Florida Senate - 2012 SENATOR AMENDMENT
Bill No. CS for HB 5509
Senate . House
Floor: 1/R/2R .
03/09/2012 06:43 PM .
Senator Ring moved the following:
1 Senate Amendment (with title amendment)
3 Delete everything after the enacting clause
4 and insert:
5 Section 1. (1) The Agency for Enterprise Information
6 Technology is abolished.
7 (2) All of the powers, duties, functions, records,
8 personnel, and property; funds, trust funds, and unexpended
9 balances of appropriations, allocations, and other funds;
10 administrative authority; administrative rules; pending issues;
11 and existing contracts of the Agency for Enterprise Information
12 Technology are transferred by a type two transfer, pursuant to
13 s. 20.06(2), Florida Statutes, to the Agency for State
15 Section 2. (1) The portions of the Technology Program
16 established under section 20.22(2), Florida Statutes, and
17 identified in the approved plan defined in s. 282.0055(2),
18 Florida Statutes, shall transfer by a type one transfer, as
19 defined in s. 20.06(1), Florida Statutes, from the Department of
20 Management Services to the Agency for State Technology no later
21 than June 30, 2014.
22 (2) The Northwood Shared Resource Center is transferred by
23 a type one transfer, as defined in s. 20.06(1), Florida
24 Statutes, from the Department of Management Services to the
25 Agency for State Technology.
26 (a) Any binding contract or interagency agreement entered
27 into between the Northwood Shared Resource Center, or an entity
28 or agent of the center, and any other agency, entity, or person
29 is binding on the Agency for State Technology for the remainder
30 of the term of such contract or agreement.
31 (b) The rules of the Northwood Shared Resource Center which
32 were in effect at 11:59 p.m. on June 30, 2012, become rules of
33 the Agency for State Technology and remain in effect until
34 amended or repealed in the manner provided by law.
35 (3) The Southwood Shared Resource Center is transferred by
36 a type one transfer, as defined in s. 20.06(1), Florida
37 Statutes, from the Department of Management Services to the
38 Agency for State Technology.
39 (a) Any binding contract or interagency agreement entered
40 into between the Southwood Shared Resource Center or an entity
41 or agent of the center and any other agency, entity, or person
42 is binding on the Agency for State Technology for the remainder
43 of the term of such contract or agreement.
44 (b) The rules of the Southwood Shared Resource Center which
45 were in effect at 11:59 p.m. on June 30, 2012, become rules of
46 the Agency for State Technology and remain in effect until
47 amended or repealed in the manner provided by law.
48 Section 3. Section 14.204, Florida Statutes, is repealed.
49 Section 4. Section 20.70, Florida Statutes, is created to
51 20.70 Agency for State Technology.—The Agency for State
52 Technology is created.
53 (1) The head of the agency shall be the Governor and
55 (2) The agency shall have an executive director who is the
56 state’s Chief Information Officer and who must:
57 (a) Have at least a bachelor’s degree in computer science,
58 information systems, business or public administration, or a
59 related field, or equivalent work experience;
60 (b) Have 10 or more years of experience working in the
61 field of information technology;
62 (c) Have 5 or more years of experience in related industry
63 managing multiple, large, cross-functional teams or projects,
64 and influencing senior-level management and key stakeholders;
65 (d) Have at least 5 years of executive-level leadership
67 (e) Have performed an integral role in enterprise-wide
68 information technology consolidations;
69 (f) Be appointed by the Governor, subject to confirmation
70 by the Cabinet and the Senate, and shall serve at the pleasure
71 of the Governor and Cabinet.
72 (3) The executive director:
73 (a) Shall be responsible for developing and administering a
74 comprehensive long-range plan for the state’s information
75 technology resources, ensuring the proper management of such
76 resources, and delivering services.
77 (b) Shall appoint a Chief Technology Officer to lead the
78 divisions of the agency dedicated to the operation and delivery
79 of enterprise information technology services.
80 (c) Shall appoint a Chief Operations Officer to lead the
81 divisions of the agency dedicated to enterprise information
82 technology policy, planning, standards, and procurement.
83 (d) Shall designate a state Chief Information Security
85 (e) May appoint all employees necessary to carry out the
86 duties and responsibilities of the agency.
87 (4) The Agency for State Technology is prohibited from
88 using, and executives of the agency are prohibited from
89 directing spending from, operational information technology
90 trust funds, as defined in 282.0041, F.S., for any purpose for
91 which the Strategic Information Technology Trust Fund was
93 (5) The following officers and divisions of the agency are
95 (a) Under the Chief Technology Officer:
96 1. Upon transfer any portion of the Technology Program from
97 the Department of Management Services to the agency, there shall
98 be a Division of Telecommunications.
99 2. The Division of Data Center Operations which includes,
100 but is not limited to, any shared resource center established or
101 operated by the agency.
102 (b) Under the Chief Operations Officer:
103 1. Strategic Planning.
104 2. Enterprise Information Technology Standards.
105 a. Enterprise Information Technology Procurement.
106 b. Information Technology Security and Compliance.
107 3. Enterprise Services Planning and Consolidation.
108 4. Enterprise Project Management.
109 (c) Under the Director of Administration:
110 1. Accounting and Budgeting.
111 2. Personnel.
112 3. Procurement and Contracts.
113 (d) Under the Office of the Executive Director:
114 1. Inspector General.
115 2. Legal.
116 3. Governmental Affairs.
117 (6) The agency shall operate in a manner that ensures the
118 participation and representation of state agencies.
119 (7) The agency shall have the following duties and
120 responsibilities. The agency shall:
121 (a) Develop and publish a long-term State Information
122 Technology Resources Strategic Plan.
123 (b) Initiate, plan, design, implement, and manage
124 enterprise information technology services.
125 (c) Beginning October 1, 2012, and every 3 months
126 thereafter, provide a status report on its initiatives. The
127 report shall be presented at a meeting of the Governor and
129 (d) Beginning September 1, 2013, and every 3 months
130 thereafter until enterprise information technology service
131 consolidations are complete, provide a status report on the
132 implementation of the consolidations that must be completed
133 during the fiscal year. The report shall be submitted to the
134 Executive Office of the Governor, the Cabinet, the President of
135 the Senate, and the Speaker of the House of Representatives. At
136 a minimum, the report must describe:
137 1. Whether the consolidation is on schedule, including
138 progress on achieving the milestones necessary for successful
139 and timely consolidation of scheduled agency data centers and
140 computing facilities; and
141 2. The risks that may affect the progress or outcome of the
142 consolidation and how such risks are being mitigated or managed.
143 (e) Set technical standards for information technology,
144 including, but not limited to, desktop computers, printers, and
145 mobile devices; review major information technology projects and
146 procurements; establish information technology security
147 standards; provide for the procurement of information technology
148 resources, excluding human resources; and deliver enterprise
149 information technology services as defined in s. 282.0041.
150 (f) Designate primary data centers and shared resource
152 (g) Operate shared resource centers in a manner that
153 promotes energy efficiency.
154 (h) Establish and deliver enterprise information technology
155 services to serve state agencies on a cost-sharing basis,
156 charging each state agency its proportionate share of the cost
157 of maintaining and delivering a service based on a state
158 agency’s use of the service.
159 (i) Use the following criteria to develop a means of
160 chargeback for primary data center services:
161 1. The customers of the primary data center shall provide
162 payments to the primary data center which are sufficient to
163 maintain the solvency of the primary data center operation for
164 the costs not directly funded through the General Appropriations
166 2. Per unit cost of usage shall be the primary basis for
167 pricing, and usage must be accurately measurable and
168 attributable to the appropriate customer.
169 3. The primary data center shall combine the aggregate
170 purchasing power of large and small customers to achieve
171 collective savings opportunities to all customers.
172 4. Chargeback methodologies shall be devised to consider
173 restrictions on grants to customers.
174 5. Chargeback methodologies should establish incentives
175 that lead to customer usage practices that result in lower costs
176 to the state.
177 6. Chargeback methodologies must consider technological
178 change when:
179 a. New services require short-term investments before
180 achieving long-term, full cost recovery for the service.
181 b. Customers of antiquated services may not be able to bear
182 the costs for the antiquated services during periods when
183 customers are migrating to replacement services.
184 7. Prices may be established which allow for accrual of
185 cash balances for the purpose of maintaining contingent
186 operating funds and funding planned capital investments. Accrual
187 of the cash balances shall be considered costs for the purposes
188 of this section.
189 8. Flat rate charges may be used only if there are
190 provisions for reconciling charges to comport with actual costs
191 and use.
