Florida Senate - 2014 CS for SB 928
By the Committees on Appropriations; and Governmental Oversight
and Accountability
576-02579A-14 2014928c1
1 A bill to be entitled
2 An act relating to state technology; repealing s.
3 14.204, F.S., relating to the Agency for Enterprise
4 Information Technology within the Executive Office of
5 the Governor; creating s. 20.61, F.S.; creating the
6 Agency for State Technology; providing that the
7 executive director shall serve as the state’s chief
8 information officer; establishing certain agency
9 positions; establishing the Technology Advisory
10 Council; providing for membership and duties of the
11 council; providing that members of the council are
12 governed by the Code of Ethics for Public Officers and
13 Employees; amending s. 282.0041, F.S.; revising,
14 creating, and deleting definitions used in the
15 Enterprise Information Technology Services Management
16 Act; creating s. 282.0051, F.S.; providing powers,
17 duties, and functions of the Agency for State
18 Technology; authorizing the agency to adopt rules;
19 creating s. 282.00515, F.S.; requiring the Department
20 of Legal Affairs, the Department of Financial
21 Services, and the Department of Agriculture and
22 Consumer Services to adopt certain technical standards
23 or alternatives to those standards and authorizing
24 such departments to contract with the Agency for State
25 Technology for certain purposes; creating s. 287.0591,
26 F.S.; limiting the terms of certain competitive
27 solicitations for information technology commodities;
28 providing an exception; repealing s. 282.0055, F.S.,
29 relating to the assignment of information technology
30 resource and service responsibilities; repealing s.
31 282.0056, F.S., relating to the development of an
32 annual work plan, the development of implementation
33 plans, and policy recommendations relating to
34 enterprise information technology services; amending
35 s. 282.201, F.S.; providing for a state data center
36 and the duties of the center; deleting duties for the
37 Agency for Enterprise Information Technology; revising
38 the schedule for consolidating agency data centers and
39 deleting obsolete provisions; revising the limitations
40 on state agencies; repealing s. 282.203, F.S.,
41 relating to primary data centers; repealing s.
42 282.204, F.S., relating to the Northwood Shared
43 Resource Center; repealing s. 282.205, F.S., relating
44 to the Southwood Shared Resource Center; amending s.
45 282.318, F.S.; changing the name of the Enterprise
46 Security of Data and Information Technology Act;
47 defining the term “agency” as used in the act;
48 requiring the Agency for State Technology to establish
49 and publish certain security standards and processes;
50 requiring state agencies to perform certain security
51 related duties; requiring the agency to adopt rules;
52 conforming provisions; repealing s. 282.33, F.S.,
53 relating to objective standards for data center energy
54 efficiency; repealing s. 282.34, F.S., relating to
55 statewide e-mail service; amending ss. 17.0315,
56 20.055, 110.205, 215.322, and 215.96, F.S.; conforming
57 provisions to changes made by the act; amending s.
58 216.023, F.S.; requiring the governance structure of
59 information technology projects to incorporate certain
60 standards; amending s. 287.057, F.S.; requiring the
61 Department of Management Services to consult with the
62 agency with respect to the online procurement of
63 commodities; amending ss. 445.011, 445.045, and
64 668.50, F.S.; conforming provisions to changes made by
65 the act; amending s. 943.0415, F.S.; providing
66 additional duties for the Cybercrime Office in the
67 Department of Law Enforcement relating to cyber
68 security; requiring the office to provide cyber
69 security training to state agency employees; requiring
70 the office to consult with the agency; amending s.
71 1004.649, F.S.; revising provisions relating to the
72 Northwest Regional Data Center; revising the center’s
73 duties and the content of service-level agreements
74 with state agency customers; transferring the
75 components of the Agency for Enterprise Information
76 Technology to the Agency for State Technology;
77 providing that certain rules adopted by the Agency for
78 Enterprise Information Technology are nullified;
79 transferring the Northwood Shared Resource Center and
80 the Southwood Shared Resource Center to the Agency for
81 State Technology; requiring the Agency for State
82 Technology to conduct a study and submit a report to
83 the Governor and Legislature; creating a state data
84 center task force; providing for membership, duties,
85 and abolishment of the task force; providing
86 appropriations and authorizing positions; requiring
87 the Agency for State Technology to complete an
88 operational assessment; requiring reports to the
89 Governor and Legislature; providing that certain
90 reorganizations within state agencies do not require
91 approval by the Legislative Budget Commission;
92 providing effective dates.
93
94 Be It Enacted by the Legislature of the State of Florida:
95
96 Section 1. Section 14.204, Florida Statutes, is repealed.
97 Section 2. Section 20.61, Florida Statutes, is created to
98 read:
99 20.61 Agency for State Technology.—The Agency for State
100 Technology is created within the Department of Management
101 Services. The agency is a separate budget program and is not
102 subject to control, supervision, or direction by the Department
103 of Management Services, including, but not limited to,
104 purchasing, transactions involving real or personal property,
105 personnel, or budgetary matters.
106 (1)(a) The executive director of the agency shall serve as
107 the state’s chief information officer and shall be appointed by
108 the Governor, subject to confirmation by the Senate.
109 (b) The executive director must be a proven, effective
110 administrator who preferably has executive-level experience in
111 both the public and private sectors in development and
112 implementation of information technology strategic planning;
113 management of enterprise information technology projects,
114 particularly management of large-scale consolidation projects;
115 and development and implementation of fiscal and substantive
116 information technology policy.
117 (2) The following positions are established within the
118 agency, all of whom shall be appointed by the executive
119 director:
120 (a) Deputy executive director, who shall serve as the
121 deputy chief information officer.
122 (b) Chief planning officer and six strategic planning
123 coordinators. One coordinator shall be assigned to each of the
124 following major program areas: health and human services,
125 education, government operations, criminal and civil justice,
126 agriculture and natural resources, and transportation and
127 economic development.
128 (c) Chief operations officer.
129 (d) Chief information security officer.
130 (e) Chief technology officer.
131 (3) The Technology Advisory Council, consisting of seven
132 members, is established within the Agency for State Technology
133 and shall be maintained pursuant to s. 20.052. Four members of
134 the council shall be appointed by the Governor, two of whom must
135 be from the private sector. The President of the Senate and the
136 Speaker of the House of Representatives shall each appoint one
137 member of the council. The Attorney General, the Commissioner of
138 Agriculture and Consumer Services, and the Chief Financial
139 Officer shall jointly appoint one member by agreement of a
140 majority of these officers. Upon initial establishment of the
141 council, two of the Governor’s appointments shall be for 2-year
142 terms. Thereafter, all appointments shall be for 4-year terms.
143 (a) The council shall consider and make recommendations to
144 the executive director on such matters as enterprise information
145 technology policies, standards, services, and architecture. The
146 council may also identify and recommend opportunities for the
147 establishment of public-private partnerships when considering
148 technology infrastructure and services in order to accelerate
149 project delivery and provide a source of new or increased
150 project funding.
151 (b) The executive director shall consult with the council
152 with regard to executing the duties and responsibilities of the
153 agency related to statewide information technology strategic
154 planning and policy.
155 (c) The council shall be governed by the Code of Ethics for
156 Public Officers and Employees as set forth in part III of
157 chapter 112, and each member must file a statement of financial
158 interests pursuant to s. 112.3145.
159 Section 3. Section 282.0041, Florida Statutes, is amended
160 to read:
161 282.0041 Definitions.—As used in this chapter, the term:
162 (1) “Agency data center” means agency space containing 10
163 or more physical or logical servers “Agency” has the same
164 meaning as in s. 216.011(1)(qq), except that for purposes of
165 this chapter, “agency” does not include university boards of
166 trustees or state universities.
167 (2) “Agency for Enterprise Information Technology” means
168 the agency created in s. 14.204.
169 (3) “Agency information technology service” means a service
170 that directly helps an agency fulfill its statutory or
171 constitutional responsibilities and policy objectives and is
172 usually associated with the agency’s primary or core business
173 functions.
174 (4) “Annual budget meeting” means a meeting of the board of
175 trustees of a primary data center to review data center usage to
176 determine the apportionment of board members for the following
177 fiscal year, review rates for each service provided, and
178 determine any other required changes.
179 (2)(5) “Breach” means a confirmed event that compromises
180 the confidentiality, integrity, or availability of information
181 or data has the same meaning as in s. 817.5681(4).
182 (3)(6) “Business continuity plan” means a collection of
183 procedures and information designed to keep an agency’s critical
184 operations running during a period of displacement or
185 interruption of normal operations plan for disaster recovery
186 which provides for the continued functioning of a primary data
187 center during and after a disaster.
188 (4)(7) “Computing facility” or “agency computing facility”
189 means agency space containing fewer than a total of 10 physical
190 or logical servers, any of which supports a strategic or
191 nonstrategic information technology service, as described in
192 budget instructions developed pursuant to s. 216.023, but
193 excluding single, logical-server installations that exclusively
194 perform a utility function such as file and print servers.
195 (5)(8) “Customer entity” means an entity that obtains
196 services from the state a primary data center.
197 (9) “Data center” means agency space containing 10 or more
198 physical or logical servers any of which supports a strategic or
199 nonstrategic information technology service, as described in
200 budget instructions developed pursuant to s. 216.023.
201 (6)(10) “Department” means the Department of Management
202 Services.
203 (7) “Disaster recovery” means the process, policies,
204 procedures, and infrastructure related to preparing for and
205 implementing recovery or continuation of an agency’s vital
206 technology infrastructure after a natural or human-induced
207 disaster.
208 (8)(11) “Enterprise information technology service” means
209 an information technology service that is used in all agencies
210 or a subset of agencies and is established in law to be
211 designed, delivered, and managed at the enterprise level.
212 (9) “Event” means an observable occurrence in a system or
213 network.
214 (10) “Incident” means a violation or imminent threat of
215 violation, whether such violation is accidental or deliberate,
216 of information technology security policies, acceptable use
217 policies, or standard security practices. An imminent threat of
218 violation refers to a situation in which the state agency has a
219 factual basis for believing that a specific incident is about to
220 occur.
221 (12) “E-mail, messaging, and calendaring service” means the
222 enterprise information technology service that enables users to
223 send, receive, file, store, manage, and retrieve electronic
224 messages, attachments, appointments, and addresses. The e-mail,
225 messaging, and calendaring service must include e-mail account
226 management; help desk; technical support and user provisioning
227 services; disaster recovery and backup and restore capabilities;
228 antispam and antivirus capabilities; archiving and e-discovery;
229 and remote access and mobile messaging capabilities.
230 (13) “Information-system utility” means a full-service
231 information-processing facility offering hardware, software,
232 operations, integration, networking, and consulting services.
233 (11)(14) “Information technology” means equipment,
234 hardware, software, firmware, programs, systems, networks,
235 infrastructure, media, and related material used to
236 automatically, electronically, and wirelessly collect, receive,
237 access, transmit, display, store, record, retrieve, analyze,
238 evaluate, process, classify, manipulate, manage, assimilate,
239 control, communicate, exchange, convert, converge, interface,
240 switch, or disseminate information of any kind or form.
