SB 2518 First Engrossed
20222518e1
A bill to be entitled

An act relating to information technology; providing for a type two transfer of the specified functions and components of the Florida Digital Service to the Executive Office of the Governor; providing for the continuation of certain contracts and interagency agreements; providing that all functions, records, personnel, contracts, interagency agreements, and equipment of the Department of Management Services State Data Center are consolidated in the Northwest Regional Data Center; transferring remaining funds from the Working Capital Trust Fund to the Northwest Regional Data Center for specified purposes; creating s. 14.2017, F.S.; creating the Enterprise Florida First Technology Center within the Executive Office of the Governor; providing for the management of the center by a director; prescribing qualifications of the director and state chief data officer; providing that the center is a separate budget entity; prescribing duties of the director; amending s. 20.22, F.S.; removing the Florida Digital Service from the divisions, programs, and services within the Department of Management Services, to conform to changes made by the act; amending s. 282.0041, F.S.; revising the definition of the term “service-level agreement”; amending s. 282.0051, F.S.; creating the Enterprise Florida First Technology Center within the Executive Office of the Governor; deleting references to the Florida Digital Service to conform to changes made by the act; requiring the center to consult with the Department of Management Services to establish an information technology policy for specified procurement activities; requiring the Enterprise Florida First Technology Center to adopt rules; conforming provisions to changes made by the act; repealing s. 282.201, F.S., relating to the state data center; amending s. 282.318, F.S.; designating the Enterprise Florida First Technology Center as the lead entity in state agency cybersecurity matters; requiring the center to adopt certain rules; requiring the center to designate an employee as the state chief information security officer; conforming provisions to changes made by the act; amending s. 282.319, F.S.; housing the Florida Cybersecurity Advisory Council within the Executive Office of the Governor, rather than the Department of Management Services, to conform to changes made by the act; providing that the director of the Office of Policy and Budget, rather than the Secretary of Management Services, is the executive director of the advisory council; conforming provisions to changes made by the act; amending s. 287.0591, F.S.; requiring the Enterprise Florida First Technology Center to participate in certain solicitations for information technology commodities and services; requiring the Department of Management Services to consult with the Enterprise Florida First Technology Center in prequalifying entities to provide information technology services to the state; amending s. 1004.649, F.S.; designating the Northwest Regional Data Center as the state data center; specifying required duties of the Northwest Regional Data Center; specifying additional requirements for service-level agreements with state agency customers; exempting certain entities from using the data center; prohibiting state agencies from engaging in certain activities, unless otherwise authorized; modifying provisions governing the transition of state agency customers to a cloud-based data center; amending ss. 282.00515, 443.1113, and 943.0415, F.S.; conforming a cross-reference and provisions to changes made by the act; providing an effective date.

Be It Enacted by the Legislature of the State of Florida:

Section 1. All powers; duties; functions; records; offices; personnel; associated administrative support positions; property; pending issues and existing contracts; administrative authority; administrative rules in chapter 74, Florida Administrative Code, in effect as of July 1, 2022; and unexpended balances of appropriations and allocations from the General Revenue Fund of the Department of Management Services Florida Digital Service, with the exception of the State Data Center, are transferred by a type two transfer pursuant to s. 20.06(2), Florida Statutes, to the Executive Office of the Governor.

Section 2. Any contract or interagency agreement existing before July 1, 2022, between the Department of Management Services Florida Digital Service, or any entity or agent of the agency, and any other agency, entity, or person shall continue as a contract or agreement of the successor department or entity responsible for the program, activity, or function relative to the contract or agreement.

Section 3. All functions, records, personnel, contracts, interagency agreements, and equipment in the current Department of Management Services State Data Center are consolidated in the Northwest Regional Data Center. The unexpended balance of funds remaining in the Working Capital Trust Fund on June 30, 2022, is transferred to the Northwest Regional Data Center to be used to satisfy customer refunds or excess assessments for fiscal year 2021-2022.
Section 4. Section 14.2017, Florida Statutes, is created to read:

14.2017 Enterprise Florida First Technology Center.—

(1) The Enterprise Florida First Technology Center is established within the Executive Office of the Governor, headed for all purposes by a director who holds the title of state chief information officer. The Enterprise Florida First Technology Center shall be a separate budget entity. The director of the center shall be appointed by and serves at the pleasure of the Governor and must be a proven, effective administrator who has at least 10 years of executive-level experience in the public or private sector, preferably with experience in the development of information technology strategic planning and the development and implementation of fiscal and substantive information technology policy and standards.

(2) The state chief information officer shall designate a state chief data officer. The chief data officer must be a proven and effective administrator who must have significant and substantive experience in data management, data governance, interoperability, and security.

(3) The state chief information officer shall facilitate meetings with all state agency chief information officers for the purpose of communication regarding standards, rules, projects, and significant events related to information technology. These meetings must be held at least quarterly.
Section 5. Paragraph (b) of subsection (2) of section 20.22, Florida Statutes, is amended to read:

20.22 Department of Management Services.—There is created a Department of Management Services.

(2) The following divisions, programs, and services within the Department of Management Services are established:

(b) The Florida Digital Service.

