to, the state agency’s
  796  costs, service requirements, and equipment inventories.
  797         (5) For the purpose of ensuring accountability for the
  798  duties and responsibilities of the executive director and the
  799  agency under ss. 20.70 and 282.0055, within 60 days after the
  800  end of each fiscal year, the executive director agency shall
  801  report to the Governor and Cabinet, the President of the Senate,
  802  and the Speaker of the House of Representatives on what was
  803  achieved or not achieved in the prior year’s work plan.
  804         Section 8. Section 282.201, Florida Statutes, is amended to
  805  read:
  806         (Substantial rewording of section. See
  807         s. 282.201, Florida Statutes, for current text.)
  808         282.201 State data center system; agency duties and
  809  limitations.—A state data center system that includes all
  810  primary data centers, other nonprimary data centers, and
  811  computing facilities, and that provides an enterprise
  812  information technology service, is established.
  813         (1) INTENT.—The Legislature finds that the most efficient
  814  and effective means of providing quality utility data processing
  815  services to state agencies requires that computing resources be
  816  concentrated in quality facilities that provide the proper
  817  security, infrastructure, and staff resources to ensure that the
  818  state’s data is maintained reliably and safely and is
  819  recoverable in the event of a disaster. Efficiencies resulting
  820  from such consolidation include the increased ability to
  821  leverage technological expertise and hardware and software
  822  capabilities; increased savings through consolidated purchasing
  823  decisions; and the enhanced ability to deploy technology
  824  improvements and implement new policies consistently throughout
  825  the consolidated organization.
  827         (a) The agency shall by October 1, 2013, provide to the
  828  Governor and Cabinet, recommendations for approving, confirming
  829  and removing primary data center designation. The
  830  recommendations shall consider the recommendations from the Law
  831  Enforcement Consolidations Task Force. Upon approval of the
  832  Governor and Cabinet of primary data center designations,
  833  existing primary data center designations are repealed by
  834  operation of law, and therefore, obsolete.
  835         (b) Establish a schedule for the consolidation of state
  836  agency data centers or a transition plan for outsourcing data
  837  center services, subject to review by the Governor and Cabinet.
  838  The schedule or transition plan must be provided by October 1,
  839  2013, and be updated annually until the completion of
  840  consolidation. The schedule must be based on the goals of
  841  maximizing the efficiency and quality of service delivery and
  842  cost savings.
  843         (3) STATE AGENCY DUTIES.—
  844         (a) Any state agency that is consolidating agency data
  845  centers into a primary data center must execute a new or update
  846  an existing memorandum of understanding or service level
  847  agreement within 60 days after the specified consolidation date,
  848  as required by s. 282.203, in order to specify the services and
  849  levels of service it is to receive from the primary data center
  850  as a result of the consolidation. If a state agency is unable to
  851  execute a memorandum of understanding by that date, the state
  852  agency shall submit a report to the Executive Office of the
  853  Governor, the Cabinet, the President of the Senate, and the
  854  Speaker of the House of Representatives within 5 working days
  855  after that date which explains the specific issues preventing
  856  execution and describes its plan and schedule for resolving
  857  those issues.
  858         (b) On the date of each consolidation specified in general
  859  law or the General Appropriations Act, each state agency shall
  860  retain the least-privileged administrative access rights
  861  necessary to perform the duties not assigned to the primary data
  862  centers.
  864  CENTERS.—Consolidations of state agency data centers are
  865  suspended for the 2012-2013 fiscal year. Consolidations shall
  866  resume during the 2013-2014 fiscal year based upon a revised
  867  schedule developed by the agency. The revised schedule shall
  868  consider the recommendations from the Law Enforcement
  869  Consolidation Task Force. State agency data centers and
  870  computing facilities shall be consolidated into the agency by
  871  June 30, 2018.
  872         Section 9. Section 282.203, Florida Statutes, is amended to
  873  read:
  874         (Substantial rewording of section. See
  875         s. 282.203, Florida Statutes, for current text.)
  876         282.203 Primary data centers; duties.—
  877         (1) Each primary data center shall:
  878         (a) Serve participating state agencies as an information
  879  system utility.
  880         (b) Cooperate with participating state agencies to offer,
  881  develop, and support the services and applications.
  882         (c) Provide transparent financial statements to
  883  participating state agencies.
