Florida Senate - 2012 SENATOR AMENDMENT
Bill No. CS for HB 5509
Senate . House
Floor: WD/2R .
02/23/2012 06:30 PM .
Senator Ring moved the following:
1 Senate Amendment (with title amendment)
3 Delete everything after the enacting clause
4 and insert:
5 Section 1. (1) The Agency for Enterprise Information
6 Technology is abolished.
7 (2) All of the powers, duties, functions, records,
8 personnel, and property; funds, trust funds, and unexpended
9 balances of appropriations, allocations, and other funds;
10 administrative authority; administrative rules; pending issues;
11 and existing contracts of the Agency for Enterprise Information
12 Technology are transferred by a type two transfer, pursuant to
13 s. 20.06(2), Florida Statutes, to the Agency for State
15 Section 2. (1) The portions of the Technology Program
16 established under section 20.22(2), Florida Statutes and
17 identified in the approved plan defined in s. 282.0055(2),
18 Florida Statutes shall transfer by a type one transfer, as
19 defined in s. 20.06(1), Florida Statutes, from the Department of
20 Management Services to the Agency for State Technology no later
21 than June 30, 2014.
22 (2) The Northwood Shared Resource Center is transferred by
23 a type one transfer, as defined in s. 20.06(1), Florida
24 Statutes, from the Department of Management Services to the
25 Agency for State Technology
26 (a) Any binding contract or interagency agreement entered
27 into between the Northwood Shared Resource Center or an entity
28 or agent of the center and any other agency, entity, or person
29 continues as a binding contract or agreement for the remainder
30 of the term of such contract or agreement on the Agency for
31 State Technology.
32 (b) The rules of the Northwood Shared Resource Center which
33 were in effect at 11:59 p.m. on June 30, 2012, become rules of
34 the Agency for State Technology and remain in effect until
35 amended or repealed in the manner provided by law.
36 (3) The Southwood Shared Resource Center is transferred by
37 a type one transfer, as defined in s. 20.06(1), Florida
38 Statutes, from the Department of Management Services to the
39 Agency for State Technology.
40 (a) Any binding contract or interagency agreement entered
41 into between the Southwood Shared Resource Center or an entity
42 or agent of the center and any other agency, entity, or person
43 continues as a binding contract or agreement for the remainder
44 of the term of such contract or agreement on the Agency for
45 State Technology.
46 (b) The rules of the Southwood Shared Resource Center which
47 were in effect at 11:59 p.m. on June 30, 2012, become rules of
48 the Agency for State Technology and remain in effect until
49 amended or repealed in the manner provided by law.
50 Section 3. Section 14.204, Florida Statutes, is repealed.
51 Section 4. Section 14.206, Florida Statutes, is created to
53 14.206 Agency for State Technology.—The Agency for State
54 Technology is created .
55 (1) The head of the agency shall be the Governor and
57 (2) The agency shall have an executive director who is the
58 state’s Chief Information Officer and who must:
59 (a) Have at least a bachelor’s degree in computer science,
60 information systems, business or public administration, or a
61 related field, or equivalent work experience;
62 (b) Have 10 or more years of experience working in the
63 field of information technology;
64 (c) Have 5 or more years of experience in related industry
65 managing multiple, large, cross-functional teams or projects,
66 and influencing senior-level management and key stakeholders;
67 (d) Have at least 5 years of executive-level leadership
69 (e) Have performed an integral role in enterprise-wide
70 information technology consolidations;
71 (f) Be appointed by the Governor, subject to confirmation
72 by the Cabinet and the Senate, and shall serve at the pleasure
73 of the Governor and Cabinet.
74 (3) The executive director:
75 (a) Shall be responsible for developing and administering a
76 comprehensive long-range plan for the state’s information
77 technology resources, ensuring the proper management of such
78 resources, and delivering services.
79 (b) Shall appoint a Chief Technology Officer to lead the
80 divisions of the agency dedicated to the operation and delivery
81 of enterprise information technology services.
82 (c) Shall appoint a Chief Operations Officer to lead the
83 divisions of the agency dedicated to enterprise information
84 technology policy, planning, standards and procurement.
85 (d) Shall designate a state Chief Information Security
87 (e) May appoint all employees necessary to carry out the
88 duties and responsibilities of the agency.
89 (4) The Agency for State Technology is prohibited from
90 using, and executives of the agency are prohibited from
91 directing spending from, operational information technology
92 trust funds, as defined in 282.0041, F.S., for any purpose for
93 which the Strategic Information Technology Trust Fund was
95 (5) The following officers
, and divisions , of the agency
96 are established:
97 (a) Under the Chief Technology Officer:
98 1. Upon transfer any portion of the Technology Program from
99 the Department of Management Services to the agency, there shall
100 be a The Division of Telecommunications once the migration of
101 DivTel from DMS is accomplished.
102 2. The Division of Data Center Operations which includes,
103 but is not limited to, any shared resource center established or
104 operated by the agency.
105 (b) Under the Chief Operations Officer:
106 1. Strategic Planning.
107 2. Enterprise Information Technology Standards.
108 a. Enterprise Information Technology Procurement.
109 b. Information Technology Security and Compliance.
110 3. Enterprise Services Planning and Consolidation.
111 4. Enterprise Project Management.
112 (c) Under the Director of Administration:
113 1. Accounting and Budgeting.
114 2. Personnel.
115 3. Procurement and Contracts.
116 (d) Under the Office of the Executive Director:
117 1. Inspector General.
118 2. Legal.
119 3. Governmental Affairs.
120 (6) The agency shall operate in a manner that ensures the
121 participation and representation of state agencies.
122 (7) The agency shall have the following duties and
123 responsibilities. The agency shall:
124 (a) Develop and publish a long-term State Information
125 Technology Resources Strategic Plan.
126 (b) Initiate, plan, design, implement, and manage
127 enterprise information technology services.
128 (c) Beginning October 1, 2012, and every 3 months
129 thereafter, provide a status report on its initiatives. The
130 report shall be presented at a meeting of the Governor and
132 (d) Beginning September 1, 2013, and every 3 months
133 thereafter until enterprise information technology service
134 consolidations are complete, provide a status report on the
135 implementation of the consolidations that must be completed
136 during the fiscal year. The report shall be submitted to the
137 Executive Office of the Governor, the Cabinet, the President of
138 the Senate, and the Speaker of the House of Representatives. At
139 a minimum, the report must describe:
140 1. Whether the consolidation is on schedule, including
141 progress on achieving the milestones necessary for successful
142 and timely consolidation of scheduled agency data centers and
143 computing facilities; and
144 2. The risks that may affect the progress or outcome of the
145 consolidation and how such risks are being mitigated or managed.
146 (e) Set technical standards for information technology,
147 including, but not limited to, desktop computers, printers, and
148 mobile devices; review major information technology projects and
149 procurements; establish information technology security
150 standards; provide for the procurement of information technology
151 resources, excluding human resources; and deliver enterprise
152 information technology services as defined in s. 282.0041.
153 (f) Designate primary data centers and shared resource
155 (g) Operate shared resource centers in a manner that
156 promotes energy efficiency.
157 (h) Establish and deliver enterprise information technology
158 services to serve state agencies on a cost-sharing basis,
159 charging each state agency its proportionate share of the cost
160 of maintaining and delivering a service based on a state
161 agency’s use of the service.
162 (i) Use the following principles to develop a means of
163 chargeback for primary data center services:
164 1. The customers of the primary data center shall provide
165 payments to the primary data center which are sufficient to
166 maintain the solvency of the primary data center operation for
167 all costs not directly funded through the General Appropriations
169 2. Per unit cost of usage shall be the primary basis for
170 pricing, and usage must be accurately measurable and
171 attributable to the appropriate customer.
172 3. The primary data center shall combine the aggregate
173 purchasing power of large and small customers to achieve
174 collective savings opportunities to all customers.
175 4. Chargeback methodologies shall be devised to consider
176 restrictions on grants to customers.
177 5. Chargeback methodologies should establish incentives
178 that lead to customer usage practices that result in lower costs
179 to the state.
180 6. Chargeback methodologies must consider technological
181 change when:
182 a. New services require short-term investments before
183 achieving long-term, full cost recovery for the service.
184 b. Customers of antiquated services may not be able to bear
185 all of the costs for the antiquated services during periods when
186 customers are migrating to replacement services.
187 7. Prices may be established which allow for accrual of
188 cash balances for the purpose of maintaining contingent
189 operating funds and funding planned capital investments. Accrual
190 of the cash balances shall be considered costs for the purposes
191 of this section.