Section 6. Subsection (30) of section 282.0041, Florida Statutes, is amended to read:

282.0041 Definitions.—As used in this chapter, the term:

(30) “Service-level agreement” means a written contract between the Department of Management Services or a provider of data center services and a customer entity which specifies the scope of services provided, service level, the duration of the agreement, the responsible parties, and service costs. A service-level agreement is not a rule pursuant to chapter 120.
Section 7. Section 282.0051, Florida Statutes, is amended to read:

282.0051 Executive Office of the Governor Department of Management Services; Enterprise Florida First Technology Center Florida Digital Service; powers, duties, and functions.—

(1) The Enterprise Florida First Technology Center Florida Digital Service has been created within the Executive Office of the Governor department to propose innovative solutions that securely modernize state government, including technology and information services, to achieve value through digital transformation and interoperability, and to fully support the cloud-first policy as specified in s. 282.206. The Executive Office of the Governor department, through the Enterprise Florida First Technology Center Florida Digital Service, shall have the following powers, duties, and functions:

(a) Develop and publish information technology policy for the management of the state’s information technology resources.

(b) Develop an enterprise architecture that:

1. Acknowledges the unique needs of the entities within the enterprise in the development and publication of standards and terminologies to facilitate digital interoperability;

2. Supports the cloud-first policy as specified in s. 282.206; and

3. Addresses how information technology infrastructure may be modernized to achieve cloud-first objectives.

(c) Establish project management and oversight standards with which state agencies must comply when implementing information technology projects. The center department, acting through the Florida Digital Service, shall provide training opportunities to state agencies to assist in the adoption of the project management and oversight standards. To support data driven decisionmaking, the standards must include, but are not limited to:

1. Performance measurements and metrics that objectively reflect the status of an information technology project based on a defined and documented project scope, cost, and schedule.

2. Methodologies for calculating acceptable variances in the projected versus actual scope, schedule, or cost of an information technology project.

3. Reporting requirements, including requirements designed to alert all defined stakeholders that an information technology project has exceeded acceptable variances defined and documented in a project plan.

4. Content, format, and frequency of project updates.

5. Technical standards to ensure an information technology project complies with the enterprise architecture.
(d) Perform project oversight on all state agency information technology projects that have total project costs of $10 million or more and that are funded in the General Appropriations Act or any other law. The center department, acting through the Florida Digital Service, shall report at least quarterly to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives on any information technology project that the center department identifies as high-risk due to the project exceeding acceptable variance ranges defined and documented in a project plan. The report must include a risk assessment, including fiscal risks, associated with proceeding to the next stage of the project, and a recommendation for corrective actions required, including suspension or termination of the project.

(e) Identify opportunities for standardization and consolidation of information technology services that support interoperability and the cloud-first policy, as specified in s. 282.206, and business functions and operations, including administrative functions such as purchasing, accounting and reporting, cash management, and personnel, and that are common across state agencies. The center department, acting through the Florida Digital Service, shall biennially on January 1 of each even-numbered year provide recommendations for standardization and consolidation to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives.

(f) Establish best practices for the procurement of information technology products and cloud-computing services in order to reduce costs, increase the quality of data center services, or improve government services.

(g) Develop standards for information technology reports and updates, including, but not limited to, operational work plans, project spend plans, and project status reports, for use by state agencies.

(h) Upon request, assist state agencies in the development of information technology-related legislative budget requests.

(i) Conduct annual assessments of state agencies to determine compliance with all information technology standards and guidelines developed and published by the center department and provide results of the assessments to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives.
(j) Provide operational management and oversight of the state data center established pursuant to s. 282.201, which includes:

1. Implementing industry standards and best practices for the state data center’s facilities, operations, maintenance, planning, and management processes.

2. Developing and implementing cost-recovery mechanisms that recover the full direct and indirect cost of services through charges to applicable customer entities. Such cost recovery mechanisms must comply with applicable state and federal regulations concerning distribution and use of funds and must ensure that, for any fiscal year, no service or customer entity subsidizes another service or customer entity. The Florida Digital Service may recommend other payment mechanisms to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives. Such mechanism may be implemented only if specifically authorized by the Legislature.

3. Developing and implementing appropriate operating guidelines and procedures necessary for the state data center to perform its duties pursuant to s. 282.201. The guidelines and procedures must comply with applicable state and federal laws, regulations, and policies and conform to generally accepted governmental accounting and auditing standards. The guidelines and procedures must include, but need not be limited to:

a. Implementing a consolidated administrative support structure responsible for providing financial management, procurement, transactions involving real or personal property, human resources, and operational support.

b. Implementing an annual reconciliation process to ensure that each customer entity is paying for the full direct and indirect cost of each service as determined by the customer entity’s use of each service.

c. Providing rebates that may be credited against future billings to customer entities when revenues exceed costs.

d. Requiring customer entities to validate that sufficient funds exist in the appropriate data processing appropriation category or will be transferred into the appropriate data processing appropriation category before implementation of a customer entity’s request for a change in the type or level of service provided, if such change results in a net increase to the customer entity’s cost for that fiscal year.

e. By November 15 of each year, providing to the Office of Policy and Budget in the Executive Office of the Governor and to the chairs of the legislative appropriations committees the projected costs of providing data center services for the following fiscal year.

f. Providing a plan for consideration by the Legislative Budget Commission if the cost of a service is increased for a reason other than a customer entity’s request made pursuant to sub-subparagraph d. Such a plan is required only if the service cost increase results in a net increase to a customer entity for that fiscal year.

g. Standardizing and consolidating procurement and contracting practices.

