Florida Senate - 2014 COMMITTEE AMENDMENT
Bill No. PCS (290876) for SB 928
LEGISLATIVE ACTION
Senate: Comm: RCS, 03/13/2014
House:
following:
1 Senate Amendment (with title amendment)
2
3 Delete lines 79 - 529
4 and insert:
5 Section 2. Section 20.61, Florida Statutes, is created to
6 read:
7 20.61 Agency for State Technology.—The Agency for State
8 Technology is created within the Department of Management
9 Services. The agency is a separate budget program and is not
10 subject to control, supervision, or direction by the Department
11 of Management Services, including, but not limited to,
12 purchasing, transactions involving real or personal property,
13 personnel, or budgetary matters.
14 (1)(a) The executive director of the agency shall serve as
15 the state’s chief information officer and shall be appointed by
16 the Governor, subject to confirmation by the Senate.
17 (b) The executive director must be a proven, effective
18 administrator who preferably has executive-level experience in
19 both the public and private sectors in development and
20 implementation of information technology strategic planning;
21 management of enterprise information technology projects,
22 particularly management of large-scale consolidation projects;
23 and development and implementation of fiscal and substantive
24 information technology policy.
25 (2) The following positions are established within the
26 agency, all of whom shall be appointed by the executive
27 director:
28 (a) Deputy executive director, who shall serve as the
29 deputy chief information officer.
30 (b) Chief planning officer and six strategic planning
31 coordinators. One coordinator shall be assigned to each of the
32 following major program areas: health and human services,
33 education, government operations, criminal and civil justice,
34 agriculture and natural resources, and transportation and
35 economic development.
36 (c) Chief operations officer.
37 (d) Chief information security officer.
38 (e) Chief technology officer.
39 (3) The Technology Advisory Council, consisting of seven
40 members, is established within the Agency for State Technology
41 and shall be maintained pursuant to s. 20.052. Four members of
42 the council shall be appointed by the Governor, two of whom must
43 be from the private sector. The President of the Senate and the
44 Speaker of the House of Representatives shall each appoint one
45 member of the council. The Attorney General, the Commissioner of
46 Agriculture and Consumer Services, and the Chief Financial
47 Officer shall jointly appoint one member by agreement of a
48 majority of these officers. Upon initial establishment of the
49 council, two of the Governor’s appointments shall be for 2-year
50 terms. Thereafter, all appointments shall be for 4-year terms.
51 (a) The council shall consider and make recommendations to
52 the executive director on such matters as enterprise information
53 technology policies, standards, services, and architecture. The
54 council may also identify and recommend opportunities for the
55 establishment of public-private partnerships when considering
56 technology infrastructure and services in order to accelerate
57 project delivery and provide a source of new or increased
58 project funding.
59 (b) The executive director shall consult with the council
60 with regard to executing the duties and responsibilities of the
61 agency related to statewide information technology strategic
62 planning and policy.
63 (c) The council shall be governed by the Code of Ethics for
64 Public Officers and Employees as set forth in part III of
65 chapter 112, and each member must file a statement of financial
66 interests pursuant to s. 112.3145.
67 Section 3. Section 282.0041, Florida Statutes, is amended
68 to read:
69 282.0041 Definitions.—As used in this chapter, the term:
70 (1) “Agency data center” means agency space containing 10
71 or more physical or logical servers “Agency” has the same
72 meaning as in s. 216.011(1)(qq), except that for purposes of
73 this chapter, “agency” does not include university boards of
74 trustees or state universities.
75 (2) “Agency for Enterprise Information Technology” means
76 the agency created in s. 14.204.
77 (3) “Agency information technology service” means a service
78 that directly helps an agency fulfill its statutory or
79 constitutional responsibilities and policy objectives and is
80 usually associated with the agency’s primary or core business
81 functions.
