Florida Senate - 2023 COMMITTEE AMENDMENT
Bill No. SB 1708
LEGISLATIVE ACTION
Senate: Comm: RCS 03/29/2023
House:
The Committee on Governmental Oversight and Accountability
(DiCeglie) recommended the following:
1 Senate Amendment (with title amendment)
2
3 Delete everything after the enacting clause
4 and insert:
5 Section 1. This act may be cited as the “Florida Cyber
6 Protection Act.”
7 Section 2. Paragraph (y) is added to subsection (2) of
8 section 110.205, Florida Statutes, to read:
9 110.205 Career service; exemptions.—
10 (2) EXEMPT POSITIONS.—The exempt positions that are not
11 covered by this part include the following:
12 (y) Personnel employed by or reporting to the state chief
13 information security officer, the state chief data officer, a
14 chief information security officer, and an agency information
15 security manager.
16 Section 3. Present subsections (3) through (5), (6) through
17 (19), and (20) through (38) of section 282.0041, Florida
18 Statutes, are redesignated as subsections (4) through (6), (8)
19 through (21), and (24) through (42), respectively, new
20 subsections (3), (7), (22), and (23) are added to that section,
21 and present subsection (19) is amended, to read:
22 282.0041 Definitions.—As used in this chapter, the term:
23 (3) “As a service” means the contracting with or
24 outsourcing to a third-party of a defined role or function as a
25 means of delivery.
26 (7) “Cloud provider” has the same meaning as provided in
27 Special Publication 800-145 issued by the National Institute of
28 Standards and Technology.
29 (21)(19) “Incident” means a violation or an imminent threat
30 of violation, whether such violation is accidental or
31 deliberate, of information technology resources, security,
32 policies, or practices, or which may jeopardize the
33 confidentiality, integrity, or availability of an information
34 technology system or the information the system processes,
35 stores, or transmits. An imminent threat of violation refers to
36 a situation in which a state agency, county, or municipality has
37 a factual basis for believing that a specific incident is about
38 to occur.
39 (22) “Independent” means, for an entity providing
40 independent verification and validation, having no technical,
41 managerial, or financial interest in the relevant technology
42 project; no relationship to the relevant agency; and no
43 responsibility for or participation in any aspect of the
44 project, which includes project oversight by the Florida Digital
45 Service.
46 (23) “Independent verification and validation” means third
47 party support services that provide a completely independent and
48 impartial assessment of the progress and work products of a
49 technology project from concept to business case and throughout
50 the project life cycle.
51 Section 4. Section 282.0051, Florida Statutes, is amended
52 to read:
53 282.0051 Department of Management Services; Florida Digital
54 Service; powers, duties, and functions.—
55 (1) The Florida Digital Service is has been created within
56 the department to propose innovative solutions that securely
57 modernize state government, including technology and information
58 services, to achieve value through digital transformation and
59 interoperability, and to fully support the cloud-first policy as
60 specified in s. 282.206. The department, through the Florida
61 Digital Service, shall have the following powers, duties, and
62 functions:
63 (a) Develop and publish information technology policy for
64 the management of the state’s information technology resources.
65 (b) Develop an enterprise architecture that:
66 1. Acknowledges the unique needs of the entities within the
67 enterprise in the development and publication of standards and
68 terminologies to facilitate digital interoperability;
69 2. Supports the cloud-first policy as specified in s.
70 282.206; and
71 3. Addresses how information technology infrastructure may
72 be modernized to achieve cloud-first objectives.
73 (c) Establish project management and oversight standards
74 with which state agencies must comply when implementing
75 information technology projects. The department, acting through
76 the Florida Digital Service, shall provide training
77 opportunities to state agencies to assist in the adoption of the
78 project management and oversight standards. To support data
79 driven decisionmaking, the standards must include, but are not
80 limited to:
81 1. Performance measurements and metrics that objectively
82 reflect the status of an information technology project based on
83 a defined and documented project scope, cost, and schedule.
84 2. Methodologies for calculating acceptable variances in
85 the projected versus actual scope, schedule, or cost of an
86 information technology project.
87 3. Reporting requirements, including requirements designed
88 to alert all defined stakeholders that an information technology
89 project has exceeded acceptable variances defined and documented
90 in a project plan.
91 4. Content, format, and frequency of project updates.
92 5. Technical standards to ensure an information technology
93 project complies with the enterprise architecture.
94 (d) Ensure that independent Perform project oversight on
95 all state agency information technology projects that have total
96 project costs of $10 million or more and that are funded in the
97 General Appropriations Act or any other law is performed and in
98 compliance with applicable state and federal law.
99 1. The department may not be considered independent for
100 purposes of project oversight under this paragraph on a project
101 for which the department has provided or may be asked to provide
102 any operational or technical support, including, but not limited
103 to, providing advice or conducting any review.
104 2. The department shall establish an appropriate contract
105 vehicle to facilitate procurement of project oversight as a
106 service by the enterprise and ensure that the contract vehicle
107 includes offerings that incorporate the ability to comply with
108 applicable state and federal law, including any independent
109 verification and validation requirements. An entity that
110 provides project oversight as a service must provide a project
111 oversight report to the department.
112 3. An agency may request the department to procure project
113 oversight as a service for a project that is subject to this
114 paragraph. Such procurement by the department does not violate
115 the requirement that the project oversight must be independent.
116 4. The department, acting through the Florida Digital
117 Service, shall at least quarterly review received project
118 oversight reports and, upon acceptance of the contents of such
119 reports, provide the reports to the Executive Office of the
120 Governor, the President of the Senate, and the Speaker of the
121 House of Representatives.
122 5. The department, acting through the Florida Digital
123 Service, shall report at least quarterly to the Executive Office
124 of the Governor, the President of the Senate, and the Speaker of
125 the House of Representatives on any information technology
126 project that the department identifies as high-risk due to the
127 project exceeding acceptable variance ranges defined and
128 documented in a project plan. The report must include a risk
129 assessment, including fiscal risks, associated with proceeding
130 to the next stage of the project, and a recommendation for
131 corrective actions required, including suspension or termination
132 of the project.
133 (e) Identify opportunities for standardization and
134 consolidation of information technology services that support
135 interoperability and the cloud-first policy, as specified in s.
136 282.206, and business functions and operations, including
137 administrative functions such as purchasing, accounting and
138 reporting, cash management, and personnel, and that are common
139 across state agencies. The department, acting through the
140 Florida Digital Service, shall biennially on January 15 1 of
141 each even-numbered year provide recommendations for
142 standardization and consolidation to the Executive Office of the
143 Governor, the President of the Senate, and the Speaker of the
144 House of Representatives.
145 (f) Establish best practices for the procurement of
146 information technology products and cloud-computing services in
147 order to reduce costs, increase the quality of data center
148 services, or improve government services.