4. Collaborate In collaboration with the Department of Law Enforcement, to develop and implement developing and implementing a process for detecting, reporting, and responding to cybersecurity incidents, breaches, and threats.

5. Adopting rules relating to the operation of the state data center, including, but not limited to, budgeting and accounting procedures, cost-recovery methodologies, and operating procedures.
(k) Conduct a market analysis not less frequently than every 3 years beginning in 2021 to determine whether the information technology resources within the enterprise are utilized in the most cost-effective and cost-efficient manner, while recognizing that the replacement of certain legacy information technology systems within the enterprise may be cost prohibitive or cost inefficient due to the remaining useful life of those resources; whether the enterprise is complying with the cloud-first policy specified in s. 282.206; and whether the enterprise is utilizing best practices with respect to information technology, information services, and the acquisition of emerging technologies and information services. Each market analysis shall be used to prepare a strategic plan for continued and future information technology and information services for the enterprise, including, but not limited to, proposed acquisition of new services or technologies and approaches to the implementation of any new services or technologies. Copies of each market analysis and accompanying strategic plan must be submitted to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives not later than December 31 of each year that a market analysis is conducted.

(l) Recommend other information technology services that should be designed, delivered, and managed as enterprise information technology services. Recommendations must include the identification of existing information technology resources associated with the services, if existing services must be transferred as a result of being delivered and managed as enterprise information technology services.

(m) In consultation with state agencies, propose a methodology and approach for identifying and collecting both current and planned information technology expenditure data at the state agency level.

(n)1. Notwithstanding any other law, provide project oversight on any information technology project of the Department of Financial Services, the Department of Legal Affairs, and the Department of Agriculture and Consumer Services which has a total project cost of $20 million or more. Such information technology projects must also comply with the applicable information technology architecture, project management and oversight, and reporting standards established by the center department, acting through the Florida Digital Service.

2. When performing the project oversight function specified in subparagraph 1., report at least quarterly to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives on any information technology project that the center department, acting through the Florida Digital Service, identifies as high-risk due to the project exceeding acceptable variance ranges defined and documented in the project plan. The report must shall include a risk assessment, including fiscal risks, associated with proceeding to the next stage of the project and a recommendation for corrective actions required, including suspension or termination of the project.

(o) If an information technology project implemented by a state agency must be connected to or otherwise accommodated by an information technology system administered by the Department of Financial Services, the Department of Legal Affairs, or the Department of Agriculture and Consumer Services, consult with these departments regarding the risks and other effects of such projects on their information technology systems and work cooperatively with these departments regarding the connections, interfaces, timing, or accommodations required to implement such projects.

(p) If adherence to standards or policies adopted by or established pursuant to this section causes conflict with federal regulations or requirements imposed on an entity within the enterprise and results in adverse action against an entity or federal funding, work with the entity to provide alternative standards, policies, or requirements that do not conflict with the federal regulation or requirement. The center department, acting through the Florida Digital Service, shall annually report such alternative standards to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives.
(q)1. Establish, in consultation with the department, an information technology policy for all information technology related state contracts, including state term contracts for information technology commodities, consultant services, and staff augmentation services. The information technology policy must include:

a. Identification of the information technology product and service categories to be included in state term contracts.

b. Requirements to be included in solicitations for state term contracts.

c. Evaluation criteria for the award of information technology-related state term contracts.

d. The term of each information technology-related state term contract.

e. The maximum number of vendors authorized on each state term contract.

f. At a minimum, a requirement that any contract for information technology commodities or services meet the National Institute of Standards and Technology Cybersecurity Framework.

g. For an information technology project wherein project oversight is required pursuant to paragraph (d) or paragraph (n), a requirement that independent verification and validation be employed throughout the project life cycle with the primary objective of independent verification and validation being to provide an objective assessment of products and processes throughout the project life cycle. An entity providing independent verification and validation may not have technical, managerial, or financial interest in the project and may not have responsibility for, or participate in, any other aspect of the project.

2. Evaluate vendor responses for information technology related state term contract solicitations and invitations to negotiate.

3. Answer vendor questions on information technology related state term contract solicitations.

4. Ensure that the information technology policy established pursuant to subparagraph 1. is included in all solicitations and contracts that are administratively executed by the department.

(r) Recommend potential methods for standardizing data across state agencies which will promote interoperability and reduce the collection of duplicative data.

(s) Recommend open data technical standards and terminologies for use by the enterprise.