241 (12)(15) “Information technology policy” means a definite
242 course or method of action selected from among one or more
243 alternatives that guide and determine present and future
244 decisions statements that describe clear choices for how
245 information technology will deliver effective and efficient
246 government services to residents and improve state agency
247 operations. A policy may relate to investments, business
248 applications, architecture, or infrastructure. A policy
249 describes its rationale, implications of compliance or
250 noncompliance, the timeline for implementation, metrics for
251 determining compliance, and the accountable structure
252 responsible for its implementation.
253 (13) “Information technology resources” has the same
254 meaning as provided in s. 119.011.
255 (14) “Information technology security” means the protection
256 afforded to an automated information system in order to attain
257 the applicable objectives of preserving the integrity,
258 availability, and confidentiality of data, information, and
259 information technology resources.
260 (15)(16) “Performance metrics” means the measures of an
261 organization’s activities and performance.
262 (17) “Primary data center” means a data center that is a
263 recipient entity for consolidation of nonprimary data centers
264 and computing facilities and that is established by law.
265 (16)(18) “Project” means an endeavor that has a defined
266 start and end point; is undertaken to create or modify a unique
267 product, service, or result; and has specific objectives that,
268 when attained, signify completion.
269 (17) “Project oversight” means an independent review and
270 analysis of an information technology project that provides
271 information on the project’s scope, completion timeframes, and
272 budget and that identifies and quantifies issues or risks
273 affecting the successful and timely completion of the project.
274 (18)(19) “Risk assessment analysis” means the process of
275 identifying security risks, determining their magnitude, and
276 identifying areas needing safeguards.
277 (19)(20) “Service level” means the key performance
278 indicators (KPI) of an organization or service which must be
279 regularly performed, monitored, and achieved.
280 (20)(21) “Service-level agreement” means a written contract
281 between the state a data center and a customer entity which
282 specifies the scope of services provided, service level, the
283 duration of the agreement, the responsible parties, and service
284 costs. A service-level agreement is not a rule pursuant to
285 chapter 120.
286 (21) “Stakeholder” means a person, group, organization, or
287 state agency involved in or affected by a course of action.
288 (22) “Standards” means required practices, controls,
289 components, or configurations established by an authority.
290 (23) “State agency” means any official, officer,
291 commission, board, authority, council, committee, or department
292 of the executive branch of state government; the Justice
293 Administrative Commission; and the Public Service Commission.
294 The term does not include university boards of trustees or state
295 universities. As used in part I of this chapter, except as
296 otherwise specifically provided, the term does not include the
297 Department of Legal Affairs, the Department of Agriculture and
298 Consumer Services, or the Department of Financial Services.
299 (24)(23) “SUNCOM Network” means the state enterprise
300 telecommunications system that provides all methods of
301 electronic or optical telecommunications beyond a single
302 building or contiguous building complex and used by entities
303 authorized as network users under this part.
304 (25)(24) “Telecommunications” means the science and
305 technology of communication at a distance, including electronic
306 systems used in the transmission or reception of information.
307 (26)(25) “Threat” means any circumstance or event that has
308 the potential to adversely impact a state agency’s operations or
309 assets through an information system via unauthorized access,
310 destruction, disclosure, or modification of information or
311 denial of service any circumstance or event that may cause harm
312 to the integrity, availability, or confidentiality of
313 information technology resources.
314 (27) “Variance” means a calculated value that illustrates
315 how far positive or negative a projection has deviated when
316 measured against documented estimates within a project plan.
317 (26) “Total cost” means all costs associated with
318 information technology projects or initiatives, including, but
319 not limited to, value of hardware, software, service,
320 maintenance, incremental personnel, and facilities. Total cost
321 of a loan or gift of information technology resources to an
322 agency includes the fair market value of the resources.
323 (27) “Usage” means the billing amount charged by the
324 primary data center, less any pass-through charges, to the
325 customer entity.
326 (28) “Usage rate” means a customer entity’s usage or
327 billing amount as a percentage of total usage.
328 Section 4. Section 282.0051, Florida Statutes, is created
329 to read:
330 282.0051 Agency for State Technology; powers, duties, and
331 functions.—The Agency for State Technology shall have the
332 following powers, duties, and functions:
333 (1) Develop and publish information technology policy for
334 the management of the state’s information technology resources.
335 (2) Establish and publish information technology
336 architecture standards to provide for the most efficient use of
337 the state’s information technology resources and to ensure
338 compatibility and alignment with the needs of state agencies.
339 The agency shall assist state agencies in complying with the
340 standards.
341 (3) By June 30, 2015, establish project management and
342 oversight standards with which state agencies must comply when
343 implementing information technology projects. The agency shall
344 provide training opportunities to state agencies to assist in
345 the adoption of the project management and oversight standards.
346 To support data-driven decisionmaking, the standards must
347 include, but are not limited to:
348 (a) Performance measurements and metrics that objectively
349 reflect the status of an information technology project based on
350 a defined and documented project scope, cost, and schedule.
351 (b) Methodologies for calculating acceptable variances in
352 the projected versus actual scope, schedule, or cost of an
353 information technology project.
354 (c) Reporting requirements, including requirements designed
355 to alert all defined stakeholders that an information technology
356 project has exceeded acceptable variances defined and documented
357 in a project plan.
358 (d) Content, format, and frequency of project updates.
359 (4) Beginning January 1, 2015, perform project oversight on
360 all state agency information technology projects that have total
361 project costs of $10 million or more and that are funded in the
362 General Appropriations Act or any other law. The agency shall
363 report at least quarterly to the Executive Office of the
364 Governor, the President of the Senate, and the Speaker of the
365 House of Representatives on any information technology project
366 that the agency identifies as high-risk due to the project
367 exceeding acceptable variance ranges defined and documented in a
368 project plan. The report must include a risk assessment,
369 including fiscal risks, associated with proceeding to the next
370 stage of the project, and a recommendation for corrective
371 actions required, including suspension or termination of the
372 project.
373 (5) By April 1, 2016, and biennially thereafter, identify
374 opportunities for standardization and consolidation of
375 information technology services that support business functions
376 and operations, including administrative functions such as
377 purchasing, accounting and reporting, cash management, and
378 personnel, and that are common across state agencies. The agency
379 shall provide recommendations for standardization and
380 consolidation to the Executive Office of the Governor, the
381 President of the Senate, and the Speaker of the House of
382 Representatives. The agency is not precluded from providing
383 recommendations before April 1, 2016.
384 (6) In collaboration with the Department of Management
385 Services, establish best practices for the procurement of
386 information technology products in order to reduce costs,
387 increase productivity, or improve services. Such practices must
388 include a provision requiring the agency to review all
389 information technology purchases made by state agencies that
390 have a total cost of $250,000 or more, unless a purchase is
391 specifically mandated by the Legislature, for compliance with
392 the standards established pursuant to this section.
393 (7)(a) Participate with the Department of Management
394 Services in evaluating, conducting, and negotiating competitive
395 solicitations for state term contracts for information
396 technology commodities, consultant services, or staff
397 augmentation contractual services pursuant to s. 287.0591.
398 (b) Collaborate with the Department of Management Services
399 in information technology resource acquisition planning.
400 (8) Develop standards for information technology reports
401 and updates, including, but not limited to, operational work
402 plans, project spend plans, and project status reports, for use
403 by state agencies.
404 (9) Upon request, assist state agencies in the development
405 of information technology-related legislative budget requests.
406 (10) Beginning July 1, 2016, and annually thereafter,
407 conduct annual assessments of state agencies to determine
408 compliance with all information technology standards and
409 guidelines developed and published by the agency, and beginning
410 December 1, 2016, and annually thereafter, provide results of
411 the assessments to the Executive Office of the Governor, the
412 President of the Senate, and the Speaker of the House of
413 Representatives.
414 (11) Provide operational management and oversight of the
415 state data center established pursuant to s. 282.201, which
416 includes:
417 (a) Implementing industry standards and best practices for
418 the state data center’s facilities, operations, maintenance,
419 planning, and management processes.
420 (b) Developing and implementing cost-recovery mechanisms
421 that recover the full direct and indirect cost of services
422 through charges to applicable customer entities. Such cost
423 recovery mechanisms must comply with applicable state and
424 federal regulations concerning distribution and use of funds and
425 must ensure that, for any fiscal year, no service or customer
426 entity subsidizes another service or customer entity.
427 (c) Developing and implementing appropriate operating
428 guidelines and procedures necessary for the state data center to
429 perform its duties pursuant to s. 282.201. The guidelines and
430 procedures must comply with applicable state and federal laws,
431 regulations, and policies and conform to generally accepted
432 governmental accounting and auditing standards. The guidelines
433 and procedures must include, but not be limited to:
434 1. Implementing a consolidated administrative support
435 structure responsible for providing financial management,
436 procurement, transactions involving real or personal property,
437 human resources, and operational support.
438 2. Implementing an annual reconciliation process to ensure
439 that each customer entity is paying for the full direct and
440 indirect cost of each service as determined by the customer
441 entity’s use of each service.
442 3. Providing rebates that may be credited against future
443 billings to customer entities when revenues exceed costs.
444 4. Requiring customer entities to validate that sufficient
445 funds exist in the appropriate data processing appropriation
446 category or will be transferred into the appropriate data
447 processing appropriation category before implementation of a
448 customer entity’s request for a change in the type or level of
449 service provided, if such change results in a net increase to
450 the customer entity’s costs for that fiscal year.
451 5. By September 1 of each year, providing to each customer
452 entity’s agency head the projected costs of providing data
453 center services for the following fiscal year.
454 6. Providing a plan for consideration by the Legislative
455 Budget Commission if the cost of a service is increased for a
456 reason other than a customer entity’s request made pursuant to
457 subparagraph 4. Such a plan is required only if the service cost
458 increase results in a net increase to a customer entity for that
459 fiscal year.
460 7. Standardizing and consolidating procurement and
461 contracting practices.
462 (d) In collaboration with the Department of Law
463 Enforcement, developing and implementing a process for
464 detecting, reporting, and responding to information technology
465 security incidents, breaches, and threats.
466 (e) Adopting rules relating to the operation of the state
467 data center, including, but not limited to, budgeting and
468 accounting procedures, cost-recovery methodologies, and
469 operating procedures.
470 (f) Beginning May 1, 2016, and annually thereafter,
471 conducting a market analysis to determine whether the state’s
472 approach to the provision of data center services is the most
473 effective and efficient manner by which its customer entities
474 can acquire such services, based on federal, state, and local
475 government trends; best practices in service provision; and the
476 acquisition of new and emerging technologies. The results of the
477 market analysis shall assist the state data center in making
478 adjustments to its data center service offerings.
479 (12) Recommend other information technology services that
480 should be designed, delivered, and managed as enterprise
481 information technology services. Recommendations must include
482 the identification of existing information technology resources
483 associated with the services, if existing services must be
484 transferred as a result of being delivered and managed as
485 enterprise information technology services.