  884         (d) Assume the least-privileged administrative access
  885  rights necessary to perform the services provided by the data
  886  center for the software and equipment that is consolidated into
  887  a primary data center.
  888         (2) Each primary data center shall enter into a memorandum
  889  of understanding with each participating state agency to provide
  890  services. A memorandum of understanding may not have a term
  891  exceeding 3 years but may include an option to renew for up to 3
  892  years. Failure to execute a memorandum within 60 days after
  893  service commencement shall, in the case of a participating state
  894  agency, result in the continuation of the terms of the
  895  memorandum of understanding from the previous fiscal year,
  896  including any amendments that were formally proposed to the
  897  state agency by the primary data center within the 3 months
  898  before service commencement, and a revised cost-of-service
  899  estimate. If a participating state agency fails to execute a
  900  memorandum of understanding within 60 days after service
  901  commencement, the data center may cease providing services.
  902         Section 10. Section 282.204, Florida Statutes, is repealed.
  903         Section 11. Section 282.205, Florida Statutes, is repealed.
  904         Section 12. Section 282.33, Florida Statutes, is repealed.
  905         Section 13. Section 282.34, Florida Statutes, is amended to
  906  read:
  907         282.34 Statewide e-mail service.—A statewide e-mail service
  908  that includes the delivery and support of e-mail, messaging, and
  909  calendaring capabilities is established as an enterprise
  910  information technology service as defined in s. 282.0041. The
  911  service shall be provisioned designed to meet the needs of all
  912  executive branch agencies and may also be used by other public
  913  sector nonstate agency entities. The primary goals of the
  914  service are to provide a reliable collaborative communication
  915  service to state agencies; minimize the state investment
  916  required to establish, operate, and support the statewide
  917  service; reduce the cost of current e-mail operations and the
  918  number of duplicative e-mail systems; and eliminate the need for
  919  each state agency to maintain its own e-mail staff.
  920         (1) Except as specified in subsection (2), all state
  921  agencies shall receive their primary e-mail services exclusively
  922  through the Agency for State Technology. The Southwood Shared
  923  Resource Center, a primary data center, shall be the provider of
  924  the statewide e-mail service for all state agencies. The center
  925  shall centrally host, manage, operate, and support the service,
  926  or outsource the hosting, management, operational, or support
  927  components of the service in order to achieve the primary goals
  928  identified in this section.
  929         (2) The Department of Legal Affairs shall work with the
  930  agency to develop a plan to migrate to the enterprise e-mail
  931  service. The plan shall identify the time frame for migration,
  932  the associated costs, and the risks. The plan shall be presented
  933  to the Governor and Cabinet by December 1, 2014. The Agency for
  934  Enterprise Information Technology, in cooperation and
  935  consultation with all state agencies, shall prepare and submit
  936  for approval by the Legislative Budget Commission at a meeting
  937  scheduled before June 30, 2011, a proposed plan for the
  938  migration of all state agencies to the statewide e-mail service.
  939  The plan for migration must include:
  940         (a) A cost-benefit analysis that compares the total
  941  recurring and nonrecurring operating costs of the current agency
  942  e-mail systems, including monthly mailbox costs, staffing,
  943  licensing and maintenance costs, hardware, and other related e
  944  mail product and service costs to the costs associated with the
  945  proposed statewide e-mail service. The analysis must also
  946  include:
  947         1. A comparison of the estimated total 7-year life-cycle
  948  cost of the current agency e-mail systems versus the feasibility
  949  of funding the migration and operation of the statewide e-mail
  950  service.
  951         2. An estimate of recurring costs associated with the
  952  energy consumption of current agency e-mail equipment, and the
  953  basis for the estimate.
  954         3. An identification of the overall cost savings resulting
  955  from state agencies migrating to the statewide e-mail service
  956  and decommissioning their agency e-mail systems.
  957         (b) A proposed migration date for all state agencies to be
  958  migrated to the statewide e-mail service. The Agency for
  959  Enterprise Information Technology shall work with the Executive
  960  Office of the Governor to develop the schedule for migrating all
  961  state agencies to the statewide e-mail service except for the
  962  Department of Legal Affairs. The Department of Legal Affairs
  963  shall provide to the Agency for Enterprise Information
  964  Technology by June 1, 2011, a proposed migration date based upon
  965  its decision to participate in the statewide e-mail service and
  966  the identification of any issues that require resolution in
  967  order to migrate to the statewide e-mail service.