192 8. Flat rate charges may be used only if there are
193 provisions for reconciling charges to comport with actual costs
194 and use.
195 (i) Exercise technical and fiscal prudence in determining
196 the best way to deliver enterprise information technology
198 (j) Collect and maintain an inventory of the information
199 technology resources in the state agencies.
200 (k) Assume ownership or custody and control of information
201 processing equipment, supplies, and positions required in order
202 to thoroughly carry out the agency’s duties and
204 (l) Adopt rules and policies for the efficient, secure, and
205 economical management and operation of the shared resource
206 centers and state telecommunications services.
207 (m) Provide other public sector organizations as defined in
208 s. 282.0041 with access to the services provided by the agency.
209 Access shall be provided on the same cost basis that applies to
210 state agencies.
211 (n) Ensure that data that is confidential under state or
212 federal law may not be entered into or processed through any
213 shared resource center or network established under the agency
214 until safeguards for the data’s security satisfactory to the
215 agency head and the executive director of the agency have been
216 designed, installed, and tested and are fully operational. This
217 paragraph does not prescribe what actions necessary to satisfy a
218 state agency’s objectives are to be undertaken or to remove from
219 the control and administration of the state agency the
220 responsibility for working with the agency to implement
221 safeguards, regardless of whether such control and
222 administration are specifically required by general law or
223 administered under the general program authority and
224 responsibility of the state agency. If the agency head and
225 executive director of the agency cannot reach agreement on
226 satisfactory safeguards, the issue shall be decided by the
227 Governor and Cabinet.
228 (o) Conduct periodic assessments of state agencies for
229 compliance with statewide information technology policies and
230 recommend to the Governor and Cabinet statewide policies for
231 information technology.
232 (8) The agency may not use or direct the spending of
233 operational information technology trust funds to study and
234 develop enterprise information technology strategies, plans,
235 rules, reports, policies, proposals, budgets, or enterprise
236 information technology initiatives that are not directly related
237 to developing information technology services for which usage
238 fees reimburse the costs of the initiative. As used in this
239 subsection, the term “operational information technology trust
240 funds” means funds into which deposits are made on a fee-for
241 service basis or a trust fund dedicated to a specific
242 information technology project or system.
243 (9) The portions of the agency’s activities described in
244 subsection (8) for which usage fees do not reimburse costs of
245 the activity shall be funded at a rate of 0.55% of the total
246 identified information technology spend through
248 (10) The agency may adopt rules to carry out its duties and
250 Section 5. Section 282.0041, Florida Statutes, is reordered
251 and amended to read:
252 282.0041 Definitions.—As used in this chapter, the term:
253 (1) “Agency” has the same meaning as in s. 216.011 (1)(qq),
254 except that for purposes of this chapter, “agency” does not
255 include university boards of trustees or state universities.
256 (1) (2) “Agency for State Enterprise Information Technology”
257 or “agency” means the agency created in s. 14.206 14.204.
258 (2) (3) “Agency information technology service” means a
259 service that directly helps a state an agency fulfill its
260 statutory or constitutional responsibilities and policy
261 objectives and is usually associated with the state agency’s
262 primary or core business functions.
263 (4) “Annual budget meeting” means a meeting of the board of
264 trustees of a primary data center to review data center usage to
265 determine the apportionment of board members for the following
266 fiscal year, review rates for each service provided, and
267 determine any other required changes.
268 (3) (5) “Breach” has the same meaning as in s. 817.5681(4).
269 (4) (6) “Business continuity plan” means a plan for disaster
270 recovery which provides for the continued functioning of a
271 primary data center during and after a disaster.
272 (5) “Collocation” means the method by which a state
273 agency’s data center occupies physical space within a shared
274 resource center where physical floor space, bandwidth, power,
275 cooling, and physical security are available for an equitable
276 usage rate and minimal complexity, and allow for the sustained
277 management and oversight of the collocating agency’s information
278 technology resources as well as physical and logical database
279 administration by the collocating agency’s staff.
280 (6) (7) “Computing facility” means a state agency site space
281 containing fewer than a total of 10 physical or logical servers,
282 any of which supports a strategic or nonstrategic information
283 technology service, as described in budget instructions
284 developed pursuant to s. 216.023, but excluding
285 telecommunications and voice gateways and a clustered pair of
286 servers operating as a single logical server to provide file,
287 print, security, and endpoint management services single,
288 logical-server installations that exclusively perform a utility
289 function such as file and print servers.
290 (7) “Computing service” means an information technology
291 service that is used in all state agencies or a subset of
292 agencies and is, therefore, a candidate for being established as
293 an enterprise information technology service. Examples include
294 e-mail, service hosting, telecommunications, and disaster
296 (8) “Customer entity” means an entity that obtains services
297 from a primary data center.
298 (8) (9) “Data center” means a state agency site space
299 containing 10 or more physical or logical servers any of which
300 supports a strategic or nonstrategic information technology
301 service, as described in budget instructions developed pursuant
302 to s. 216.023.
303 (10) “Department” means the Department of Management
305 (10) (11) “Enterprise information technology service” means
306 an information technology service that is used in all state
307 agencies or a subset of state agencies and is designated by the
308 agency or established in law to be designed, delivered, and
309 managed at the enterprise level. Current enterprise information
310 technology services include data center services, e-mail, and
312 (11) (12) “E-mail, messaging, and calendaring service” means
313 the enterprise information technology service that enables users
314 to send, receive, file, store, manage, and retrieve electronic
315 messages, attachments, appointments, and addresses. The e-mail,
316 messaging, and calendaring service must include e-mail account
317 management; help desk; technical support and user provisioning
318 services; disaster recovery and backup and restore capabilities;
319 antispam and antivirus capabilities; archiving and e-discovery;
320 and remote access and mobile messaging capabilities.
321 (12) (13) “Information-system utility” means an information
322 processing a full-service information-processing facility
323 offering hardware, software, operations, integration,
324 networking, floor space, and consulting services.
325 (13) (14) “Information technology resources” means
326 equipment, hardware, software, firmware, programs, systems,
327 networks, infrastructure, media, and related material used to
328 automatically, electronically, and wirelessly collect, receive,
329 access, transmit, display, store, record, retrieve, analyze,
330 evaluate, process, classify, manipulate, manage, assimilate,
331 control, communicate, exchange, convert, converge, interface,
332 switch, or disseminate information of any kind or form, and
333 includes the human resources to perform such duties, but
334 excludes application developers and logical database
336 (14) “Local area network” means any telecommunications
337 network through which messages and data are exchanged strictly
338 within a single building or contiguous campus.
339 (12) (15) “Information technology policy” means statements
340 that describe clear choices for how information technology will
341 deliver effective and efficient government services to residents
342 and improve state agency operations. A policy may relate to
343 investments, business applications, architecture, or
344 infrastructure. A policy describes its rationale, implications
345 of compliance or noncompliance, the timeline for implementation,
346 metrics for determining compliance, and the accountable
347 structure responsible for its implementation.
348 (15) “Logical database administration” means the resources
349 required to build and maintain database structure, implement and
350 maintain role-based data access controls, and perform
351 performance optimization of data queries and includes the
352 manipulation, transformation, modification, and maintenance of
353 data within a logical database. Typical tasks include schema
354 design and modifications, user provisioning, query tuning, index
355 and statistics maintenance, and data import, export, and
357 (16) “Memorandum of understanding” means a written
358 agreement between a shared resource center or the Division of
359 Telecommunications in the agency and a state agency which
360 specifies the scope of services provided, service level,
361 duration of the agreement, responsible parties, and service
362 costs. A memorandum of understanding is not a rule pursuant to
363 chapter 120.
364 (17) “Operational information technology trust funds” means
365 funds into which deposits are made on a fee for service bases,
366 or a trust fund dedicated to a specific information technology
367 project or system.
368 (18) “Other public sector organizations” means entities of
369 the legislative and judicial branches, the State University
370 System, the Florida Community College System, counties, and
371 municipalities. Such organizations may elect to participate in
372 the information technology programs, services, or contracts
373 offered by the Agency for State Technology, including
374 information technology procurement, in accordance with general
375 law, policies, and administrative rules.
376 (19) (16) “Performance metrics” means the measures of an
377 organization’s activities and performance.
378 (20) “Physical database administration” means the resources
379 responsible for installing, maintaining, and operating an
380 environment within which a database is hosted. Typical tasks
381 include database engine installation, configuration, and
382 security patching, as well as performing backup and restoration
383 of hosted databases, setup and maintenance of instance-based
384 data replication, and monitoring the health and performance of
385 the database environment.