(t) Ensure that enterprise information technology solutions are capable of utilizing an electronic credential and comply with the enterprise architecture standards.
(2)(a) The Secretary of Management Services shall designate a state chief information officer, who shall administer the Florida Digital Service. The state chief information officer, prior to appointment, must have at least 5 years of experience in the development of information system strategic planning and development or information technology policy, and, preferably, have leadership-level experience in the design, development, and deployment of interoperable software and data solutions.

(b) The state chief information officer, in consultation with the Secretary of Management Services, shall designate a state chief data officer. The chief data officer must be a proven and effective administrator who must have significant and substantive experience in data management, data governance, interoperability, and security.

(3) The Enterprise Florida First Technology Center department, acting through the Florida Digital Service and from funds appropriated to the center Florida Digital Service, shall:

(a) Create, not later than December 1, 2022 October 1, 2021, and maintain a comprehensive indexed data catalog in collaboration with the enterprise that lists the data elements housed within the enterprise and the legacy system or application in which these data elements are located. The data catalog must, at a minimum, specifically identify all data that is restricted from public disclosure based on federal or state laws and regulations and require that all such information be protected in accordance with s. 282.318.

(b) Develop and publish, not later than December 1, 2022 October 1, 2021, in collaboration with the enterprise, a data dictionary for each agency that reflects the nomenclature in the comprehensive indexed data catalog.

(c) Adopt, by rule, standards that support the creation and deployment of an application programming interface to facilitate integration throughout the enterprise.

(d) Adopt, by rule, standards necessary to facilitate a secure ecosystem of data interoperability that is compliant with the enterprise architecture.

(e) Adopt, by rule, standards that facilitate the deployment of applications or solutions to the existing enterprise system in a controlled and phased approach.

(f) After submission of documented use cases developed in conjunction with the affected agencies, assist the affected agencies with the deployment, contingent upon a specific appropriation therefor, of new interoperable applications and solutions:

1. For the Department of Health, the Agency for Health Care Administration, the Agency for Persons with Disabilities, the Department of Education, the Department of Elderly Affairs, and the Department of Children and Families.

2. To support military members, veterans, and their families.
(3)(4) For information technology projects that have a total project cost of $10 million or more:

(a) State agencies must provide the Enterprise Florida First Technology Center Florida Digital Service with written notice of any planned procurement of an information technology project.

(b) The center Florida Digital Service must participate in the development of specifications and recommend modifications to any planned procurement of an information technology project by state agencies so that the procurement complies with the enterprise architecture.

(c) The center Florida Digital Service must participate in post-award contract monitoring.

(4)(5) The Enterprise Florida First Technology Center department, acting through the Florida Digital Service, may not retrieve or disclose any data without a shared-data agreement in place between the center department and the enterprise entity that has primary custodial responsibility of, or data-sharing responsibility for, that data.

(5)(6) The Enterprise Florida First Technology Center department, acting through the Florida Digital Service, shall adopt rules to administer this section.

Section 8. Section 282.201, Florida Statutes, is repealed.
Section 9. Subsections (3), (4), (8), and (11) of section 282.318, Florida Statutes, are amended to read:

282.318 Cybersecurity.—

(3) The Enterprise Florida First Technology Center department, acting through the Florida Digital Service, is the lead entity responsible for establishing standards and processes for assessing state agency cybersecurity risks and determining appropriate security measures. Such standards and processes must be consistent with generally accepted technology best practices, including the National Institute for Standards and Technology Cybersecurity Framework, for cybersecurity. The Enterprise Florida First Technology Center department, acting through the Florida Digital Service, shall adopt rules that mitigate risks; safeguard state agency digital assets, data, information, and information technology resources to ensure availability, confidentiality, and integrity; and support a security governance framework. The center department, acting through the Florida Digital Service, shall also:

(a) Designate an employee of the center Florida Digital Service as the state chief information security officer. The state chief information security officer must have experience and expertise in security and risk management for communications and information technology resources. The state chief information security officer is responsible for the development, operation, and oversight of cybersecurity for state technology systems. The state chief information security officer shall be notified of all confirmed or suspected incidents or threats of state agency information technology resources and must report such incidents or threats to the state chief information officer and the Governor.

(b) Develop, and annually update by February 1, a statewide cybersecurity strategic plan that includes security goals and objectives for cybersecurity, including the identification and mitigation of risk, proactive protections against threats, tactical risk detection, threat reporting, and response and recovery protocols for a cyber incident.
(c) Develop and publish for use by state agencies a cybersecurity governance framework that, at a minimum, includes guidelines and processes for:

1. Establishing asset management procedures to ensure that an agency’s information technology resources are identified and managed consistent with their relative importance to the agency’s business objectives.

2. Using a standard risk assessment methodology that includes the identification of an agency’s priorities, constraints, risk tolerances, and assumptions necessary to support operational risk decisions.

3. Completing comprehensive risk assessments and cybersecurity audits, which may be completed by a private sector vendor, and submitting completed assessments and audits to the center department.

4. Identifying protection procedures to manage the protection of an agency’s information, data, and information technology resources.