486 (13) Recommend additional consolidations of agency
487 computing facilities or data centers into the state data center
488 established pursuant to s. 282.201. Such recommendations shall
489 include a proposed timeline for consolidation.
490 (14) In consultation with state agencies, propose a
491 methodology and approach for identifying and collecting both
492 current and planned information technology expenditure data at
493 the state agency level.
494 (15)(a) Beginning January 1, 2015, and notwithstanding any
495 other law, provide project oversight on any information
496 technology project of the Department of Financial Services, the
497 Department of Legal Affairs, and the Department of Agriculture
498 and Consumer Services that has a total project cost of $25
499 million or more and that impacts one or more other agencies.
500 Such information technology projects must also comply with the
501 applicable information technology architecture, project
502 management and oversight, and reporting standards established by
503 the agency.
504 (b) When performing the project oversight function
505 specified in paragraph (a), report at least quarterly to the
506 Executive Office of the Governor, the President of the Senate,
507 and the Speaker of the House of Representatives on any
508 information technology project that the agency identifies as
509 high-risk due to the project exceeding acceptable variance
510 ranges defined and documented in the project plan. The report
511 shall include a risk assessment, including fiscal risks,
512 associated with proceeding to the next stage of the project and
513 a recommendation for corrective actions required, including
514 suspension or termination of the project.
515 (16) If an information technology project implemented by a
516 state agency must be connected to or otherwise accommodated by
517 an information technology system administered by the Department
518 of Financial Services, the Department of Legal Affairs, or the
519 Department of Agriculture and Consumer Services, consult with
520 these departments regarding the risks and other effects of such
521 projects on their information technology systems and work
522 cooperatively with these departments regarding the connections,
523 interfaces, timing, or accommodations required to implement such
524 projects.
525 (17) If adherence to standards or policies adopted by or
526 established pursuant to this section causes conflict with
527 federal regulations or requirements imposed on a state agency
528 and results in adverse action against the state agency or
529 federal funding, work with the state agency to provide
530 alternative standards, policies, or requirements that do not
531 conflict with the federal regulation or requirement. Beginning
532 July 1, 2015, the agency shall annually report such alternative
533 standards to the Governor, the President of the Senate, and the
534 Speaker of the House of Representatives.
535 (18) Adopt rules to administer this section.
536 Section 5. Section 282.00515, Florida Statutes, is created
537 to read:
538 282.00515 Duties of Cabinet agencies.—The Department of
539 Legal Affairs, the Department of Financial Services, and the
540 Department of Agriculture and Consumer Services shall adopt the
541 standards established in s. 282.0051(2), (3), and (8) or adopt
542 alternative standards based on best practices and industry
543 standards, and may contract with the Agency for State Technology
544 to provide or perform any of the services and functions
545 described in s. 282.0051 for the Department of Legal Affairs,
546 the Department of Financial Services, or the Department of
547 Agriculture and Consumer Services.
548 Section 6. Section 287.0591, Florida Statutes, is created
549 to read:
550 287.0591 Information technology.—
551 (1) Beginning July 1, 2014, any competitive solicitation
552 issued by the department for a state term contract for
553 information technology commodities must include a term that does
554 not exceed 48 months.
555 (2) Beginning September 1, 2015, any competitive
556 solicitation issued by the department for a state term contract
557 for information technology consultant services or information
558 technology staff augmentation contractual services must include
559 a term that does not exceed 48 months.
560 (3) The department may execute a state term contract for
561 information technology commodities, consultant services, or
562 staff augmentation contractual services that exceeds the 48
563 month requirement if the Secretary of Management Services and
564 the executive director of the Agency for State Technology
565 certify to the Executive Office of the Governor that a longer
566 contract term is in the best interest of the state.
567 (4) If the department issues a competitive solicitation for
568 information technology commodities, consultant services, or
569 staff augmentation contractual services, the Agency for State
570 Technology shall participate in such solicitations.
571 Section 7. Section 282.0055, Florida Statutes, is repealed.
572 Section 8. Section 282.0056, Florida Statutes, is repealed.
573 Section 9. Section 282.201, Florida Statutes, is amended to
574 read:
575 282.201 State data center system; agency duties and
576 limitations.—The A state data center system that includes all
577 primary data centers, other nonprimary data centers, and
578 computing facilities, and that provides an enterprise
579 information technology service as defined in s. 282.0041, is
580 established as a primary data center within the Agency for State
581 Technology and includes the facilities formerly known as the
582 Northwood Shared Resource Center and the Southwood Shared
583 Resource Center.
584 (1) INTENT.—The Legislature finds that the most efficient
585 and effective means of providing quality utility data processing
586 services to state agencies requires that computing resources be
587 concentrated in quality facilities that provide the proper
588 security, disaster recovery, infrastructure, and staff resources
589 to ensure that the state’s data is maintained reliably and
590 safely, and is recoverable in the event of a disaster.
591 Efficiencies resulting from such consolidation include the
592 increased ability to leverage technological expertise and
593 hardware and software capabilities; increased savings through
594 consolidated purchasing decisions; and the enhanced ability to
595 deploy technology improvements and implement new policies
596 consistently throughout the consolidated organization. Unless
597 otherwise exempt by law, it is the intent of the Legislature
598 that all agency data centers and computing facilities be
599 consolidated into the state a primary data center by 2019.
600 (2) STATE DATA CENTER DUTIES.—The state data center shall:
601 (a) Offer, develop, and support the services and
602 applications as provided in the service-level agreements
603 executed with its customer entities.
604 (b) Maintain the performance of the state data center,
605 which includes ensuring proper data backup, data backup
606 recovery, a disaster recovery plan, appropriate security, power,
607 cooling, fire suppression, and capacity.
608 (c) Develop a business continuity plan and a disaster
609 recovery plan, and conduct a live exercise of these plans at
610 least annually.
611 (d) Enter into a service level agreement with each customer
612 entity to provide the required type and level of service or
613 services. If a customer entity fails to execute an agreement
614 within 60 days after the commencement of a service, the state
615 data center may cease service. A service level agreement may not
616 have a term exceeding 3 years and at a minimum must:
617 1. Identify the parties and their roles, duties, and
618 responsibilities under the agreement.
619 2. State the duration of the contractual term and specify
620 the conditions for renewal.
621 3. Identify the scope of work.
622 4. Identify the products or services to be delivered with
623 sufficient specificity to permit an external financial or
624 performance audit.
625 5. Establish the services to be provided, the business
626 standards that must be met for each service, the cost of each
627 service, and the metrics and processes by which the business
628 standards for each service are to be objectively measured and
629 reported.
630 6. Provide a timely billing methodology for recovering the
631 cost of services provided to the customer entity pursuant to s.
632 215.422.
633 7. Provide a procedure for modifying the service level
634 agreement based on changes in the type, level, and cost of a
635 service.
636 8. Include a right-to-audit clause to ensure that the
637 parties to the agreement have access to records for audit
638 purposes during the term of the service level agreement.
639 9. Provide that a service level agreement may be terminated
640 by either party for cause only after giving the other party and
641 the Agency for State Technology notice in writing of the cause
642 for termination and an opportunity for the other party to
643 resolve the identified cause within a reasonable period.
644 10. Provide for the mediation of disputes by the Division
645 of Administrative Hearings pursuant to s. 120.573.
646 (e) Be the custodian of resources and equipment that are
647 located, operated, supported, and managed by the state data
648 center for the purposes of chapter 273.
649 (f) Assume administrative access rights to the resources
650 and equipment, such as servers, network components, and other
651 devices that are consolidated into the state data center.
652 1. On the date of each consolidation specified in this
653 section, the General Appropriations Act, or the Laws of Florida,
654 each state agency shall relinquish all administrative rights to
655 such resources and equipment. State agencies required to comply
656 with federal security regulations and policies shall retain
657 administrative access rights sufficient to comply with the
658 management control provisions of those regulations and policies;
659 however, the state data center shall have the appropriate type
660 or level of rights to allow the center to comply with its duties
661 pursuant to this section. The Department of Law Enforcement
662 shall serve as the arbiter of any disputes which may arise
663 regarding the appropriate type and level of administrative
664 access rights relating to the provision of management control in
665 accordance with federal criminal justice information guidelines.
666 2. The state data center shall provide its customer
667 entities with access to applications, servers, network
668 components, and other devices necessary for state agencies to
669 perform business activities and functions, and as defined and
670 documented in the service level agreement.
671 (2) AGENCY FOR ENTERPRISE INFORMATION TECHNOLOGY DUTIES.
672 The Agency for Enterprise Information Technology shall:
673 (a) Collect and maintain information necessary for
674 developing policies relating to the data center system,
675 including, but not limited to, an inventory of facilities.
676 (b) Annually approve cost-recovery mechanisms and rate
677 structures for primary data centers which recover costs through
678 charges to customer entities.
679 (c) By September 30 of each year, submit to the
680 Legislature, the Executive Office of the Governor, and the
681 primary data centers recommendations to improve the efficiency
682 and cost-effectiveness of computing services provided by state
683 data center system facilities. Such recommendations must
684 include, but need not be limited to:
685 1. Policies for improving the cost-effectiveness and
686 efficiency of the state data center system, which includes the
687 primary data centers being transferred to a shared, virtualized
688 server environment, and the associated cost savings resulting
689 from the implementation of such policies.
690 2. Infrastructure improvements supporting the consolidation
691 of facilities or preempting the need to create additional data
692 centers or computing facilities.
693 3. Uniform disaster recovery standards.
694 4. Standards for primary data centers which provide cost
695 effective services and transparent financial data to user
696 agencies.
697 5. Consolidation of contract practices or coordination of
698 software, hardware, or other technology-related procurements and
699 the associated cost savings.
700 6. Improvements to data center governance structures.
701 (d) By October 1 of each year, provide recommendations to
702 the Governor and Legislature relating to changes to the schedule
703 for the consolidations of state agency data centers as provided
704 in subsection (4).
705 1. The recommendations must be based on the goal of
706 maximizing current and future cost savings by:
707 a. Consolidating purchase decisions.
708 b. Leveraging expertise and other resources to gain
709 economies of scale.
710 c. Implementing state information technology policies more
711 effectively.
712 d. Maintaining or improving the level of service provision
713 to customer entities.
714 2. The agency shall establish workgroups as necessary to
715 ensure participation by affected agencies in the development of
716 recommendations related to consolidations.
717 (e) Develop and establish rules relating to the operation
718 of the state data center system which comply with applicable
719 federal regulations, including 2 C.F.R. part 225 and 45 C.F.R.
720 The rules must address:
721 1. Ensuring that financial information is captured and
722 reported consistently and accurately.
723 2. Identifying standards for hardware, including standards
724 for a shared, virtualized server environment, and operations
725 system software and other operational software, including
726 security and network infrastructure, for the primary data
727 centers; requiring compliance with such standards in order to
728 enable the efficient consolidation of the agency data centers or
729 computing facilities; and providing an exemption process from
730 compliance with such standards, which must be consistent with
731 paragraph (5)(b).