386 (21) (17) “Primary data center” means a data center that is
387 a recipient entity for consolidation of state agency information
388 technology resources nonprimary data centers and computing
389 facilities and that is established by law.
390 (22) (18) “Project” means an endeavor that has a defined
391 start and end point; is undertaken to create or modify a unique
392 product, service, or result; and has specific objectives that,
393 when attained, signify completion.
394 (23) (19) “Risk analysis” means the process of identifying
395 security risks, determining their magnitude, and identifying
396 areas needing safeguards.
397 (24) (20) “Service level” means the key performance
398 indicators (KPI) of an organization or service which must be
399 regularly performed, monitored, and achieved.
400 (21) “Service-level agreement” means a written contract
401 between a data center and a customer entity which specifies the
402 scope of services provided, service level, the duration of the
403 agreement, the responsible parties, and service costs. A
404 service-level agreement is not a rule pursuant to chapter 120.
405 (25) “Shared resource center” means a primary data center
406 that has been designated and assigned specific duties under this
407 chapter or by the Agency for State Technology under s. 14.206.
408 (26) (22) “Standards” means required practices, controls,
409 components, or configurations established by an authority.
410 (27) “State agency” means any official, officer,
411 commission, board, authority, council, committee, or department
412 of the executive branch of state government. The term does not
413 include university boards of trustees or state universities.
414 (28) “State agency site” means a single, contiguous local
415 area network segment that does not traverse a metropolitan area
416 network or wide area network.
417 (29) (23) “SUNCOM Network” means the state enterprise
418 telecommunications system that provides all methods of
419 electronic or optical telecommunications beyond a single
420 building or contiguous building complex and used by entities
421 authorized as network users under this part.
422 (30) (24) “Telecommunications” means the science and
423 technology of communication at a distance, including electronic
424 systems used in the transmission or reception of information.
425 (31) (25) “Threat” means any circumstance or event that may
426 cause harm to the integrity, availability, or confidentiality of
427 information technology resources.
428 (32) (26) “Total cost” means all costs associated with
429 information technology projects or initiatives, including, but
430 not limited to, value of hardware, software, service,
431 maintenance, incremental personnel, and facilities. Total cost
432 of a loan or gift of information technology resources to a state
433 an agency includes the fair market value of the resources.
434 (33) (27) “Usage” means the billing amount charged by the
435 primary data center, less any pass-through charges, to the state
436 agency customer entity.
437 (34) (28) “Usage rate” means a state agency’s customer
438 entity’s usage or billing amount as a percentage of total usage.
439 (35) “Wide area network” means any telecommunications
440 network or components thereof through which messages and data
441 are exchanged outside of a local area network.
442 Section 6. Section 282.0055, Florida Statutes, is amended
443 to read:
444 (Substantial rewording of section. See
445 s. 282.0055, Florida Statutes, for current text.)
446 282.0055 Assignment of enterprise information technology.—
447 (1) The establishment of a systematic process for the
448 planning, design, implementation, procurement, delivery, and
449 maintenance of enterprise information technology services shall
450 be the responsibility of the Agency for State Technology for
451 executive branch agencies that are created or authorized in
452 statute to perform legislatively delegated functions. The
453 agency’s duties shall be performed in collaboration with the
454 state agencies. The supervision, design, development, delivery,
455 and maintenance of state-agency specific or unique software
456 applications shall remain within the responsibility and control
457 of the individual state agency or other public sector
459 (2) During the 2012-2013 fiscal year, the Agency for State
460 Technology shall, in collaboration with the state agencies and
461 other stakeholders, create a road map for enterprise information
462 technology service consolidation. The road map shall be
463 presented for approval by the Governor and Cabinet by August 30,
464 2013. At a minimum, the road map must include:
465 (a) An enterprise architecture that provides innovative,
466 yet pragmatic and cost-effective offering, and which
467 contemplates the consolidated delivery of services based on
468 similar business processes and functions that span across all
469 executive and cabinet agencies.
470 (b) A schedule for the consolidation of state agency data
472 (c) Cost-saving targets and timeframes for when the savings
473 will be realized.
474 (d) Recommendations, including cost estimates, for
475 improvements to the shared resource centers, which will improve
476 the agency’s ability to deliver enterprise information
477 technology services.
478 (e) A transition plan for the transfer of portions of the
479 Technology Program established under s. 20.22(2), Florida
480 Statutes that provide an enterprise information technology
482 (3) By October 15th of each year beginning in 2013, the
483 Agency for State Technology shall develop a comprehensive
484 transition plan for scheduled consolidations occurring in the
485 next fiscal year. This plan shall be submitted to the Governor,
486 the Cabinet, the President of the Senate, and the Speaker of the
487 House of Representatives. The transition plan shall be developed
488 in consultation with other state agencies submitting state
489 agency transition plans. The comprehensive transition plan must
491 (a) Recommendations for accomplishing the proposed
492 transitions as efficiently and effectively as possible with
493 minimal disruption to state agency business processes.
494 (b) Strategies to minimize risks associated with any of the
495 proposed consolidations.
496 (c) A compilation of the state agency transition plans
497 submitted by state agencies scheduled for consolidation for the
498 following fiscal year.
499 (d) An estimate of the cost to provide enterprise
500 information technology services for each state agency scheduled
501 for consolidation.
502 (e) An analysis of the cost effects resulting from the
503 planned consolidations on existing state agencies.
504 (f) The fiscal year adjustments to budget categories in
505 order to absorb the transfer of state agency information
506 technology resources pursuant to the legislative budget request
507 instructions provided in s. 216.023.
508 (g) A description of any issues that must be resolved in
509 order to accomplish as efficiently and effectively as possible
510 all consolidations required during the fiscal year.
511 (4) State agencies have the following duties:
512 (a) For the purpose of completing its work activities, each
513 state agency shall provide to the Agency for State Technology
514 all requested information and any other information relevant to
515 the state agency’s ability to effectively transition its
516 information technology resources into the agency.
517 (b) For the purpose of completing its work activities, each
518 state agency shall temporarily assign staff to assist the agency
519 with designated tasks as negotiated between the agency and the
520 state agency.
521 (c) Each state agency identified for consolidation into an
522 enterprise information technology service offering must submit a
523 transition plan to the Agency for State Technology by September
524 1 of the fiscal year before the fiscal year in which the
525 scheduled consolidation will occur. Transition plans shall be
526 developed in consultation with the agency and must include:
527 1. An inventory of the state agency data center’s resources
528 being consolidated, including all hardware, software, staff, and
529 contracted services, and the facility resources performing data
530 center management and operations, security, backup and recovery,
531 disaster recovery, system administration, database
532 administration, system programming, mainframe maintenance, job
533 control, production control, print, storage, technical support,
534 help desk, and managed services, but excluding application
536 2. A description of the level of services needed to meet
537 the technical and operational requirements of the platforms
538 being consolidated and an estimate of the primary data center’s
539 cost for the provision of such services.
540 3. A description of expected changes to its information
541 technology needs and the timeframe when such changes will occur.
542 4. A description of the information technology resources
543 proposed to remain in the state agency.
544 5. A baseline project schedule for the completion of the
546 6. The specific recurring and nonrecurring budget
547 adjustments of budget resources by appropriation category into
548 the appropriate data processing category pursuant to the
549 legislative budget instructions in s. 216.023 necessary to
550 support state agency costs for the transfer.
551 (5)(a) Unless authorized by the Legislature or the agency
552 as provided in paragraphs (b) and (c), a state agency may not:
553 1. Create a new computing service or expand an existing
554 computing service if that service has been designated as an
555 enterprise information technology service.
556 2. Spend funds before the state agency’s scheduled
557 consolidation to an enterprise information technology service to
558 purchase or modify hardware or operations software that does not
559 comply with hardware and software standards established by the
560 Agency for State Technology.
561 3. Unless for the purpose of offsite disaster recovery
562 services, transfer existing computing services to any service
563 provider other than the Agency for State Technology.
564 4. Terminate services with the Agency for State Technology
565 without giving written notice of intent to terminate or transfer
566 services 180 days before such termination or transfer.
567 5. Initiate a new computing service with any service
568 provider other than the Agency for State Technology if that
569 service has been designated as an enterprise information
570 technology service.
571 (b) Exceptions to the limitations in subparagraphs (a)1.,
572 2., 3., and 5. may be granted by the Agency for State Technology
573 if there is insufficient capacity in the primary data centers to
574 absorb the workload associated with agency computing services,
575 expenditures are compatible with the scheduled consolidation and
576 established standards, or the equipment or resources are needed
577 to meet a critical state agency business need that cannot be
578 satisfied from surplus equipment or resources of the primary
579 data center until the state agency data center is consolidated.
