CS/CS/HB 1297 — Cybersecurity
by State Affairs Committee; Government Operations Subcommittee; and Reps. Giallombardo, Byrd and others (CS/CS/SB 1900 by Appropriations Committee; Governmental Oversight and Accountability Committee; and Senator Boyd)
This summary is provided for information only and does not represent the opinion of any Senator, Senate Officer, or Senate Office.
Prepared by: Governmental Oversight and Accountability Committee (GO)
The bill expands the duties and responsibilities of the Florida Digital Service (FDS) relating to the state’s cybersecurity governance framework.
The bill defines “cybersecurity” to mean the protection afforded to an automated information system in order to attain the applicable objectives of preserving the confidentiality, integrity, and availability of data, information, and information technology (IT) resources. The bill makes conforming changes across several provisions by replacing all versions of the term “information technology security” with the term “cybersecurity.”
The bill requires that a cybersecurity audit plan be included in the long-term and annual audit plans that agency inspectors general are required to complete.
The bill specifies the Department of Management Services (DMS), acting through the FDS, is the lead entity responsible for assessing state agency cybersecurity risks and determining appropriate security measures to combat such risks. The bill creates new, and amends current, cybersecurity-related duties and responsibilities of the DMS. The bill also expands the responsibilities of each state agency head in relation to cybersecurity.
The bill creates the Florida Cybersecurity Advisory Council (council) within the DMS. The purpose of the council is to assist the state in protecting the state’s IT resources from cyber threats and incidents, and to assist the FDS in implementing best cybersecurity practices. The bill outlines membership requirements of the council, term requirements of each member, and duties and responsibilities of the council as a whole. The bill requires the members of the council to maintain the confidential or exempt status of information received in the performance of their duties and responsibilities as members of the council.
Beginning June 30, 2022, and annually thereafter, the council is required to submit a report to the Governor, the President of the Senate, and the Speaker of the House of Representatives outlining any recommendations considered necessary by the council to address cybersecurity.
If approved by the Governor, these provisions take effect July 1, 2021.
Vote: Senate 40-0; House 118-0