192 (i) Exercise technical and fiscal prudence in determining
193 the best way to deliver enterprise information technology
195 (j) Collect and maintain an inventory of the information
196 technology resources in the state agencies.
197 (k) Assume ownership or custody and control of information
198 processing equipment, supplies, and positions required in order
199 to thoroughly carry out the agency’s duties and
201 (l) Adopt rules and policies for the efficient, secure, and
202 economical management and operation of the shared resource
203 centers and state telecommunications services.
204 (m) Provide other public sector organizations as defined in
205 s. 282.0041 with access to the services provided by the agency.
206 Access shall be provided on the same cost basis that applies to
207 state agencies.
208 (n) Ensure that data that is confidential under state or
209 federal law is not entered into or processed through any shared
210 resource center or network established under the agency until
211 the agency head and the executive director of the agency are
212 satisfied that safeguards for the data’s security have been
213 properly designed, installed, and tested and are fully
214 operational. This paragraph does not prescribe what actions
215 necessary to satisfy a state agency’s objectives are to be
216 undertaken or remove from the control and administration of the
217 state agency the responsibility for working with the agency to
218 implement safeguards, whether such control and administration
219 are specifically required by general law or administered under
220 the general program authority and responsibility of the state
221 agency. If the agency head and executive director of the agency
222 cannot reach agreement on satisfactory safeguards, the issue
223 shall be decided by the Governor and Cabinet.
224 (o) Conduct periodic assessments of state agencies for
225 compliance with statewide information technology policies and
226 recommend to the Governor and Cabinet statewide policies for
227 information technology.
228 (8) The agency may not use or direct the spending of
229 operational information technology trust funds to study and
230 develop enterprise information technology strategies, plans,
231 rules, reports, policies, proposals, budgets, or enterprise
232 information technology initiatives that are not directly related
233 to developing information technology services for which usage
234 fees reimburse the costs of the initiative. As used in this
235 subsection, the term “operational information technology trust
236 funds” means funds into which deposits are made on a fee-for
237 service basis or a trust fund dedicated to a specific
238 information technology project or system.
239 (9) The portions of the agency’s activities described in
240 subsection (8) for which usage fees do not reimburse costs of
241 the activity shall be funded at a rate of 0.55% of the total
242 identified information technology spend through
244 (10) The agency may adopt rules to carry out its duties and
246 Section 5. Section 282.0041, Florida Statutes, amended to
248 282.0041 Definitions.—As used in this chapter, the term:
(1) “Agency” has the same meaning as in s. 216.011 (1)(qq),
250 except that for purposes of this chapter, “agency” does not
251 include university boards of trustees or state universities.
252 (1) (2) “Agency for State Enterprise Information Technology”
253 or “agency” means the agency created in s. 20.70 14.204.
254 (2) (3) “Agency information technology service” means a
255 service that directly helps a state an agency fulfill its
256 statutory or constitutional responsibilities and policy
257 objectives and is usually associated with the state agency’s
258 primary or core business functions.
259 (4) “Annual budget meeting” means a meeting of the board of
260 trustees of a primary data center to review data center usage to
261 determine the apportionment of board members for the following
262 fiscal year, review rates for each service provided, and
263 determine any other required changes.
264 (3) (5) “Breach” has the same meaning as in s. 817.5681(4).
265 (4) (6) “Business continuity plan” means a plan for disaster
266 recovery which provides for the continued functioning of a
267 primary data center during and after a disaster.
268 (5) “Collocation” means the method by which a state
269 agency’s data center occupies physical space within a shared
270 resource center where physical floor space, bandwidth, power,
271 cooling, and physical security are available for an equitable
272 usage rate and minimal complexity, and allow for the sustained
273 management and oversight of the collocating agency’s information
274 technology resources as well as physical and logical database
275 administration by the collocating agency’s staff.
276 (6) (7) “Computing facility” means a state agency site space
277 containing fewer than a total of 10 physical or logical servers,
278 any of which supports a strategic or nonstrategic information
279 technology service, as described in budget instructions
280 developed pursuant to s. 216.023, but excluding
281 telecommunications and voice gateways and a clustered pair of
282 servers operating as a single logical server to provide file,
283 print, security, and endpoint management services single,
284 logical-server installations that exclusively perform a utility
285 function such as file and print servers.
286 (7) “Computing service” means an information technology
287 service that is used in all state agencies or a subset of
288 agencies and is, therefore, a candidate for being established as
289 an enterprise information technology service. Examples include
290 e-mail, service hosting, telecommunications, and disaster
292 (8) “Customer entity” means an entity that obtains services
293 from a primary data center.
294 (8) (9) “Data center” means a state agency site space
295 containing 10 or more physical or logical servers any of which
296 supports a strategic or nonstrategic information technology
297 service, as described in budget instructions developed pursuant
298 to s. 216.023.
299 (10) “Department” means the Department of Management
301 (9) (11) “Enterprise information technology service” means
302 an information technology service that is used in all state
303 agencies or a subset of state agencies and is designated by the
304 agency or established in law to be designed, delivered, and
305 managed at the enterprise level. Current enterprise information
306 technology services include data center services, e-mail, and
308 (10) (12) “E-mail, messaging, and calendaring service” means
309 the enterprise information technology service that enables users
310 to send, receive, file, store, manage, and retrieve electronic
311 messages, attachments, appointments, and addresses. The e-mail,
312 messaging, and calendaring service must include e-mail account
313 management; help desk; technical support and user provisioning
314 services; disaster recovery and backup and restore capabilities;
315 antispam and antivirus capabilities; archiving and e-discovery;
316 and remote access and mobile messaging capabilities.
317 (11) (13) “Information-system utility” means an information
318 processing a full-service information-processing facility
319 offering hardware, software, operations, integration,
320 networking, floor space, and consulting services.
321 (12) (14) “Information technology resources” means
322 equipment, hardware, software, firmware, programs, systems,
323 networks, infrastructure, media, and related material used to
324 automatically, electronically, and wirelessly collect, receive,
325 access, transmit, display, store, record, retrieve, analyze,
326 evaluate, process, classify, manipulate, manage, assimilate,
327 control, communicate, exchange, convert, converge, interface,
328 switch, or disseminate information of any kind or form, and
329 includes the human resources to perform such duties, but
330 excludes application developers and logical database
332 (13) “Local area network” means any telecommunications
333 network through which messages and data are exchanged strictly
334 within a single building or contiguous campus.
335 (14) (15) “Information technology policy” means statements
336 that describe clear choices for how information technology will
337 deliver effective and efficient government services to residents
338 and improve state agency operations. A policy may relate to
339 investments, business applications, architecture, or
340 infrastructure. A policy describes its rationale, implications
341 of compliance or noncompliance, the timeline for implementation,
342 metrics for determining compliance, and the accountable
343 structure responsible for its implementation.
344 (15) “Logical database administration” means the resources
345 required to build and maintain database structure, implement and
346 maintain role-based data access controls, and perform
347 performance optimization of data queries and includes the
348 manipulation, transformation, modification, and maintenance of
349 data within a logical database. Typical tasks include schema
350 design and modifications, user provisioning, query tuning, index
351 and statistics maintenance, and data import, export, and
353 (16) “Memorandum of understanding” means a written
354 agreement between a shared resource center or the Division of
355 Telecommunications in the agency and a state agency which
356 specifies the scope of services provided, service level,
357 duration of the agreement, responsible parties, and service
358 costs. A memorandum of understanding is not a rule pursuant to
359 chapter 120.
360 (17) “Other public sector organizations” means entities of
361 the legislative and judicial branches, the State University
362 System, the Florida Community College System, counties, and
363 municipalities. Such organizations may elect to participate in
364 the information technology programs, services, or contracts
365 offered by the Agency for State Technology, including
366 information technology procurement, in accordance with general
367 law, policies, and administrative rules.
368 (18) (16) “Performance metrics” means the measures of an
369 organization’s activities and performance.
370 (19) “Physical database administration” means the resources
371 responsible for installing, maintaining, and operating an
372 environment within which a database is hosted. Typical tasks
373 include database engine installation, configuration, and
374 security patching, as well as performing backup and restoration
375 of hosted databases, setup and maintenance of instance-based
376 data replication, and monitoring the health and performance of
377 the database environment.
378 (20) (17) “Primary data center” means a data center that is
379 a recipient entity for consolidation of state agency information
380 technology resources nonprimary data centers and computing
381 facilities and that is established by law.