580 1. A request for an exception must be submitted in writing
581 to the Agency for State Technology. The agency must accept,
582 accept with conditions, or deny the request within 60 days after
583 receipt of the written request. The agency’s decision is not
584 subject to chapter 120.
585 2. The Agency for State Technology may not approve a
586 request unless it includes, at a minimum:
587 a. A detailed description of the capacity requirements of
588 the state agency requesting the exception.
589 b. Documentation from the state agency head demonstrating
590 why it is critical to the state agency’s mission that the
591 expansion or transfer must be completed within the fiscal year
592 rather than when capacity is established at a primary data
594 3. Exceptions to subparagraph (a)4. may be granted by the
595 Agency for State Technology if the termination or transfer of
596 services can be absorbed within the current cost-allocation
598 Section 7. Section 282.0056, Florida Statutes, is amended
599 to read:
600 282.0056 Strategic plan, development of work plan, and ;
601 development of implementation plans; and policy
603 (1) In order to provide a systematic process for meeting
604 the state’s technology needs, the executive director of the
605 Agency for State Technology shall develop a biennial state
606 Information Technology Resources Strategic Plan. The Governor
607 and Cabinet shall approve the plan before transmitting it to the
608 Legislature, biennially, starting October 1, 2013. The plan must
609 include the following elements:
610 (a) The vision, goals, initiatives, and targets for state
611 information technology for the short term of 2 years, midterm of
612 3 to 5 years, and long term of more than 5 years.
613 (b) An inventory of the information technology resources in
614 state agencies and major projects currently in progress and
615 planned. This does not imply that the agency has approval
616 authority over major projects. As used in this section, the term
617 “major project” means projects that cost more than $1 million to
619 (c) An analysis of opportunities for statewide initiatives
620 that would yield efficiencies, cost savings, or avoidance or
621 improve effectiveness in state programs. The analysis must
623 1. Information technology services that should be designed,
624 delivered, and managed as enterprise information technology
626 2. Techniques for consolidating the purchase of information
627 technology commodities and services that may result in savings
628 for the state and for establishing a process to achieve savings
629 through consolidated purchases.
630 3. A cost-benefit analysis of options, such as
631 privatization, outsourcing, or in-sourcing, to reduce costs or
632 improve services to agencies and taxpayers.
633 (d) Recommended initiatives based on the analysis in
634 paragraph (c).
635 (e) Implementation plans for enterprise information
636 technology services designated by the agency. The implementation
637 plans must describe the scope of service, requirements analyses,
638 costs and savings projects, and a project schedule for statewide
640 (2) Each state agency shall, biennially, provide to the
641 agency the inventory required under paragraph (1)(b). The agency
642 shall consult with and assist state agencies in the preparation
643 of these inventories. Each state agency shall submit its
644 inventory to the agency biennially, starting January 1, 2013.
645 (3) For the purpose of completing its work activities, each
646 state agency shall provide to the agency all requested
647 information, including, but not limited to, the state agency’s
648 costs, service requirements, staffing, and equipment
650 (4) (1) For the purpose of ensuring accountability for the
651 duties and responsibilities of the executive director and the
652 agency under ss. 14.206 and 282.0055, the executive director For
653 the purposes of carrying out its responsibilities under s.
654 282.0055 , the Agency for Enterprise Information Technology shall
655 develop an annual work plan within 60 days after the beginning
656 of the fiscal year describing the activities that the agency
657 intends to undertake for that year and identify the critical
658 success factors, risks, and issues associated with the work
659 planned. The work plan must also include planned including
660 proposed outcomes and completion timeframes for the planning and
661 implementation of all enterprise information technology
662 services. The work plan must align with the state Information
663 Technology Resources Strategic Plan, be presented at a public
664 hearing, and be approved by the Governor and Cabinet; , and,
665 thereafter, be submitted to the President of the Senate and the
666 Speaker of the House of Representatives. The work plan may be
667 amended as needed, subject to approval by the Governor and
669 (2) The agency may develop and submit to the President of
670 the Senate, the Speaker of the House of Representatives, and the
671 Governor by October 1 of each year implementation plans for
672 proposed enterprise information technology services to be
673 established in law.
674 (3) In developing policy recommendations and implementation
675 plans for established and proposed enterprise information
676 technology services, the agency shall describe the scope of
677 operation, conduct costs and requirements analyses, conduct an
678 inventory of all existing information technology resources that
679 are associated with each service, and develop strategies and
680 timeframes for statewide migration.
681 (4) For the purpose of completing its work activities, each
682 state agency shall provide to the agency all requested
683 information, including, but not limited to, the state agency’s
684 costs, service requirements, and equipment inventories.
685 (5) For the purpose of ensuring accountability for the
686 duties and responsibilities of the executive director and the
687 agency under ss. 14.206 and 282.0055, within 60 days after the
688 end of each fiscal year, the executive director agency shall
689 report to the Governor and Cabinet, the President of the Senate,
690 and the Speaker of the House of Representatives on what was
691 achieved or not achieved in the prior year’s work plan.
692 Section 8. Section 282.201, Florida Statutes, is amended to
694 (Substantial rewording of section. See
695 s. 282.201, Florida Statutes, for current text.)
696 282.201 State data center system; agency duties and
697 limitations.—A state data center system that includes all
698 primary data centers, other nonprimary data centers, and
699 computing facilities, and that provides an enterprise
700 information technology service, is established.
701 (1) INTENT.—The Legislature finds that the most efficient
702 and effective means of providing quality utility data processing
703 services to state agencies requires that computing resources be
704 concentrated in quality facilities that provide the proper
705 security, infrastructure, and staff resources to ensure that the
706 state’s data is maintained reliably and safely and is
707 recoverable in the event of a disaster. Efficiencies resulting
708 from such consolidation include the increased ability to
709 leverage technological expertise and hardware and software
710 capabilities; increased savings through consolidated purchasing
711 decisions; and the enhanced ability to deploy technology
712 improvements and implement new policies consistently throughout
713 the consolidated organization.
714 (2) AGENCY FOR STATE TECHNOLOGY DUTIES.—(a) The agency
715 shall by October 1, 2013, provide to the Governor and Cabinet,
716 recommendations for approving, confirming and removing primary
717 data center designation. The recommendations shall consider the
718 recommendations from the Law Enforcement Consolidations Task
719 Force. Upon approval of the Governor and Cabinet of primary data
720 center designations, existing primary data center designations
721 are repealed by operation of law, and therefore, obsolete.
722 (b) Establish a schedule for the consolidation of state
723 agency data centers or a transition plan for outsourcing data
724 center services, subject to review by the Governor and Cabinet.
725 The schedule or transition plan must be provided by October 1,
726 2013, and be updated annually until the completion of
727 consolidation. The schedule must be based on the goals of
728 maximizing the efficiency and quality of service delivery and
729 cost savings.
730 (3) STATE AGENCY DUTIES.—
731 (a) Any state agency that is consolidating agency data
732 centers into a primary data center must execute a new or update
733 an existing memorandum of understanding or service level
734 agreement within 60 days after the specified consolidation date,
735 as required by s. 282.203, in order to specify the services and
736 levels of service it is to receive from the primary data center
737 as a result of the consolidation. If a state agency is unable to
738 execute a memorandum of understanding by that date, the state
739 agency shall submit a report to the Executive Office of the
740 Governor, the Cabinet, the President of the Senate, and the
741 Speaker of the House of Representatives within 5 working days
742 after that date which explains the specific issues preventing
743 execution and describes its plan and schedule for resolving
744 those issues.
745 (b) On the date of each consolidation specified in general
746 law or the General Appropriations Act, each state agency shall
747 retain the least-privileged administrative access rights
748 necessary to perform the duties not assigned to the primary data
750 (4) SCHEDULE FOR CONSOLIDATIONS OF STATE AGENCY DATA
751 CENTERS.—Consolidations of state agency data centers are
752 suspended for the 2012-2013 fiscal year. Consolidations shall
753 resume during the 2013-2014 fiscal year based upon a revised
754 schedule developed by the agency. The revised schedule shall
755 consider the recommendations from the Law Enforcement
756 Consolidation Task Force. State agency data centers and
757 computing facilities shall be consolidated into the agency by
758 June 30, 2018.
759 Section 9. Section 282.203, Florida Statutes, is amended to
761 (Substantial rewording of section. See
762 s. 282.203, Florida Statutes, for current text.)
763 282.203 Primary data centers; duties.—
764 (1) Each primary data center shall:
765 (a) Serve participating state agencies as an information
766 system utility.