149 (g) Develop standards for information technology reports
150 and updates, including, but not limited to, operational work
151 plans, project spend plans, and project status reports, for use
152 by state agencies.
153 (h) Upon request, assist state agencies in the development
154 of information technology-related legislative budget requests.
155 (i) Conduct annual assessments of state agencies to
156 determine compliance with all information technology standards
157 and guidelines developed and published by the department and
158 provide results of the assessments to the Executive Office of
159 the Governor, the President of the Senate, and the Speaker of
160 the House of Representatives.
161 (j) Conduct a market analysis not less frequently than
162 every 3 years beginning in 2021 to determine whether the
163 information technology resources within the enterprise are
164 utilized in the most cost-effective and cost-efficient manner,
165 while recognizing that the replacement of certain legacy
166 information technology systems within the enterprise may be cost
167 prohibitive or cost inefficient due to the remaining useful life
168 of those resources; whether the enterprise is complying with the
169 cloud-first policy specified in s. 282.206; and whether the
170 enterprise is utilizing best practices with respect to
171 information technology, information services, and the
172 acquisition of emerging technologies and information services.
173 Each market analysis shall be used to prepare a strategic plan
174 for continued and future information technology and information
175 services for the enterprise, including, but not limited to,
176 proposed acquisition of new services or technologies and
177 approaches to the implementation of any new services or
178 technologies. Copies of each market analysis and accompanying
179 strategic plan must be submitted to the Executive Office of the
180 Governor, the President of the Senate, and the Speaker of the
181 House of Representatives not later than December 31 of each year
182 that a market analysis is conducted.
183 (k) Recommend other information technology services that
184 should be designed, delivered, and managed as enterprise
185 information technology services. Recommendations must include
186 the identification of existing information technology resources
187 associated with the services, if existing services must be
188 transferred as a result of being delivered and managed as
189 enterprise information technology services.
190 (l) In consultation with state agencies, propose a
191 methodology and approach for identifying and collecting both
192 current and planned information technology expenditure data at
193 the state agency level.
194 (m)1. Notwithstanding any other law, provide project
195 oversight on any information technology project of the
196 Department of Financial Services, the Department of Legal
197 Affairs, and the Department of Agriculture and Consumer Services
198 which has a total project cost of $20 million or more. Such
199 information technology projects must also comply with the
200 applicable information technology architecture, project
201 management and oversight, and reporting standards established by
202 the department, acting through the Florida Digital Service.
203 2. When performing the project oversight function specified
204 in subparagraph 1., report by the 15th day after the end of each
205 quarter at least quarterly to the Executive Office of the
206 Governor, the President of the Senate, and the Speaker of the
207 House of Representatives on any information technology project
208 that the department, acting through the Florida Digital Service,
209 identifies as high-risk due to the project exceeding acceptable
210 variance ranges defined and documented in the project plan. The
211 report shall include a risk assessment, including fiscal risks,
212 associated with proceeding to the next stage of the project and
213 a recommendation for corrective actions required, including
214 suspension or termination of the project.
215 (n) If an information technology project implemented by a
216 state agency must be connected to or otherwise accommodated by
217 an information technology system administered by the Department
218 of Financial Services, the Department of Legal Affairs, or the
219 Department of Agriculture and Consumer Services, consult with
220 these departments regarding the risks and other effects of such
221 projects on their information technology systems and work
222 cooperatively with these departments regarding the connections,
223 interfaces, timing, or accommodations required to implement such
224 projects.
225 (o) If adherence to standards or policies adopted by or
226 established pursuant to this section causes conflict with
227 federal regulations or requirements imposed on an entity within
228 the enterprise and results in adverse action against an entity
229 or federal funding, work with the entity to provide alternative
230 standards, policies, or requirements that do not conflict with
231 the federal regulation or requirement. The department, acting
232 through the Florida Digital Service, shall annually by January
233 15 report such alternative standards to the Executive Office of
234 the Governor, the President of the Senate, and the Speaker of
235 the House of Representatives.
236 (p)1. Establish an information technology policy for all
237 information technology-related state contracts, including state
238 term contracts for information technology commodities,
239 consultant services, and staff augmentation services. The
240 information technology policy must include:
241 a. Identification of the information technology product and
242 service categories to be included in state term contracts.
243 b. Requirements to be included in solicitations for state
244 term contracts.
245 c. Evaluation criteria for the award of information
246 technology-related state term contracts.
247 d. The term of each information technology-related state
248 term contract.
249 e. The maximum number of vendors authorized on each state
250 term contract.
251 f. At a minimum, a requirement that any contract for
252 information technology commodities or services meet the National
253 Institute of Standards and Technology Cybersecurity Framework.
254 g. For an information technology project wherein project
255 oversight is required pursuant to paragraph (d) or paragraph
256 (m), a requirement that independent verification and validation
257 be employed throughout the project life cycle with the primary
258 objective of independent verification and validation being to
259 provide an objective assessment of products and processes
260 throughout the project life cycle. An entity providing
261 independent verification and validation may not have technical,
262 managerial, or financial interest in the project and may not
263 have responsibility for, or participate in, any other aspect of
264 the project.
265 2. Evaluate vendor responses for information technology
266 related state term contract solicitations and invitations to
267 negotiate.
268 3. Answer vendor questions on information technology
269 related state term contract solicitations.
270 4. Ensure that the information technology policy
271 established pursuant to subparagraph 1. is included in all
272 solicitations and contracts that are administratively executed
273 by the department.
274 (q) Recommend potential methods for standardizing data
275 across state agencies which will promote interoperability and
276 reduce the collection of duplicative data.
277 (r) Recommend open data technical standards and
278 terminologies for use by the enterprise.
279 (s) Ensure that enterprise information technology solutions
280 are capable of utilizing an electronic credential and comply
281 with the enterprise architecture standards.
282 (t) Establish an operations committee that shall meet as
283 necessary for the purpose of developing collaborative efforts
284 between agencies and other governmental entities relating to
285 cybersecurity issues, including the coordination of preparedness
286 and response efforts relating to cybersecurity incidents and
287 issues relating to the interoperability of agency projects. The
288 Secretary of Management Services shall serve as the executive
289 director of the committee. The committee shall be composed of
290 the following members:
291 1. The state chief information officer, or his or her
292 designee.
293 2. The Attorney General, or his or her designee.
294 3. The Secretary of State, or his or her designee.
295 4. The executive director of the Department of Law
296 Enforcement, or his or her designee.
297 5. The Secretary of Transportation, or his or her designee.
298 6. The director of the Division of Emergency Management, or
299 his or her designee.
300 7. The Secretary of Health Care Administration, or his or
301 her designee.