82 (4) “Annual budget meeting” means a meeting of the board of
83 trustees of a primary data center to review data center usage to
84 determine the apportionment of board members for the following
85 fiscal year, review rates for each service provided, and
86 determine any other required changes.
87 (2)(5) “Breach” means a confirmed event that compromises
88 the confidentiality, integrity, or availability of information
89 or data has the same meaning as in s. 817.5681(4).
90 (3)(6) “Business continuity plan” means a collection of
91 procedures and information designed to keep an agency’s critical
92 operations running during a period of displacement or
93 interruption of normal operations plan for disaster recovery
94 which provides for the continued functioning of a primary data
95 center during and after a disaster.
96 (4)(7) “Computing facility” or “agency computing facility”
97 means agency space containing fewer than a total of 10 physical
98 or logical servers, any of which supports a strategic or
99 nonstrategic information technology service, as described in
100 budget instructions developed pursuant to s. 216.023, but
101 excluding single, logical-server installations that exclusively
102 perform a utility function such as file and print servers.
103 (5)(8) “Customer entity” means an entity that obtains
104 services from the state a primary data center.
105 (9) “Data center” means agency space containing 10 or more
106 physical or logical servers any of which supports a strategic or
107 nonstrategic information technology service, as described in
108 budget instructions developed pursuant to s. 216.023.
109 (6)(10) “Department” means the Department of Management
110 Services.
111 (7) “Disaster recovery” means the process, policies,
112 procedures, and infrastructure related to preparing for and
113 implementing recovery or continuation of an agency’s vital
114 technology infrastructure after a natural or human-induced
115 disaster.
116 (8)(11) “Enterprise information technology service” means
117 an information technology service that is used in all agencies
118 or a subset of agencies and is established in law to be
119 designed, delivered, and managed at the enterprise level.
120 (9) “Event” means an observable occurrence in a system or
121 network.
122 (10) “Incident” means a violation or imminent threat of
123 violation, whether such violation is accidental or deliberate,
124 of information technology security policies, acceptable use
125 policies, or standard security practices. An imminent threat of
126 violation refers to a situation in which the state agency has a
127 factual basis for believing that a specific incident is about to
128 occur.
129 (12) “E-mail, messaging, and calendaring service” means the
130 enterprise information technology service that enables users to
131 send, receive, file, store, manage, and retrieve electronic
132 messages, attachments, appointments, and addresses. The e-mail,
133 messaging, and calendaring service must include e-mail account
134 management; help desk; technical support and user provisioning
135 services; disaster recovery and backup and restore capabilities;
136 antispam and antivirus capabilities; archiving and e-discovery;
137 and remote access and mobile messaging capabilities.
138 (13) “Information-system utility” means a full-service
139 information-processing facility offering hardware, software,
140 operations, integration, networking, and consulting services.
141 (11)(14) “Information technology” means equipment,
142 hardware, software, firmware, programs, systems, networks,
143 infrastructure, media, and related material used to
144 automatically, electronically, and wirelessly collect, receive,
145 access, transmit, display, store, record, retrieve, analyze,
146 evaluate, process, classify, manipulate, manage, assimilate,
147 control, communicate, exchange, convert, converge, interface,
148 switch, or disseminate information of any kind or form.
149 (12)(15) “Information technology policy” means a definite
150 course or method of action selected from among one or more
151 alternatives that guide and determine present and future
152 decisions statements that describe clear choices for how
153 information technology will deliver effective and efficient
154 government services to residents and improve state agency
155 operations. A policy may relate to investments, business
156 applications, architecture, or infrastructure. A policy
157 describes its rationale, implications of compliance or
158 noncompliance, the timeline for implementation, metrics for
159 determining compliance, and the accountable structure
160 responsible for its implementation.
161 (13) “Information technology resources” has the same
162 meaning as provided in s. 119.011.
163 (14) “Information technology security” means the protection
164 afforded to an automated information system in order to attain
165 the applicable objectives of preserving the integrity,
166 availability, and confidentiality of data, information, and
167 information technology resources.