767 (b) Cooperate with participating state agencies to offer,
768 develop, and support the services and applications.
769 (c) Provide transparent financial statements to
770 participating state agencies.
771 (d) Assume the least-privileged administrative access
772 rights necessary to perform the services provided by the data
773 center for the software and equipment that is consolidated into
774 a primary data center.
775 (2) Each primary data center shall enter into a memorandum
776 of understanding with each participating state agency to provide
777 services. A memorandum of understanding may not have a term
778 exceeding 3 years but may include an option to renew for up to 3
779 years. Failure to execute a memorandum within 60 days after
780 service commencement shall, in the case of a participating state
781 agency, result in the continuation of the terms of the
782 memorandum of understanding from the previous fiscal year,
783 including any amendments that were formally proposed to the
784 state agency by the primary data center within the 3 months
785 before service commencement, and a revised cost-of-service
786 estimate. If a participating state agency fails to execute a
787 memorandum of understanding within 60 days after service
788 commencement, the data center may cease providing services.
789 Section 10. Section 282.204, Florida Statutes, is repealed.
790 Section 11. Section 282.205, Florida Statutes, is repealed.
791 Section 12. Section 282.33, Florida Statutes, is repealed.
792 Section 13. Section 282.34, Florida Statutes, is amended to
794 282.34 Statewide e-mail service.—A statewide e-mail service
795 that includes the delivery and support of e-mail, messaging, and
796 calendaring capabilities is established as an enterprise
797 information technology service as defined in s. 282.0041. The
798 service shall be provisioned designed to meet the needs of all
799 executive branch agencies and may also be used by other public
800 sector nonstate agency entities. The primary goals of the
801 service are to provide a reliable collaborative communication
802 service to state agencies; minimize the state investment
803 required to establish, operate, and support the statewide
804 service; reduce the cost of current e-mail operations and the
805 number of duplicative e-mail systems; and eliminate the need for
806 each state agency to maintain its own e-mail staff.
807 (1) Except as specified in subsection (2), all state
808 agencies shall receive their primary email services exclusively
809 through the Agency for State Technology. The Southwood Shared
810 Resource Center, a primary data center, shall be the provider of
811 the statewide e-mail service for all state agencies. The center
812 shall centrally host, manage, operate, and support the service,
813 or outsource the hosting, management, operational, or support
814 components of the service in order to achieve the primary goals
815 identified in this section.
816 (2) The Department of Legal Affairs shall work with the
817 agency to develop a plan to migrate to the enterprise email
818 service. The plan shall identify the time frame for migration,
819 the associated costs, and the risks. The plan shall be presented
820 to the Governor and Cabinet by December 1, 2014. The Agency for
821 Enterprise Information Technology, in cooperation and
822 consultation with all state agencies, shall prepare and submit
823 for approval by the Legislative Budget Commission at a meeting
824 scheduled before June 30, 2011, a proposed plan for the
825 migration of all state agencies to the statewide e-mail service.
826 The plan for migration must include:
827 (a) A cost-benefit analysis that compares the total
828 recurring and nonrecurring operating costs of the current agency
829 e-mail systems, including monthly mailbox costs, staffing,
830 licensing and maintenance costs, hardware, and other related e
831 mail product and service costs to the costs associated with the
832 proposed statewide e-mail service. The analysis must also
834 1. A comparison of the estimated total 7-year life-cycle
835 cost of the current agency e-mail systems versus the feasibility
836 of funding the migration and operation of the statewide e-mail
838 2. An estimate of recurring costs associated with the
839 energy consumption of current agency e-mail equipment, and the
840 basis for the estimate.
841 3. An identification of the overall cost savings resulting
842 from state agencies migrating to the statewide e-mail service
843 and decommissioning their agency e-mail systems.
844 (b) A proposed migration date for all state agencies to be
845 migrated to the statewide e-mail service. The Agency for
846 Enterprise Information Technology shall work with the Executive
847 Office of the Governor to develop the schedule for migrating all
848 state agencies to the statewide e-mail service except for the
849 Department of Legal Affairs. The Department of Legal Affairs
850 shall provide to the Agency for Enterprise Information
851 Technology by June 1, 2011, a proposed migration date based upon
852 its decision to participate in the statewide e-mail service and
853 the identification of any issues that require resolution in
854 order to migrate to the statewide e-mail service.
855 (c) A budget amendment, submitted pursuant to chapter 216,
856 for adjustments to each agency’s approved operating budget
857 necessary to transfer sufficient budget resources into the
858 appropriate data processing category to support its statewide e
859 mail service costs.
860 (d) A budget amendment, submitted pursuant to chapter 216,
861 for adjustments to the Southwood Shared Resource Center approved
862 operating budget to include adjustments in the number of
863 authorized positions, salary budget and associated rate,
864 necessary to implement the statewide e-mail service.
865 (3) Contingent upon approval by the Legislative Budget
866 Commission, the Southwood Shared Resource Center may contract
867 for the provision of a statewide e-mail service. Executive
868 branch agencies must be completely migrated to the statewide e
869 mail service based upon the migration date included in the
870 proposed plan approved by the Legislative Budget Commission.
871 (4) Notwithstanding chapter 216, general revenue funds may
872 be increased or decreased for each agency provided the net
873 change to general revenue in total for all agencies is zero or
875 (5) Subsequent to the approval of the consolidated budget
876 amendment to reflect budget adjustments necessary to migrate to
877 the statewide e-mail service, an agency may make adjustments
878 subject to s. 216.177 , notwithstanding provisions in chapter 216
879 which may require such adjustments to be approved by the
880 Legislative Budget Commission.
881 (6) No agency may initiate a new e-mail service or execute
882 a new e-mail contract or amend a current e-mail contract, other
883 than with the Southwood Shared Resource Center, for nonessential
884 products or services unless the Legislative Budget Commission
885 denies approval for the Southwood Shared Resource Center to
886 enter into a contract for the statewide e-mail service.
887 (7) The Agency for Enterprise Information Technology shall
888 work with the Southwood Shared Resource Center to develop an
889 implementation plan that identifies and describes the detailed
890 processes and timelines for an agency’s migration to the
891 statewide e-mail service based on the migration date approved by
892 the Legislative Budget Commission. The agency may establish and
893 coordinate workgroups consisting of agency e-mail management,
894 information technology, budget, and administrative staff to
895 assist the agency in the development of the plan.
896 (8) Each executive branch agency shall provide all
897 information necessary to develop the implementation plan,
898 including, but not limited to, required mailbox features and the
899 number of mailboxes that will require migration services. Each
900 agency must also identify any known business, operational, or
901 technical plans, limitations, or constraints that should be
902 considered when developing the plan.
903 Section 14. Section 282.702, Florida Statutes, is amended
904 to read:
905 282.702 Powers and duties.—The Department of Management
906 Services shall have the following powers, duties, and functions:
907 (1) To publish electronically the portfolio of services
908 available from the department, including pricing information;
909 the policies and procedures governing usage of available
910 services; and a forecast of the department’s priorities for each
911 telecommunications service.
912 (2) To adopt technical standards by rule for the state
913 telecommunications network which ensure the interconnection and
914 operational security of computer networks, telecommunications,
915 and information systems of agencies.
916 (3) To enter into agreements related to information
917 technology and telecommunications services with state agencies
918 and political subdivisions of the state.
919 (4) To purchase from or contract with information
920 technology providers for information technology, including
921 private line services.
922 (5) To apply for, receive, and hold authorizations,
923 patents, copyrights, trademarks, service marks, licenses, and
924 allocations or channels and frequencies to carry out the
925 purposes of this part.
926 (6) To purchase, lease, or otherwise acquire and to hold,
927 sell, transfer, license, or otherwise dispose of real, personal,
928 and intellectual property, including, but not limited to,
929 patents, trademarks, copyrights, and service marks.
930 (7) To cooperate with any federal, state, or local
931 emergency management agency in providing for emergency
932 telecommunications services.
933 (8) To control and approve the purchase, lease, or
934 acquisition and the use of telecommunications services,
935 software, circuits, and equipment provided as part of any other
936 total telecommunications system to be used by the state or its
938 (9) To adopt rules pursuant to ss. 120.536(1) and 120.54
939 relating to telecommunications and to administer the provisions
940 of this part.
941 (10) To apply for and accept federal funds for the purposes
942 of this part as well as gifts and donations from individuals,
943 foundations, and private organizations.