5. Establishing procedures for accessing information and data to ensure the confidentiality, integrity, and availability of such information and data.

6. Detecting threats through proactive monitoring of events, continuous security monitoring, and defined detection processes.

7. Establishing agency cybersecurity incident response teams and describing their responsibilities for responding to cybersecurity incidents, including breaches of personal information containing confidential or exempt data.

8. Recovering information and data in response to a cybersecurity incident. The recovery may include recommended improvements to the agency processes, policies, or guidelines.

9. Establishing a cybersecurity incident reporting process that includes procedures and tiered reporting timeframes for notifying the center department and the Department of Law Enforcement of cybersecurity incidents. The tiered reporting timeframes shall be based upon the level of severity of the cybersecurity incidents being reported.

10. Incorporating information obtained through detection and response activities into the agency’s cybersecurity incident response plans.

11. Developing agency strategic and operational cybersecurity plans required pursuant to this section.

12. Establishing the managerial, operational, and technical safeguards for protecting state government data and information technology resources that align with the state agency risk management strategy and that protect the confidentiality, integrity, and availability of information and data.

13. Establishing procedures for procuring information technology commodities and services that require the commodity or service to meet the National Institute of Standards and Technology Cybersecurity Framework.

(d) Assist state agencies in complying with this section.

(e) In collaboration with the Cybercrime Office of the Department of Law Enforcement, annually provide training for state agency information security managers and computer security incident response team members that contains training on cybersecurity, including cybersecurity threats, trends, and best practices.

(f) Annually review the strategic and operational cybersecurity plans of state agencies.