168 (15)(16) “Performance metrics” means the measures of an
169 organization’s activities and performance.
170 (17) “Primary data center” means a data center that is a
171 recipient entity for consolidation of nonprimary data centers
172 and computing facilities and that is established by law.
173 (16)(18) “Project” means an endeavor that has a defined
174 start and end point; is undertaken to create or modify a unique
175 product, service, or result; and has specific objectives that,
176 when attained, signify completion.
177 (17) “Project oversight” means an independent review and
178 analysis of an information technology project that provides
179 information on the project’s scope, completion timeframes, and
180 budget and that identifies and quantifies issues or risks
181 affecting the successful and timely completion of the project.
182 (18)(19) “Risk assessment analysis” means the process of
183 identifying security risks, determining their magnitude, and
184 identifying areas needing safeguards.
185 (19)(20) “Service level” means the key performance
186 indicators (KPI) of an organization or service which must be
187 regularly performed, monitored, and achieved.
188 (20)(21) “Service-level agreement” means a written contract
189 between the state a data center and a customer entity which
190 specifies the scope of services provided, service level, the
191 duration of the agreement, the responsible parties, and service
192 costs. A service-level agreement is not a rule pursuant to
193 chapter 120.
194 (21) “Stakeholder” means a person, group, organization, or
195 state agency involved in or affected by a course of action.
196 (22) “Standards” means required practices, controls,
197 components, or configurations established by an authority.
198 (23) “State agency” means any official, officer,
199 commission, board, authority, council, committee, or department
200 of the executive branch of state government; the Justice
201 Administrative Commission; and the Public Service Commission.
202 The term does not include university boards of trustees or state
203 universities. As used in part I of this chapter, except as
204 otherwise specifically provided, the term does not include the
205 Department of Legal Affairs, the Department of Agriculture and
206 Consumer Services, or the Department of Financial Services.
207 (24)(23) “SUNCOM Network” means the state enterprise
208 telecommunications system that provides all methods of
209 electronic or optical telecommunications beyond a single
210 building or contiguous building complex and used by entities
211 authorized as network users under this part.
212 (25)(24) “Telecommunications” means the science and
213 technology of communication at a distance, including electronic
214 systems used in the transmission or reception of information.
215 (26)(25) “Threat” means any circumstance or event that has
216 the potential to adversely impact a state agency’s operations or
217 assets through an information system via unauthorized access,
218 destruction, disclosure, or modification of information or
219 denial of service any circumstance or event that may cause harm
220 to the integrity, availability, or confidentiality of
221 information technology resources.
222 (27) “Variance” means a calculated value that illustrates
223 how far positive or negative a projection has deviated when
224 measured against documented estimates within a project plan.
225 (26) “Total cost” means all costs associated with
226 information technology projects or initiatives, including, but
227 not limited to, value of hardware, software, service,
228 maintenance, incremental personnel, and facilities. Total cost
229 of a loan or gift of information technology resources to an
230 agency includes the fair market value of the resources.
231 (27) “Usage” means the billing amount charged by the
232 primary data center, less any pass-through charges, to the
233 customer entity.
234 (28) “Usage rate” means a customer entity’s usage or
235 billing amount as a percentage of total usage.
236 Section 4. Section 282.0051, Florida Statutes, is created
237 to read:
238 282.0051 Agency for State Technology; powers, duties, and
239 functions.—The Agency for State Technology shall have the
240 following powers, duties, and functions:
241 (1) Develop and publish information technology policy for
242 the management of the state’s information technology resources.
243 (2) Establish and publish information technology
244 architecture standards to provide for the most efficient use of
245 the state’s information technology resources and to ensure
246 compatibility and alignment with the needs of state agencies.
247 The agency shall assist state agencies in complying with the
248 standards.