382 (21) (18) “Project” means an endeavor that has a defined
383 start and end point; is undertaken to create or modify a unique
384 product, service, or result; and has specific objectives that,
385 when attained, signify completion.
386 (22) (19) “Risk analysis” means the process of identifying
387 security risks, determining their magnitude, and identifying
388 areas needing safeguards.
389 (23) (20) “Service level” means the key performance
390 indicators (KPI) of an organization or service which must be
391 regularly performed, monitored, and achieved.
392 (21) “Service-level agreement” means a written contract
393 between a data center and a customer entity which specifies the
394 scope of services provided, service level, the duration of the
395 agreement, the responsible parties, and service costs. A
396 service-level agreement is not a rule pursuant to chapter 120.
397 (24) “Shared resource center” means a primary data center
398 that has been designated and assigned specific duties under this
399 chapter or by the Agency for State Technology under s. 20.70.
400 (25) (22) “Standards” means required practices, controls,
401 components, or configurations established by an authority.
402 (26) “State agency” means any official, officer,
403 commission, board, authority, council, committee, or department
404 of the executive branch of state government. The term does not
405 include university boards of trustees or state universities.
406 (27) “State agency site” means a single, contiguous local
407 area network segment that does not traverse a metropolitan area
408 network or wide area network.
409 (28) (23) “SUNCOM Network” means the state enterprise
410 telecommunications system that provides all methods of
411 electronic or optical telecommunications beyond a single
412 building or contiguous building complex and used by entities
413 authorized as network users under this part.
414 (29) (24) “Telecommunications” means the science and
415 technology of communication at a distance, including electronic
416 systems used in the transmission or reception of information.
417 (30) (25) “Threat” means any circumstance or event that may
418 cause harm to the integrity, availability, or confidentiality of
419 information technology resources.
420 (31) (26) “Total cost” means all costs associated with
421 information technology projects or initiatives, including, but
422 not limited to, value of hardware, software, service,
423 maintenance, incremental personnel, and facilities. Total cost
424 of a loan or gift of information technology resources to a state
425 an agency includes the fair market value of the resources.
426 (32) (27) “Usage” means the billing amount charged by the
427 primary data center, less any pass-through charges, to the state
428 agency customer entity.
429 (33) (28) “Usage rate” means a state agency’s customer
430 entity’s usage or billing amount as a percentage of total usage.
431 (34) “Wide area network” means any telecommunications
432 network or components thereof through which messages and data
433 are exchanged outside of a local area network.
434 Section 6. Section 282.0055, Florida Statutes, is amended
435 to read:
436 (Substantial rewording of section. See
437 s. 282.0055, Florida Statutes, for current text.)
438 282.0055 Assignment of enterprise information technology.—
439 (1) The establishment of a systematic process for the
440 planning, design, implementation, procurement, delivery, and
441 maintenance of enterprise information technology services shall
442 be the responsibility of the Agency for State Technology for
443 executive branch agencies that are created or authorized in
444 statute to perform legislatively delegated functions. The
445 agency’s duties shall be performed in collaboration with the
446 state agencies. The supervision, design, development, delivery,
447 and maintenance of state-agency specific or unique software
448 applications shall remain within the responsibility and control
449 of the individual state agency or other public sector
451 (2) During the 2012-2013 fiscal year, the Agency for State
452 Technology shall, in collaboration with the state agencies and
453 other stakeholders, create a road map for enterprise information
454 technology service consolidation. The road map shall be
455 presented for approval by the Governor and Cabinet by August 30,
456 2013. At a minimum, the road map must include:
457 (a) An enterprise architecture that provides innovative,
458 yet pragmatic and cost-effective offering, and which
459 contemplates the consolidated delivery of services based on
460 similar business processes and functions that span across all
461 executive and cabinet agencies.
462 (b) A schedule for the consolidation of state agency data
464 (c) Cost-saving targets and timeframes for when the savings
465 will be realized.
466 (d) Recommendations, including cost estimates, for
467 improvements to the shared resource centers, which will improve
468 the agency’s ability to deliver enterprise information
469 technology services.
470 (e) A transition plan for the transfer of portions of the
471 Technology Program established under s. 20.22(2), Florida
472 Statutes, that provide an enterprise information technology
474 (3) By October 15th of each year beginning in 2013, the
475 Agency for State Technology shall develop a comprehensive
476 transition plan for scheduled consolidations occurring in the
477 next fiscal year. This plan shall be submitted to the Governor,
478 the Cabinet, the President of the Senate, and the Speaker of the
479 House of Representatives. The transition plan shall be developed
480 in consultation with other state agencies submitting state
481 agency transition plans. The comprehensive transition plan must
483 (a) Recommendations for accomplishing the proposed
484 transitions as efficiently and effectively as possible with
485 minimal disruption to state agency business processes.
486 (b) Strategies to minimize risks associated with any of the
487 proposed consolidations.
488 (c) A compilation of the state agency transition plans
489 submitted by state agencies scheduled for consolidation for the
490 following fiscal year.
491 (d) An estimate of the cost to provide enterprise
492 information technology services for each state agency scheduled
493 for consolidation.
494 (e) An analysis of the cost effects resulting from the
495 planned consolidations on existing state agencies.
496 (f) The fiscal year adjustments to budget categories in
497 order to absorb the transfer of state agency information
498 technology resources pursuant to the legislative budget request
499 instructions provided in s. 216.023.
500 (g) A description of any issues that must be resolved in
501 order to accomplish as efficiently and effectively as possible
502 all consolidations required during the fiscal year.
503 (4) State agencies have the following duties:
504 (a) For the purpose of completing its work activities, each
505 state agency shall provide to the Agency for State Technology
506 all requested information and any other information relevant to
507 the state agency’s ability to effectively transition its
508 information technology resources into the agency.
509 (b) For the purpose of completing its work activities, each
510 state agency shall temporarily assign staff to assist the agency
511 with designated tasks as negotiated between the agency and the
512 state agency.
513 (c) Each state agency identified for consolidation into an
514 enterprise information technology service offering must submit a
515 transition plan to the Agency for State Technology by September
516 1 of the fiscal year before the fiscal year in which the
517 scheduled consolidation will occur. Transition plans shall be
518 developed in consultation with the agency and must include:
519 1. An inventory of the state agency data center’s resources
520 being consolidated, including all hardware, software, staff, and
521 contracted services, and the facility resources performing data
522 center management and operations, security, backup and recovery,
523 disaster recovery, system administration, database
524 administration, system programming, mainframe maintenance, job
525 control, production control, print, storage, technical support,
526 help desk, and managed services, but excluding application
528 2. A description of the level of services needed to meet
529 the technical and operational requirements of the platforms
530 being consolidated and an estimate of the primary data center’s
531 cost for the provision of such services.
532 3. A description of expected changes to its information
533 technology needs and the timeframe when such changes will occur.
534 4. A description of the information technology resources
535 proposed to remain in the state agency.
536 5. A baseline project schedule for the completion of the
538 6. The specific recurring and nonrecurring budget
539 adjustments of budget resources by appropriation category into
540 the appropriate data processing category pursuant to the
541 legislative budget instructions in s. 216.023 necessary to
542 support state agency costs for the transfer.
543 (5)(a) Unless authorized by the Legislature or the agency
544 as provided in paragraphs (b) and (c), a state agency may not:
545 1. Create a new computing service or expand an existing
546 computing service if that service has been designated as an
547 enterprise information technology service.
548 2. Spend funds before the state agency’s scheduled
549 consolidation to an enterprise information technology service to
550 purchase or modify hardware or operations software that does not
551 comply with hardware and software standards established by the
552 Agency for State Technology.
553 3. Unless for the purpose of offsite disaster recovery
554 services, transfer existing computing services to any service
555 provider other than the Agency for State Technology.
556 4. Terminate services with the Agency for State Technology
557 without giving written notice of intent to terminate or transfer
558 services 180 days before such termination or transfer.
559 5. Initiate a new computing service with any service
560 provider other than the Agency for State Technology if that
561 service has been designated as an enterprise information
562 technology service.
563 (b) Exceptions to the limitations in subparagraphs (a)1.,
564 2., 3., and 5. may be granted by the Agency for State Technology
565 if there is insufficient capacity in the primary data centers to
566 absorb the workload associated with agency computing services,
567 expenditures are compatible with the scheduled consolidation and
568 established standards, or the equipment or resources are needed
569 to meet a critical state agency business need that cannot be
570 satisfied from surplus equipment or resources of the primary
571 data center until the state agency data center is consolidated.