732 3. Requiring annual full cost recovery on an equitable
733 rational basis. The cost-recovery methodology must ensure that
734 no service is subsidizing another service and may include
735 adjusting the subsequent year’s rates as a means to recover
736 deficits or refund surpluses from a prior year.
737 4. Requiring that any special assessment imposed to fund
738 expansion is based on a methodology that apportions the
739 assessment according to the proportional benefit to each
740 customer entity.
741 5. Requiring that rebates be given when revenues have
742 exceeded costs, that rebates be applied to offset charges to
743 those customer entities that have subsidized the costs of other
744 customer entities, and that such rebates may be in the form of
745 credits against future billings.
746 6. Requiring that all service-level agreements have a
747 contract term of up to 3 years, but may include an option to
748 renew for up to 3 additional years contingent on approval by the
749 board, and require at least a 180-day notice of termination.
750 (3) STATE AGENCY DUTIES.—
751 (a) For the purpose of completing the work activities
752 described in subsections (1) and (2), Each state agency shall
753 provide to the Agency for State Enterprise Information
754 Technology all requested information relating to its data
755 centers and computing facilities and any other information
756 relevant to the effective agency’s ability to effectively
757 transition of a state agency data center or computing facility
758 its computer services into the state a primary data center. The
759 agency shall also participate as required in workgroups relating
760 to specific consolidation planning and implementation tasks as
761 assigned by the Agency for Enterprise Information Technology and
762 determined necessary to accomplish consolidation goals.
763 (b) Each state agency customer of the state a primary data
764 center shall notify the state data center, by May 31 and
765 November 30 of each year, of any significant changes in
766 anticipated use utilization of data center services pursuant to
767 requirements established by the state boards of trustees of each
768 primary data center.
769 (4) SCHEDULE FOR CONSOLIDATIONS OF AGENCY DATA CENTERS.—
770 (a) Consolidations of agency data centers and computing
771 facilities shall be made by the date and to the specified state
772 primary data center facility as provided in this section and in
773 accordance with budget adjustments contained in the General
774 Appropriations Act.
775 (b) By December 31, 2011, the following shall be
776 consolidated into the Northwest Regional Data Center:
777 1. The Department of Education’s Knott Data Center in the
778 Turlington Building.
779 2. The Department of Education’s Division of Vocational
780 Rehabilitation.
781 3. The Department of Education’s Division of Blind
782 Services, except for the division’s disaster recovery site in
783 Daytona Beach.
784 4. The FCAT Explorer.
785 (c) During the 2011-2012 fiscal year, the following shall
786 be consolidated into the Southwood Shared Resource Center:
787 1. By September 30, 2011, the Department of Corrections.
788 2. By March 31, 2012, the Department of Transportation’s
789 Burns Building.
790 3. By March 31, 2012, the Department of Transportation’s
791 Survey & Mapping Office.
792 (d) By July 1, 2012, the Department of Highway Safety and
793 Motor Vehicles’ Office of Commercial Vehicle Enforcement shall
794 be consolidated into the Northwood Shared Resource Center.
795 (e) By September 30, 2012, the Department of Revenue’s
796 Carlton Building and Imaging Center locations shall be
797 consolidated into the Northwest Regional Data Center.
798 (f) During the 2012-2013 fiscal year, the following shall
799 be consolidated into the Northwood Shared Resource Center:
800 1. By July 1, 2012, the Agency for Health Care
801 Administration.
802 2. By August 31, 2012, the Department of Highway Safety and
803 Motor Vehicles.
804 3. By December 31, 2012, the Department of Environmental
805 Protection’s Palmetto Commons.
806 4. By December 31, 2012, the Department of Health’s Test
807 and Development Lab and all remaining data center resources
808 located at the Capital Circle Office Complex.
809 (g) During the 2013-2014 fiscal year, the following shall
810 be consolidated into the Southwood Shared Resource Center:
811 1. By October 31, 2013, the Department of Economic
812 Opportunity.
813 2. By December 31, 2013, the Executive Office of the
814 Governor, to include the Division of Emergency Management except
815 for the Emergency Operation Center’s management system in
816 Tallahassee and the Camp Blanding Emergency Operations Center in
817 Starke.
818 3. By March 31, 2014, the Department of Elderly Affairs.
819 (h) By October 30, 2013, the Fish and Wildlife Conservation
820 Commission, except for the commission’s Fish and Wildlife
821 Research Institute in St. Petersburg, shall be consolidated into
822 the Northwood Shared Resource Center.
823 (i) During the 2014-2015 fiscal year, the following
824 agencies shall work with the Agency for Enterprise Information
825 Technology to begin preliminary planning for consolidation into
826 a primary data center:
827 1. The Department of Health’s Jacksonville Lab Data Center.
828 2. The Department of Transportation’s district offices,
829 toll offices, and the District Materials Office.
830 3. The Department of Military Affairs’ Camp Blanding Joint
831 Training Center in Starke.
832 4. The Camp Blanding Emergency Operations Center in Starke.
833 5. The Department of Education’s Division of Blind Services
834 disaster recovery site in Daytona Beach.
835 6. The Department of Education’s disaster recovery site at
836 Santa Fe College.
837 7. The Fish and Wildlife Conservation Commission’s Fish and
838 Wildlife Research Institute in St. Petersburg.
839 8. The Department of Children and Family Services’ Suncoast
840 Data Center in Tampa.
841 9. The Department of Children and Family Services’ Florida
842 State Hospital in Chattahoochee.
843 (j) During the 2015-2016 fiscal year, all computing
844 resources remaining within an agency data center or computing
845 facility, to include the Department of Financial Services’
846 Hartman, Larson, and Fletcher Buildings data centers, shall be
847 transferred to a primary data center for consolidation unless
848 otherwise required to remain in the agency for specified
849 financial, technical, or business reasons that must be justified
850 in writing and approved by the Agency for Enterprise Information
851 Technology. Such data centers, computing facilities, and
852 resources must be identified by the Agency for Enterprise
853 Information Technology by October 1, 2014.
854 (b)(k) The Department of Financial Services, the Department
855 of Legal Affairs, the Department of Agriculture and Consumer
856 Services, the Department of Law Enforcement, the Department of
857 the Lottery’s Gaming System, Systems Design and Development in
858 the Office of Policy and Budget, the regional traffic management
859 centers and the Office of Toll Operations of the Department of
860 Transportation, and the State Board of Administration, state
861 attorneys, public defenders, criminal conflict and civil
862 regional counsel, capital collateral regional counsel, the
863 Florida Clerks of Court Operations Corporation, and the Florida
864 Housing Finance Corporation are exempt from data center
865 consolidation under this section.
866 (c)(l) A state Any agency that is consolidating its agency
867 data center or computing facility centers into the state a
868 primary data center must execute a new or update an existing
869 service-level agreement within 60 days after the commencement of
870 service specified consolidation date, as required by s.
871 282.201(2) s. 282.203, in order to specify the services and
872 levels of service it is to receive from the state primary data
873 center as a result of the consolidation. If the state an agency
874 and the state primary data center are unable to execute a
875 service-level agreement by that date, the agency and the primary
876 data center shall submit a report to the Executive Office of the
877 Governor and to the chairs of the legislative appropriations
878 committees within 5 working days after that date which explains
879 the specific issues preventing execution and describing the plan
880 and schedule for resolving those issues.
881 (m) Beginning September 1, 2011, and every 6 months
882 thereafter until data center consolidations are complete, the
883 Agency for Enterprise Information Technology shall provide a
884 status report on the implementation of the consolidations that
885 must be completed during the fiscal year. The report shall be
886 submitted to the Executive Office of the Governor and the chairs
887 of the legislative appropriations committees. The report must,
888 at a minimum, describe:
889 1. Whether the consolidation is on schedule, including
890 progress on achieving the milestones necessary for successful
891 and timely consolidation of scheduled agency data centers and
892 computing facilities.
893 2. The risks that may affect the progress or outcome of the
894 consolidation and how these risks are being addressed,
895 mitigated, or managed.
896 (d)(n) Each state agency scheduled identified in this
897 subsection for consolidation into the state a primary data
898 center shall submit a transition plan to the Agency for State
899 Technology appropriate primary data center by July 1 of the
900 fiscal year before the fiscal year in which the scheduled
901 consolidation will occur. Transition plans shall be developed in
902 consultation with the state appropriate primary data center
903 centers and the Agency for Enterprise Information Technology,
904 and must include:
905 1. An inventory of the state agency data center’s resources
906 being consolidated, including all hardware and its associated
907 life cycle replacement schedule, software, staff, contracted
908 services, and facility resources performing data center
909 management and operations, security, backup and recovery,
910 disaster recovery, system administration, database
911 administration, system programming, job control, production
912 control, print, storage, technical support, help desk, and
913 managed services, but excluding application development, and the
914 state agency’s costs supporting these resources.
915 2. A list of contracts in effect, including, but not
916 limited to, contracts for hardware, software, and maintenance,
917 which identifies the expiration date, the contract parties, and
918 the cost of each contract.
919 3. A detailed description of the level of services needed
920 to meet the technical and operational requirements of the
921 platforms being consolidated.
922 4. A description of resources for computing services
923 proposed to remain in the department.
924 4.5. A timetable with significant milestones for the
925 completion of the consolidation.
926 (o) Each primary data center shall develop a transition
927 plan for absorbing the transfer of agency data center resources
928 based upon the timetables for transition as provided in this
929 subsection. The plan shall be submitted to the Agency for
930 Enterprise Information Technology, the Executive Office of the
931 Governor, and the chairs of the legislative appropriations
932 committees by September 1 of the fiscal year before the fiscal
933 year in which the scheduled consolidations will occur. Each plan
934 must include:
935 1. The projected cost to provide data center services for
936 each agency scheduled for consolidation.
937 2. A staffing plan that identifies the projected staffing
938 needs and requirements based on the estimated workload
939 identified in the agency transition plan.
940 3. The fiscal year adjustments to budget categories in
941 order to absorb the transfer of agency data center resources
942 pursuant to the legislative budget request instructions provided
943 in s. 216.023.
944 4. An analysis of the cost effects resulting from the
945 planned consolidations on existing agency customers.
946 5. A description of any issues that must be resolved in
947 order to accomplish as efficiently and effectively as possible
948 all consolidations required during the fiscal year.
949 (e)(p) Each state agency scheduled identified in this
950 subsection for consolidation into the state a primary data
951 center shall submit with its respective legislative budget
952 request the specific recurring and nonrecurring budget
953 adjustments of resources by appropriation category into the
954 appropriate data processing category pursuant to the legislative
955 budget request instructions in s. 216.023.