249 (3) By June 30, 2015, establish project management and
250 oversight standards with which state agencies must comply when
251 implementing information technology projects. The agency shall
252 provide training opportunities to state agencies to assist in
253 the adoption of the project management and oversight standards.
254 To support data-driven decisionmaking, the standards must
255 include, but are not limited to:
256 (a) Performance measurements and metrics that objectively
257 reflect the status of an information technology project based on
258 a defined and documented project scope, cost, and schedule.
259 (b) Methodologies for calculating acceptable variances in
260 the projected versus actual scope, schedule, or cost of an
261 information technology project.
262 (c) Reporting requirements, including requirements designed
263 to alert all defined stakeholders that an information technology
264 project has exceeded acceptable variances defined and documented
265 in a project plan.
266 (d) Content, format, and frequency of project updates.
267 (4) Beginning January 1, 2015, perform project oversight on
268 all state agency information technology projects that have total
269 project costs of $10 million or more and that are funded in the
270 General Appropriations Act or any other law. The agency shall
271 report at least quarterly to the Executive Office of the
272 Governor, the President of the Senate, and the Speaker of the
273 House of Representatives on any information technology project
274 that the agency identifies as high-risk due to the project
275 exceeding acceptable variance ranges defined and documented in a
276 project plan. The report must include a risk assessment,
277 including fiscal risks, associated with proceeding to the next
278 stage of the project, and a recommendation for corrective
279 actions required, including suspension or termination of the
280 project.
281 (5) By April 1, 2016, and biennially thereafter, identify
282 opportunities for standardization and consolidation of
283 information technology services that support business functions
284 and operations, including administrative functions such as
285 purchasing, accounting and reporting, cash management, and
286 personnel, and that are common across state agencies. The agency
287 shall provide recommendations for standardization and
288 consolidation to the Executive Office of the Governor, the
289 President of the Senate, and the Speaker of the House of
290 Representatives. The agency is not precluded from providing
291 recommendations before April 1, 2016.
292 (6) In collaboration with the Department of Management
293 Services, establish best practices for the procurement of
294 information technology products in order to reduce costs,
295 increase productivity, or improve services. Such practices must
296 include a provision requiring the agency to review all
297 information technology purchases made by state agencies that
298 have a total cost of $250,000 or more, unless a purchase is
299 specifically mandated by the Legislature, for compliance with
300 the standards established pursuant to this section.
301 (7)(a) Participate with the Department of Management
302 Services in evaluating, conducting, and negotiating competitive
303 solicitations for state term contracts for information
304 technology commodities, consultant services, or staff
305 augmentation contractual services pursuant to s. 287.0591.
306 (b) Collaborate with the Department of Management Services
307 in information technology resource acquisition planning.
308 (8) Develop standards for information technology reports
309 and updates, including, but not limited to, operational work
310 plans, project spend plans, and project status reports, for use
311 by state agencies.
312 (9) Upon request, assist state agencies in the development
313 of information technology-related legislative budget requests.
314 (10) Beginning July 1, 2016, and annually thereafter,
315 conduct annual assessments of state agencies to determine
316 compliance with all information technology standards and
317 guidelines developed and published by the agency, and beginning
318 December 1, 2016, and annually thereafter, provide results of
319 the assessments to the Executive Office of the Governor, the
320 President of the Senate, and the Speaker of the House of
321 Representatives.
322 (11) Provide operational management and oversight of the
323 state data center established pursuant to s. 282.201, which
324 includes:
325 (a) Implementing industry standards and best practices for
326 the state data center’s facilities, operations, maintenance,
327 planning, and management processes.
328 (b) Developing and implementing cost-recovery mechanisms
329 that recover the full direct and indirect cost of services
330 through charges to applicable customer entities. Such cost
331 recovery mechanisms must comply with applicable state and
332 federal regulations concerning distribution and use of funds and
333 must ensure that, for any fiscal year, no service or customer
334 entity subsidizes another service or customer entity.