944 (11) To monitor issues relating to telecommunications
945 facilities and services before the Florida Public Service
946 Commission and the Federal Communications Commission and, if
947 necessary, prepare position papers, prepare testimony, appear as
948 a witness, and retain witnesses on behalf of state agencies in
949 proceedings before the commissions.
950 (12) Unless delegated to the state agencies by the
951 department, to manage and control, but not intercept or
952 interpret, telecommunications within the SUNCOM Network by:
953 (a) Establishing technical standards to physically
954 interface with the SUNCOM Network.
955 (b) Specifying how telecommunications are transmitted
956 within the SUNCOM Network.
957 (c) Controlling the routing of telecommunications within
958 the SUNCOM Network.
959 (d) Establishing standards, policies, and procedures for
960 access to and the security of the SUNCOM Network.
961 (e) Ensuring orderly and reliable telecommunications
962 services in accordance with the service level agreements
963 executed with state agencies.
964 (13) To plan, design, and conduct experiments for
965 telecommunications services, equipment, and technologies, and to
966 implement enhancements in the state telecommunications network
967 if in the public interest and cost-effective. Funding for such
968 experiments must be derived from SUNCOM Network service revenues
969 and may not exceed 2 percent of the annual budget for the SUNCOM
970 Network for any fiscal year or as provided in the General
971 Appropriations Act. New services offered as a result of this
972 subsection may not affect existing rates for facilities or
974 (14) To enter into contracts or agreements, with or without
975 competitive bidding or procurement, to make available, on a
976 fair, reasonable, and nondiscriminatory basis, property and
977 other structures under departmental control for the placement of
978 new facilities by any wireless provider of mobile service as
979 defined in 47 U.S.C. s. 153(27) or s. 332(d) and any
980 telecommunications company as defined in s. 364.02 if it is
981 practical and feasible to make such property or other structures
982 available. The department may, without adopting a rule, charge a
983 just, reasonable, and nondiscriminatory fee for the placement of
984 the facilities, payable annually, based on the fair market value
985 of space used by comparable telecommunications facilities in the
986 state. The department and a wireless provider or
987 telecommunications company may negotiate the reduction or
988 elimination of a fee in consideration of services provided to
989 the department by the wireless provider or telecommunications
990 company. All such fees collected by the department shall be
991 deposited directly into the Law Enforcement Radio Operating
992 Trust Fund, and may be used by the department to construct,
993 maintain, or support the system.
994 (15) Establish policies that ensure that the department’s
995 cost-recovery methodologies, billings, receivables,
996 expenditures, budgeting, and accounting data are captured and
997 reported timely, consistently, accurately, and transparently and
998 are in compliance with all applicable federal and state laws and
999 rules. The department shall annually submit to the Governor, the
1000 President of the Senate, and the Speaker of the House of
1001 Representatives a report that describes each service and its
1002 cost, the billing methodology for recovering the cost of the
1003 service, and, if applicable, the identity of those services that
1004 are subsidized.
1005 (16) Develop a plan for statewide voice-over-Internet
1006 protocol services. The plan shall include cost estimates and the
1007 estimated return on investment. The plan shall be submitted to
1008 the Governor, the Cabinet, the President of the Senate, and the
1009 Speaker of the House of Representatives by June 30, 2013.
1010 (17) The department shall produce a feasibility analysis by
1011 January 1, 2013, of the options for procuring end-to-end network
1012 services, including services provided by the statewide area
1013 network, metropolitan area networks, and local area networks,
1014 which may be provided by each state agency. The scope of this
1015 service does not include wiring or file and print server
1016 infrastructure. The feasibility analysis must determine the
1017 technical and economic feasibility of using existing resources
1018 and infrastructure that are owned or used by state entities in
1019 the provision or receipt of network services in order to reduce
1020 the cost of network services for the state.
1021 (a) At a minimum, the feasibility analysis must include:
1022 1. A definition and assessment of the current portfolio of
1023 services, the network services that are provided by each state
1024 agency, and a forecast of anticipated changes in network service
1025 needs which considers specific state agency business needs and
1026 the implementation of enterprise services established under this
1028 2. A description of any limitations or enhancements in the
1029 network, including any technical or logistical challenges
1030 relating to the central provisioning of local area network
1031 services currently provided and supported by each state agency.
1032 The analysis must also address changes in usage patterns which
1033 can reasonably be expected due to the consolidation of state
1034 agency data centers or the specific business needs of state
1035 agencies and other service customers.
1036 3. An analysis and comparison of the risks associated with
1037 the current service delivery models and at least two other
1038 options that leverage the existing resources and infrastructure
1039 identified in this subsection. Options may include multi-vendor
1040 and segmented contracting options. All sourcing options must
1041 produce a service that can be used by schools and other
1042 qualified entities that seek federal grants provided through the
1043 Universal Service Fund Program.
1044 4. A cost-benefit analysis that estimates all major cost
1045 elements associated with each sourcing option, focusing on the
1046 nonrecurring and recurring life-cycle costs of the proposal in
1047 order to determine the financial feasibility of each sourcing
1048 option. The cost-benefit analysis must include:
1049 a. The total recurring operating costs of the proposed
1050 state network service including estimates of monthly charges,
1051 staffing, billing, licenses and maintenance, hardware, and other
1052 related costs.
1053 b. An estimate of nonrecurring costs associated with
1054 construction, transmission lines, premises and switching
1055 hardware purchase and installation, and required software based
1056 on the proposed solution.
1057 c. An estimate of other critical costs associated with the
1058 current and proposed sourcing options for the state network.
1059 5. Recommendations for reducing current costs associated
1060 with statewide network services. The department shall consider
1061 the following in developing the recommendations:
1062 a. Leveraging existing resources and expertise.
1063 b. Standardizing service-level agreements to customer
1064 entities in order to maximize capacity and availability.
1065 6. A detailed timeline for the complete procurement and
1066 transition to a more efficient and cost-effective solution.
1067 Section 15. Paragraph (e) of subsection (2) of section
1068 110.205, Florida Statutes, is amended to read:
1069 110.205 Career service; exemptions.—
1070 (2) EXEMPT POSITIONS.—The exempt positions that are not
1071 covered by this part include the following:
1072 (e) The executive director of Chief Information Officer in
1073 the Agency for State Enterprise Information Technology. Unless
1074 otherwise fixed by law, the Governor and Cabinet Agency for
1075 Enterprise Information Technology shall set the salary and
1076 benefits of this position in accordance with the rules of the
1077 Senior Management Service.
1078 Section 16. Subsections (2) and (9) of section 215.322,
1079 Florida Statutes, are amended to read:
1080 215.322 Acceptance of credit cards, charge cards, debit
1081 cards, or electronic funds transfers by state agencies, units of
1082 local government, and the judicial branch.—
1083 (2) A state agency as defined in s. 216.011, or the
1084 judicial branch, may accept credit cards, charge cards, debit
1085 cards, or electronic funds transfers in payment for goods and
1086 services with the prior approval of the Chief Financial Officer.
1087 If the Internet or other related electronic methods are to be
1088 used as the collection medium, the Agency for State Enterprise
1089 Information Technology shall review and recommend to the Chief
1090 Financial Officer whether to approve the request with regard to
1091 the process or procedure to be used.
1092 (9) For payment programs in which credit cards, charge
1093 cards, or debit cards are accepted by state agencies, the
1094 judicial branch, or units of local government, the Chief
1095 Financial Officer, in consultation with the Agency for State
1096 Enterprise Information Technology, may adopt rules to establish
1097 uniform security safeguards for cardholder data and to ensure
1098 compliance with the Payment Card Industry Data Security
1100 Section 17. Subsections (3), (4), (5), and (6) of section
1101 282.318, Florida Statutes, are amended to read:
1102 282.318 Enterprise security of data and information
1104 (3) The Agency for State Enterprise Information Technology
1105 is responsible for establishing rules and publishing guidelines
1106 for ensuring an appropriate level of security for all data and
1107 information technology resources for executive branch agencies.
1108 The agency shall also perform the following duties and
1110 (a) Develop, and annually update by February 1, an
1111 enterprise information security strategic plan that includes
1112 security goals and objectives for the strategic issues of
1113 information security policy, risk management, training, incident
1114 management, and survivability planning.
1115 (b) Develop enterprise security rules and published
1116 guidelines for:
1117 1. Comprehensive risk analyses and information security
1118 audits conducted by state agencies.
1119 2. Responding to suspected or confirmed information
1120 security incidents, including suspected or confirmed breaches of
1121 personal information or exempt data.
1122 3. Agency security plans, including strategic security
1123 plans and security program plans.
1124 4. The recovery of information technology and data
1125 following a disaster.