  968         (c) A budget amendment, submitted pursuant to chapter 216,
  969  for adjustments to each agency’s approved operating budget
  970  necessary to transfer sufficient budget resources into the
  971  appropriate data processing category to support its statewide e
  972  mail service costs.
  973         (d) A budget amendment, submitted pursuant to chapter 216,
  974  for adjustments to the Southwood Shared Resource Center approved
  975  operating budget to include adjustments in the number of
  976  authorized positions, salary budget and associated rate,
  977  necessary to implement the statewide e-mail service.
  978         (3) Contingent upon approval by the Legislative Budget
  979  Commission, the Southwood Shared Resource Center may contract
  980  for the provision of a statewide e-mail service. Executive
  981  branch agencies must be completely migrated to the statewide e
  982  mail service based upon the migration date included in the
  983  proposed plan approved by the Legislative Budget Commission.
  984         (4) Notwithstanding chapter 216, general revenue funds may
  985  be increased or decreased for each agency provided the net
  986  change to general revenue in total for all agencies is zero or
  987  less.
  988         (5) Subsequent to the approval of the consolidated budget
  989  amendment to reflect budget adjustments necessary to migrate to
  990  the statewide e-mail service, an agency may make adjustments
  991  subject to s. 216.177, notwithstanding provisions in chapter 216
  992  which may require such adjustments to be approved by the
  993  Legislative Budget Commission.
  994         (6) No agency may initiate a new e-mail service or execute
  995  a new e-mail contract or amend a current e-mail contract, other
  996  than with the Southwood Shared Resource Center, for nonessential
  997  products or services unless the Legislative Budget Commission
  998  denies approval for the Southwood Shared Resource Center to
  999  enter into a contract for the statewide e-mail service.
 1000         (7) The Agency for Enterprise Information Technology shall
 1001  work with the Southwood Shared Resource Center to develop an
 1002  implementation plan that identifies and describes the detailed
 1003  processes and timelines for an agency’s migration to the
 1004  statewide e-mail service based on the migration date approved by
 1005  the Legislative Budget Commission. The agency may establish and
 1006  coordinate workgroups consisting of agency e-mail management,
 1007  information technology, budget, and administrative staff to
 1008  assist the agency in the development of the plan.
 1009         (8) Each executive branch agency shall provide all
 1010  information necessary to develop the implementation plan,
 1011  including, but not limited to, required mailbox features and the
 1012  number of mailboxes that will require migration services. Each
 1013  agency must also identify any known business, operational, or
 1014  technical plans, limitations, or constraints that should be
 1015  considered when developing the plan.
 1016         Section 14. Section 282.702, Florida Statutes, is amended
 1017  to read:
 1018         282.702 Powers and duties.—The Department of Management
 1019  Services shall have the following powers, duties, and functions:
 1020         (1) To publish electronically the portfolio of services
 1021  available from the department, including pricing information;
 1022  the policies and procedures governing usage of available
 1023  services; and a forecast of the department’s priorities for each
 1024  telecommunications service.
 1025         (2) To adopt technical standards by rule for the state
 1026  telecommunications network which ensure the interconnection and
 1027  operational security of computer networks, telecommunications,
 1028  and information systems of agencies.
 1029         (3) To enter into agreements related to information
 1030  technology and telecommunications services with state agencies
 1031  and political subdivisions of the state.
 1032         (4) To purchase from or contract with information
 1033  technology providers for information technology, including
 1034  private line services.
 1035         (5) To apply for, receive, and hold authorizations,
 1036  patents, copyrights, trademarks, service marks, licenses, and
 1037  allocations or channels and frequencies to carry out the
 1038  purposes of this part.
 1039         (6) To purchase, lease, or otherwise acquire and to hold,
 1040  sell, transfer, license, or otherwise dispose of real, personal,
 1041  and intellectual property, including, but not limited to,
 1042  patents, trademarks, copyrights, and service marks.
 1043         (7) To cooperate with any federal, state, or local
 1044  emergency management agency in providing for emergency
 1045  telecommunications services.
 1046         (8) To control and approve the purchase, lease, or
 1047  acquisition and the use of telecommunications services,
 1048  software, circuits, and equipment provided as part of any other
 1049  total telecommunications system to be used by the state or its
 1050  agencies.