335 (c) Developing and implementing appropriate operating
336 guidelines and procedures necessary for the state data center to
337 perform its duties pursuant to s. 282.201. The guidelines and
338 procedures must comply with applicable state and federal laws,
339 regulations, and policies and conform to generally accepted
340 governmental accounting and auditing standards. The guidelines
341 and procedures must include, but not be limited to:
342 1. Implementing a consolidated administrative support
343 structure responsible for providing financial management,
344 procurement, transactions involving real or personal property,
345 human resources, and operational support.
346 2. Implementing an annual reconciliation process to ensure
347 that each customer entity is paying for the full direct and
348 indirect cost of each service as determined by the customer
349 entity’s use of each service.
350 3. Providing rebates that may be credited against future
351 billings to customer entities when revenues exceed costs.
352 4. Requiring customer entities to validate that sufficient
353 funds exist in the appropriate data processing appropriation
354 category or will be transferred into the appropriate data
355 processing appropriation category before implementation of a
356 customer entity’s request for a change in the type or level of
357 service provided, if such change results in a net increase to
358 the customer entity’s costs for that fiscal year.
359 5. By September 1 of each year, providing to each customer
360 entity’s agency head the projected costs of providing data
361 center services for the following fiscal year.
362 6. Providing a plan for consideration by the Legislative
363 Budget Commission if the cost of a service is increased for a
364 reason other than a customer entity’s request made pursuant to
365 subparagraph 4. Such a plan is required only if the service cost
366 increase results in a net increase to a customer entity for that
367 fiscal year.
368 7. Standardizing and consolidating procurement and
369 contracting practices.
370 (d) In collaboration with the Department of Law
371 Enforcement, developing and implementing a process for
372 detecting, reporting, and responding to information technology
373 security incidents, breaches, and threats.
374 (e) Adopting rules relating to the operation of the state
375 data center, including, but not limited to, budgeting and
376 accounting procedures, cost-recovery methodologies, and
377 operating procedures.
378 (f) Beginning May 1, 2016, and annually thereafter,
379 conducting a market analysis to determine whether the state’s
380 approach to the provision of data center services is the most
381 effective and efficient manner by which its customer entities
382 can acquire such services, based on federal, state, and local
383 government trends; best practices in service provision; and the
384 acquisition of new and emerging technologies. The results of the
385 market analysis shall assist the state data center in making
386 adjustments to its data center service offerings.
387 (12) Recommend other information technology services that
388 should be designed, delivered, and managed as enterprise
389 information technology services. Recommendations must include
390 the identification of existing information technology resources
391 associated with the services, if existing services must be
392 transferred as a result of being delivered and managed as
393 enterprise information technology services.
394 (13) Recommend additional consolidations of agency
395 computing facilities or data centers into the state data center
396 established pursuant to s. 282.201. Such recommendations shall
397 include a proposed timeline for consolidation.
398 (14) In consultation with state agencies, propose a
399 methodology and approach for identifying and collecting both
400 current and planned information technology expenditure data at
401 the state agency level.
402 (15)(a) Beginning January 1, 2015, and notwithstanding any
403 other law, provide project oversight on any information
404 technology project of the Department of Financial Services, the
405 Department of Legal Affairs, and the Department of Agriculture
406 and Consumer Services that has a total project cost of $25
407 million or more and that impacts one or more other agencies.
408 Such information technology projects must also comply with the
409 applicable information technology architecture, project
410 management and oversight, and reporting standards established by
411 the agency.
412 (b) When performing the project oversight function
413 specified in paragraph (a), report at least quarterly to the
414 Executive Office of the Governor, the President of the Senate,
415 and the Speaker of the House of Representatives on any
416 information technology project that the agency identifies as
417 high-risk due to the project exceeding acceptable variance
418 ranges defined and documented in the project plan. The report
419 shall include a risk assessment, including fiscal risks,
420 associated with proceeding to the next stage of the project and
421 a recommendation for corrective actions required, including
422 suspension or termination of the project.