302 8. The Commissioner of Education, or his or her designee.
303 9. The executive director of the Department of Highway
304 Safety and Motor Vehicles, or his or her designee.
305 10. The chair of the Public Service Commission, or his or
306 her designee.
307 11. The director of the Florida State Guard, or his or her
308 designee.
309 12. The Adjutant General of the Florida National Guard, or
310 his or her designee.
311 13. Any other agency head appointed by the Governor.
312 (2)(a) The Governor shall appoint Secretary of Management
313 Services shall designate a state chief information officer,
314 subject to confirmation by the Senate, who shall administer the
315 Florida Digital Service. The state chief information officer,
316 before prior to appointment, must have at least 5 years of
317 experience in the development of information system strategic
318 planning and development or information technology policy, and,
319 preferably, have leadership-level experience in the design,
320 development, and deployment of interoperable software and data
321 solutions.
322 (b) The state chief information officer, in consultation
323 with the Secretary of Management Services, shall designate a
324 state chief data officer. The chief data officer must be a
325 proven and effective administrator who must have significant and
326 substantive experience in data management, data governance,
327 interoperability, and security.
328 (c) The state chief information officer shall designate a
329 state chief technology officer who shall be responsible for:
330 1. Exploring technology solutions to meet the enterprise
331 need;
332 2. The deployments of adopted enterprise solutions;
333 3. Compliance with the cloud-first policy specified in s.
334 282.206;
335 4. Recommending best practices to increase the likelihood
336 of technology project success;
337 5. Developing strategic partnerships with the private
338 sector; and
339 6. Directly supporting enterprise cybersecurity and data
340 interoperability initiatives.
341
342 The state chief technology officer may acquire cloud migration
343 as a service to comply with this section as it pertains to the
344 implementation across the enterprise of the cloud-first policy.
345 (3) The department, acting through the Florida Digital
346 Service and from funds appropriated to the Florida Digital
347 Service, shall:
348 (a) Create, not later than December 1, 2022, and maintain a
349 comprehensive indexed data catalog in collaboration with the
350 enterprise that lists the data elements housed within the
351 enterprise and the legacy system or application in which these
352 data elements are located. The data catalog must, at a minimum,
353 specifically identify all data that is restricted from public
354 disclosure based on federal or state laws and regulations and
355 require that all such information be protected in accordance
356 with s. 282.318.
357 (b) Develop and publish, not later than December 1, 2022,
358 in collaboration with the enterprise, a data dictionary for each
359 agency that reflects the nomenclature in the comprehensive
360 indexed data catalog.
361 (c) Adopt, by rule, standards that support the creation and
362 deployment of an application programming interface to facilitate
363 integration throughout the enterprise.
364 (d) Adopt, by rule, standards necessary to facilitate a
365 secure ecosystem of data interoperability that is compliant with
366 the enterprise architecture.
367 (e) Adopt, by rule, standards that facilitate the
368 deployment of applications or solutions to the existing
369 enterprise system in a controlled and phased approach.
370 (f) After submission of documented use cases developed in
371 conjunction with the affected agencies, assist the affected
372 agencies with the deployment, contingent upon a specific
373 appropriation therefor, of new interoperable applications and
374 solutions:
375 1. For the Department of Health, the Agency for Health Care
376 Administration, the Agency for Persons with Disabilities, the
377 Department of Education, the Department of Elderly Affairs, and
378 the Department of Children and Families.
379 2. To support military members, veterans, and their
380 families.
381 (4) For information technology projects that have a total
382 project costs cost of $10 million or more:
383 (a) State agencies must provide the Florida Digital Service
384 with written notice of any planned procurement of an information
385 technology project.
386 (b) The Florida Digital Service must participate in the
387 development of specifications and recommend modifications to any
388 planned procurement of an information technology project by
389 state agencies so that the procurement complies with the
390 enterprise architecture.
391 (c) The Florida Digital Service must participate in post
392 award contract monitoring.
393 (5) The department, acting through the Florida Digital
394 Service, may not retrieve or disclose any data without a shared
395 data agreement in place between the department and the
396 enterprise entity that has primary custodial responsibility of,
397 or data-sharing responsibility for, that data.
398 (6) The department, acting through the Florida Digital
399 Service, shall adopt rules to administer this section.
400 Section 5. Section 282.201, Florida Statutes, is amended to
401 read:
402 282.201 State data center.—The state data center is
403 established within the department and shall be overseen by and
404 accountable to the department in consultation with the state
405 chief information officer, the state chief data officer, the
406 state chief information security officer, and the state chief
407 technology officer. Any procurement or purchase of enterprise
408 architecture which is comparable to a project that would be
409 subject to requirements under s. 282.0051(4) if the total
410 project cost was $10 million or more and which may be consumed
411 by an enterprise must be provided to the department and the
412 Florida Digital Service for review before publication. The
413 provision of data center services must comply with applicable
414 state and federal laws, regulations, and policies, including all
415 applicable security, privacy, and auditing requirements. The
416 Florida Digital Service department shall appoint a director of
417 the state data center who has experience in leading data center
418 facilities and has expertise in cloud-computing management.
419 (1) STATE DATA CENTER DUTIES.—The state data center shall:
420 (a) Offer, develop, and support the services and
421 applications defined in service-level agreements executed with
422 its customer entities.
423 (b) Maintain performance of the state data center by
424 ensuring proper data backup; data backup recovery; disaster
425 recovery; and appropriate security, power, cooling, fire
426 suppression, and capacity.
427 (c) Develop and implement business continuity and disaster
428 recovery plans, and annually conduct a live exercise of each
429 plan.
430 (d) Enter into a service-level agreement with each customer
431 entity to provide the required type and level of service or
432 services. If a customer entity fails to execute an agreement
433 within 60 days after commencement of a service, the state data
434 center may cease service. A service-level agreement may not have
435 a term exceeding 3 years and at a minimum must:
436 1. Identify the parties and their roles, duties, and
437 responsibilities under the agreement.
438 2. State the duration of the contract term and specify the
439 conditions for renewal.
440 3. Identify the scope of work.
441 4. Identify the products or services to be delivered with
442 sufficient specificity to permit an external financial or
443 performance audit.
444 5. Establish the services to be provided, the business
445 standards that must be met for each service, the cost of each
446 service by agency application, and the metrics and processes by
447 which the business standards for each service are to be
448 objectively measured and reported.
449 6. Provide a timely billing methodology to recover the
450 costs of services provided to the customer entity pursuant to s.
451 215.422.
452 7. Provide a procedure for modifying the service-level
453 agreement based on changes in the type, level, and cost of a
454 service.
455 8. Include a right-to-audit clause to ensure that the
456 parties to the agreement have access to records for audit
457 purposes during the term of the service-level agreement.