572 1. A request for an exception must be submitted in writing
573 to the Agency for State Technology. The agency must accept,
574 accept with conditions, or deny the request within 60 days after
575 receipt of the written request. The agency’s decision is not
576 subject to chapter 120.
577 2. The Agency for State Technology may not approve a
578 request unless it includes, at a minimum:
579 a. A detailed description of the capacity requirements of
580 the state agency requesting the exception.
581 b. Documentation from the state agency head demonstrating
582 why it is critical to the state agency’s mission that the
583 expansion or transfer must be completed within the fiscal year
584 rather than when capacity is established at a primary data
586 3. Exceptions to subparagraph (a)4. may be granted by the
587 Agency for State Technology if the termination or transfer of
588 services can be absorbed within the current cost-allocation
590 Section 7. Section 282.0056, Florida Statutes, is amended
591 to read:
592 282.0056 Strategic plan, development of work plan, and ;
593 development of implementation plans; and policy
595 (1) In order to provide a systematic process for meeting
596 the state’s technology needs, the executive director of the
597 Agency for State Technology shall develop a biennial state
598 Information Technology Resources Strategic Plan. The Governor
599 and Cabinet shall approve the plan before transmitting it to the
600 Legislature, biennially, starting October 1, 2013. The plan must
601 include the following elements:
602 (a) The vision, goals, initiatives, and targets for state
603 information technology for the short term of 2 years, midterm of
604 3 to 5 years, and long term of more than 5 years.
605 (b) An inventory of the information technology resources in
606 state agencies and major projects currently in progress and
607 planned. This does not imply that the agency has approval
608 authority over major projects. As used in this section, the term
609 “major project” means projects that cost more than $1 million to
611 (c) An analysis of opportunities for statewide initiatives
612 that would yield efficiencies, cost savings, or avoidance or
613 improve effectiveness in state programs. The analysis must
615 1. Information technology services that should be designed,
616 delivered, and managed as enterprise information technology
618 2. Techniques for consolidating the purchase of information
619 technology commodities and services that may result in savings
620 for the state and for establishing a process to achieve savings
621 through consolidated purchases.
622 3. A cost-benefit analysis of options, such as
623 privatization, outsourcing, or insourcing, to reduce costs or
624 improve services to agencies and taxpayers.
625 (d) Recommended initiatives based on the analysis in
626 paragraph (c).
627 (e) Implementation plans for enterprise information
628 technology services designated by the agency. The implementation
629 plans must describe the scope of service, requirements analyses,
630 costs and savings projects, and a project schedule for statewide
632 (2) Each state agency shall, biennially, provide to the
633 agency the inventory required under paragraph (1)(b). The agency
634 shall consult with and assist state agencies in the preparation
635 of these inventories. Each state agency shall submit its
636 inventory to the agency biennially, starting January 1, 2013.
637 (3) For the purpose of completing its work activities, each
638 state agency shall provide to the agency all requested
639 information, including, but not limited to, the state agency’s
640 costs, service requirements, staffing, and equipment
642 (4) (1) For the purpose of ensuring accountability for the
643 duties and responsibilities of the executive director and the
644 agency under ss. 20.70 and 282.0055, the executive director For
645 the purposes of carrying out its responsibilities under s.
646 282.0055 , the Agency for Enterprise Information Technology shall
647 develop an annual work plan within 60 days after the beginning
648 of the fiscal year describing the activities that the agency
649 intends to undertake for that year and identify the critical
650 success factors, risks, and issues associated with the work
651 planned. The work plan must also include planned including
652 proposed outcomes and completion timeframes for the planning and
653 implementation of all enterprise information technology
654 services. The work plan must align with the state Information
655 Technology Resources Strategic Plan, be presented at a public
656 hearing, and be approved by the Governor and Cabinet; , and,
657 thereafter, be submitted to the President of the Senate and the
658 Speaker of the House of Representatives. The work plan may be
659 amended as needed, subject to approval by the Governor and
661 (2) The agency may develop and submit to the President of
662 the Senate, the Speaker of the House of Representatives, and the
663 Governor by October 1 of each year implementation plans for
664 proposed enterprise information technology services to be
665 established in law.
666 (3) In developing policy recommendations and implementation
667 plans for established and proposed enterprise information
668 technology services, the agency shall describe the scope of
669 operation, conduct costs and requirements analyses, conduct an
670 inventory of all existing information technology resources that
671 are associated with each service, and develop strategies and
672 timeframes for statewide migration.
673 (4) For the purpose of completing its work activities, each
674 state agency shall provide to the agency all requested
675 information, including, but not limited to, the state agency’s
676 costs, service requirements, and equipment inventories.
677 (5) For the purpose of ensuring accountability for the
678 duties and responsibilities of the executive director and the
679 agency under ss. 20.70 and 282.0055, within 60 days after the
680 end of each fiscal year, the executive director agency shall
681 report to the Governor and Cabinet, the President of the Senate,
682 and the Speaker of the House of Representatives on what was
683 achieved or not achieved in the prior year’s work plan.
684 Section 8. Section 282.201, Florida Statutes, is amended to
686 (Substantial rewording of section. See
687 s. 282.201, Florida Statutes, for current text.)
688 282.201 State data center system; agency duties and
689 limitations.—A state data center system that includes all
690 primary data centers, other nonprimary data centers, and
691 computing facilities, and that provides an enterprise
692 information technology service, is established.
693 (1) INTENT.—The Legislature finds that the most efficient
694 and effective means of providing quality utility data processing
695 services to state agencies requires that computing resources be
696 concentrated in quality facilities that provide the proper
697 security, infrastructure, and staff resources to ensure that the
698 state’s data is maintained reliably and safely and is
699 recoverable in the event of a disaster. Efficiencies resulting
700 from such consolidation include the increased ability to
701 leverage technological expertise and hardware and software
702 capabilities; increased savings through consolidated purchasing
703 decisions; and the enhanced ability to deploy technology
704 improvements and implement new policies consistently throughout
705 the consolidated organization.
706 (2) AGENCY FOR STATE TECHNOLOGY DUTIES.—
707 (a) The agency shall by October 1, 2013, provide to the
708 Governor and Cabinet, recommendations for approving, confirming
709 and removing primary data center designation. The
710 recommendations shall consider the recommendations from the Law
711 Enforcement Consolidations Task Force. Upon approval of the
712 Governor and Cabinet of primary data center designations,
713 existing primary data center designations are repealed by
714 operation of law, and therefore, obsolete.
715 (b) Establish a schedule for the consolidation of state
716 agency data centers or a transition plan for outsourcing data
717 center services, subject to review by the Governor and Cabinet.
718 The schedule or transition plan must be provided by October 1,
719 2013, and be updated annually until the completion of
720 consolidation. The schedule must be based on the goals of
721 maximizing the efficiency and quality of service delivery and
722 cost savings.
723 (3) STATE AGENCY DUTIES.—
724 (a) Any state agency that is consolidating agency data
725 centers into a primary data center must execute a new or update
726 an existing memorandum of understanding or service level
727 agreement within 60 days after the specified consolidation date,
728 as required by s. 282.203, in order to specify the services and
729 levels of service it is to receive from the primary data center
730 as a result of the consolidation. If a state agency is unable to
731 execute a memorandum of understanding by that date, the state
732 agency shall submit a report to the Executive Office of the
733 Governor, the Cabinet, the President of the Senate, and the
734 Speaker of the House of Representatives within 5 working days
735 after that date which explains the specific issues preventing
736 execution and describes its plan and schedule for resolving
737 those issues.
738 (b) On the date of each consolidation specified in general
739 law or the General Appropriations Act, each state agency shall
740 retain the least-privileged administrative access rights
741 necessary to perform the duties not assigned to the primary data
743 (4) SCHEDULE FOR CONSOLIDATIONS OF STATE AGENCY DATA
744 CENTERS.—Consolidations of state agency data centers are
745 suspended for the 2012-2013 fiscal year. Consolidations shall
746 resume during the 2013-2014 fiscal year based upon a revised
747 schedule developed by the agency. The revised schedule shall
748 consider the recommendations from the Law Enforcement
749 Consolidation Task Force. State agency data centers and
750 computing facilities shall be consolidated into the agency by
751 June 30, 2018.
752 Section 9. Section 282.203, Florida Statutes, is amended to
754 (Substantial rewording of section. See
755 s. 282.203, Florida Statutes, for current text.)
756 282.203 Primary data centers; duties.—
757 (1) Each primary data center shall:
758 (a) Serve participating state agencies as an information
759 system utility.
760 (b) Cooperate with participating state agencies to offer,
761 develop, and support the services and applications.