 1051         (9) To adopt rules pursuant to ss. 120.536(1) and 120.54
 1052  relating to telecommunications and to administer the provisions
 1053  of this part.
 1054         (10) To apply for and accept federal funds for the purposes
 1055  of this part as well as gifts and donations from individuals,
 1056  foundations, and private organizations.
 1057         (11) To monitor issues relating to telecommunications
 1058  facilities and services before the Florida Public Service
 1059  Commission and the Federal Communications Commission and, if
 1060  necessary, prepare position papers, prepare testimony, appear as
 1061  a witness, and retain witnesses on behalf of state agencies in
 1062  proceedings before the commissions.
 1063         (12) Unless delegated to the state agencies by the
 1064  department, to manage and control, but not intercept or
 1065  interpret, telecommunications within the SUNCOM Network by:
 1066         (a) Establishing technical standards to physically
 1067  interface with the SUNCOM Network.
 1068         (b) Specifying how telecommunications are transmitted
 1069  within the SUNCOM Network.
 1070         (c) Controlling the routing of telecommunications within
 1071  the SUNCOM Network.
 1072         (d) Establishing standards, policies, and procedures for
 1073  access to and the security of the SUNCOM Network.
 1074         (e) Ensuring orderly and reliable telecommunications
 1075  services in accordance with the service level agreements
 1076  executed with state agencies.
 1077         (13) To plan, design, and conduct experiments for
 1078  telecommunications services, equipment, and technologies, and to
 1079  implement enhancements in the state telecommunications network
 1080  if in the public interest and cost-effective. Funding for such
 1081  experiments must be derived from SUNCOM Network service revenues
 1082  and may not exceed 2 percent of the annual budget for the SUNCOM
 1083  Network for any fiscal year or as provided in the General
 1084  Appropriations Act. New services offered as a result of this
 1085  subsection may not affect existing rates for facilities or
 1086  services.
 1087         (14) To enter into contracts or agreements, with or without
 1088  competitive bidding or procurement, to make available, on a
 1089  fair, reasonable, and nondiscriminatory basis, property and
 1090  other structures under departmental control for the placement of
 1091  new facilities by any wireless provider of mobile service as
 1092  defined in 47 U.S.C. s. 153(27) or s. 332(d) and any
 1093  telecommunications company as defined in s. 364.02 if it is
 1094  practical and feasible to make such property or other structures
 1095  available. The department may, without adopting a rule, charge a
 1096  just, reasonable, and nondiscriminatory fee for the placement of
 1097  the facilities, payable annually, based on the fair market value
 1098  of space used by comparable telecommunications facilities in the
 1099  state. The department and a wireless provider or
 1100  telecommunications company may negotiate the reduction or
 1101  elimination of a fee in consideration of services provided to
 1102  the department by the wireless provider or telecommunications
 1103  company. All such fees collected by the department shall be
 1104  deposited directly into the Law Enforcement Radio Operating
 1105  Trust Fund, and may be used by the department to construct,
 1106  maintain, or support the system.
 1107         (15) Establish policies that ensure that the department’s
 1108  cost-recovery methodologies, billings, receivables,
 1109  expenditures, budgeting, and accounting data are captured and
 1110  reported timely, consistently, accurately, and transparently and
 1111  are in compliance with all applicable federal and state laws and
 1112  rules. The department shall annually submit to the Governor, the
 1113  President of the Senate, and the Speaker of the House of
 1114  Representatives a report that describes each service and its
 1115  cost, the billing methodology for recovering the cost of the
 1116  service, and, if applicable, the identity of those services that
 1117  are subsidized.
 1118         (16) Develop a plan for statewide voice-over-Internet
 1119  protocol services. The plan shall include cost estimates and the
 1120  estimated return on investment. The plan shall be submitted to
 1121  the Governor, the Cabinet, the President of the Senate, and the
 1122  Speaker of the House of Representatives by June 30, 2013.
 1123         (17) The department shall produce a feasibility analysis by
 1124  January 1, 2013, of the options for procuring end-to-end network
 1125  services, including services provided by the statewide area
 1126  network, metropolitan area networks, and local area networks,
 1127  which may be provided by each state agency. The scope of this
 1128  service does not include wiring or file and print server
 1129  infrastructure. The feasibility analysis must determine the
 1130  technical and economic feasibility of using existing resources
 1131  and infrastructure that are owned or used by state entities in
 1132  the provision or receipt of network services in order to reduce
 1133  the cost of network services for the state. At a minimum, the
 1134  feasibility analysis must include:
 1135         (a) A definition and assessment of the current portfolio of
 1136  services, the network services that are provided by each state
 1137  agency, and a forecast of anticipated changes in network service
 1138  needs which considers specific state agency business needs and
 1139  the implementation of enterprise services established under this
 1140  chapter.