458 9. Provide that a service-level agreement may be terminated
459 by either party for cause only after giving the other party and
460 the department notice in writing of the cause for termination
461 and an opportunity for the other party to resolve the identified
462 cause within a reasonable period.
463 10. Provide for mediation of disputes by the Division of
464 Administrative Hearings pursuant to s. 120.573.
465 (e) For purposes of chapter 273, be the custodian of
466 resources and equipment located in and operated, supported, and
467 managed by the state data center.
468 (f) Assume administrative access rights to resources and
469 equipment, including servers, network components, and other
470 devices, consolidated into the state data center.
471 1. Upon consolidation, a state agency shall relinquish
472 administrative rights to consolidated resources and equipment.
473 State agencies required to comply with federal and state
474 criminal justice information security rules and policies shall
475 retain administrative access rights sufficient to comply with
476 the management control provisions of those rules and policies;
477 however, the state data center shall have the appropriate type
478 or level of rights to allow the center to comply with its duties
479 pursuant to this section. The Department of Law Enforcement
480 shall serve as the arbiter of disputes pertaining to the
481 appropriate type and level of administrative access rights
482 pertaining to the provision of management control in accordance
483 with the federal criminal justice information guidelines.
484 2. The state data center shall provide customer entities
485 with access to applications, servers, network components, and
486 other devices necessary for entities to perform business
487 activities and functions, and as defined and documented in a
488 service-level agreement.
489 (g) In its procurement process, show preference for cloud
490 computing solutions that minimize or do not require the
491 purchasing, financing, or leasing of state data center
492 infrastructure, and that meet the needs of customer agencies,
493 that reduce costs, and that meet or exceed the applicable state
494 and federal laws, regulations, and standards for cybersecurity.
495 (h) Assist customer entities in transitioning from state
496 data center services to the Northwest Regional Data Center or
497 other third-party cloud-computing services procured by a
498 customer entity or by the Northwest Regional Data Center on
499 behalf of a customer entity.
500 (2) USE OF THE STATE DATA CENTER.—The following are exempt
501 from the use of the state data center: the Department of Law
502 Enforcement, the Department of the Lottery’s Gaming System,
503 Systems Design and Development in the Office of Policy and
504 Budget, the regional traffic management centers as described in
505 s. 335.14(2) and the Office of Toll Operations of the Department
506 of Transportation, the State Board of Administration, state
507 attorneys, public defenders, criminal conflict and civil
508 regional counsel, capital collateral regional counsel, and the
509 Florida Housing Finance Corporation.
510 (3) AGENCY LIMITATIONS.—Unless exempt from the use of the
511 state data center pursuant to this section or authorized by the
512 Legislature, a state agency may not:
513 (a) Create a new agency computing facility or data center,
514 or expand the capability to support additional computer
515 equipment in an existing agency computing facility or data
516 center; or
517 (b) Terminate services with the state data center without
518 giving written notice of intent to terminate services 180 days
519 before such termination.
520 (4) DEPARTMENT RESPONSIBILITIES.—The department shall
521 provide operational management and oversight of the state data
522 center, which includes:
523 (a) Implementing industry standards and best practices for
524 the state data center’s facilities, operations, maintenance,
525 planning, and management processes.
526 (b) Developing and implementing cost-recovery mechanisms
527 that recover the full direct and indirect cost of services
528 through charges to applicable customer entities. Such cost
529 recovery mechanisms must comply with applicable state and
530 federal regulations concerning distribution and use of funds and
531 must ensure that, for any fiscal year, no service or customer
532 entity subsidizes another service or customer entity. The
533 department may recommend other payment mechanisms to the
534 Executive Office of the Governor, the President of the Senate,
535 and the Speaker of the House of Representatives. Such mechanisms
536 may be implemented only if specifically authorized by the
537 Legislature.
538 (c) Developing and implementing appropriate operating
539 guidelines and procedures necessary for the state data center to
540 perform its duties pursuant to subsection (1). The guidelines
541 and procedures must comply with applicable state and federal
542 laws, regulations, and policies and conform to generally
543 accepted governmental accounting and auditing standards. The
544 guidelines and procedures must include, but need not be limited
545 to:
546 1. Implementing a consolidated administrative support
547 structure responsible for providing financial management,
548 procurement, transactions involving real or personal property,
549 human resources, and operational support.
550 2. Implementing an annual reconciliation process to ensure
551 that each customer entity is paying for the full direct and
552 indirect cost of each service as determined by the customer
553 entity’s use of each service.
554 3. Providing rebates that may be credited against future
555 billings to customer entities when revenues exceed costs.
556 4. Requiring customer entities to validate that sufficient
557 funds exist before implementation of a customer entity’s request
558 for a change in the type or level of service provided, if such
559 change results in a net increase to the customer entity’s cost
560 for that fiscal year.
561 5. By November 15 of each year, providing to the Office of
562 Policy and Budget in the Executive Office of the Governor and to
563 the chairs of the legislative appropriations committees the
564 projected costs of providing data center services for the
565 following fiscal year.
566 6. Providing a plan for consideration by the Legislative
567 Budget Commission if the cost of a service is increased for a
568 reason other than a customer entity’s request made pursuant to
569 subparagraph 4. Such a plan is required only if the service cost
570 increase results in a net increase to a customer entity for that
571 fiscal year.
572 7. Standardizing and consolidating procurement and
573 contracting practices.
574 (d) In collaboration with the Department of Law Enforcement
575 and the Florida Digital Service, developing and implementing a
576 process for detecting, reporting, and responding to
577 cybersecurity incidents, breaches, and threats.
578 (e) Adopting rules relating to the operation of the state
579 data center, including, but not limited to, budgeting and
580 accounting procedures, cost-recovery methodologies, and
581 operating procedures.
582 (5) NORTHWEST REGIONAL DATA CENTER CONTRACT.—In order for
583 the department to carry out its duties and responsibilities
584 relating to the state data center, the state chief information
585 officer shall assume responsibility for the contract entered
586 into by the secretary of the department shall contract by July
587 1, 2022, with the Northwest Regional Data Center pursuant to s.
588 287.057(11). The contract shall provide that the Northwest
589 Regional Data Center will manage the operations of the state
590 data center and provide data center services to state agencies.
591 Notwithstanding the terms of the contract, the Northwest
592 Regional Data Center must provide the Florida Digital Service
593 with access to information regarding the operations of the state
594 data center.
595 (a) The department shall provide contract oversight,
596 including, but not limited to, reviewing invoices provided by
597 the Northwest Regional Data Center for services provided to
598 state agency customers.