956 (5) AGENCY LIMITATIONS.—
957 (a) Unless exempt from state data center consolidation
958 pursuant to this section, authorized by the Legislature, or as
959 provided in paragraph paragraphs (b) and (c), a state agency may
960 not:
961 1. Create a new computing facility or data center, or
962 expand the capability to support additional computer equipment
963 in an existing state agency computing facility or nonprimary
964 data center;
965 2. Spend funds before the state agency’s scheduled
966 consolidation into the state a primary data center to purchase
967 or modify hardware or operations software that does not comply
968 with hardware and software standards established by the Agency
969 for State Enterprise Information Technology pursuant to
970 paragraph (2)(e) for the efficient consolidation of the agency
971 data centers or computing facilities;
972 3. Transfer existing computer services to any data center
973 other than the state a primary data center;
974 4. Terminate services with the state a primary data center
975 or transfer services between primary data centers without giving
976 written notice of intent to terminate or transfer services 180
977 days before such termination or transfer; or
978 5. Initiate a new computer service except with the state a
979 primary data center.
980 (b) Exceptions to the limitations in subparagraphs (a)1.,
981 2., 3., and 5. may be granted by the Agency for State Enterprise
982 Information Technology if there is insufficient capacity in the
983 state a primary data center to absorb the workload associated
984 with agency computing services, if expenditures are compatible
985 with the scheduled consolidation and the standards established
986 pursuant to s. 282.0051 paragraph (2)(e), or if the equipment or
987 resources are needed to meet a critical agency business need
988 that cannot be satisfied by from surplus equipment or resources
989 of the state primary data center until the agency data center is
990 consolidated. The Agency for State Technology shall develop and
991 publish the guidelines and required documentation that a state
992 agency must comply with when requesting an exception. The
993 agency’s decision regarding the exception request is not subject
994 to chapter 120.
995 1. A request for an exception must be submitted in writing
996 to the Agency for Enterprise Information Technology. The agency
997 must accept, accept with conditions, or deny the request within
998 60 days after receipt of the written request. The agency’s
999 decision is not subject to chapter 120.
1000 2. At a minimum, the agency may not approve a request
1001 unless it includes:
1002 a. Documentation approved by the primary data center’s
1003 board of trustees which confirms that the center cannot meet the
1004 capacity requirements of the agency requesting the exception
1005 within the current fiscal year.
1006 b. A description of the capacity requirements of the agency
1007 requesting the exception.
1008 c. Documentation from the agency demonstrating why it is
1009 critical to the agency’s mission that the expansion or transfer
1010 must be completed within the fiscal year rather than when
1011 capacity is established at a primary data center.
1012 (c) Exceptions to subparagraph (a)4. may be granted by the
1013 board of trustees of the primary data center if the termination
1014 or transfer of services can be absorbed within the current cost
1015 allocation plan.
1016 (d) Upon the termination of or transfer of agency computing
1017 services from the primary data center, the primary data center
1018 shall require information sufficient to determine compliance
1019 with this section. If a primary data center determines that an
1020 agency is in violation of this section, it shall report the
1021 violation to the Agency for Enterprise Information Technology.
1022 (6) RULES.—The Agency for Enterprise Information Technology
1023 may adopt rules to administer this part relating to the state
1024 data center system including the primary data centers.
1025 Section 10. Section 282.203, Florida Statutes, is repealed.
1026 Section 11. Section 282.204, Florida Statutes, is repealed.
1027 Section 12. Section 282.205, Florida Statutes, is repealed.
1028 Section 13. Section 282.318, Florida Statutes, is amended
1029 to read:
1030 282.318 Enterprise Security of data and information
1031 technology.—
1032 (1) This section may be cited as the “Enterprise Security
1033 of Data and Information Technology Security Act.”
1034 (2) As used in this section, the term “state agency” has
1035 the same meaning as provided in s. 282.0041, except that the
1036 term includes the Department of Legal Affairs, the Department of
1037 Agriculture and Consumer Services, and the Department of
1038 Financial Services.
1039 (2) Information technology security is established as an
1040 enterprise information technology service as defined in s.
1041 282.0041.
1042 (3) The Agency for State Enterprise Information Technology
1043 is responsible for establishing standards and processes
1044 consistent with generally accepted best practices for
1045 information technology security and adopting rules that
1046 safeguard an agency’s data, information, and information
1047 technology resources to ensure availability, confidentiality,
1048 and integrity and publishing guidelines for ensuring an
1049 appropriate level of security for all data and information
1050 technology resources for executive branch agencies. The agency
1051 shall also perform the following duties and responsibilities:
1052 (a) Develop, and annually update by February 1, a statewide
1053 an enterprise information technology security strategic plan
1054 that includes security goals and objectives for the strategic
1055 issues of information technology security policy, risk
1056 management, training, incident management, and disaster recovery
1057 survivability planning.
1058 (b) Develop and publish for use by state agencies an
1059 information technology security framework that, at a minimum,
1060 includes enterprise security rules and published guidelines and
1061 processes for:
1062 1. Establishing asset management procedures to ensure that
1063 an agency’s information technology resources are identified and
1064 managed consistent with their relative importance to the
1065 agency’s business objectives.
1066 2. Using a standard risk assessment methodology that
1067 includes the identification of an agency’s priorities,
1068 constraints, risk tolerances, and assumptions necessary to
1069 support operational risk decisions.
1070 3.1. Completing comprehensive risk assessments analyses and
1071 information technology security audits and submitting completed
1072 assessments and audits to the Agency for State Technology
1073 conducted by state agencies.
1074 4. Identifying protection procedures to manage the
1075 protection of an agency’s information, data, and information
1076 technology resources.
1077 5. Establishing procedures for accessing information and
1078 data to ensure the confidentiality, integrity, and availability
1079 of such information and data.
1080 6. Detecting threats through proactive monitoring of
1081 events, continuous security monitoring, and defined detection
1082 processes.
1083 7.2. Responding to information technology suspected or
1084 confirmed information security incidents, including suspected or
1085 confirmed breaches of personal information containing
1086 confidential or exempt data.
1087 8. Recovering information and data in response to an
1088 information technology security incident. The recovery may
1089 include recommended improvements to the agency processes,
1090 policies, or guidelines.
1091 9.3. Developing agency strategic and operational
1092 information technology security plans required pursuant to this
1093 section, including strategic security plans and security program
1094 plans.
1095 4. The recovery of information technology and data
1096 following a disaster.
1097 10.5. Establishing the managerial, operational, and
1098 technical safeguards for protecting state government data and
1099 information technology resources that align with the state
1100 agency risk management strategy and that protect the
1101 confidentiality, integrity, and availability of information and
1102 data.
1103 (c) Assist state agencies in complying with the provisions
1104 of this section.
1105 (d) Pursue appropriate funding for the purpose of enhancing
1106 domestic security.
1107 (d)(e) In collaboration with the Cybercrime Office of the
1108 Department of Law Enforcement, provide training for state agency
1109 information security managers.
1110 (e)(f) Annually review the strategic and operational
1111 information technology security plans of executive branch
1112 agencies.
1113 (4) To assist the Agency for Enterprise Information
1114 Technology in carrying out its responsibilities, Each state
1115 agency head shall, at a minimum:
1116 (a) Designate an information security manager to administer
1117 the information technology security program of the state agency
1118 for its data and information technology resources. This
1119 designation must be provided annually in writing to the Agency
1120 for State Enterprise Information Technology by January 1. A
1121 state agency’s information security manager, for purposes of
1122 these information security duties, shall report directly to the
1123 agency head.
1124 (b) Submit to the Agency for State Enterprise Information
1125 Technology annually by July 31, the state agency’s strategic and
1126 operational information technology security plans developed
1127 pursuant to the rules and guidelines established by the Agency
1128 for State Enterprise Information Technology.
1129 1. The state agency strategic information technology
1130 security plan must cover a 3-year period and, at a minimum,
1131 define security goals, intermediate objectives, and projected
1132 agency costs for the strategic issues of agency information
1133 security policy, risk management, security training, security
1134 incident response, and disaster recovery survivability. The plan
1135 must be based on the statewide enterprise strategic information
1136 technology security strategic plan created by the Agency for
1137 State Enterprise Information Technology and include performance
1138 metrics that can be objectively measured to reflect the status
1139 of the state agency’s progress in meeting security goals and
1140 objectives identified in the agency’s strategic information
1141 security plan. Additional issues may be included.
1142 2. The state agency operational information technology
1143 security plan must include a progress report that objectively
1144 measures progress made towards for the prior operational
1145 information technology security plan and a project plan that
1146 includes activities, timelines, and deliverables for security
1147 objectives that, subject to current resources, the state agency
1148 will implement during the current fiscal year. The cost of
1149 implementing the portions of the plan which cannot be funded
1150 from current resources must be identified in the plan.
1151 (c) Conduct, and update every 3 years, a comprehensive risk
1152 assessment analysis to determine the security threats to the
1153 data, information, and information technology resources of the
1154 agency. The risk assessment must comply with the risk assessment
1155 methodology developed by the Agency for State Technology and
1156 analysis information is confidential and exempt from the
1157 provisions of s. 119.07(1), except that such information shall
1158 be available to the Auditor General, and the Agency for State
1159 Enterprise Information Technology, the Cybercrime Office of the
1160 Department of Law Enforcement, and, for state agencies under the
1161 jurisdiction of the Governor, the Chief Inspector General for
1162 performing postauditing duties.
1163 (d) Develop, and periodically update, written internal
1164 policies and procedures, which include procedures for reporting
1165 information technology security incidents and breaches to the
1166 Cybercrime Office of the Department of Law Enforcement and
1167 notifying the Agency for State Enterprise Information Technology
1168 when a suspected or confirmed breach, or an information security
1169 incident, occurs. Such policies and procedures must be
1170 consistent with the rules, and guidelines, and processes
1171 established by the Agency for State Enterprise Information
1172 Technology to ensure the security of the data, information, and
1173 information technology resources of the agency. The internal
1174 policies and procedures that, if disclosed, could facilitate the
1175 unauthorized modification, disclosure, or destruction of data or
1176 information technology resources are confidential information
1177 and exempt from s. 119.07(1), except that such information shall
1178 be available to the Auditor General, the Cybercrime Office of
1179 the Department of Law Enforcement, and the Agency for State
1180 Enterprise Information Technology, and, for state agencies under
1181 the jurisdiction of the Governor, the Chief Inspector General
1182 for performing postauditing duties.
1183 (e) Implement managerial, operational, and technical
1184 appropriate cost-effective safeguards established by the Agency
1185 for State Technology to address identified risks to the data,
1186 information, and information technology resources of the agency.
1187 (f) Ensure that periodic internal audits and evaluations of
1188 the agency’s information technology security program for the
1189 data, information, and information technology resources of the
1190 agency are conducted. The results of such audits and evaluations
1191 are confidential information and exempt from s. 119.07(1),
1192 except that such information shall be available to the Auditor
1193 General, the Cybercrime Office of the Department of Law
1194 Enforcement, and the Agency for State Enterprise Information
1195 Technology, and, for agencies under the jurisdiction of the
1196 Governor, the Chief Inspector General for performing
1197 postauditing duties.