(g) Provide cybersecurity training to all state agency technology professionals that develops, assesses, and documents competencies by role and skill level. The training may be
590 provided in collaboration with the Cybercrime Office of the
591 Department of Law Enforcement, a private sector entity, or an
592 institution of the state university system.
593 (h) Operate and maintain a Cybersecurity Operations Center
594 led by the state chief information security officer, which must
595 be primarily virtual and staffed with tactical detection and
596 incident response personnel. The Cybersecurity Operations Center
597 shall serve as a clearinghouse for threat information and
598 coordinate with the Department of Law Enforcement to support
599 state agencies and their response to any confirmed or suspected
600 cybersecurity incident.
601 (i) Lead an Emergency Support Function, ESF CYBER, under
602 the state comprehensive emergency management plan as described
603 in s. 252.35.
604 (4) Each state agency head shall, at a minimum:
605 (a) Designate an information security manager to administer
606 the cybersecurity program of the state agency. This designation
607 must be provided annually in writing to the Enterprise Florida
608 First Technology Center department by January 1. A state
609 agency’s information security manager, for purposes of these
610 information security duties, shall report directly to the agency
611 head.
612 (b) In consultation with the center department, through the
613 Florida Digital Service, and the Cybercrime Office of the
614 Department of Law Enforcement, establish an agency cybersecurity
615 response team to respond to a cybersecurity incident. The agency
616 cybersecurity response team shall convene upon notification of a
617 cybersecurity incident and must immediately report all confirmed
618 or suspected incidents to the state chief information security
619 officer, or his or her designee, and comply with all applicable
620 guidelines and processes established pursuant to paragraph
621 (3)(c).
622 (c) Submit to the Executive Office of the Governor
623 department annually by July 31, the state agency’s strategic and
624 operational cybersecurity plans developed pursuant to rules and
625 guidelines established by the center department, through the
626 Florida Digital Service.
627 1. The state agency strategic cybersecurity plan must cover
628 a 3-year period and, at a minimum, define security goals,
629 intermediate objectives, and projected agency costs for the
630 strategic issues of agency information security policy, risk
631 management, security training, security incident response, and
632 disaster recovery. The plan must be based on the statewide
633 cybersecurity strategic plan created by the center department
634 and include performance metrics that can be objectively measured
635 to reflect the status of the state agency’s progress in meeting
636 security goals and objectives identified in the agency’s
637 strategic information security plan.
638 2. The state agency operational cybersecurity plan must
639 include a progress report that objectively measures progress
640 made towards the prior operational cybersecurity plan and a
641 project plan that includes activities, timelines, and
642 deliverables for security objectives that the state agency will
643 implement during the current fiscal year.
644 (d) Conduct, and update every 3 years, a comprehensive risk
645 assessment, which may be completed by a private sector vendor,
646 to determine the security threats to the data, information, and
647 information technology resources, including mobile devices and
648 print environments, of the agency. The risk assessment must
649 comply with the risk assessment methodology developed by the
650 center department and is confidential and exempt from s.
651 119.07(1), except that such information shall be available to
652 the Auditor General, the center Florida Digital Service within
653 the department, the Cybercrime Office of the Department of Law
654 Enforcement, and, for state agencies under the jurisdiction of
655 the Governor, the Chief Inspector General. If a private sector
656 vendor is used to complete a comprehensive risk assessment, it
657 must attest to the validity of the risk assessment findings.
658 (e) Develop, and periodically update, written internal
659 policies and procedures, which include procedures for reporting
660 cybersecurity incidents and breaches to the Cybercrime Office of
661 the Department of Law Enforcement and the center Florida Digital
662 Service within the department. Such policies and procedures must
663 be consistent with the rules, guidelines, and processes
664 established by the center department to ensure the security of
665 the data, information, and information technology resources of
666 the agency. The internal policies and procedures that, if
667 disclosed, could facilitate the unauthorized modification,
668 disclosure, or destruction of data or information technology
669 resources are confidential information and exempt from s.
670 119.07(1), except that such information shall be available to
671 the Auditor General, the Cybercrime Office of the Department of
672 Law Enforcement, the center Florida Digital Service within the
673 department, and, for state agencies under the jurisdiction of
674 the Governor, the Chief Inspector General.
675 (f) Implement managerial, operational, and technical
676 safeguards and risk assessment remediation plans recommended by
677 the center department to address identified risks to the data,
678 information, and information technology resources of the agency.
679 The center department, through the Florida Digital Service,
680 shall track implementation by state agencies upon development of
681 such remediation plans in coordination with agency inspectors
682 general.
683 (g) Ensure that periodic internal audits and evaluations of
684 the agency’s cybersecurity program for the data, information,
685 and information technology resources of the agency are
686 conducted. The results of such audits and evaluations are
687 confidential information and exempt from s. 119.07(1), except
688 that such information shall be available to the Auditor General,
689 the Cybercrime Office of the Department of Law Enforcement, the
690 center Florida Digital Service within the department, and, for
691 agencies under the jurisdiction of the Governor, the Chief
692 Inspector General.
693 (h) Ensure that the cybersecurity requirements in the
694 written specifications for the solicitation, contracts, and
695 service-level agreement of information technology and
696 information technology resources and services meet or exceed the
697 applicable state and federal laws, regulations, and standards
698 for cybersecurity, including the National Institute of Standards
699 and Technology Cybersecurity Framework. Service-level agreements
700 must identify service provider and state agency responsibilities
701 for privacy and security, protection of government data,
702 personnel background screening, and security deliverables with
703 associated frequencies.
704 (i) Provide cybersecurity awareness training to all state
705 agency employees in the first 30 days after commencing
706 employment concerning cybersecurity risks and the responsibility
707 of employees to comply with policies, standards, guidelines, and
708 operating procedures adopted by the state agency to reduce those
709 risks. The training may be provided in collaboration with the