423 (16) If an information technology project implemented by a
424 state agency must be connected to or otherwise accommodated by
425 an information technology system administered by the Department
426 of Financial Services, the Department of Legal Affairs, or the
427 Department of Agriculture and Consumer Services, consult with
428 these departments regarding the risks and other effects of such
429 projects on their information technology systems and work
430 cooperatively with these departments regarding the connections,
431 interfaces, timing, or accommodations required to implement such
432 projects.
433 (17) If adherence to standards or policies adopted by or
434 established pursuant to this section causes conflict with
435 federal regulations or requirements imposed on a state agency
436 and results in adverse action against the state agency or
437 federal funding, work with the state agency to provide
438 alternative standards, policies, or requirements that do not
439 conflict with the federal regulation or requirement. Beginning
440 July 1, 2015, the agency shall annually report such alternative
441 standards to the Governor, the President of the Senate, and the
442 Speaker of the House of Representatives.
443 (18) Adopt rules to administer this section.
444 Section 5. Section 282.00515, Florida Statutes, is created
445 to read:
446 282.00515 Duties of Cabinet agencies.—The Department of
447 Legal Affairs, the Department of Financial Services, and the
448 Department of Agriculture and Consumer Services shall adopt the
449 standards established in s. 282.0051(2), (3), and (8) or adopt
450 alternative standards based on best practices and industry
451 standards, and may contract with the Agency for State Technology
452 to provide or perform any of the services and functions
453 described in s. 282.0051 for the Department of Legal Affairs,
454 the Department of Financial Services, or the Department of
455 Agriculture and Consumer Services.
456 Section 6. Section 287.0591, Florida Statutes, is created
457 to read:
458 287.0591 Information technology.—
459 (1) Beginning July 1, 2014, any competitive solicitation
460 issued by the department for a state term contract for
461 information technology commodities must include a term that does
462 not exceed 48 months.
463 (2) Beginning September 1, 2015, any competitive
464 solicitation issued by the department for a state term contract
465 for information technology consultant services or information
466 technology staff augmentation contractual services must include
467 a term that does not exceed 48 months.
468 (3) The department may execute a state term contract for
469 information technology commodities, consultant services, or
470 staff augmentation contractual services that exceeds the 48
471 month requirement if the Secretary of Management Services and
472 the executive director of the Agency for State Technology
473 certify to the Executive Office of the Governor that a longer
474 contract term is in the best interest of the state.
475 (4) If the department issues a competitive solicitation for
476 information technology commodities, consultant services, or
477 staff augmentation contractual services, the Agency for State
478 Technology shall participate in such solicitations.
479
480 ================= T I T L E A M E N D M E N T ================
481 And the title is amended as follows:
482 Delete lines 5 - 16
483 and insert:
484 the Governor; creating s. 20.61, F.S.; creating the
485 Agency for State Technology; providing that the
486 executive director shall serve as the state’s chief
487 information officer; establishing certain agency
488 positions; establishing the Technology Advisory
489 Council; providing for membership and duties of the
490 council; providing that members of the council are
491 governed by the Code of Ethics for Public Officers and
492 Employees; amending s. 282.0041, F.S.; revising,
493 creating, and deleting definitions used in the
494 Enterprise Information Technology Services Management
495 Act; creating s. 282.0051, F.S.; providing powers,
496 duties, and functions of the Agency for State
497 Technology; authorizing the agency to adopt rules;
498 creating s. 282.00515, F.S.; requiring the Department
499 of Legal Affairs, the Department of Financial
500 Services, and the Department of Agriculture and
501 Consumer Services to adopt certain technical standards
502 or alternatives to those standards and authorizing
503 such departments to contract with the Agency for State
504 Technology for certain purposes; creating s. 287.0591,
505 F.S.; limiting the terms of certain competitive
506 solicitations for information technology commodities;
507 providing an exception; repealing s.