762 (c) Provide transparent financial statements to
763 participating state agencies.
764 (d) Assume the least-privileged administrative access
765 rights necessary to perform the services provided by the data
766 center for the software and equipment that is consolidated into
767 a primary data center.
768 (2) Each primary data center shall enter into a memorandum
769 of understanding with each participating state agency to provide
770 services. A memorandum of understanding may not have a term
771 exceeding 3 years but may include an option to renew for up to 3
772 years. Failure to execute a memorandum within 60 days after
773 service commencement shall, in the case of a participating state
774 agency, result in the continuation of the terms of the
775 memorandum of understanding from the previous fiscal year,
776 including any amendments that were formally proposed to the
777 state agency by the primary data center within the 3 months
778 before service commencement, and a revised cost-of-service
779 estimate. If a participating state agency fails to execute a
780 memorandum of understanding within 60 days after service
781 commencement, the data center may cease providing services.
782 Section 10. Section 282.204, Florida Statutes, is repealed.
783 Section 11. Section 282.205, Florida Statutes, is repealed.
784 Section 12. Section 282.33, Florida Statutes, is repealed.
785 Section 13. Section 282.34, Florida Statutes, is amended to
787 282.34 Statewide e-mail service.—A statewide e-mail service
788 that includes the delivery and support of e-mail, messaging, and
789 calendaring capabilities is established as an enterprise
790 information technology service as defined in s. 282.0041. The
791 service shall be provisioned designed to meet the needs of all
792 executive branch agencies and may also be used by other public
793 sector nonstate agency entities. The primary goals of the
794 service are to provide a reliable collaborative communication
795 service to state agencies; minimize the state investment
796 required to establish, operate, and support the statewide
797 service; reduce the cost of current e-mail operations and the
798 number of duplicative e-mail systems; and eliminate the need for
799 each state agency to maintain its own e-mail staff.
800 (1) Except as specified in subsection (2), all state
801 agencies shall receive their primary email services exclusively
802 through the Agency for State Technology. The Southwood Shared
803 Resource Center, a primary data center, shall be the provider of
804 the statewide e-mail service for all state agencies. The center
805 shall centrally host, manage, operate, and support the service,
806 or outsource the hosting, management, operational, or support
807 components of the service in order to achieve the primary goals
808 identified in this section.
809 (2) The Department of Legal Affairs shall work with the
810 agency to develop a plan to migrate to the enterprise email
811 service. The plan shall identify the time frame for migration,
812 the associated costs, and the risks. The plan shall be presented
813 to the Governor and Cabinet by December 1, 2014. The Agency for
814 Enterprise Information Technology, in cooperation and
815 consultation with all state agencies, shall prepare and submit
816 for approval by the Legislative Budget Commission at a meeting
817 scheduled before June 30, 2011, a proposed plan for the
818 migration of all state agencies to the statewide e-mail service.
819 The plan for migration must include:
820 (a) A cost-benefit analysis that compares the total
821 recurring and nonrecurring operating costs of the current agency
822 e-mail systems, including monthly mailbox costs, staffing,
823 licensing and maintenance costs, hardware, and other related e
824 mail product and service costs to the costs associated with the
825 proposed statewide e-mail service. The analysis must also
827 1. A comparison of the estimated total 7-year life-cycle
828 cost of the current agency e-mail systems versus the feasibility
829 of funding the migration and operation of the statewide e-mail
831 2. An estimate of recurring costs associated with the
832 energy consumption of current agency e-mail equipment, and the
833 basis for the estimate.
834 3. An identification of the overall cost savings resulting
835 from state agencies migrating to the statewide e-mail service
836 and decommissioning their agency e-mail systems.
837 (b) A proposed migration date for all state agencies to be
838 migrated to the statewide e-mail service. The Agency for
839 Enterprise Information Technology shall work with the Executive
840 Office of the Governor to develop the schedule for migrating all
841 state agencies to the statewide e-mail service except for the
842 Department of Legal Affairs. The Department of Legal Affairs
843 shall provide to the Agency for Enterprise Information
844 Technology by June 1, 2011, a proposed migration date based upon
845 its decision to participate in the statewide e-mail service and
846 the identification of any issues that require resolution in
847 order to migrate to the statewide e-mail service.
848 (c) A budget amendment, submitted pursuant to chapter 216,
849 for adjustments to each agency’s approved operating budget
850 necessary to transfer sufficient budget resources into the
851 appropriate data processing category to support its statewide e
852 mail service costs.
853 (d) A budget amendment, submitted pursuant to chapter 216,
854 for adjustments to the Southwood Shared Resource Center approved
855 operating budget to include adjustments in the number of
856 authorized positions, salary budget and associated rate,
857 necessary to implement the statewide e-mail service.
858 (3) Contingent upon approval by the Legislative Budget
859 Commission, the Southwood Shared Resource Center may contract
860 for the provision of a statewide e-mail service. Executive
861 branch agencies must be completely migrated to the statewide e
862 mail service based upon the migration date included in the
863 proposed plan approved by the Legislative Budget Commission.
864 (4) Notwithstanding chapter 216, general revenue funds may
865 be increased or decreased for each agency provided the net
866 change to general revenue in total for all agencies is zero or
868 (5) Subsequent to the approval of the consolidated budget
869 amendment to reflect budget adjustments necessary to migrate to
870 the statewide e-mail service, an agency may make adjustments
871 subject to s. 216.177 , notwithstanding provisions in chapter 216
872 which may require such adjustments to be approved by the
873 Legislative Budget Commission.
874 (6) No agency may initiate a new e-mail service or execute
875 a new e-mail contract or amend a current e-mail contract, other
876 than with the Southwood Shared Resource Center, for nonessential
877 products or services unless the Legislative Budget Commission
878 denies approval for the Southwood Shared Resource Center to
879 enter into a contract for the statewide e-mail service.
880 (7) The Agency for Enterprise Information Technology shall
881 work with the Southwood Shared Resource Center to develop an
882 implementation plan that identifies and describes the detailed
883 processes and timelines for an agency’s migration to the
884 statewide e-mail service based on the migration date approved by
885 the Legislative Budget Commission. The agency may establish and
886 coordinate workgroups consisting of agency e-mail management,
887 information technology, budget, and administrative staff to
888 assist the agency in the development of the plan.
889 (8) Each executive branch agency shall provide all
890 information necessary to develop the implementation plan,
891 including, but not limited to, required mailbox features and the
892 number of mailboxes that will require migration services. Each
893 agency must also identify any known business, operational, or
894 technical plans, limitations, or constraints that should be
895 considered when developing the plan.
896 Section 14. Section 282.702, Florida Statutes, is amended
897 to read:
898 282.702 Powers and duties.—The Department of Management
899 Services shall have the following powers, duties, and functions:
900 (1) To publish electronically the portfolio of services
901 available from the department, including pricing information;
902 the policies and procedures governing usage of available
903 services; and a forecast of the department’s priorities for each
904 telecommunications service.
905 (2) To adopt technical standards by rule for the state
906 telecommunications network which ensure the interconnection and
907 operational security of computer networks, telecommunications,
908 and information systems of agencies.
909 (3) To enter into agreements related to information
910 technology and telecommunications services with state agencies
911 and political subdivisions of the state.
912 (4) To purchase from or contract with information
913 technology providers for information technology, including
914 private line services.
915 (5) To apply for, receive, and hold authorizations,
916 patents, copyrights, trademarks, service marks, licenses, and
917 allocations or channels and frequencies to carry out the
918 purposes of this part.
919 (6) To purchase, lease, or otherwise acquire and to hold,
920 sell, transfer, license, or otherwise dispose of real, personal,
921 and intellectual property, including, but not limited to,
922 patents, trademarks, copyrights, and service marks.
923 (7) To cooperate with any federal, state, or local
924 emergency management agency in providing for emergency
925 telecommunications services.
926 (8) To control and approve the purchase, lease, or
927 acquisition and the use of telecommunications services,
928 software, circuits, and equipment provided as part of any other
929 total telecommunications system to be used by the state or its
931 (9) To adopt rules pursuant to ss. 120.536(1) and 120.54
932 relating to telecommunications and to administer the provisions
933 of this part.
934 (10) To apply for and accept federal funds for the purposes
935 of this part as well as gifts and donations from individuals,
936 foundations, and private organizations.
937 (11) To monitor issues relating to telecommunications
938 facilities and services before the Florida Public Service
939 Commission and the Federal Communications Commission and, if
940 necessary, prepare position papers, prepare testimony, appear as
941 a witness, and retain witnesses on behalf of state agencies in
942 proceedings before the commissions.