1126 5. The managerial, operational, and technical safeguards
1127 for protecting state government data and information technology
1129 (c) Assist agencies in complying with the provisions of
1130 this section.
1131 (d) Pursue appropriate funding for the purpose of enhancing
1132 domestic security.
1133 (e) Provide training for agency information security
1135 (f) Annually review the strategic and operational
1136 information security plans of executive branch agencies.
1137 (4) To assist the Agency for State Enterprise Information
1138 Technology in carrying out its responsibilities, each state
1139 agency head shall, at a minimum:
1140 (a) Designate an information security manager to administer
1141 the security program of the state agency for its data and
1142 information technology resources. This designation must be
1143 provided annually in writing to the Agency for State Enterprise
1144 Information Technology by January 1.
1145 (b) Annually submit to the Agency for State Enterprise
1146 Information Technology annually by July 31, the state agency’s
1147 comprehensive strategic and operational information security
1148 plans developed pursuant to the rules and guidelines established
1149 by the Agency for State Enterprise Information Technology.
1150 1. The state agency comprehensive strategic information
1151 security plan must cover a 3-year period and define security
1152 goals, intermediate objectives, and projected agency costs for
1153 the strategic issues of agency information security policy, risk
1154 management, security training, security incident response, and
1155 survivability. The plan must be based on the enterprise
1156 strategic information security plan created by the Agency for
1157 State Enterprise Information Technology. Additional issues may
1158 be included.
1159 2. The state agency operational information security plan
1160 must include a progress report for the prior operational
1161 information security plan and a project plan that includes
1162 activities, timelines, and deliverables for security objectives
1163 that, subject to current resources, the state agency will
1164 implement during the current fiscal year. The cost of
1165 implementing the portions of the plan which cannot be funded
1166 from current resources must be identified in the plan.
1167 (c) Conduct, and update every 3 years, a comprehensive risk
1168 analysis to determine the security threats to the data,
1169 information, and information technology resources of the state
1170 agency. The risk analysis information is confidential and exempt
1171 from the provisions of s. 119.07(1), except that such
1172 information shall be available to the Auditor General and the
1173 Agency for State Enterprise Information Technology for
1174 performing postauditing duties.
1175 (d) Develop, and periodically update, written internal
1176 policies and procedures that , which include procedures for
1177 notifying the Agency for State Enterprise Information Technology
1178 when a suspected or confirmed breach, or an information security
1179 incident, occurs. Such policies and procedures must be
1180 consistent with the rules and guidelines established by the
1181 Agency for State Enterprise Information Technology to ensure the
1182 security of the data, information, and information technology
1183 resources of the state agency. The internal policies and
1184 procedures that, if disclosed, could facilitate the unauthorized
1185 modification, disclosure, or destruction of data or information
1186 technology resources are confidential information and exempt
1187 from s. 119.07(1), except that such information shall be
1188 available to the Auditor General and the Agency for State
1189 Enterprise Information Technology for performing postauditing
1191 (e) Implement appropriate cost-effective safeguards to
1192 address identified risks to the data, information, and
1193 information technology resources of the state agency.
1194 (f) Ensure that periodic internal audits and evaluations of
1195 the state agency’s security program for the data, information,
1196 and information technology resources of the state agency are
1197 conducted. The results of such audits and evaluations are
1198 confidential information and exempt from s. 119.07(1), except
1199 that such information shall be available to the Auditor General
1200 and the Agency for State Enterprise Information Technology for
1201 performing postauditing duties.
1202 (g) Include appropriate security requirements in the
1203 written specifications for the solicitation of information
1204 technology and information technology resources and services ,
1205 which are consistent with the rules and guidelines established
1206 by the Agency for State Enterprise Information Technology.
1207 (h) Provide security awareness training to employees and
1208 users of the state agency’s communication and information
1209 resources concerning information security risks and the
1210 responsibility of employees and users to comply with policies,
1211 standards, guidelines, and operating procedures adopted by the
1212 state agency to reduce those risks.
1213 (i) Develop a process for detecting, reporting, and
1214 responding to suspected or confirmed security incidents,
1215 including suspected or confirmed breaches consistent with the
1216 security rules and guidelines established by the Agency for
1217 State Enterprise Information Technology.
1218 1. Suspected or confirmed information security incidents
1219 and breaches must be immediately reported to the Agency for
1220 State Enterprise Information Technology.
1221 2. For incidents involving breaches, agencies shall provide
1222 notice in accordance with s. 817.5681 and to the Agency for
1223 State Enterprise Information Technology in accordance with this
1225 (5) Each state agency shall include appropriate security
1226 requirements in the specifications for the solicitation of
1227 contracts for procuring information technology or information
1228 technology resources or services which are consistent with the
1229 rules and guidelines established by the Agency for State
1230 Enterprise Information Technology.
1231 (6) The Agency for State Enterprise Information Technology
1232 may adopt rules relating to information security and to
1233 administer the provisions of this section.
1234 Section 18. Subsection (14) of section 287.012, Florida
1235 Statutes, is amended to read:
1236 287.012 Definitions.—As used in this part, the term:
1237 (14) “Information technology” means, but is not limited to,
1238 equipment, hardware, software, mainframe maintenance, firmware,
1239 programs, systems, networks, infrastructure, media, and related
1240 material used to automatically, electronically, and wirelessly
1241 collect, receive, access, transmit, display, store, record,
1242 retrieve, analyze, evaluate, process, classify, manipulate,
1243 manage, assimilate, control, communicate, exchange, convert,
1244 converge, interface, switch, or disseminate information of any
1245 kind or form has the meaning ascribed in s. 282.0041.
1246 Section 19. Subsection (22) of section 287.057, Florida
1247 Statutes, is amended to read:
1248 287.057 Procurement of commodities or contractual
1250 (22) The department, in consultation with the Agency for
1251 State Enterprise Information Technology and the Chief Financial
1252 Officer Comptroller, shall develop a program for online
1253 procurement of commodities and contractual services. To enable
1254 the state to promote open competition and to leverage its buying
1255 power, agencies shall participate in the online procurement
1256 program, and eligible users may participate in the program. Only
1257 vendors prequalified as meeting mandatory requirements and
1258 qualifications criteria may participate in online procurement.
1259 (a) The department, in consultation with the agency, may
1260 contract for equipment and services necessary to develop and
1261 implement online procurement.
1262 (b) The department, in consultation with the agency, shall
1263 adopt rules, pursuant to ss. 120.536(1) and 120.54, to
1264 administer the program for online procurement. The rules shall
1265 include, but not be limited to:
1266 1. Determining the requirements and qualification criteria
1267 for prequalifying vendors.
1268 2. Establishing the procedures for conducting online
1270 3. Establishing the criteria for eligible commodities and
1271 contractual services.
1272 4. Establishing the procedures for providing access to
1273 online procurement.
1274 5. Determining the criteria warranting any exceptions to
1275 participation in the online procurement program.
1276 (c) The department may impose and shall collect all fees
1277 for the use of the online procurement systems.
1278 1. The fees may be imposed on an individual transaction
1279 basis or as a fixed percentage of the cost savings generated. At
1280 a minimum, the fees must be set in an amount sufficient to cover
1281 the projected costs of the services, including administrative
1282 and project service costs in accordance with the policies of the
1284 2. If the department contracts with a provider for online
1285 procurement, the department, pursuant to appropriation, shall
1286 compensate the provider from the fees after the department has
1287 satisfied all ongoing costs. The provider shall report
1288 transaction data to the department each month so that the
1289 department may determine the amount due and payable to the
1290 department from each vendor.
1291 3. All fees that are due and payable to the state on a
1292 transactional basis or as a fixed percentage of the cost savings
1293 generated are subject to s. 215.31 and must be remitted within
1294 40 days after receipt of payment for which the fees are due. For
1295 fees that are not remitted within 40 days, the vendor shall pay
1296 interest at the rate established under s. 55.03(1) on the unpaid
1297 balance from the expiration of the 40-day period until the fees
1298 are remitted.
1299 4. All fees and surcharges collected under this paragraph
1300 shall be deposited in the Operating Trust Fund as provided by
1302 Section 20. Subsection (4) of section 445.011, Florida
1303 Statutes, is amended to read:
1304 445.011 Workforce information systems.—
1305 (4) Workforce Florida, Inc., shall coordinate development
1306 and implementation of workforce information systems with the
1307 executive director of the Agency for State Enterprise
1308 Information Technology to ensure compatibility with the state’s
1309 information system strategy and enterprise architecture.