710 Cybercrime Office of the Department of Law Enforcement, a
711 private sector entity, or an institution of the state university
712 system.
713 (j) Develop a process for detecting, reporting, and
714 responding to threats, breaches, or cybersecurity incidents
715 which is consistent with the security rules, guidelines, and
716 processes established by the center department through the
717 Florida Digital Service.
718 1. All cybersecurity incidents and breaches must be
719 reported to the center Florida Digital Service within the
720 department and the Cybercrime Office of the Department of Law
721 Enforcement and must comply with the notification procedures and
722 reporting timeframes established pursuant to paragraph (3)(c).
723 2. For cybersecurity breaches, state agencies shall provide
724 notice in accordance with s. 501.171.
725 (8) The portions of records made confidential and exempt in
726 subsections (5), (6), and (7) shall be available to the Auditor
727 General, the Cybercrime Office of the Department of Law
728 Enforcement, the center Florida Digital Service within the
729 department, and, for agencies under the jurisdiction of the
730 Governor, the Chief Inspector General. Such portions of records
731 may be made available to a local government, another state
732 agency, or a federal agency for cybersecurity purposes or in
733 furtherance of the state agency’s official duties.
734 (11) The Enterprise Florida First Technology Center
735 department shall adopt rules relating to cybersecurity and to
736 administer this section.
737 Section 10. Subsections (1), (3), (6), and (9) of section
738 282.319, Florida Statutes, are amended to read:
739 282.319 Florida Cybersecurity Advisory Council.—
740 (1) The Florida Cybersecurity Advisory Council, an advisory
741 council as defined in s. 20.03(7), is housed created within the
742 Executive Office of the Governor department. Except as otherwise
743 provided in this section, the advisory council shall operate in
744 a manner consistent with s. 20.052.
745 (3) The council shall assist the Enterprise Florida First
746 Technology Center Florida Digital Service in implementing best
747 cybersecurity practices, taking into consideration the final
748 recommendations of the Florida Cybersecurity Task Force created
749 under chapter 2019-118, Laws of Florida.
750 (6) The director of the Office of Policy and Budget
751 Secretary of Management Services, or his or her designee, shall
752 serve as the ex officio, nonvoting executive director of the
753 council.
754 (9) The council shall meet at least quarterly to:
755 (a) Review existing state agency cybersecurity policies.
756 (b) Assess ongoing risks to state agency information
757 technology.
758 (c) Recommend a reporting and information sharing system to
759 notify state agencies of new risks.
760 (d) Recommend data breach simulation exercises.
761 (e) Assist the Enterprise Florida First Technology Center
762 Florida Digital Service in developing cybersecurity best
763 practice recommendations for state agencies which that include
764 recommendations regarding:
765 1. Continuous risk monitoring.
766 2. Password management.
767 3. Protecting data in legacy and new systems.
768 (f) Examine inconsistencies between state and federal law
769 regarding cybersecurity.
770 Section 11. Subsections (4) and (6) of section 287.0591,
771 Florida Statutes, are amended to read:
772 287.0591 Information technology; vendor disqualification.—
773 (4) If the department issues a competitive solicitation for
774 information technology commodities, consultant services, or
775 staff augmentation contractual services, the Enterprise Florida
776 First Technology Center Florida Digital Service within the
777 Executive Office of the Governor must department shall
778 participate in such solicitations.
779 (6) Beginning October 1, 2021, and each October 1
780 thereafter, the department, in consultation with the Enterprise
781 Florida First Technology Center, shall prequalify firms and
782 individuals to provide information technology staff augmentation
783 contractual services on state term contract. In order to
784 prequalify a firm or individual for participation on the state
785 term contract, the department must consider, at a minimum, the
786 capability, experience, and past performance record of the firm
787 or individual. A firm or individual removed from the source of
788 supply pursuant to s. 287.042(1)(b) or placed on a disqualified
789 vendor list pursuant to s. 287.133 or s. 287.134 is immediately
790 disqualified from state term contract eligibility. Once a firm
791 or individual has been prequalified to provide information
792 technology staff augmentation contractual services on state term
793 contract, the firm or individual may respond to requests for
794 quotes from an agency to provide such services.
795 Section 12. Section 1004.649, Florida Statutes, is amended
796 to read:
797 1004.649 Northwest Regional Data Center.—
798 (1) The Northwest Regional Data Center is designated as the
799 state data center and preferred cloud services provider for all
800 state agencies. The Northwest Regional Data Center can provide
801 data center services to state agencies from multiple facilities
802 as funded in the General Appropriations Act.
803 (2) For the purpose of providing data center services to
804 its state agency customers, the Northwest Regional Data Center
805 shall:
806 (a) Operate under a governance structure that represents
807 its customers proportionally.
808 (b) Maintain an appropriate cost-allocation methodology
809 that accurately bills state agency customers based solely on the
810 actual direct and indirect costs of the services provided to
811 state agency customers, and ensures that for any fiscal year,
812 state agency customers are not subsidizing other customers of
813 the data center. Such cost-allocation methodology must comply
814 with applicable state and federal regulations concerning the
815 distribution and use of state and federal funds.
816 (c) Enter into a service-level agreement with each state
817 agency customer to provide services as defined and approved by
818 the governing board of the center. At a minimum, such service
819 level agreements must:
820 1. Identify the parties and their roles, duties, and
821 responsibilities under the agreement;
822 2. State the duration of the agreement term, which may not
823 exceed 3 years, and specify the conditions for up to two
824 optional 1-year renewals of the agreement before execution of a
825 new agreement renewal;
826 3. Identify the scope of work;
827 4. Establish the services to be provided, the business
828 standards that must be met for each service, the cost of each
829 service, and the process by which the business standards for
830 each service are to be objectively measured and reported;
831 5. Provide a timely billing methodology for recovering the
832 cost of services provided pursuant to s. 215.422;
833 6. Provide a procedure for modifying the service-level
834 agreement to address any changes in projected costs of service;
835 7. Include a right-to-audit clause to ensure that the
836 parties to the agreement have access to records for audit
837 purposes during the term of the service-level agreement Prohibit
838 the transfer of computing services between the Northwest
839 Regional Data Center and the state data center established
840 pursuant to s. 282.201 without at least 180 days’ written
841 notification of service cancellation;
842 8. Identify the products or services to be delivered with