943 (12) Unless delegated to the state agencies by the
944 department, to manage and control, but not intercept or
945 interpret, telecommunications within the SUNCOM Network by:
946 (a) Establishing technical standards to physically
947 interface with the SUNCOM Network.
948 (b) Specifying how telecommunications are transmitted
949 within the SUNCOM Network.
950 (c) Controlling the routing of telecommunications within
951 the SUNCOM Network.
952 (d) Establishing standards, policies, and procedures for
953 access to and the security of the SUNCOM Network.
954 (e) Ensuring orderly and reliable telecommunications
955 services in accordance with the service level agreements
956 executed with state agencies.
957 (13) To plan, design, and conduct experiments for
958 telecommunications services, equipment, and technologies, and to
959 implement enhancements in the state telecommunications network
960 if in the public interest and cost-effective. Funding for such
961 experiments must be derived from SUNCOM Network service revenues
962 and may not exceed 2 percent of the annual budget for the SUNCOM
963 Network for any fiscal year or as provided in the General
964 Appropriations Act. New services offered as a result of this
965 subsection may not affect existing rates for facilities or
967 (14) To enter into contracts or agreements, with or without
968 competitive bidding or procurement, to make available, on a
969 fair, reasonable, and nondiscriminatory basis, property and
970 other structures under departmental control for the placement of
971 new facilities by any wireless provider of mobile service as
972 defined in 47 U.S.C. s. 153(27) or s. 332(d) and any
973 telecommunications company as defined in s. 364.02 if it is
974 practical and feasible to make such property or other structures
975 available. The department may, without adopting a rule, charge a
976 just, reasonable, and nondiscriminatory fee for the placement of
977 the facilities, payable annually, based on the fair market value
978 of space used by comparable telecommunications facilities in the
979 state. The department and a wireless provider or
980 telecommunications company may negotiate the reduction or
981 elimination of a fee in consideration of services provided to
982 the department by the wireless provider or telecommunications
983 company. All such fees collected by the department shall be
984 deposited directly into the Law Enforcement Radio Operating
985 Trust Fund, and may be used by the department to construct,
986 maintain, or support the system.
987 (15) Establish policies that ensure that the department’s
988 cost-recovery methodologies, billings, receivables,
989 expenditures, budgeting, and accounting data are captured and
990 reported timely, consistently, accurately, and transparently and
991 are in compliance with all applicable federal and state laws and
992 rules. The department shall annually submit to the Governor, the
993 President of the Senate, and the Speaker of the House of
994 Representatives a report that describes each service and its
995 cost, the billing methodology for recovering the cost of the
996 service, and, if applicable, the identity of those services that
997 are subsidized.
998 (16) Develop a plan for statewide voice-over-Internet
999 protocol services. The plan shall include cost estimates and the
1000 estimated return on investment. The plan shall be submitted to
1001 the Governor, the Cabinet, the President of the Senate, and the
1002 Speaker of the House of Representatives by June 30, 2013.
1003 (17) The department shall produce a feasibility analysis by
1004 January 1, 2013, of the options for procuring end-to-end network
1005 services, including services provided by the statewide area
1006 network, metropolitan area networks, and local area networks,
1007 which may be provided by each state agency. The scope of this
1008 service does not include wiring or file and print server
1009 infrastructure. The feasibility analysis must determine the
1010 technical and economic feasibility of using existing resources
1011 and infrastructure that are owned or used by state entities in
1012 the provision or receipt of network services in order to reduce
1013 the cost of network services for the state. At a minimum, the
1014 feasibility analysis must include:
1015 (a) A definition and assessment of the current portfolio of
1016 services, the network services that are provided by each state
1017 agency, and a forecast of anticipated changes in network service
1018 needs which considers specific state agency business needs and
1019 the implementation of enterprise services established under this
1021 (b) A description of any limitations or enhancements in the
1022 network, including any technical or logistical challenges
1023 relating to the central provisioning of local area network
1024 services currently provided and supported by each state agency.
1025 The analysis must also address changes in usage patterns which
1026 can reasonably be expected due to the consolidation of state
1027 agency data centers or the specific business needs of state
1028 agencies and other service customers.
1029 (c) An analysis and comparison of the risks associated with
1030 the current service delivery models and at least two other
1031 options that leverage the existing resources and infrastructure
1032 identified in this subsection. Options may include multi-vendor
1033 and segmented contracting options. All sourcing options must
1034 produce a service that can be used by schools and other
1035 qualified entities that seek federal grants provided through the
1036 Universal Service Fund Program.
1037 (d) A cost-benefit analysis that estimates all major cost
1038 elements associated with each sourcing option, focusing on the
1039 nonrecurring and recurring life-cycle costs of the proposal in
1040 order to determine the financial feasibility of each sourcing
1041 option. The cost-benefit analysis must include:
1042 1. The total recurring operating costs of the proposed
1043 state network service including estimates of monthly charges,
1044 staffing, billing, licenses and maintenance, hardware, and other
1045 related costs.
1046 2. An estimate of nonrecurring costs associated with
1047 construction, transmission lines, premises and switching
1048 hardware purchase and installation, and required software based
1049 on the proposed solution.
1050 3. An estimate of other critical costs associated with the
1051 current and proposed sourcing options for the state network.
1052 (e) Recommendations for reducing current costs associated
1053 with statewide network services. The department shall consider
1054 the following in developing the recommendations:
1055 1. Leveraging existing resources and expertise.
1056 2. Standardizing service-level agreements to customer
1057 entities in order to maximize capacity and availability.
1058 (f) A detailed timeline for the complete procurement and
1059 transition to a more efficient and cost-effective solution.
1060 Section 15. Paragraph (e) of subsection (2) of section
1061 110.205, Florida Statutes, is amended to read:
1062 110.205 Career service; exemptions.—
1063 (2) EXEMPT POSITIONS.—The exempt positions that are not
1064 covered by this part include the following:
1065 (e) The executive director of Chief Information Officer in
1066 the Agency for State Enterprise Information Technology. Unless
1067 otherwise fixed by law, the Governor and Cabinet Agency for
1068 Enterprise Information Technology shall set the salary and
1069 benefits of this position in accordance with the rules of the
1070 Senior Management Service.
1071 Section 16. Subsections (2) and (9) of section 215.322,
1072 Florida Statutes, are amended to read:
1073 215.322 Acceptance of credit cards, charge cards, debit
1074 cards, or electronic funds transfers by state agencies, units of
1075 local government, and the judicial branch.—
1076 (2) A state agency as defined in s. 216.011, or the
1077 judicial branch, may accept credit cards, charge cards, debit
1078 cards, or electronic funds transfers in payment for goods and
1079 services with the prior approval of the Chief Financial Officer.
1080 If the Internet or other related electronic methods are to be
1081 used as the collection medium, the Agency for State Enterprise
1082 Information Technology shall review and recommend to the Chief
1083 Financial Officer whether to approve the request with regard to
1084 the process or procedure to be used.
1085 (9) For payment programs in which credit cards, charge
1086 cards, or debit cards are accepted by state agencies, the
1087 judicial branch, or units of local government, the Chief
1088 Financial Officer, in consultation with the Agency for State
1089 Enterprise Information Technology, may adopt rules to establish
1090 uniform security safeguards for cardholder data and to ensure
1091 compliance with the Payment Card Industry Data Security
1093 Section 17. Subsections (3), (4), (5), and (6) of section
1094 282.318, Florida Statutes, are amended to read:
1095 282.318 Enterprise security of data and information
1097 (3) The Agency for State Enterprise Information Technology
1098 is responsible for establishing rules and publishing guidelines
1099 for ensuring an appropriate level of security for all data and
1100 information technology resources for executive branch agencies.
1101 The agency shall also perform the following duties and
1103 (a) Develop, and annually update by February 1, an
1104 enterprise information security strategic plan that includes
1105 security goals and objectives for the strategic issues of
1106 information security policy, risk management, training, incident
1107 management, and survivability planning.
1108 (b) Develop enterprise security rules and published
1109 guidelines for:
1110 1. Comprehensive risk analyses and information security
1111 audits conducted by state agencies.
1112 2. Responding to suspected or confirmed information
1113 security incidents, including suspected or confirmed breaches of
1114 personal information or exempt data.
1115 3. Agency security plans, including strategic security
1116 plans and security program plans.
1117 4. The recovery of information technology and data
1118 following a disaster.
1119 5. The managerial, operational, and technical safeguards
1120 for protecting state government data and information technology
1122 (c) Assist agencies in complying with the provisions of
1123 this section.