 1141         (b) A description of any limitations or enhancements in the
 1142  network, including any technical or logistical challenges
 1143  relating to the central provisioning of local area network
 1144  services currently provided and supported by each state agency.
 1145  The analysis must also address changes in usage patterns which
 1146  can reasonably be expected due to the consolidation of state
 1147  agency data centers or the specific business needs of state
 1148  agencies and other service customers.
 1149         (c) An analysis and comparison of the risks associated with
 1150  the current service delivery models and at least two other
 1151  options that leverage the existing resources and infrastructure
 1152  identified in this subsection. Options may include multi-vendor
 1153  and segmented contracting options. All sourcing options must
 1154  produce a service that can be used by schools and other
 1155  qualified entities that seek federal grants provided through the
 1156  Universal Service Fund Program.
 1157         (d) A cost-benefit analysis that estimates all major cost
 1158  elements associated with each sourcing option, focusing on the
 1159  nonrecurring and recurring life-cycle costs of the proposal in
 1160  order to determine the financial feasibility of each sourcing
 1161  option. The cost-benefit analysis must include:
 1162         1. The total recurring operating costs of the proposed
 1163  state network service including estimates of monthly charges,
 1164  staffing, billing, licenses and maintenance, hardware, and other
 1165  related costs.
 1166         2. An estimate of nonrecurring costs associated with
 1167  construction, transmission lines, premises and switching
 1168  hardware purchase and installation, and required software based
 1169  on the proposed solution.
 1170         3. An estimate of other critical costs associated with the
 1171  current and proposed sourcing options for the state network.
 1172         (e) Recommendations for reducing current costs associated
 1173  with statewide network services. The department shall consider
 1174  the following in developing the recommendations:
 1175         1. Leveraging existing resources and expertise.
 1176         2. Standardizing service-level agreements to customer
 1177  entities in order to maximize capacity and availability.
 1178         (f) A detailed timeline for the complete procurement and
 1179  transition to a more efficient and cost-effective solution.
 1180         Section 15. Paragraph (e) of subsection (2) of section
 1181  110.205, Florida Statutes, is amended to read:
 1182         110.205 Career service; exemptions.—
 1183         (2) EXEMPT POSITIONS.—The exempt positions that are not
 1184  covered by this part include the following:
 1185         (e) The executive director of Chief Information Officer in
 1186  the Agency for State Enterprise Information Technology. Unless
 1187  otherwise fixed by law, the Governor and Cabinet Agency for
 1188  Enterprise Information Technology shall set the salary and
 1189  benefits of this position in accordance with the rules of the
 1190  Senior Management Service.
 1191         Section 16. Subsections (2) and (9) of section 215.322,
 1192  Florida Statutes, are amended to read:
 1193         215.322 Acceptance of credit cards, charge cards, debit
 1194  cards, or electronic funds transfers by state agencies, units of
 1195  local government, and the judicial branch.—
 1196         (2) A state agency as defined in s. 216.011, or the
 1197  judicial branch, may accept credit cards, charge cards, debit
 1198  cards, or electronic funds transfers in payment for goods and
 1199  services with the prior approval of the Chief Financial Officer.
 1200  If the Internet or other related electronic methods are to be
 1201  used as the collection medium, the Agency for State Enterprise
 1202  Information Technology shall review and recommend to the Chief
 1203  Financial Officer whether to approve the request with regard to
 1204  the process or procedure to be used.