599 (b) The department shall approve or request updates to
600 invoices within 10 business days after receipt. If the
601 department does not respond to the Northwest Regional Data
602 Center, the invoice will be approved by default. The Northwest
603 Regional Data Center must submit approved invoices directly to
604 state agency customers.
605 (6) FLORIDA DIGITAL SERVICE ACCESS.—The state data center,
606 and any successor entity assuming the responsibilities of the
607 state data center, including, but not limited to, the Northwest
608 Regional Data Center, shall provide the Florida Digital Service
609 with full access to any infrastructure, system, application, or
610 other means that hosts, supports, or manages data in the custody
611 of an enterprise. For any such infrastructure, system,
612 application, or other means, the state data center or a
613 successor entity shall fully integrate with the Cybersecurity
614 Operations Center.
615 (7) STATE DATA CENTER REPORT.—Subject to s. 119.0725, the
616 state data center and any successor entity must submit to the
617 department and the Florida Digital Service a quarterly report
618 that provides, relating to infrastructure servicing enterprise
619 customers and data, the number of:
620 (a) Technology assets which are within 1 year of end of
621 life as defined by the manufacturer.
622 (b) Technology assets which are beyond end of life as
623 defined by the manufacturer.
624 (c) Technology assets which are within 2 years of being
625 unsupported by the manufacturer.
626 (d) Technology assets which are currently unsupported by
627 the manufacturer.
628 (e) Workloads which are hosted by a commercial cloud
629 service provider as defined in the National Institute of
630 Standards and Technology publication 500-292.
631 (f) Workloads which are not hosted by a commercial entity
632 which is a cloud service provider as defined in the National
633 Institute of Standards and Technology publication 500-292.
634 (g) Service level disruptions and average duration of
635 disruption.
636 Section 6. Present subsection (10) of section 282.318,
637 Florida Statutes, is redesignated as subsection (11), a new
638 subsection (10) is added to that section, and subsections (3)
639 and (4) of that section are amended, to read:
640 282.318 Cybersecurity.—
641 (3) The department, acting through the Florida Digital
642 Service, is the lead entity responsible for establishing
643 standards and processes for assessing state agency cybersecurity
644 risks and determining appropriate security measures. Such
645 standards and processes must be consistent with generally
646 accepted technology best practices, including the National
647 Institute for Standards and Technology Cybersecurity Framework,
648 for cybersecurity. The department, acting through the Florida
649 Digital Service, shall adopt rules that mitigate risks;
650 safeguard state agency digital assets, data, information, and
651 information technology resources to ensure availability,
652 confidentiality, and integrity; and support a security
653 governance framework. The department, acting through the Florida
654 Digital Service, shall also:
655 (a) Designate an employee of the Florida Digital Service as
656 the state chief information security officer. The state chief
657 information security officer must have experience and expertise
658 in security and risk management for communications and
659 information technology resources. The state chief information
660 security officer is responsible for the development, operation,
661 and oversight of cybersecurity for state technology systems. The
662 state chief information security officer shall be notified of
663 all confirmed or suspected incidents or threats of state agency
664 information technology resources and must report such incidents
665 or threats to the state chief information officer and the
666 Governor.
667 (b) Develop, and annually update by February 1, a statewide
668 cybersecurity strategic plan that includes security goals and
669 objectives for cybersecurity, including the identification and
670 mitigation of risk, proactive protections against threats,
671 tactical risk detection, threat reporting, and response and
672 recovery protocols for a cyber incident.
673 (c) Develop and publish for use by state agencies a
674 cybersecurity governance framework that, at a minimum, includes
675 guidelines and processes for:
676 1. Establishing asset management procedures to ensure that
677 an agency’s information technology resources are identified and
678 managed consistent with their relative importance to the
679 agency’s business objectives.
680 2. Using a standard risk assessment methodology that
681 includes the identification of an agency’s priorities,
682 constraints, risk tolerances, and assumptions necessary to
683 support operational risk decisions.
684 3. Completing comprehensive risk assessments and
685 cybersecurity audits, which may be completed by a private sector
686 vendor, and submitting completed assessments and audits to the
687 department.
688 4. Identifying protection procedures to manage the
689 protection of an agency’s information, data, and information
690 technology resources.
691 5. Establishing procedures for accessing information and
692 data to ensure the confidentiality, integrity, and availability
693 of such information and data.
694 6. Detecting threats through proactive monitoring of
695 events, continuous security monitoring, and defined detection
696 processes.
697 7. Establishing agency cybersecurity incident response
698 teams and describing their responsibilities for responding to
699 cybersecurity incidents, including breaches of personal
700 information containing confidential or exempt data.
701 8. Recovering information and data in response to a
702 cybersecurity incident. The recovery may include recommended
703 improvements to the agency processes, policies, or guidelines.
704 9. Establishing a cybersecurity incident reporting process
705 that includes procedures for notifying the department and the
706 Department of Law Enforcement of cybersecurity incidents.
707 a. The level of severity of the cybersecurity incident is
708 defined by the National Cyber Incident Response Plan of the
709 United States Department of Homeland Security as follows:
710 (I) Level 5 is an emergency-level incident within the
711 specified jurisdiction that poses an imminent threat to the
712 provision of wide-scale critical infrastructure services;
713 national, state, or local government security; or the lives of
714 the country’s, state’s, or local government’s residents.
715 (II) Level 4 is a severe-level incident that is likely to
716 result in a significant impact in the affected jurisdiction to
717 public health or safety; national, state, or local security;
718 economic security; or civil liberties.
719 (III) Level 3 is a high-level incident that is likely to
720 result in a demonstrable impact in the affected jurisdiction to
721 public health or safety; national, state, or local security;
722 economic security; civil liberties; or public confidence.
723 (IV) Level 2 is a medium-level incident that may impact
724 public health or safety; national, state, or local security;
725 economic security; civil liberties; or public confidence.
726 (V) Level 1 is a low-level incident that is unlikely to
727 impact public health or safety; national, state, or local
728 security; economic security; civil liberties; or public
729 confidence.
730 b. The cybersecurity incident reporting process must
731 specify the information that must be reported by a state agency
732 following a cybersecurity incident or ransomware incident,
733 which, at a minimum, must include the following:
734 (I) A summary of the facts surrounding the cybersecurity
735 incident or ransomware incident.
736 (II) The date on which the state agency most recently
737 backed up its data; the physical location of the backup, if the
738 backup was affected; and if the backup was created using cloud
739 computing.
740 (III) The types of data compromised by the cybersecurity
741 incident or ransomware incident.
742 (IV) The estimated fiscal impact of the cybersecurity
743 incident or ransomware incident.
744 (V) In the case of a ransomware incident, the details of
745 the ransom demanded.