843 sufficient specificity to permit an external financial or
844 performance audit; and
845 9. Provide that the service-level agreement may be
846 terminated by either party for cause only after giving the other
847 party notice in writing of the cause for termination and an
848 opportunity for the other party to resolve the identified cause
849 within a reasonable period; and
850 10. Provide state agency customer entities with access to
851 application, servers, network components, and other devices
852 necessary for entities to perform business activities and
853 functions and as defined and documented in a service-level
854 agreement.
855 (d) In its procurement process, show preference for cloud
856 based computing solutions that minimize or do not require the
857 purchasing, financing, or leasing of state data center
858 infrastructure, that meet the needs of state agency customer
859 entities that reduce costs, and that meet or exceed the
860 applicable state and federal laws, regulations, and standards
861 for cybersecurity.
862 (e) Assist state agency customer entities in transitioning
863 from state data center services to third-party cloud-based
864 computing services procured by a customer entity or by the
865 Northwest Regional Data Center on behalf of the customer entity.
866 (f) Provide to the Board of Governors the total annual
867 budget by major expenditure category, including, but not limited
868 to, salaries, expenses, operating capital outlay, contracted
869 services, or other personnel services by July 30 each fiscal
870 year.
871 (g)(e) Provide to each state agency customer its projected
872 annual cost for providing the agreed-upon data center services
873 by September 1 each fiscal year.
874 (h)(f) Provide a plan for consideration by the Legislative
875 Budget Commission if the governing body of the center approves
876 the use of a billing rate schedule after the start of the fiscal
877 year that increases any state agency customer’s costs for that
878 fiscal year.
879 (i) Provide data center services that comply with
880 applicable state and federal laws, regulations, and policies,
881 including all applicable security, privacy, and auditing
882 requirements.
883 (j) Maintain performance of the data center facilities by
884 ensuring proper data backup, data backup recovery, disaster
885 recovery, and appropriate security, power, cooling, fire
886 suppression, and capacity.
887 (3) The following entities are exempt from the requirement
888 to use the Northwest Regional Data Center:
889 (a) The Department of Law Enforcement.
890 (b) The Department of the Lottery’s Gaming System.
891 (c) Systems Design and Development in the Office of Policy
892 and Budget.
893 (d) The regional traffic management centers described in s.
894 335.14(2) and the Office of Toll Operations of the Department of
895 Transportation.
896 (e) The State Board of Administration.
897 (f) The offices of the state attorneys, public defenders,
898 criminal conflict and regional counsels, and the capital
899 collateral regional counsel.
900 (g) The Florida Housing Finance Corporation.
901 (4) Unless exempt from the requirement to use the Northwest
902 Regional Data Center pursuant to this section or as authorized
903 by the Legislature, a state agency may not do any of the
904 following:
905 (a) Create a new agency computing facility or data center
906 or expand the capability to support additional computer
907 equipment in an existing agency computing facility or data
908 center.
909 (b) Terminate services with the Northwest Regional Data
910 Center without giving written notice of intent to terminate
911 services 180 days before such termination.
912 (c) Procure third-party cloud-based computing services
913 without evaluating the cloud-based computing services provided
914 by the Northwest Regional Data Center.
915 (5)(2) The Northwest Regional Data Center’s authority to
916 provide data center services to its state agency customers may
917 be terminated if:
918 (a) The center requests such termination to the Board of
919 Governors, the Senate President, and the Speaker of the House of
920 Representatives; or
921 (b) The center fails to comply with the provisions of this
922 section.
923 (6)(3) If such authority is terminated, the center has
924 shall have 1 year to provide for the transition of its state
925 agency customers to a qualified alternative cloud-based data
926 center that meets the enterprise architecture standards
927 established by the Enterprise Florida First Technology Center
928 the state data center established pursuant to s. 282.201.
929 Section 13. Subsections (1) and (4) of section 282.00515,
930 Florida Statutes, are amended to read:
931 282.00515 Duties of Cabinet agencies.—
932 (1) The Department of Legal Affairs, the Department of
933 Financial Services, and the Department of Agriculture and
934 Consumer Services shall adopt the standards established in s.
935 282.0051(1)(b), (c), and (s) and (2)(e) (3)(e) or adopt
936 alternative standards based on best practices and industry
937 standards that allow for open data interoperability.
938 (4)(a) Nothing in this section or in s. 282.0051 requires
939 the Department of Legal Affairs, the Department of Financial
940 Services, or the Department of Agriculture and Consumer Services
941 to integrate with information technology outside its own
942 department or with the Enterprise Florida First Technology
943 Center Florida Digital Service.
944 (b) The center department, acting through the Florida
945 Digital Service, may not retrieve or disclose any data without a
946 shared-data agreement in place between the center department and
947 the Department of Legal Affairs, the Department of Financial
948 Services, or the Department of Agriculture and Consumer
949 Services.
950 Section 14. Subsection (4) of section 443.1113, Florida
951 Statutes, is amended to read:
952 443.1113 Reemployment Assistance Claims and Benefits
953 Information System.—
954 (4)(a) The Department of Economic Opportunity shall perform
955 an annual review of the system and identify enhancements or
956 modernization efforts that improve the delivery of services to
957 claimants and employers and reporting to state and federal
958 entities. These improvements must include, but need not be
959 limited to:
960 1. Infrastructure upgrades through cloud services.
961 2. Software improvements.
962 3. Enhanced data analytics and reporting.
963 4. Increased cybersecurity pursuant to s. 282.318.
964 (b) The department shall seek input on recommended
965 enhancements from, at a minimum, the following entities:
966 1. The Enterprise Florida First Technology Center Florida
967 Digital Service within the Executive Office of the Governor
968 Department of Management Services.
969 2. The General Tax Administration Program Office within the
970 Department of Revenue.
971 3. The Division of Accounting and Auditing within the
972 Department of Financial Services.
973 Section 15. Subsection (5) of section 943.0415, Florida
974 Statutes, is amended to read:
975 943.0415 Cybercrime Office.—There is created within the
976 Department of Law Enforcement the Cybercrime Office. The office
977 may:
978 (5) Consult with the Enterprise Florida First Technology
979 Center Florida Digital Service within the Executive Office of
980 the Governor Department of Management Services in the adoption
981 of rules relating to the information technology security
982 provisions in s. 282.318.
983 Section 16. This act shall take effect July 1, 2022.