1124 (d) Pursue appropriate funding for the purpose of enhancing
1125 domestic security.
1126 (e) Provide training for agency information security
1128 (f) Annually review the strategic and operational
1129 information security plans of executive branch agencies.
1130 (4) To assist the Agency for State Enterprise Information
1131 Technology in carrying out its responsibilities, each state
1132 agency head shall, at a minimum:
1133 (a) Designate an information security manager to administer
1134 the security program of the state agency for its data and
1135 information technology resources. This designation must be
1136 provided annually in writing to the Agency for State Enterprise
1137 Information Technology by January 1.
1138 (b) Annually submit to the Agency for State Enterprise
1139 Information Technology annually by July 31, the state agency’s
1140 comprehensive strategic and operational information security
1141 plans developed pursuant to the rules and guidelines established
1142 by the Agency for State Enterprise Information Technology.
1143 1. The state agency comprehensive strategic information
1144 security plan must cover a 3-year period and define security
1145 goals, intermediate objectives, and projected agency costs for
1146 the strategic issues of agency information security policy, risk
1147 management, security training, security incident response, and
1148 survivability. The plan must be based on the enterprise
1149 strategic information security plan created by the Agency for
1150 State Enterprise Information Technology. Additional issues may
1151 be included.
1152 2. The state agency operational information security plan
1153 must include a progress report for the prior operational
1154 information security plan and a project plan that includes
1155 activities, timelines, and deliverables for security objectives
1156 that, subject to current resources, the state agency will
1157 implement during the current fiscal year. The cost of
1158 implementing the portions of the plan which cannot be funded
1159 from current resources must be identified in the plan.
1160 (c) Conduct, and update every 3 years, a comprehensive risk
1161 analysis to determine the security threats to the data,
1162 information, and information technology resources of the state
1163 agency. The risk analysis information is confidential and exempt
1164 from the provisions of s. 119.07(1), except that such
1165 information shall be available to the Auditor General and the
1166 Agency for State Enterprise Information Technology for
1167 performing postauditing duties.
1168 (d) Develop, and periodically update, written internal
1169 policies and procedures that , which include procedures for
1170 notifying the Agency for State Enterprise Information Technology
1171 when a suspected or confirmed breach, or an information security
1172 incident, occurs. Such policies and procedures must be
1173 consistent with the rules and guidelines established by the
1174 Agency for State Enterprise Information Technology to ensure the
1175 security of the data, information, and information technology
1176 resources of the state agency. The internal policies and
1177 procedures that, if disclosed, could facilitate the unauthorized
1178 modification, disclosure, or destruction of data or information
1179 technology resources are confidential information and exempt
1180 from s. 119.07(1), except that such information shall be
1181 available to the Auditor General and the Agency for State
1182 Enterprise Information Technology for performing postauditing
1184 (e) Implement appropriate cost-effective safeguards to
1185 address identified risks to the data, information, and
1186 information technology resources of the state agency.
1187 (f) Ensure that periodic internal audits and evaluations of
1188 the state agency’s security program for the data, information,
1189 and information technology resources of the state agency are
1190 conducted. The results of such audits and evaluations are
1191 confidential information and exempt from s. 119.07(1), except
1192 that such information shall be available to the Auditor General
1193 and the Agency for State Enterprise Information Technology for
1194 performing postauditing duties.
1195 (g) Include appropriate security requirements in the
1196 written specifications for the solicitation of information
1197 technology and information technology resources and services ,
1198 which are consistent with the rules and guidelines established
1199 by the Agency for State Enterprise Information Technology.
1200 (h) Provide security awareness training to employees and
1201 users of the state agency’s communication and information
1202 resources concerning information security risks and the
1203 responsibility of employees and users to comply with policies,
1204 standards, guidelines, and operating procedures adopted by the
1205 state agency to reduce those risks.
1206 (i) Develop a process for detecting, reporting, and
1207 responding to suspected or confirmed security incidents,
1208 including suspected or confirmed breaches consistent with the
1209 security rules and guidelines established by the Agency for
1210 State Enterprise Information Technology.
1211 1. Suspected or confirmed information security incidents
1212 and breaches must be immediately reported to the Agency for
1213 State Enterprise Information Technology.
1214 2. For incidents involving breaches, agencies shall provide
1215 notice in accordance with s. 817.5681 and to the Agency for
1216 State Enterprise Information Technology in accordance with this
1218 (5) Each state agency shall include appropriate security
1219 requirements in the specifications for the solicitation of
1220 contracts for procuring information technology or information
1221 technology resources or services which are consistent with the
1222 rules and guidelines established by the Agency for State
1223 Enterprise Information Technology.
1224 (6) The Agency for State Enterprise Information Technology
1225 may adopt rules relating to information security and to
1226 administer the provisions of this section.
1227 Section 18. Subsection (14) of section 287.012, Florida
1228 Statutes, is amended to read:
1229 287.012 Definitions.—As used in this part, the term:
1230 (14) “Information technology” means, but is not limited to,
1231 equipment, hardware, software, mainframe maintenance, firmware,
1232 programs, systems, networks, infrastructure, media, and related
1233 material used to automatically, electronically, and wirelessly
1234 collect, receive, access, transmit, display, store, record,
1235 retrieve, analyze, evaluate, process, classify, manipulate,
1236 manage, assimilate, control, communicate, exchange, convert,
1237 converge, interface, switch, or disseminate information of any
1238 kind or form has the meaning ascribed in s. 282.0041.
1239 Section 19. Subsection (22) of section 287.057, Florida
1240 Statutes, is amended to read:
1241 287.057 Procurement of commodities or contractual
1243 (22) The department, in consultation with the Agency for
1244 State Enterprise Information Technology and the Chief Financial
1245 Officer Comptroller, shall develop a program for online
1246 procurement of commodities and contractual services. To enable
1247 the state to promote open competition and to leverage its buying
1248 power, agencies shall participate in the online procurement
1249 program, and eligible users may participate in the program. Only
1250 vendors prequalified as meeting mandatory requirements and
1251 qualifications criteria may participate in online procurement.
1252 (a) The department, in consultation with the agency, may
1253 contract for equipment and services necessary to develop and
1254 implement online procurement.
1255 (b) The department, in consultation with the agency, shall
1256 adopt rules, pursuant to ss. 120.536(1) and 120.54, to
1257 administer the program for online procurement. The rules shall
1258 include, but not be limited to:
1259 1. Determining the requirements and qualification criteria
1260 for prequalifying vendors.
1261 2. Establishing the procedures for conducting online
1263 3. Establishing the criteria for eligible commodities and
1264 contractual services.
1265 4. Establishing the procedures for providing access to
1266 online procurement.
1267 5. Determining the criteria warranting any exceptions to
1268 participation in the online procurement program.
1269 (c) The department may impose and shall collect all fees
1270 for the use of the online procurement systems.
1271 1. The fees may be imposed on an individual transaction
1272 basis or as a fixed percentage of the cost savings generated. At
1273 a minimum, the fees must be set in an amount sufficient to cover
1274 the projected costs of the services, including administrative
1275 and project service costs in accordance with the policies of the
1277 2. If the department contracts with a provider for online
1278 procurement, the department, pursuant to appropriation, shall
1279 compensate the provider from the fees after the department has
1280 satisfied all ongoing costs. The provider shall report
1281 transaction data to the department each month so that the
1282 department may determine the amount due and payable to the
1283 department from each vendor.
1284 3. All fees that are due and payable to the state on a
1285 transactional basis or as a fixed percentage of the cost savings
1286 generated are subject to s. 215.31 and must be remitted within
1287 40 days after receipt of payment for which the fees are due. For
1288 fees that are not remitted within 40 days, the vendor shall pay
1289 interest at the rate established under s. 55.03(1) on the unpaid
1290 balance from the expiration of the 40-day period until the fees
1291 are remitted.
1292 4. All fees and surcharges collected under this paragraph
1293 shall be deposited in the Operating Trust Fund as provided by
1295 Section 20. Subsection (4) of section 445.011, Florida
1296 Statutes, is amended to read:
1297 445.011 Workforce information systems.—
1298 (4) Workforce Florida, Inc., shall coordinate development
1299 and implementation of workforce information systems with the
1300 executive director of the Agency for State Enterprise
1301 Information Technology to ensure compatibility with the state’s
1302 information system strategy and enterprise architecture.