1198 (g) Include appropriate information technology security
1199 requirements in the written specifications for the solicitation
1200 of information technology and information technology resources
1201 and services, which are consistent with the rules and guidelines
1202 established by the Agency for State Enterprise Information
1203 Technology in collaboration with the Department of Management
1204 Services.
1205 (h) Provide information technology security awareness
1206 training to all state agency employees and users of the agency’s
1207 communication and information resources concerning information
1208 technology security risks and the responsibility of employees
1209 and users to comply with policies, standards, guidelines, and
1210 operating procedures adopted by the state agency to reduce those
1211 risks. The training may be provided in collaboration with the
1212 Cybercrime Office of the Department of Law Enforcement.
1213 (i) Develop a process for detecting, reporting, and
1214 responding to threats, breaches, or information technology
1215 security suspected or confirmed security incidents that are,
1216 including suspected or confirmed breaches consistent with the
1217 security rules, and guidelines, and processes established by the
1218 Agency for State Enterprise Information Technology.
1219 1. All information technology Suspected or confirmed
1220 information security incidents and breaches must be immediately
1221 reported to the Agency for State Enterprise Information
1222 Technology.
1223 2. For information technology security incidents involving
1224 breaches, state agencies shall provide notice in accordance with
1225 s. 817.5681 and to the Agency for Enterprise Information
1226 Technology in accordance with this subsection.
1227 (5) Each state agency shall include appropriate security
1228 requirements in the specifications for the solicitation of
1229 contracts for procuring information technology or information
1230 technology resources or services which are consistent with the
1231 rules and guidelines established by the Agency for Enterprise
1232 Information Technology.
1233 (5)(6) The Agency for State Enterprise Information
1234 Technology shall may adopt rules relating to information
1235 technology security and to administer the provisions of this
1236 section.
1237 Section 14. Section 282.33, Florida Statutes, is repealed.
1238 Section 15. Effective upon this act becoming a law, section
1239 282.34, Florida Statutes, is repealed.
1240 Section 16. Subsections (1) and (2) of section 17.0315,
1241 Florida Statutes, are amended to read:
1242 17.0315 Financial and cash management system; task force.—
1243 (1) The Chief Financial Officer, as the constitutional
1244 officer responsible for settling and approving accounts against
1245 the state and keeping all state funds pursuant to s. 4, Art. IV
1246 of the State Constitution, is shall be the head of and shall
1247 appoint members to a task force established to develop a
1248 strategic business plan for a successor financial and cash
1249 management system. The task force shall include the executive
1250 director of the Agency for State Enterprise Information
1251 Technology and the director of the Office of Policy and Budget
1252 in the Executive Office of the Governor. Any member of the task
1253 force may appoint a designee.
1254 (2) The strategic business plan for a successor financial
1255 and cash management system must:
1256 (a) Permit proper disbursement and auditing controls
1257 consistent with the respective constitutional duties of the
1258 Chief Financial Officer and the Legislature;
1259 (b) Promote transparency in the accounting of public funds;
1260 (c) Provide timely and accurate recording of financial
1261 transactions by agencies and their professional staffs;
1262 (d) Support executive reporting and data analysis
1263 requirements;
1264 (e) Be capable of interfacing with other systems providing
1265 human resource services, procuring goods and services, and
1266 providing other enterprise functions;
1267 (f) Be capable of interfacing with the existing legislative
1268 appropriations, planning, and budgeting systems;
1269 (g) Be coordinated with the information technology strategy
1270 development efforts of the Agency for State Enterprise
1271 Information Technology;
1272 (h) Be coordinated with the revenue estimating conference
1273 process as supported by the Office of Economic and Demographic
1274 Research; and
1275 (i) Address other such issues as the Chief Financial
1276 Officer identifies.
1277 Section 17. Subsection (1) of section 20.055, Florida
1278 Statutes, is reordered and amended to read:
1279 20.055 Agency inspectors general.—
1280 (1) As used in For the purposes of this section, the term:
1281 (d)(a) “State agency” means each department created
1282 pursuant to this chapter, and also includes the Executive Office
1283 of the Governor, the Department of Military Affairs, the Fish
1284 and Wildlife Conservation Commission, the Office of Insurance
1285 Regulation of the Financial Services Commission, the Office of
1286 Financial Regulation of the Financial Services Commission, the
1287 Public Service Commission, the Board of Governors of the State
1288 University System, the Florida Housing Finance Corporation, the
1289 Agency for State Technology, and the state courts system.
1290 (a)(b) “Agency head” means the Governor, a Cabinet officer,
1291 a secretary as defined in s. 20.03(5), or an executive director
1292 as those terms are defined in s. 20.03, 20.03(6). It also
1293 includes the chair of the Public Service Commission, the
1294 Director of the Office of Insurance Regulation of the Financial
1295 Services Commission, the Director of the Office of Financial
1296 Regulation of the Financial Services Commission, the board of
1297 directors of the Florida Housing Finance Corporation, and the
1298 Chief Justice of the State Supreme Court.
1299 (c) “Individuals substantially affected” means natural
1300 persons who have established a real and sufficiently immediate
1301 injury in fact due to the findings, conclusions, or
1302 recommendations of a final report of a state agency inspector
1303 general, who are the subject of the audit or investigation, and
1304 who do not have or are not currently afforded an existing right
1305 to an independent review process. The term does not apply to
1306 employees of the state, including career service, probationary,
1307 other personal service, Selected Exempt Service, and Senior
1308 Management Service employees;, are not covered by this
1309 definition. This definition also does not cover former employees
1310 of the state if the final report of the state agency inspector
1311 general relates to matters arising during a former employee’s
1312 term of state employment; or. This definition does not apply to
1313 persons who are the subject of audits or investigations
1314 conducted pursuant to ss. 112.3187-112.31895 or s. 409.913 or
1315 which are otherwise confidential and exempt under s. 119.07.
1316 (b)(d) “Entities contracting with the state” means for-
1317 profit and not-for-profit organizations or businesses that have
1318 having a legal existence, such as corporations or partnerships,
1319 as opposed to natural persons, which have entered into a
1320 relationship with a state agency as defined in paragraph (a) to
1321 provide for consideration certain goods or services to the state
1322 agency or on behalf of the state agency. The relationship may be
1323 evidenced by payment by warrant or purchasing card, contract,
1324 purchase order, provider agreement, or other such mutually
1325 agreed upon relationship. The term This definition does not
1326 apply to entities that which are the subject of audits or
1327 investigations conducted pursuant to ss. 112.3187-112.31895 or
1328 s. 409.913 or which are otherwise confidential and exempt under
1329 s. 119.07.
1330 Section 18. Paragraph (e) of subsection (2) of section
1331 110.205, Florida Statutes, is amended to read:
1332 110.205 Career service; exemptions.—
1333 (2) EXEMPT POSITIONS.—The exempt positions that are not
1334 covered by this part include the following:
1335 (e) The Chief Information Officer in the Agency for State
1336 Enterprise Information Technology. Unless otherwise fixed by
1337 law, the Agency for State Enterprise Information Technology
1338 shall set the salary and benefits of this position in accordance
1339 with the rules of the Senior Management Service.
1340 Section 19. Subsections (2) and (9) of section 215.322,
1341 Florida Statutes, are amended to read:
1342 215.322 Acceptance of credit cards, charge cards, debit
1343 cards, or electronic funds transfers by state agencies, units of
1344 local government, and the judicial branch.—
1345 (2) A state agency as defined in s. 216.011, or the
1346 judicial branch, may accept credit cards, charge cards, debit
1347 cards, or electronic funds transfers in payment for goods and
1348 services with the prior approval of the Chief Financial Officer.
1349 If the Internet or other related electronic methods are to be
1350 used as the collection medium, the Agency for State Enterprise
1351 Information Technology shall review and recommend to the Chief
1352 Financial Officer whether to approve the request with regard to
1353 the process or procedure to be used.
1354 (9) For payment programs in which credit cards, charge
1355 cards, or debit cards are accepted by state agencies, the
1356 judicial branch, or units of local government, the Chief
1357 Financial Officer, in consultation with the Agency for State
1358 Enterprise Information Technology, may adopt rules to establish
1359 uniform security safeguards for cardholder data and to ensure
1360 compliance with the Payment Card Industry Data Security
1361 Standards.
1362 Section 20. Subsection (2) of section 215.96, Florida
1363 Statutes, is amended to read:
1364 215.96 Coordinating council and design and coordination
1365 staff.—
1366 (2) The coordinating council shall consist of the Chief
1367 Financial Officer; the Commissioner of Agriculture; the Attorney
1368 General; the secretary of the Department of Management Services;
1369 the executive director of the Agency for State Technology the
1370 Attorney General; and the Director of Planning and Budgeting,
1371 Executive Office of the Governor, or their designees. The Chief
1372 Financial Officer, or his or her designee, shall be chair of the
1373 coordinating council, and the design and coordination staff
1374 shall provide administrative and clerical support to the council
1375 and the board. The design and coordination staff shall maintain
1376 the minutes of each meeting and shall make such minutes
1377 available to any interested person. The Auditor General, the
1378 State Courts Administrator, an executive officer of the Florida
1379 Association of State Agency Administrative Services Directors,
1380 and an executive officer of the Florida Association of State
1381 Budget Officers, or their designees, shall serve without voting
1382 rights as ex officio members of on the coordinating council. The
1383 chair may call meetings of the coordinating council as often as
1384 necessary to transact business; however, the coordinating
1385 council must shall meet at least annually once a year. Action of
1386 the coordinating council shall be by motion, duly made, seconded
1387 and passed by a majority of the coordinating council voting in
1388 the affirmative for approval of items that are to be recommended
1389 for approval to the Financial Management Information Board.
1390 Section 21. Paragraph (a) of subsection (4) of section
1391 216.023, Florida Statutes, is amended to read:
1392 216.023 Legislative budget requests to be furnished to
1393 Legislature by agencies.—
1394 (4)(a) The legislative budget request must contain for each
1395 program must contain:
1396 1. The constitutional or statutory authority for a program,
1397 a brief purpose statement, and approved program components.
1398 2. Information on expenditures for 3 fiscal years (actual
1399 prior-year expenditures, current-year estimated expenditures,
1400 and agency budget requested expenditures for the next fiscal
1401 year) by appropriation category.
1402 3. Details on trust funds and fees.
1403 4. The total number of positions (authorized, fixed, and
1404 requested).
1405 5. An issue narrative describing and justifying changes in
1406 amounts and positions requested for current and proposed
1407 programs for the next fiscal year.
1408 6. Information resource requests.
1409 7. Supporting information, including applicable cost-
1410 benefit analyses, business case analyses, performance
1411 contracting procedures, service comparisons, and impacts on
1412 performance standards for any request to outsource or privatize
1413 agency functions. The cost-benefit and business case analyses
1414 must include an assessment of the impact on each affected
1415 activity from those identified in accordance with paragraph (b).
1416 Performance standards must include standards for each affected
1417 activity and be expressed in terms of the associated unit of
1418 activity.