 1205         (9) For payment programs in which credit cards, charge
 1206  cards, or debit cards are accepted by state agencies, the
 1207  judicial branch, or units of local government, the Chief
 1208  Financial Officer, in consultation with the Agency for State
 1209  Enterprise Information Technology, may adopt rules to establish
 1210  uniform security safeguards for cardholder data and to ensure
 1211  compliance with the Payment Card Industry Data Security
 1212  Standards.
 1213         Section 17. Subsections (3), (4), (5), and (6) of section
 1214  282.318, Florida Statutes, are amended to read:
 1215         282.318 Enterprise security of data and information
 1216  technology.—
 1217         (3) The Agency for State Enterprise Information Technology
 1218  is responsible for establishing rules and publishing guidelines
 1219  for ensuring an appropriate level of security for all data and
 1220  information technology resources for executive branch agencies.
 1221  The agency shall also perform the following duties and
 1222  responsibilities:
 1223         (a) Develop, and annually update by February 1, an
 1224  enterprise information security strategic plan that includes
 1225  security goals and objectives for the strategic issues of
 1226  information security policy, risk management, training, incident
 1227  management, and survivability planning.
 1228         (b) Develop enterprise security rules and published
 1229  guidelines for:
 1230         1. Comprehensive risk analyses and information security
 1231  audits conducted by state agencies.
 1232         2. Responding to suspected or confirmed information
 1233  security incidents, including suspected or confirmed breaches of
 1234  personal information or exempt data.
 1235         3. Agency security plans, including strategic security
 1236  plans and security program plans.
 1237         4. The recovery of information technology and data
 1238  following a disaster.
 1239         5. The managerial, operational, and technical safeguards
 1240  for protecting state government data and information technology
 1241  resources.
 1242         (c) Assist agencies in complying with the provisions of
 1243  this section.
 1244         (d) Pursue appropriate funding for the purpose of enhancing
 1245  domestic security.
 1246         (e) Provide training for agency information security
 1247  managers.
 1248         (f) Annually review the strategic and operational
 1249  information security plans of executive branch agencies.
 1250         (4) To assist the Agency for State Enterprise Information
 1251  Technology in carrying out its responsibilities, each state
 1252  agency head shall, at a minimum:
 1253         (a) Designate an information security manager to administer
 1254  the security program of the state agency for its data and
 1255  information technology resources. This designation must be
 1256  provided annually in writing to the Agency for State Enterprise
 1257  Information Technology by January 1.
 1258         (b) Annually submit to the Agency for State Enterprise
 1259  Information Technology annually by July 31, the state agency’s
 1260  comprehensive strategic and operational information security
 1261  plans developed pursuant to the rules and guidelines established
 1262  by the Agency for State Enterprise Information Technology.
 1263         1. The state agency comprehensive strategic information
 1264  security plan must cover a 3-year period and define security
 1265  goals, intermediate objectives, and projected agency costs for
 1266  the strategic issues of agency information security policy, risk
 1267  management, security training, security incident response, and
 1268  survivability. The plan must be based on the enterprise
 1269  strategic information security plan created by the Agency for
 1270  State Enterprise Information Technology. Additional issues may
 1271  be included.
 1272         2. The state agency operational information security plan
 1273  must include a progress report for the prior operational
 1274  information security plan and a project plan that includes
 1275  activities, timelines, and deliverables for security objectives
 1276  that, subject to current resources, the state agency will
 1277  implement during the current fiscal year. The cost of
 1278  implementing the portions of the plan which cannot be funded
 1279  from current resources must be identified in the plan.
 1280         (c) Conduct, and update every 3 years, a comprehensive risk
 1281  analysis to determine the security threats to the data,
 1282  information, and information technology resources of the state
 1283  agency. The risk analysis information is confidential and exempt
 1284  from the provisions of s. 119.07(1), except that such
 1285  information shall be available to the Auditor General and the
 1286  Agency for State Enterprise Information Technology for
 1287  performing postauditing duties.
 1288         (d) Develop, and periodically update, written internal
 1289  policies and procedures that, which include procedures for
 1290  notifying the Agency for State Enterprise Information Technology
 1291  when a suspected or confirmed breach, or an information security
 1292  incident, occurs. Such policies and procedures must be
 1293  consistent with the rules and guidelines established by the
 1294  Agency for State Enterprise Information Technology to ensure the
 1295  security of the data, information, and information technology
 1296  resources of the state agency. The internal policies and
 1297  procedures that, if disclosed, could facilitate the unauthorized
 1298  modification, disclosure, or destruction of data or information
 1299  technology resources are confidential information and exempt
 1300  from s. 119.07(1), except that such information shall be
 1301  available to the Auditor General and the Agency for State
 1302  Enterprise Information Technology for performing postauditing
 1303  duties.