1310 Section 21. Subsection (2) and paragraphs (a) and (b) of
1311 subsection (4) of section 445.045, Florida Statutes, are amended
1312 to read:
1313 445.045 Development of an Internet-based system for
1314 information technology industry promotion and workforce
1316 (2) Workforce Florida, Inc., shall coordinate with the
1317 Agency for State Enterprise Information Technology and the
1318 Department of Economic Opportunity to ensure links, where
1319 feasible and appropriate, to existing job information websites
1320 maintained by the state and state agencies and to ensure that
1321 information technology positions offered by the state and state
1322 agencies are posted on the information technology website.
1323 (4)(a) Workforce Florida, Inc., shall coordinate
1324 development and maintenance of the website under this section
1325 with the executive director of the Agency for State Enterprise
1326 Information Technology to ensure compatibility with the state’s
1327 information system strategy and enterprise architecture.
1328 (b) Workforce Florida, Inc., may enter into an agreement
1329 with the Agency for State Enterprise Information Technology, the
1330 Department of Economic Opportunity, or any other public agency
1331 with the requisite information technology expertise for the
1332 provision of design, operating, or other technological services
1333 necessary to develop and maintain the website.
1334 Section 22. Paragraph (b) of subsection (18) of section
1335 668.50, Florida Statutes, is amended to read:
1336 668.50 Uniform Electronic Transaction Act.—
1337 (18) ACCEPTANCE AND DISTRIBUTION OF ELECTRONIC RECORDS BY
1338 GOVERNMENTAL AGENCIES.—
1339 (b) To the extent that a governmental agency uses
1340 electronic records and electronic signatures under paragraph
1341 (a), the Agency for State Enterprise Information Technology, in
1342 consultation with the governmental agency, giving due
1343 consideration to security, may specify:
1344 1. The manner and format in which the electronic records
1345 must be created, generated, sent, communicated, received, and
1346 stored and the systems established for those purposes.
1347 2. If electronic records must be signed by electronic
1348 means, the type of electronic signature required, the manner and
1349 format in which the electronic signature must be affixed to the
1350 electronic record, and the identity of, or criteria that must be
1351 met by, any third party used by a person filing a document to
1352 facilitate the process.
1353 3. Control processes and procedures as appropriate to
1354 ensure adequate preservation, disposition, integrity, security,
1355 confidentiality, and auditability of electronic records.
1356 4. Any other required attributes for electronic records
1357 which are specified for corresponding nonelectronic records or
1358 reasonably necessary under the circumstances.
1359 Section 23. This act shall take effect July 1, 2012.
1362 ================= T I T L E A M E N D M E N T ================
1363 And the title is amended as follows:
1364 Delete everything before the enacting clause
1365 and insert:
1366 A bill to be entitled
1367 An act relating to state technology; abolishing the
1368 Agency for Enterprise Information Technology;
1369 transferring the personnel, functions, and funds of
1370 the Agency for Enterprise Information Technology to
1371 the Agency for State Technology; transferring
1372 specified personnel, functions, and funds relating to
1373 technology programs from the Department of Management
1374 Services to the Agency for State Technology;
1375 transferring the Northwood Shared Resource Center and
1376 the Southwood Shared Resource Center to the agency;
1377 repealing s. 14.204, F.S., relating to the Agency for
1378 Enterprise Information Technology; creating s. 14.206,
1379 F.S.; creating the Agency for State Technology;
1380 providing for an executive director who shall be the
1381 state’s Chief Information Officer; providing for
1382 organization of the agency; providing duties and
1383 responsibilities of the agency and of the executive
1384 director; requiring certain status reports to the
1385 Governor, the Cabinet, and the Legislature;
1386 authorizing the agency to adopt rules; reordering and
1387 amending s. 282.0041, F.S.; revising and providing
1388 definitions of terms as used in the Enterprise
1389 Information Technology Services Management Act;
1390 amending s. 282.0055, F.S.; revising provisions for
1391 assignment of information technology services;
1392 directing the agency to create a road map for
1393 enterprise information technology service
1394 consolidation and a comprehensive transition plan;
1395 requiring the transition plan to be submitted to the
1396 Governor and Cabinet and the Legislature by a certain
1397 date; providing duties for state agencies relating to
1398 the transition plan; prohibiting state agencies from
1399 certain technology-related activities; providing for
1400 exceptions; amending s. 282.0056, F.S.; providing for
1401 development by the agency executive director of a
1402 biennial State Information Technology Strategic
1403 Resources Plan for approval by the Governor and the
1404 Cabinet; directing state agencies to submit their own
1405 information technology plans and any requested
1406 information to the agency; revising provisions for
1407 development of work plans and implementation plans;
1408 revising provisions for reporting on achievements;
1409 amending s. 282.201, F.S.; revising provisions for a
1410 state data center system; providing legislative
1411 intent; directing the agency to provide
1412 recommendations to the Governor and Legislature
1413 relating to changes to the schedule for the
1414 consolidations of state agency data centers; providing
1415 duties of a state agency consolidating a data center
1416 into a primary data center; revising the scheduled
1417 consolidation dates for state agency data centers;
1418 amending s. 282.203, F.S.; revising duties of primary
1419 data centers; removing provisions for boards of
1420 trustees to head primary data centers; requiring a
1421 memorandum of understanding between the primary data
1422 center and the participating state agency; limiting
1423 the term of the memorandum; providing for failure to
1424 enter into a memorandum; repealing s. 282.204, F.S.,
1425 relating to Northwood Shared Resource Center;
1426 repealing s. 282.205, F.S., relating to Southwood
1427 Shared Resource Center; creating s. 282.206, F.S.;
1428 establishing the Fletcher Shared Resource Center
1429 within the Department of Financial Services to provide
1430 enterprise information technology services; directing
1431 the center to collaborate with the agency; directing
1432 the center to provide collocation services to the
1433 Department of Legal Affairs, the Department of
1434 Agriculture and Consumer Services, and the Department
1435 of Financial Services; directing the Department of
1436 Financial Services to continue to use the center and
1437 provide service to the Office of Financial Regulation
1438 and the Office of Insurance Regulation and host the
1439 Legislative Appropriations System/Planning and
1440 Budgeting Subsystem; providing for governance of the
1441 center; providing for a steering committee to ensure
1442 adequacy and appropriateness of services; directing
1443 the Department of Legal Affairs and the Department of
1444 Agriculture and Consumer Services to move data center
1445 equipment to the center by certain dates; repealing s.
1446 282.33, F.S., relating to objective standards for data
1447 center energy efficiency; amending s. 282.34, F.S.;
1448 revising provisions for a statewide e-mail service to
1449 meet the needs of executive branch agencies; requiring
1450 state agencies to receive e-mail services through the
1451 agency; authorizing the Department of Agriculture and
1452 Consumer Services, the Department of Financial
1453 Services, the Office of Financial Regulation, and the
1454 Office of Insurance Regulation to receive e-mail
1455 services from the Fletcher Shared Resource Center or
1456 the agency; amending s. 282.702, F.S.; directing the
1457 agency to develop a plan for statewide voice-over
1458 Internet protocol services; requiring certain content
1459 in the plan; requiring the plan to be submitted to the
1460 Governor, the Cabinet, and the Legislature by a
1461 certain date; amending s. 364.0135, F.S.; providing
1462 for the agency’s role in the promotion of broadband
1463 Internet service; providing an additional duty;
1464 amending ss. 20.22, 110.205, 215.22, 215.322, 216.292,
1465 282.318, 282.604, 282.703, 282.704, 282.705, 282.706,
1466 282.707, 282.709, 282.7101, 282.711, 287.012, 287.057,
1467 318.18, 320.0802, 328.72, 365.171, 365.172, 365.173,
1468 365.174, 401.013, 401.015, 401.018, 401.021, 401.024,
1469 401.027, 401.465, 445.011, 445.045, and 668.50, F.S.,
1470 relating to a financial and cash management system
1471 task force, career service exemptions, trust funds,
1472 payment cards and electronic funds transfers, the
1473 Communications Working Capital Trust Fund, the
1474 Enterprise Information Technology Services Management
1475 Act, adoption of rules, the Communication Information
1476 Technology Services Act, procurement of commodities
1477 and contractual services, the Florida Uniform
1478 Disposition of Traffic Infractions Act, surcharge on
1479 vehicle license tax, vessel registration, broadband
1480 Internet service, the emergency communications number
1481 E911, regional emergency medical telecommunications,
1482 the Workforce Innovation Act of 2000, and the Uniform
1483 Electronic Transaction Act; conforming provisions and
1484 cross-references to changes made by the act; revising
1485 and deleting obsolete provisions; providing an
1486 effective date.