1419 8. An evaluation of any major outsourcing and privatization
1420 initiatives undertaken during the last 5 fiscal years having
1421 aggregate expenditures exceeding $10 million during the term of
1422 the contract. The evaluation must shall include an assessment of
1423 contractor performance, a comparison of anticipated service
1424 levels to actual service levels, and a comparison of estimated
1425 savings to actual savings achieved. Consolidated reports issued
1426 by the Department of Management Services may be used to satisfy
1427 this requirement.
1428 9. Supporting information for any proposed consolidated
1429 financing of deferred-payment commodity contracts including
1430 guaranteed energy performance savings contracts. Supporting
1431 information must also include narrative describing and
1432 justifying the need, baseline for current costs, estimated cost
1433 savings, projected equipment purchases, estimated contract
1434 costs, and return on investment calculation.
1435 10. For projects that exceed $10 million in total cost, the
1436 statutory reference of the existing policy or the proposed
1437 substantive policy that establishes and defines the project’s
1438 governance structure, planned scope, main business objectives
1439 that must be achieved, and estimated completion timeframes. The
1440 governance structure for information technology-related projects
1441 requested by a state agency must incorporate the applicable
1442 project management and oversight standards established under s.
1443 282.0051. Information technology budget requests for the
1444 continuance of existing hardware and software maintenance
1445 agreements, renewal of existing software licensing agreements,
1446 or the replacement of desktop units with new technology that is
1447 similar to the technology currently in use are exempt from this
1448 requirement.
1449 Section 22. Subsection (22) of section 287.057, Florida
1450 Statutes, is amended to read:
1451 287.057 Procurement of commodities or contractual
1452 services.—
1453 (22) The department, in consultation with the Chief
1454 Financial Officer and the Agency for State Technology, shall
1455 maintain a program for the online procurement of commodities and
1456 contractual services. To enable the state to promote open
1457 competition and leverage its buying power, agencies shall
1458 participate in the online procurement program, and eligible
1459 users may participate in the program. Only vendors prequalified
1460 as meeting mandatory requirements and qualifications criteria
1461 may participate in online procurement.
1462 (a) The department, in consultation with the Agency for
1463 State Technology and in compliance with the standards and
1464 policies of the agency, may contract for equipment and services
1465 necessary to develop and implement online procurement.
1466 (b) The department shall adopt rules to administer the
1467 program for online procurement. The rules must include, but not
1468 be limited to:
1469 1. Determining the requirements and qualification criteria
1470 for prequalifying vendors.
1471 2. Establishing the procedures for conducting online
1472 procurement.
1473 3. Establishing the criteria for eligible commodities and
1474 contractual services.
1475 4. Establishing the procedures for providing access to
1476 online procurement.
1477 5. Determining the criteria warranting any exceptions to
1478 participation in the online procurement program.
1479 (c) The department may impose and shall collect all fees
1480 for the use of the online procurement systems.
1481 1. The fees may be imposed on an individual transaction
1482 basis or as a fixed percentage of the cost savings generated. At
1483 a minimum, the fees must be set in an amount sufficient to cover
1484 the projected costs of the services, including administrative
1485 and project service costs in accordance with the policies of the
1486 department.
1487 2. If the department contracts with a provider for online
1488 procurement, the department, pursuant to appropriation, shall
1489 compensate the provider from the fees after the department has
1490 satisfied all ongoing costs. The provider shall report
1491 transaction data to the department each month so that the
1492 department may determine the amount due and payable to the
1493 department from each vendor.
1494 3. All fees that are due and payable to the state on a
1495 transactional basis or as a fixed percentage of the cost savings
1496 generated are subject to s. 215.31 and must be remitted within
1497 40 days after receipt of payment for which the fees are due. For
1498 fees that are not remitted within 40 days, the vendor shall pay
1499 interest at the rate established under s. 55.03(1) on the unpaid
1500 balance from the expiration of the 40-day period until the fees
1501 are remitted.
1502 4. All fees and surcharges collected under this paragraph
1503 shall be deposited in the Operating Trust Fund as provided by
1504 law.
1505 Section 23. Subsection (4) of section 445.011, Florida
1506 Statutes, is amended to read:
1507 445.011 Workforce information systems.—
1508 (4) Workforce Florida, Inc., shall coordinate development
1509 and implementation of workforce information systems with the
1510 executive director of the Agency for State Enterprise
1511 Information Technology to ensure compatibility with the state’s
1512 information system strategy and enterprise architecture.
1513 Section 24. Subsections (2) and (4) of section 445.045,
1514 Florida Statutes, are amended to read:
1515 445.045 Development of an Internet-based system for
1516 information technology industry promotion and workforce
1517 recruitment.—
1518 (2) Workforce Florida, Inc., shall coordinate with the
1519 Agency for State Enterprise Information Technology and the
1520 Department of Economic Opportunity to ensure links, where
1521 feasible and appropriate, to existing job information websites
1522 maintained by the state and state agencies and to ensure that
1523 information technology positions offered by the state and state
1524 agencies are posted on the information technology website.
1525 (4)(a) Workforce Florida, Inc., shall coordinate
1526 development and maintenance of the website under this section
1527 with the executive director of the Agency for State Enterprise
1528 Information Technology to ensure compatibility with the state’s
1529 information system strategy and enterprise architecture.
1530 (b) Workforce Florida, Inc., may enter into an agreement
1531 with the Agency for State Enterprise Information Technology, the
1532 Department of Economic Opportunity, or any other public agency
1533 with the requisite information technology expertise for the
1534 provision of design, operating, or other technological services
1535 necessary to develop and maintain the website.
1536 (c) Workforce Florida, Inc., may procure services necessary
1537 to implement the provisions of this section, if it employs
1538 competitive processes, including requests for proposals,
1539 competitive negotiation, and other competitive processes that to
1540 ensure that the procurement results in the most cost-effective
1541 investment of state funds.
1542 Section 25. Paragraph (b) of subsection (18) of section
1543 668.50, Florida Statutes, is amended to read:
1544 668.50 Uniform Electronic Transaction Act.—
1545 (18) ACCEPTANCE AND DISTRIBUTION OF ELECTRONIC RECORDS BY
1546 GOVERNMENTAL AGENCIES.—
1547 (b) To the extent that a governmental agency uses
1548 electronic records and electronic signatures under paragraph
1549 (a), the Agency for State Enterprise Information Technology, in
1550 consultation with the governmental agency, giving due
1551 consideration to security, may specify:
1552 1. The manner and format in which the electronic records
1553 must be created, generated, sent, communicated, received, and
1554 stored and the systems established for those purposes.
1555 2. If electronic records must be signed by electronic
1556 means, the type of electronic signature required, the manner and
1557 format in which the electronic signature must be affixed to the
1558 electronic record, and the identity of, or criteria that must be
1559 met by, any third party used by a person filing a document to
1560 facilitate the process.
1561 3. Control processes and procedures as appropriate to
1562 ensure adequate preservation, disposition, integrity, security,
1563 confidentiality, and auditability of electronic records.
1564 4. Any other required attributes for electronic records
1565 which are specified for corresponding nonelectronic records or
1566 reasonably necessary under the circumstances.
1567 Section 26. Section 943.0415, Florida Statutes, is amended
1568 to read:
1569 943.0415 Cybercrime Office.—The Cybercrime Office There is
1570 created within the Department of Law Enforcement the Cybercrime
1571 Office. The office may:
1572 (1) Investigate violations of state law pertaining to the
1573 sexual exploitation of children which are facilitated by or
1574 connected to the use of any device capable of storing electronic
1575 data.
1576 (2) Monitor information technology resources and provide
1577 analysis on information technology security incidents, threats,
1578 or breaches as those terms are defined in s. 282.0041.
1579 (3) Investigate violations of state law pertaining to
1580 information technology security incidents, threats, or breaches
1581 pursuant to s. 282.0041 and assist in incident response and
1582 recovery.
1583 (4) Provide security awareness training and information to
1584 state agency employees concerning cyber security, online sexual
1585 exploitation of children, security risks, and the responsibility
1586 of employees to comply with policies, standards, guidelines, and
1587 operating procedures adopted by the Agency for State Technology.
1588 (5) Consult with the Agency for State Technology in the
1589 adoption of rules relating to the information technology
1590 security provisions of s. 282.318.
1591 Section 27. Section 1004.649, Florida Statutes, is amended
1592 to read:
1593 1004.649 Northwest Regional Data Center.—
1594 (1) For the purpose of providing data center services to
1595 serving its state agency customers, the Northwest Regional Data
1596 Center at Florida State University is designated as a primary
1597 data center and shall:
1598 (a) Operate under a governance structure that represents
1599 its customers proportionally.
1600 (b) Maintain an appropriate cost-allocation methodology
1601 that accurately bills state agency customers based solely on the
1602 actual direct and indirect costs of the services provided to
1603 state agency customers, and ensures that for any fiscal year a
1604 state agency customer is not subsidizing a prohibits the
1605 subsidization of nonstate agency customer or another state
1606 agency customer customers’ costs by state agency customers. Such
1607 cost-allocation methodology must comply with applicable state
1608 and federal requirements concerning the distribution and use of
1609 state and federal funds.
1610 (c) Enter into a service-level agreement with each state
1611 agency customer to provide services as defined and approved by
1612 the governing board of the center. At a minimum, such service-
1613 level agreements must:
1614 1. Identify the parties and their roles, duties, and
1615 responsibilities under the agreement;
1616 2. State the duration of the agreement term and specify the
1617 conditions for renewal;
1618 3. Identify the scope of work;
1619 4. Establish the services to be provided, the business
1620 standards that must be met for each service, the cost of each
1621 service, and the process by which the business standards for
1622 each service are to be objectively measured and reported;
1623 5. Provide a timely billing methodology for recovering the
1624 cost of services provided pursuant to s. 215.422; and
1625 6. Provide a procedure for modifying the service-level
1626 agreement to address any changes in projected costs of service;
1627 7. Prohibit the transfer of computing services between the
1628 Northwest Regional Data Center and the state data center
1629 established under s. 282.201 without at least 180 days’ notice
1630 of service cancellation;
1631 8. Identify the products or services to be delivered with
1632 sufficient specificity to permit an external financial or
1633 performance audit; and
1634 9. Provide that the service-level agreement may be
1635 terminated by either party for cause only after giving the other
1636 party notice in writing of the cause for termination and an
1637 opportunity for the other party to resolve the identified cause
1638 within a reasonable period.
1639 (d) Provide to the Board of Governors the total annual
1640 budget by major expenditure category, including, but not limited
1641 to, salaries, expenses, operating capital outlay, contracted
1642 services, or other personnel services by July 30 each fiscal
1643 year.
1644 (e) Provide to each state agency customer its projected
1645 annual cost for providing the agreed-upon data center services
1646 by September 1 each fiscal year.
1647 (f) Provide a plan for consideration by the Legislative
1648 Budget Commission if the governing body of the center approves
1649 the use of a billing rate schedule after the start of the fiscal
1650 year that increases any state agency customer’s costs for that
1651 fiscal year.