 1304         (e) Implement appropriate cost-effective safeguards to
 1305  address identified risks to the data, information, and
 1306  information technology resources of the state agency.
 1307         (f) Ensure that periodic internal audits and evaluations of
 1308  the state agency’s security program for the data, information,
 1309  and information technology resources of the state agency are
 1310  conducted. The results of such audits and evaluations are
 1311  confidential information and exempt from s. 119.07(1), except
 1312  that such information shall be available to the Auditor General
 1313  and the Agency for State Enterprise Information Technology for
 1314  performing postauditing duties.
 1315         (g) Include appropriate security requirements in the
 1316  written specifications for the solicitation of information
 1317  technology and information technology resources and services,
 1318  which are consistent with the rules and guidelines established
 1319  by the Agency for State Enterprise Information Technology.
 1320         (h) Provide security awareness training to employees and
 1321  users of the state agency’s communication and information
 1322  resources concerning information security risks and the
 1323  responsibility of employees and users to comply with policies,
 1324  standards, guidelines, and operating procedures adopted by the
 1325  state agency to reduce those risks.
 1326         (i) Develop a process for detecting, reporting, and
 1327  responding to suspected or confirmed security incidents,
 1328  including suspected or confirmed breaches consistent with the
 1329  security rules and guidelines established by the Agency for
 1330  State Enterprise Information Technology.
 1331         1. Suspected or confirmed information security incidents
 1332  and breaches must be immediately reported to the Agency for
 1333  State Enterprise Information Technology.
 1334         2. For incidents involving breaches, agencies shall provide
 1335  notice in accordance with s. 817.5681 and to the Agency for
 1336  State Enterprise Information Technology in accordance with this
 1337  subsection.
 1338         (5) Each state agency shall include appropriate security
 1339  requirements in the specifications for the solicitation of
 1340  contracts for procuring information technology or information
 1341  technology resources or services which are consistent with the
 1342  rules and guidelines established by the Agency for State
 1343  Enterprise Information Technology.
 1344         (6) The Agency for State Enterprise Information Technology
 1345  may adopt rules relating to information security and to
 1346  administer the provisions of this section.
 1347         Section 18. Subsection (14) of section 287.012, Florida
 1348  Statutes, is amended to read:
 1349         287.012 Definitions.—As used in this part, the term:
 1350         (14) “Information technology” means, but is not limited to,
 1351  equipment, hardware, software, mainframe maintenance, firmware,
 1352  programs, systems, networks, infrastructure, media, and related
 1353  material used to automatically, electronically, and wirelessly
 1354  collect, receive, access, transmit, display, store, record,
 1355  retrieve, analyze, evaluate, process, classify, manipulate,
 1356  manage, assimilate, control, communicate, exchange, convert,
 1357  converge, interface, switch, or disseminate information of any
 1358  kind or form has the meaning ascribed in s. 282.0041.
 1359         Section 19. Subsection (22) of section 287.057, Florida
 1360  Statutes, is amended to read:
 1361         287.057 Procurement of commodities or contractual
 1362  services.—
 1363         (22) The department, in consultation with the Agency for
 1364  State Enterprise Information Technology and the Chief Financial
 1365  Officer Comptroller, shall develop a program for online
 1366  procurement of commodities and contractual services. To enable
 1367  the state to promote open competition and to leverage its buying
 1368  power, agencies shall participate in the online procurement
 1369  program, and eligible users may participate in the program. Only
 1370  vendors prequalified as meeting mandatory requirements and
 1371  qualifications criteria may participate in online procurement.
 1372         (a) The department, in consultation with the agency, may
 1373  contract for equipment and services necessary to develop and
 1374  implement online procurement.
 1375         (b) The department, in consultation with the agency, shall
 1376  adopt rules, pursuant to ss. 120.536(1) and 120.54, to
 1377  administer the program for online procurement. The rules shall
 1378  include, but not be limited to:
 1379         1. Determining the requirements and qualification criteria
 1380  for prequalifying vendors.
 1381         2. Establishing the procedures for conducting online
 1382  procurement.
 1383         3. Establishing the criteria for eligible commodities and
 1384  contractual services.
 1385         4. Establishing the procedures for providing access to
 1386  online procurement.
 1387         5. Determining the criteria warranting any exceptions to
 1388  participation in the online procurement program.