746 c.(I) A state agency shall report all ransomware incidents
747 and any cybersecurity incidents incident determined by the state
748 agency to be of severity level 3, 4, or 5 to the Florida Digital
749 Service, the Cybersecurity Operations Center, and the Cybercrime
750 Office of the Department of Law Enforcement as soon as possible
751 but no later than 4 48 hours after discovery of the
752 cybersecurity incident and no later than 2 12 hours after
753 discovery of the ransomware incident. The report must contain
754 the information required in sub-subparagraph b. The Florida
755 Digital Service shall notify the Governor, the President of the
756 Senate, and the Speaker of the House of Representatives of any
757 incident discovered by a state agency but not timely reported
758 under this sub-sub-subparagraph.
759 (II) The Cybersecurity Operations Center shall notify the
760 President of the Senate and the Speaker of the House of
761 Representatives of any severity level 3, 4, or 5 incident as
762 soon as possible but no later than 12 hours after receiving a
763 state agency’s incident report. The notification must include a
764 high-level description of the incident and the likely effects
765 and must be provided in a secure environment.
766 d. A state agency shall report a cybersecurity incident
767 determined by the state agency to be of severity level 1 or 2 to
768 the Cybersecurity Operations Center and the Cybercrime Office of
769 the Department of Law Enforcement as soon as possible. The
770 report must contain the information required in sub-subparagraph
771 b.
772 e. The Cybersecurity Operations Center shall provide a
773 consolidated incident report by the 15th day after the end of
774 each quarter on a quarterly basis to the President of the
775 Senate, the Speaker of the House of Representatives, and the
776 Florida Cybersecurity Advisory Council. The report provided to
777 the Florida Cybersecurity Advisory Council may not contain the
778 name of any agency, network information, or system identifying
779 information but must contain sufficient relevant information to
780 allow the Florida Cybersecurity Advisory Council to fulfill its
781 responsibilities as required in s. 282.319(9).
782 10. Incorporating information obtained through detection
783 and response activities into the agency’s cybersecurity incident
784 response plans.
785 11. Developing agency strategic and operational
786 cybersecurity plans required pursuant to this section.
787 12. Establishing the managerial, operational, and technical
788 safeguards for protecting state government data and information
789 technology resources that align with the state agency risk
790 management strategy and that protect the confidentiality,
791 integrity, and availability of information and data.
792 13. Establishing procedures for procuring information
793 technology commodities and services that require the commodity
794 or service to meet the National Institute of Standards and
795 Technology Cybersecurity Framework.
796 14. Submitting after-action reports following a
797 cybersecurity incident or ransomware incident. Such guidelines
798 and processes for submitting after-action reports must be
799 developed and published by December 1, 2022.
800 (d) Assist state agencies in complying with this section.
801 (e) In collaboration with the Cybercrime Office of the
802 Department of Law Enforcement, annually provide training for
803 state agency information security managers and computer security
804 incident response team members that contains training on
805 cybersecurity, including cybersecurity threats, trends, and best
806 practices.
807 (f) Annually review the strategic and operational
808 cybersecurity plans of state agencies.
809 (g) Annually provide cybersecurity training to all state
810 agency technology professionals and employees with access to
811 highly sensitive information which develops, assesses, and
812 documents competencies by role and skill level. The
813 cybersecurity training curriculum must include training on the
814 identification of each cybersecurity incident severity level
815 referenced in sub-subparagraph (c)9.a. The training may be
816 provided in collaboration with the Cybercrime Office of the
817 Department of Law Enforcement, a private sector entity, or an
818 institution of the State University System.
819 (h) Operate and maintain a Cybersecurity Operations Center
820 led by the state chief information security officer, which must
821 be primarily virtual and staffed with tactical detection and
822 incident response personnel. The Cybersecurity Operations Center
823 shall serve as a clearinghouse for threat information and
824 coordinate with the Department of Law Enforcement to support
825 state agencies and their response to any confirmed or suspected
826 cybersecurity incident.
827 (i) Lead an Emergency Support Function, ESF CYBER and
828 DIGITAL, under the state comprehensive emergency management plan
829 as described in s. 252.35.
830 (j) Provide cybersecurity briefings to the members of any
831 legislative committee or subcommittee responsible for policy
832 matters relating to cybersecurity.
833 (k) Have the authority to respond to any state agency
834 cybersecurity incident.
835 (4) Each state agency head shall, at a minimum:
836 (a) Designate a chief information security officer to
837 integrate the agency’s technical and operational cybersecurity
838 efforts with the Cybersecurity Operations Center. This
839 designation must be provided annually in writing to the Florida
840 Digital Service by January 1. An agency’s chief information
841 security officer shall report to the agency’s chief information
842 officer. An agency may request the department to procure a chief
843 information security officer as a service to fulfill the
844 agency’s duties under this paragraph.
845 (b)(a) Designate an information security manager to ensure
846 compliance with cybersecurity governance, manage risk, and
847 ensure compliance with the state’s incident response plan
848 administer the cybersecurity program of the state agency. This
849 designation must be provided annually in writing to the
850 department by January 15 1. A state agency’s information
851 security manager, for purposes of these information security
852 duties, shall report directly to the agency head.
853 (c)(b) In consultation with the department, through the
854 Florida Digital Service, and the Cybercrime Office of the
855 Department of Law Enforcement, and incorporating the resources
856 of the Florida State Guard as appropriate, establish an agency
857 cybersecurity response team to respond to a cybersecurity
858 incident. The agency cybersecurity response team shall convene
859 upon notification of a cybersecurity incident and must
860 immediately report all confirmed or suspected incidents to the
861 state chief information security officer, or his or her
862 designee, and comply with all applicable guidelines and
863 processes established pursuant to paragraph (3)(c).
864 (d)(c) Submit to the department annually by July 31, the
865 state agency’s strategic and operational cybersecurity plans
866 developed pursuant to rules and guidelines established by the
867 department, through the Florida Digital Service.
868 1. The state agency strategic cybersecurity plan must cover
869 a 3-year period and, at a minimum, define security goals,
870 intermediate objectives, and projected agency costs for the
871 strategic issues of agency information security policy, risk
872 management, security training, security incident response, and
873 disaster recovery. The plan must be based on the statewide
874 cybersecurity strategic plan created by the department and
875 include performance metrics that can be objectively measured to
876 reflect the status of the state agency’s progress in meeting
877 security goals and objectives identified in the agency’s
878 strategic information security plan.
879 2. The state agency operational cybersecurity plan must
880 include a progress report that objectively measures progress
881 made towards the prior operational cybersecurity plan and a
882 project plan that includes activities, timelines, and
883 deliverables for security objectives that the state agency will
884 implement during the current fiscal year.