1303 Section 21. Subsection (2) and paragraphs (a) and (b) of
1304 subsection (4) of section 445.045, Florida Statutes, are amended
1305 to read:
1306 445.045 Development of an Internet-based system for
1307 information technology industry promotion and workforce
1309 (2) Workforce Florida, Inc., shall coordinate with the
1310 Agency for State Enterprise Information Technology and the
1311 Department of Economic Opportunity to ensure links, where
1312 feasible and appropriate, to existing job information websites
1313 maintained by the state and state agencies and to ensure that
1314 information technology positions offered by the state and state
1315 agencies are posted on the information technology website.
1316 (4)(a) Workforce Florida, Inc., shall coordinate
1317 development and maintenance of the website under this section
1318 with the executive director of the Agency for State Enterprise
1319 Information Technology to ensure compatibility with the state’s
1320 information system strategy and enterprise architecture.
1321 (b) Workforce Florida, Inc., may enter into an agreement
1322 with the Agency for State Enterprise Information Technology, the
1323 Department of Economic Opportunity, or any other public agency
1324 with the requisite information technology expertise for the
1325 provision of design, operating, or other technological services
1326 necessary to develop and maintain the website.
1327 Section 22. Paragraph (b) of subsection (18) of section
1328 668.50, Florida Statutes, is amended to read:
1329 668.50 Uniform Electronic Transaction Act.—
1330 (18) ACCEPTANCE AND DISTRIBUTION OF ELECTRONIC RECORDS BY
1331 GOVERNMENTAL AGENCIES.—
1332 (b) To the extent that a governmental agency uses
1333 electronic records and electronic signatures under paragraph
1334 (a), the Agency for State Enterprise Information Technology, in
1335 consultation with the governmental agency, giving due
1336 consideration to security, may specify:
1337 1. The manner and format in which the electronic records
1338 must be created, generated, sent, communicated, received, and
1339 stored and the systems established for those purposes.
1340 2. If electronic records must be signed by electronic
1341 means, the type of electronic signature required, the manner and
1342 format in which the electronic signature must be affixed to the
1343 electronic record, and the identity of, or criteria that must be
1344 met by, any third party used by a person filing a document to
1345 facilitate the process.
1346 3. Control processes and procedures as appropriate to
1347 ensure adequate preservation, disposition, integrity, security,
1348 confidentiality, and auditability of electronic records.
1349 4. Any other required attributes for electronic records
1350 which are specified for corresponding nonelectronic records or
1351 reasonably necessary under the circumstances.
1352 Section 23. This act shall take effect July 1, 2012.
1355 ================= T I T L E A M E N D M E N T ================
1356 And the title is amended as follows:
1357 Delete everything before the enacting clause
1358 and insert:
1359 A bill to be entitled
1360 An act relating to state technology; abolishing the
1361 Agency for Enterprise Information Technology;
1362 transferring the personnel, functions, and funds of
1363 the Agency for Enterprise Information Technology to
1364 the Agency for State Technology; transferring
1365 specified personnel, functions, and funds relating to
1366 technology programs from the Department of Management
1367 Services to the Agency for State Technology;
1368 transferring the Northwood Shared Resource Center and
1369 the Southwood Shared Resource Center to the agency;
1370 repealing s. 14.204, F.S., relating to the Agency for
1371 Enterprise Information Technology; creating s. 20.70,
1372 F.S.; creating the Agency for State Technology;
1373 providing for an executive director who shall be the
1374 state’s Chief Information Officer; providing for
1375 organization of the agency; providing duties and
1376 responsibilities of the agency and of the executive
1377 director; requiring certain status reports to the
1378 Governor, the Cabinet, and the Legislature;
1379 authorizing the agency to adopt rules; reordering and
1380 amending s. 282.0041, F.S.; revising and providing
1381 definitions of terms as used in the Enterprise
1382 Information Technology Services Management Act;
1383 amending s. 282.0055, F.S.; revising provisions for
1384 assignment of information technology services;
1385 directing the agency to create a road map for
1386 enterprise information technology service
1387 consolidation and a comprehensive transition plan;
1388 requiring the transition plan to be submitted to the
1389 Governor and Cabinet and the Legislature by a certain
1390 date; providing duties for state agencies relating to
1391 the transition plan; prohibiting state agencies from
1392 certain technology-related activities; providing for
1393 exceptions; amending s. 282.0056, F.S.; providing for
1394 development by the agency executive director of a
1395 biennial State Information Technology Strategic
1396 Resources Plan for approval by the Governor and the
1397 Cabinet; directing state agencies to submit their own
1398 information technology plans and any requested
1399 information to the agency; revising provisions for
1400 development of work plans and implementation plans;
1401 revising provisions for reporting on achievements;
1402 amending s. 282.201, F.S.; revising provisions for a
1403 state data center system; providing legislative
1404 intent; directing the agency to provide
1405 recommendations to the Governor and Legislature
1406 relating to changes to the schedule for the
1407 consolidations of state agency data centers; providing
1408 duties of a state agency consolidating a data center
1409 into a primary data center; revising the scheduled
1410 consolidation dates for state agency data centers;
1411 amending s. 282.203, F.S.; revising duties of primary
1412 data centers; removing provisions for boards of
1413 trustees to head primary data centers; requiring a
1414 memorandum of understanding between the primary data
1415 center and the participating state agency; limiting
1416 the term of the memorandum; providing for failure to
1417 enter into a memorandum; repealing s. 282.204, F.S.,
1418 relating to Northwood Shared Resource Center;
1419 repealing s. 282.205, F.S., relating to Southwood
1420 Shared Resource Center; creating s. 282.206, F.S.;
1421 establishing the Fletcher Shared Resource Center
1422 within the Department of Financial Services to provide
1423 enterprise information technology services; directing
1424 the center to collaborate with the agency; directing
1425 the center to provide collocation services to the
1426 Department of Legal Affairs, the Department of
1427 Agriculture and Consumer Services, and the Department
1428 of Financial Services; directing the Department of
1429 Financial Services to continue to use the center and
1430 provide service to the Office of Financial Regulation
1431 and the Office of Insurance Regulation and host the
1432 Legislative Appropriations System/Planning and
1433 Budgeting Subsystem; providing for governance of the
1434 center; providing for a steering committee to ensure
1435 adequacy and appropriateness of services; directing
1436 the Department of Legal Affairs and the Department of
1437 Agriculture and Consumer Services to move data center
1438 equipment to the center by certain dates; repealing s.
1439 282.33, F.S., relating to objective standards for data
1440 center energy efficiency; amending s. 282.34, F.S.;
1441 revising provisions for a statewide e-mail service to
1442 meet the needs of executive branch agencies; requiring
1443 state agencies to receive e-mail services through the
1444 agency; authorizing the Department of Agriculture and
1445 Consumer Services, the Department of Financial
1446 Services, the Office of Financial Regulation, and the
1447 Office of Insurance Regulation to receive e-mail
1448 services from the Fletcher Shared Resource Center or
1449 the agency; amending s. 282.702, F.S.; directing the
1450 agency to develop a plan for statewide voice-over
1451 Internet protocol services; requiring certain content
1452 in the plan; requiring the plan to be submitted to the
1453 Governor, the Cabinet, and the Legislature by a
1454 certain date; amending s. 364.0135, F.S.; providing
1455 for the agency’s role in the promotion of broadband
1456 Internet service; providing an additional duty;
1457 amending ss. 20.22, 110.205, 215.22, 215.322, 216.292,
1458 282.318, 282.604, 282.703, 282.704, 282.705, 282.706,
1459 282.707, 282.709, 282.7101, 282.711, 287.012, 287.057,
1460 318.18, 320.0802, 328.72, 365.171, 365.172, 365.173,
1461 365.174, 401.013, 401.015, 401.018, 401.021, 401.024,
1462 401.027, 401.465, 445.011, 445.045, and 668.50, F.S.,
1463 relating to a financial and cash management system
1464 task force, career service exemptions, trust funds,
1465 payment cards and electronic funds transfers, the
1466 Communications Working Capital Trust Fund, the
1467 Enterprise Information Technology Services Management
1468 Act, adoption of rules, the Communication Information
1469 Technology Services Act, procurement of commodities
1470 and contractual services, the Florida Uniform
1471 Disposition of Traffic Infractions Act, surcharge on
1472 vehicle license tax, vessel registration, broadband
1473 Internet service, the emergency communications number
1474 E911, regional emergency medical telecommunications,
1475 the Workforce Innovation Act of 2000, and the Uniform
1476 Electronic Transaction Act; conforming provisions and
1477 cross-references to changes made by the act; revising
1478 and deleting obsolete provisions; providing an
1479 effective date.