 1389         (c) The department may impose and shall collect all fees
 1390  for the use of the online procurement systems.
 1391         1. The fees may be imposed on an individual transaction
 1392  basis or as a fixed percentage of the cost savings generated. At
 1393  a minimum, the fees must be set in an amount sufficient to cover
 1394  the projected costs of the services, including administrative
 1395  and project service costs in accordance with the policies of the
 1396  department.
 1397         2. If the department contracts with a provider for online
 1398  procurement, the department, pursuant to appropriation, shall
 1399  compensate the provider from the fees after the department has
 1400  satisfied all ongoing costs. The provider shall report
 1401  transaction data to the department each month so that the
 1402  department may determine the amount due and payable to the
 1403  department from each vendor.
 1404         3. All fees that are due and payable to the state on a
 1405  transactional basis or as a fixed percentage of the cost savings
 1406  generated are subject to s. 215.31 and must be remitted within
 1407  40 days after receipt of payment for which the fees are due. For
 1408  fees that are not remitted within 40 days, the vendor shall pay
 1409  interest at the rate established under s. 55.03(1) on the unpaid
 1410  balance from the expiration of the 40-day period until the fees
 1411  are remitted.
 1412         4. All fees and surcharges collected under this paragraph
 1413  shall be deposited in the Operating Trust Fund as provided by
 1414  law.
 1415         Section 20. Subsection (4) of section 445.011, Florida
 1416  Statutes, is amended to read:
 1417         445.011 Workforce information systems.—
 1418         (4) Workforce Florida, Inc., shall coordinate development
 1419  and implementation of workforce information systems with the
 1420  executive director of the Agency for State Enterprise
 1421  Information Technology to ensure compatibility with the state’s
 1422  information system strategy and enterprise architecture.
 1423         Section 21. Subsection (2) and paragraphs (a) and (b) of
 1424  subsection (4) of section 445.045, Florida Statutes, are amended
 1425  to read:
 1426         445.045 Development of an Internet-based system for
 1427  information technology industry promotion and workforce
 1428  recruitment.—
 1429         (2) Workforce Florida, Inc., shall coordinate with the
 1430  Agency for State Enterprise Information Technology and the
 1431  Department of Economic Opportunity to ensure links, where
 1432  feasible and appropriate, to existing job information websites
 1433  maintained by the state and state agencies and to ensure that
 1434  information technology positions offered by the state and state
 1435  agencies are posted on the information technology website.
 1436         (4)(a) Workforce Florida, Inc., shall coordinate
 1437  development and maintenance of the website under this section
 1438  with the executive director of the Agency for State Enterprise
 1439  Information Technology to ensure compatibility with the state’s
 1440  information system strategy and enterprise architecture.
 1441         (b) Workforce Florida, Inc., may enter into an agreement
 1442  with the Agency for State Enterprise Information Technology, the
 1443  Department of Economic Opportunity, or any other public agency
 1444  with the requisite information technology expertise for the
 1445  provision of design, operating, or other technological services
 1446  necessary to develop and maintain the website.
 1447         Section 22. Paragraph (b) of subsection (18) of section
 1448  668.50, Florida Statutes, is amended to read:
 1449         668.50 Uniform Electronic Transaction Act.—
 1452         (b) To the extent that a governmental agency uses
 1453  electronic records and electronic signatures under paragraph
 1454  (a), the Agency for State Enterprise Information Technology, in
 1455  consultation with the governmental agency, giving due
 1456  consideration to security, may specify:
 1457         1. The manner and format in which the electronic records
 1458  must be created, generated, sent, communicated, received, and
 1459  stored and the systems established for those purposes.
 1460         2. If electronic records must be signed by electronic
 1461  means, the type of electronic signature required, the manner and
 1462  format in which the electronic signature must be affixed to the
 1463  electronic record, and the identity of, or criteria that must be
 1464  met by, any third party used by a person filing a document to
 1465  facilitate the process.
 1466         3. Control processes and procedures as appropriate to
 1467  ensure adequate preservation, disposition, integrity, security,
 1468  confidentiality, and auditability of electronic records.
 1469         4. Any other required attributes for electronic records
 1470  which are specified for corresponding nonelectronic records or
 1471  reasonably necessary under the circumstances.
 1472         Section 23. This act shall take effect July 1, 2012.