885 (e)(d) Conduct, and update annually by April 30 every 3
886 years, a comprehensive risk assessment, which may be facilitated
887 by the department or completed by a private sector vendor, to
888 determine the security threats to the data, information, and
889 information technology resources, including mobile devices and
890 print environments, of the agency. The risk assessment must
891 comply with the risk assessment criteria, methodology, and scope
892 developed by the state chief information security officer. The
893 risk assessment findings must be signed by the agency head or
894 the agency head’s designee and the Florida Digital Service. The
895 risk assessment methodology developed by the department and is
896 confidential and exempt from s. 119.07(1), except that such
897 information shall be available to the Auditor General, the
898 Florida Digital Service within the department, the Cybercrime
899 Office of the Department of Law Enforcement, and, for state
900 agencies under the jurisdiction of the Governor, the Chief
901 Inspector General. If a private sector vendor is used to
902 complete a comprehensive risk assessment, it must attest to the
903 validity of the risk assessment findings.
904 (f)(e) Develop, and periodically update, written internal
905 policies and procedures, which include procedures for reporting
906 cybersecurity incidents and breaches to the Cybercrime Office of
907 the Department of Law Enforcement and the Florida Digital
908 Service within the department. Such policies and procedures must
909 be consistent with the rules, guidelines, and processes
910 established by the department to ensure the security of the
911 data, information, and information technology resources of the
912 agency. The internal policies and procedures that, if disclosed,
913 could facilitate the unauthorized modification, disclosure, or
914 destruction of data or information technology resources are
915 confidential information and exempt from s. 119.07(1), except
916 that such information shall be available to the Auditor General,
917 the Cybercrime Office of the Department of Law Enforcement, the
918 Florida Digital Service within the department, and, for state
919 agencies under the jurisdiction of the Governor, the Chief
920 Inspector General.
921 (g)(f) Implement managerial, operational, and technical
922 safeguards and risk assessment remediation plans recommended by
923 the department to address identified risks to the data,
924 information, and information technology resources of the agency.
925 The department, through the Florida Digital Service, shall track
926 implementation by state agencies upon development of such
927 remediation plans in coordination with agency inspectors
928 general.
929 (h)(g) Ensure that periodic internal audits and evaluations
930 of the agency’s cybersecurity program for the data, information,
931 and information technology resources of the agency are
932 conducted. The results of such audits and evaluations are
933 confidential information and exempt from s. 119.07(1), except
934 that such information shall be available to the Auditor General,
935 the Cybercrime Office of the Department of Law Enforcement, the
936 Florida Digital Service within the department, and, for agencies
937 under the jurisdiction of the Governor, the Chief Inspector
938 General.
939 (i)(h) Ensure that the cybersecurity requirements in the
940 written specifications for the solicitation, contracts, and
941 service-level agreement of information technology and
942 information technology resources and services meet or exceed the
943 applicable state and federal laws, regulations, and standards
944 for cybersecurity, including the National Institute of Standards
945 and Technology Cybersecurity Framework. Service-level agreements
946 must identify service provider and state agency responsibilities
947 for privacy and security, protection of government data,
948 personnel background screening, and security deliverables with
949 associated frequencies.
950 (j)(i) Provide cybersecurity awareness training to all
951 state agency employees within 30 days after commencing
952 employment, and annually thereafter, concerning cybersecurity
953 risks and the responsibility of employees to comply with
954 policies, standards, guidelines, and operating procedures
955 adopted by the state agency to reduce those risks. The training
956 may be provided in collaboration with the Cybercrime Office of
957 the Department of Law Enforcement, a private sector entity, or
958 an institution of the State University System.
959 (k)(j) Develop a process for detecting, reporting, and
960 responding to threats, breaches, or cybersecurity incidents
961 which is consistent with the security rules, guidelines, and
962 processes established by the department through the Florida
963 Digital Service.
964 1. All cybersecurity incidents and ransomware incidents
965 must be reported by state agencies. Such reports must comply
966 with the notification procedures and reporting timeframes
967 established pursuant to paragraph (3)(c).
968 2. For cybersecurity breaches, state agencies shall provide
969 notice in accordance with s. 501.171.
970 (l)(k) Submit to the Florida Digital Service, within 1 week
971 after the remediation of a cybersecurity incident or ransomware
972 incident, an after-action report that summarizes the incident,
973 the incident’s resolution, and any insights gained as a result
974 of the incident.
975 (10) Any legislative committee or subcommittee responsible
976 for policy matters relating to cybersecurity may hold meetings
977 closed by the respective legislative body under the rules of
978 such legislative body at which such committee or subcommittee is
979 briefed on records made confidential and exempt under
980 subsections (5) and (6). The committee or subcommittee must
981 maintain the confidential and exempt status of such records.
982 Section 7. Paragraphs (b) and (c) of subsection (5) of
983 section 282.3185, Florida Statutes, are amended to read:
984 282.3185 Local government cybersecurity.—
985 (5) INCIDENT NOTIFICATION.—
986 (b)1. A local government shall report all ransomware
987 incidents and any cybersecurity incidents incident determined by
988 the local government to be of severity level 3, 4, or 5 as
989 provided in s. 282.318(3)(c) to the Florida Digital Service, the
990 Cybersecurity Operations Center, the Cybercrime Office of the
991 Department of Law Enforcement, and the sheriff who has
992 jurisdiction over the local government as soon as possible but
993 no later than 4 48 hours after discovery of the cybersecurity
994 incident and no later than 2 12 hours after discovery of the
995 ransomware incident. The report must contain the information
996 required in paragraph (a). The Florida Digital Service shall
997 notify the Governor, the President of the Senate, and the
998 Speaker of the House of Representatives of any incident
999 discovered by a local government but not timely reported under
1000 this subparagraph.
1001 2. The Cybersecurity Operations Center shall notify the
1002 President of the Senate and the Speaker of the House of
1003 Representatives of any severity level 3, 4, or 5 incident as
1004 soon as possible but no later than 12 hours after receiving a
1005 local government’s incident report. The notification must
1006 include a high-level description of the incident and the likely
1007 effects and must be provided in a secure environment.
1008 (c) A local government may report a cybersecurity incident
1009 determined by the local government to be of severity level 1 or
1010 2 as provided in s. 282.318(3)(c) to the Cybersecurity
1011 Operations Center, the Cybercrime Office of the Department of
1012 Law Enforcement, and the sheriff who has jurisdiction over the
1013 local government. The report shall contain the information
1014 required in paragraph (a).
1015 Section 8. Paragraph (j) of subsection (4) of section
1016 282.319, Florida Statutes, is amended to read:
1017 282.319 Florida Cybersecurity Advisory Council.—
1018 (4) The council shall be comprised of the following
1019 members:
1020 (j) Three representatives from critical infrastructure
1021 sectors, one of whom must be from a water treatment facility,
1022 appointed by the Governor.