1652 (2) The Northwest Regional Data Center’s designation as a
1653 primary data center for purposes of serving its state agency
1654 customers may be terminated if:
1655 (a) The center requests such termination to the Board of
1656 Governors, the Senate President, and the Speaker of the House of
1657 Representatives; or
1658 (b) The center fails to comply with the provisions of this
1659 section.
1660 (3) If such designation is terminated, the center shall
1661 have 1 year to provide for the transition of its state agency
1662 customers to the state data center system established under s.
1663 282.201 Southwood Shared Resource Center or the Northwood Shared
1664 Resource Center.
1665 Section 28. (1) All records, property, pending issues and
1666 existing contracts, administrative authority, administrative
1667 rules in chapters 71A-1 and 71A-2, Florida Administrative Code,
1668 in effect as of November 15, 2010, trust funds, and unexpended
1669 balances of appropriations, allocations, and other funds of the
1670 Agency for Enterprise Information Technology are transferred by
1671 a type two transfer pursuant to s. 20.06(2), Florida Statutes,
1672 to the Agency for State Technology established pursuant to s.
1673 20.61, Florida Statutes, as created by this act.
1674 (2) Except for those rules in chapters 71A-1 and 71A-2,
1675 Florida Administrative Code, transferred pursuant to subsection
1676 (1), any other rules adopted by the Agency for Enterprise
1677 Information Technology, if any, are void.
1678 Section 29. The Northwood Shared Resource Center is
1679 transferred by a type two transfer, pursuant to s. 20.06,
1680 Florida Statutes, from the Department of Management Services to
1681 the Agency for State Technology. Any binding contract or
1682 interagency agreement entered into and between the Northwood
1683 Shared Resource Center or an entity or agent of the center and
1684 any other agency, entity, or person shall continue as a binding
1685 contract or agreement of the Agency for State Technology for the
1686 remainder of the term of such contract or agreement.
1687 Section 30. The Southwood Shared Resource Center is
1688 transferred by a type two transfer, pursuant to s. 20.06,
1689 Florida Statutes, from the Department of Management Services to
1690 the Agency for State Technology. Any binding contract or
1691 interagency agreement entered into and between the Southwood
1692 Shared Resource Center or an entity or agent of the center and
1693 any other agency, entity, or person shall continue as a binding
1694 contract or agreement of the Agency for State Technology for the
1695 remainder of the term of such contract or agreement.
1696 Section 31. (1) The Agency for State Technology shall
1697 conduct a feasibility study that analyzes, evaluates, and
1698 provides recommendations for managing state government data in a
1699 manner that promotes interoperability and openness; ensures
1700 that, wherever legally permissible and not cost prohibitive,
1701 such data is available to the public in ways that make the data
1702 easy to find and use; and complies with the provisions of
1703 chapter 119, Florida Statutes.
1704 (2) By June 1, 2015, the Agency for State Technology shall
1705 submit a report on the feasibility study to the Governor, the
1706 President of the Senate, and the Speaker of the House of
1707 Representatives. The report, at a minimum, shall include the
1708 following components:
1709 (a) A clear description of what state government data is
1710 public information. The guiding principle for this component is
1711 a presumption of openness to the extent permitted by law and
1712 subject to privacy, confidentiality, security, and other fiscal
1713 and legal restrictions.
1714 (b) A fiscal analysis that identifies the impact to any
1715 agency that is authorized to assess a fee for providing certain
1716 state government data to the public if the description in
1717 paragraph (a) includes that data.
1718 (c) Recommended standards to make uniform the format and
1719 accessibility of public information and to ensure that the data
1720 is published in a nonproprietary, searchable, sortable,
1721 platform-independent, and machine-readable format. The report
1722 shall include the projected cost to state agencies to implement
1723 and maintain the standards.
1724 (d) A project plan for implementing a single Internet
1725 website that contains the public information or links to the
1726 public information. The plan shall include a timeline and
1727 benchmarks for making public information available online and
1728 shall identify costs associated with the development and ongoing
1729 maintenance of the website.
1730 (e) A recommended governance structure and a review and
1731 compliance process to ensure accountability on the part of those
1732 who create, maintain, manage, or store public information or
1733 post it on the single Internet website. The report shall include
1734 associated costs to implement and maintain the recommended
1735 governance structure and the review and compliance process.
1736 Section 32. Effective June 30, 2014, there is created the
1737 state data center task force comprised of all individuals who,
1738 upon that date are members of the boards of trustees of the
1739 Northwood Shared Resource Center or the Southwood Shared
1740 Resource Center, and agree to serve on the task force. The
1741 members of the task force shall elect a chair. The purpose of
1742 the task force is to assist with the transfer of the Northwood
1743 Shared Resource Center and Southwood Shared Resource Center to
1744 the Agency for State Technology and the transition to the state
1745 data center established pursuant to s. 282.201, Florida
1746 Statutes. The task force shall identify any operational or
1747 fiscal issues impacting the transition and provide
1748 recommendations to the Agency for State Technology for
1749 resolution of such issues. The task force does not have
1750 authority to make decisions regarding the state data center or
1751 the former Northwood Shared Resource Center or Southwood Shared
1752 Resource Center. The task force is abolished June 30, 2015, or
1753 at an earlier date as provided by the task force.
1754 Section 33. (1) For the 2014-2015 fiscal year, the sums of
1755 $3,563,573 in recurring funds and $1,095,005 in nonrecurring
1756 funds are appropriated from the General Revenue Fund to the
1757 Agency for State Technology, and 25 full-time equivalent
1758 positions and associated salary rate of 2,083,482 are
1759 authorized, for the purpose of implementing this act.
1760 (2)(a) The recurring general revenue funds shall be
1761 allocated to an Executive Direction and Support Services budget
1762 entity in specific appropriation categories: $2,851,452 in
1763 Salaries and Benefits, $252,894 in Expenses, $115,000 in
1764 Administrative Overhead, $10,000 in Operating Capital Outlay,
1765 $317,627 in Contracted Services, $3,000 in Risk Management
1766 Insurance, $8,600 in Transfer to Department of Management
1767 Services/Statewide Human Resources Contract, and $5,000 in Data
1768 Processing Services/Southwood Shared Resource Center.
1769 (b) The nonrecurring general revenue funds shall be
1770 allocated to an Executive Direction and Support Services budget
1771 entity in specific appropriation categories: $95,005 in Expenses
1772 and $1,000,000 in Contracted Services.
1773 Section 34. A Data Center Administration budget entity is
1774 created within the Agency for State Technology. Appropriations
1775 to the Data Center Administration budget entity shall reflect
1776 the indirect data center costs allocated to customer agencies.
1777 Section 35. For the 2014-2015 fiscal year only, the
1778 Northwood Shared Resource Center budget entity is created within
1779 the Agency for State Technology. Effective July 1, 2014, the
1780 appropriations provided for the Northwood Shared Resource Center
1781 in the General Appropriations Act for the 2014-2015 fiscal year
1782 shall be transferred to the Northwood Shared Resource Center
1783 budget entity within the Agency for State Technology.
1784 Section 36. For the 2014-2015 fiscal year only, the
1785 Southwood Shared Resource Center budget entity is created within
1786 the Agency for State Technology. Effective July 1, 2014, the
1787 appropriations provided for the Southwood Shared Resource Center
1788 in the General Appropriations Act for the 2014-2015 fiscal year
1789 shall be transferred to the Southwood Shared Resource Center
1790 budget entity within the Agency for State Technology.
1791 Section 37. (1) For the 2014-2015 fiscal year, the sums of
1792 $144,870 in recurring funds and $7,546 in nonrecurring funds are
1793 appropriated from the General Revenue Fund to the Department of
1794 Law Enforcement, and 2 full-time equivalent positions and
1795 associated salary rate of 93,120 are authorized, for the purpose
1796 of implementing the sections of this act related to cybercrime
1797 capacity and capability.
1798 (2)(a) The recurring general revenue funds shall be
1799 allocated to the Provide Investigative Services budget entity in
1800 specific appropriation categories: $131,660 in Salaries and
1801 Benefits, $12,522 in Expenses, and $688 in Transfer to
1802 Department of Management Services/Statewide Human Resources
1803 Contract.
1804 (b) The nonrecurring general revenue funds of $7,546 shall
1805 be allocated to the Provide Investigative Services budget entity
1806 in the Expenses appropriation category.
1807 Section 38. Beginning with the 2015-2016 fiscal year, the
1808 State Data Center budget entity is created within the Agency for
1809 State Technology. Appropriations to the State Data Center budget
1810 entity shall reflect the direct data center costs allocated to
1811 customer agencies.
1812 Section 39. (1) From the funds appropriated in section 31,
1813 $500,000 in nonrecurring general revenue funds shall be used by
1814 the Agency for State Technology to contract with an independent
1815 third party consulting firm to complete a risk assessment of
1816 information technology security that analyzes and provides
1817 recommendations for protecting the state’s information, data,
1818 and information technology resources. The risk assessment shall:
1819 (a) Focus on the state data center created in s. 282.201,
1820 Florida Statutes, and the state data center’s state agency
1821 customers.
1822 (b) Identify the existing security standards, guidelines,
1823 frameworks, and practices currently managing the state’s
1824 information, data, and information technology resources.
1825 (c) Evaluate industry best practices, standards,
1826 guidelines, and frameworks and provide recommendations to
1827 increase overall security within the state data center and its
1828 state agency customers.
1829 (d) Identify the differences between current operations or
1830 practices and the Agency for State Technology’s recommendations
1831 and prioritize the identified gaps in order of relative
1832 importance to state agency customers’ business objectives.
1833 (2) The Agency for State Technology shall submit the
1834 results of the completed risk assessment to the Governor, the
1835 President of the Senate, and the Speaker of the House of
1836 Representatives by June 30, 2015.
1837 Section 40. (1) The Agency for State Technology shall
1838 complete an operational assessment of the state data center
1839 created by s. 282.201, Florida Statutes. The operational
1840 assessment shall focus on:
1841 (a) Standardizing the state data center’s operational
1842 processes and practices to include its cost recovery
1843 methodologies.
1844 (b) Identifying duplication of any staff resources
1845 supporting the operation of the state data center and any
1846 positions created within the Agency for State Technology.
1847 (2) Based upon the results of the operational assessment,
1848 the Agency for State Technology shall provide recommendations
1849 for the potential reorganization of the state data center,
1850 including recommendations for the reduction or reclassification
1851 of duplicative positions, and submit its recommendations to the
1852 Governor, the President of the Senate, and the Speaker of the
1853 House of Representatives by February 1, 2015.
1854 Section 41. Notwithstanding s. 216.292(4)(d), Florida
1855 Statutes, the transfers authorized in sections 29 and 30 of this
1856 act do not require Legislative Budget Commission approval.
1857 Section 42. Except as otherwise expressly provided in this
1858 act and except for this section, which shall take effect upon
1859 this act becoming a law, this act shall take effect July 1,
1860 2014.