1023 Section 9. Section 768.401, Florida Statutes, is created to
1024 read:
1025 768.401 Limitation on liability for cybersecurity
1026 incidents.—
1027 (1) A county or municipality that substantially complies
1028 with s. 282.3185 is not liable in connection with a
1029 cybersecurity incident.
1030 (2) A sole proprietorship, partnership, corporation, trust,
1031 estate, cooperative, association, or other commercial entity
1032 that acquires, maintains, stores, or uses personal information
1033 is not liable in connection with a cybersecurity incident if the
1034 entity substantially complies with s. 501.171, if applicable,
1035 and has:
1036 (a) Adopted a cybersecurity program that substantially
1037 aligns with the current version of any of the following
1038 standards:
1039 1. The National Institute of Standards and Technology
1040 (NIST) Framework for Improving Critical Infrastructure
1041 Cybersecurity.
1042 2. NIST special publication 800-171.
1043 3. NIST special publications 800-53 and 800-53A.
1044 4. The Federal Risk and Authorization Management Program
1045 security assessment framework.
1046 5. CIS Critical Security Controls.
1047 6. The International Organization for
1048 Standardization/International Electrotechnical Commission 27000
1049 series family of standards; or
1050 (b) If regulated by the state or Federal Government, or
1051 both, or if otherwise subject to the requirements of any of the
1052 following laws and regulations, substantially complied its
1053 cybersecurity program to the current version of the following,
1054 as applicable:
1055 1. The security requirements of the Health Insurance
1056 Portability and Accountability Act of 1996, 45 C.F.R. part 164
1057 subpart C.
1058 2. Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L.
1059 No. 106-102, as amended.
1060 3. The Federal Information Security Modernization Act of
1061 2014, Pub. L. No. 113-283.
1062 4. The Health Information Technology for Economic and
1063 Clinical Health Act, 45 C.F.R. part 162.
1064 (3) The scale and scope of compliance with a standard, law,
1065 or regulation under paragraph (2)(a) or paragraph (2)(b) by a
1066 covered entity, as applicable, is appropriate if it is based on
1067 all of the following factors:
1068 (a) The size and complexity of the covered entity;
1069 (b) The nature and scope of the activities of the covered
1070 entity; and
1071 (c) The sensitivity of the information to be protected.
1072 (4) Any commercial entity covered by subsection (2) that
1073 substantially complies with a combination of industry-recognized
1074 cybersecurity frameworks or standards, including the payment
1075 card industry data security standard, to gain the presumption
1076 against liability pursuant to subsection (2) must, upon the
1077 revision of two or more of the frameworks or standards with
1078 which the entity complies, adopt the revised frameworks or
1079 standards within 1 year after the latest publication date stated
1080 in the revisions.
1081 (5) This section does not establish a private cause of
1082 action. Failure of a county, municipality, or commercial entity
1083 to substantially implement a cybersecurity program that is in
1084 compliance with this section is not evidence of negligence and
1085 does not constitute negligence per se.
1086 (6) In an action in connection with a cybersecurity
1087 incident, if the defendant is an entity covered by subsection
1088 (1) or subsection (2), the defendant has the burden of proof to
1089 establish substantial compliance.
1090 Section 10. This act shall take effect July 1, 2023.
1091
1092 ================= T I T L E A M E N D M E N T ================
1093 And the title is amended as follows:
1094 Delete everything before the enacting clause
1095 and insert:
1096 A bill to be entitled
1097 An act relating to cybersecurity; providing a short
1098 title; amending s. 110.205, F.S.; exempting certain
1099 personnel from the career service; amending s.
1100 282.0041, F.S.; defining terms; revising the
1101 definition of the term “incident”; amending s.
1102 282.0051, F.S.; requiring the Florida Digital Service
1103 to ensure that independent project oversight is
1104 performed in a certain manner and to take certain
1105 actions relating to the procurement of project
1106 oversight as a service; requiring the Florida Digital
1107 Service to provide certain reports by certain dates;
1108 requiring the Florida Digital Service to establish an
1109 operations committee for a certain purpose and
1110 composed of certain members; requiring the Governor to
1111 appoint a state chief information officer subject to
1112 confirmation by the Senate; requiring the state chief
1113 information officer to designate a state chief
1114 technology officer; providing duties of the state
1115 chief technology officer; amending s. 282.201, F.S.;
1116 requiring that the state data center be overseen by
1117 and accountable to the Department of Management
1118 Services in consultation with certain officers;
1119 providing requirements for certain state data center
1120 procurements; requiring the state chief information
1121 officer to assume responsibility for a certain
1122 contract; requiring that the Florida Digital Service
1123 be provided with full access to state data center
1124 infrastructure, systems, applications, and other means
1125 of hosting, supporting, and managing certain data;
1126 requiring the state data center to submit a certain
1127 report to the department and the Florida Digital
1128 Service; amending s. 282.318, F.S.; requiring a state
1129 agency to report ransomware and cybersecurity
1130 incidents within a certain time period; requiring the
1131 Florida Digital Service to notify the Governor and
1132 Legislature of certain incidents; requiring that
1133 certain notification be provided in a secure
1134 environment; requiring the Florida Digital Service to
1135 provide cybersecurity briefings to certain legislative
1136 committees; authorizing the Florida Digital Service to
1137 respond to certain cybersecurity incidents; requiring
1138 a state agency head to designate a chief information
1139 security officer for the agency; revising the purpose
1140 of an agency’s information security manager and the
1141 date by which he or she must be designated; revising
1142 the frequency of a comprehensive risk assessment;
1143 authorizing the department to facilitate and providing
1144 requirements for such assessment; authorizing certain
1145 legislative committees to hold closed meetings to
1146 receive certain briefings; requiring such committees
1147 to maintain the confidential and exempt status of
1148 certain records; amending s. 282.3185, F.S.; requiring
1149 a local government to report ransomware and
1150 cybersecurity incidents within a certain time period;
1151 requiring the Florida Digital Service to notify the
1152 Governor and Legislature of certain incidents;
1153 requiring that certain notification be provided in a
1154 secure environment; amending s. 282.319, F.S.;
1155 revising the membership of the Florida Cybersecurity
1156 Advisory Council; creating s. 768.401, F.S.; providing
1157 that a county, municipality, or commercial entity that
1158 complies with certain requirements is not liable in
1159 connection with a cybersecurity incident; requiring
1160 certain entities to adopt certain revised frameworks
1161 or standards within a specified time period; providing
1162 that a private cause of action is not established;
1163 providing that certain failures are not evidence of
1164 negligence and do not constitute negligence per se;
1165 specifying that the defendant in certain actions has a
1166 certain burden of proof; providing an effective date.