Chapter 282 - 2018 Florida Statutes

Home > Laws > 2018 Florida Statutes > Title XIX > Chapter 282

Quick Links

General Laws Conversion Table (2024) [PDF]
Florida Statutes Definitions Index (2024) [PDF]
Table of Section Changes (2024) [PDF]
Preface to the Florida Statutes (2024) [PDF]
Table Tracing Session Laws to Florida Statutes (2024) [PDF]
Index to Special and Local Laws (1971-2024) [PDF]
Index to Special and Local Laws (1845-1970) [PDF]
Statute Search Tips

2018 Florida Statutes

Title XIX PUBLIC BUSINESS

Chapter 282
COMMUNICATIONS AND DATA PROCESSING

CHAPTER 282

COMMUNICATIONS AND DATA PROCESSING

PART I

ENTERPRISE INFORMATION TECHNOLOGY SERVICES
MANAGEMENT

(ss. 282.003-282.318)

PART II

ACCESSIBILITY OF INFORMATION AND TECHNOLOGY

(ss. 282.601-282.606)

PART III

COMMUNICATION INFORMATION TECHNOLOGY
SERVICES

(ss. 282.701-282.711)

PART I

ENTERPRISE INFORMATION TECHNOLOGY
SERVICES MANAGEMENT

282.003 Short title.

282.0041 Definitions.

282.0051 Agency for State Technology; powers, duties, and functions.

282.00515 Duties of Cabinet agencies.

282.201 State data center.

282.318 Security of data and information technology.

282.003 Short title.—This part may be cited as the “Enterprise Information Technology Services Management Act.”

History.—s. 8, ch. 87-137; s. 1, ch. 92-98; s. 93, ch. 92-142; s. 4, ch. 96-390; s. 7, ch. 97-286; s. 45, ch. 99-13; s. 4, ch. 2008-116; s. 5, ch. 2009-80.

282.0041 Definitions.—As used in this chapter, the term:

(1) “Agency data center” means agency space containing 10 or more physical or logical servers.

¹(2) “Breach” means a confirmed event that compromises the confidentiality, integrity, or availability of information or data.

(3) “Business continuity plan” means a collection of procedures and information designed to keep an agency’s critical operations running during a period of displacement or interruption of normal operations.

(4) “Computing facility” or “agency computing facility” means agency space containing fewer than a total of 10 physical or logical servers, but excluding single, logical-server installations that exclusively perform a utility function such as file and print servers.

²(5) “Customer entity” means an entity that obtains services from the Agency for State Technology.

(6) “Department” means the Department of Management Services.

(7) “Disaster recovery” means the process, policies, procedures, and infrastructure related to preparing for and implementing recovery or continuation of an agency’s vital technology infrastructure after a natural or human-induced disaster.

(8) “Enterprise information technology service” means an information technology service that is used in all agencies or a subset of agencies and is established in law to be designed, delivered, and managed at the enterprise level.

(9) “Event” means an observable occurrence in a system or network.

(10) “Incident” means a violation or imminent threat of violation, whether such violation is accidental or deliberate, of information technology security policies, acceptable use policies, or standard security practices. An imminent threat of violation refers to a situation in which the state agency has a factual basis for believing that a specific incident is about to occur.

(11) “Information technology” means equipment, hardware, software, firmware, programs, systems, networks, infrastructure, media, and related material used to automatically, electronically, and wirelessly collect, receive, access, transmit, display, store, record, retrieve, analyze, evaluate, process, classify, manipulate, manage, assimilate, control, communicate, exchange, convert, converge, interface, switch, or disseminate information of any kind or form.

(12) “Information technology policy” means a definite course or method of action selected from among one or more alternatives that guide and determine present and future decisions.

(13) “Information technology resources” has the same meaning as provided in s. 119.011.

(14) “Information technology security” means the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of data, information, and information technology resources.

(15) “Performance metrics” means the measures of an organization’s activities and performance.

(16) “Project” means an endeavor that has a defined start and end point; is undertaken to create or modify a unique product, service, or result; and has specific objectives that, when attained, signify completion.

(17) “Project oversight” means an independent review and analysis of an information technology project that provides information on the project’s scope, completion timeframes, and budget and that identifies and quantifies issues or risks affecting the successful and timely completion of the project.

(18) “Risk assessment” means the process of identifying security risks, determining their magnitude, and identifying areas needing safeguards.

(19) “Service level” means the key performance indicators (KPI) of an organization or service which must be regularly performed, monitored, and achieved.

²(20) “Service-level agreement” means a written contract between the Agency for State Technology and a customer entity which specifies the scope of services provided, service level, the duration of the agreement, the responsible parties, and agency assessment costs, which include administrative and data center costs. A service-level agreement is not a rule pursuant to chapter 120.

(21) “Stakeholder” means a person, group, organization, or state agency involved in or affected by a course of action.

(22) “Standards” means required practices, controls, components, or configurations established by an authority.

(23) “State agency” means any official, officer, commission, board, authority, council, committee, or department of the executive branch of state government; the Justice Administrative Commission; and the Public Service Commission. The term does not include university boards of trustees or state universities. As used in part I of this chapter, except as otherwise specifically provided, the term does not include the Department of Legal Affairs, the Department of Agriculture and Consumer Services, or the Department of Financial Services.

(24) “SUNCOM Network” means the state enterprise telecommunications system that provides all methods of electronic or optical telecommunications beyond a single building or contiguous building complex and used by entities authorized as network users under this part.

(25) “Telecommunications” means the science and technology of communication at a distance, including electronic systems used in the transmission or reception of information.

(26) “Threat” means any circumstance or event that has the potential to adversely impact a state agency’s operations or assets through an information system via unauthorized access, destruction, disclosure, or modification of information or denial of service.

(27) “Variance” means a calculated value that illustrates how far positive or negative a projection has deviated when measured against documented estimates within a project plan.

²(28) “Agency assessment” means the amount each customer entity must pay annually for services from the Agency for State Technology and includes administrative and data center services costs.

History.—ss. 3, 11, ch. 83-92; s. 17, ch. 87-137; ss. 10, 11, ch. 90-160; s. 4, ch. 91-171; s. 10, ch. 91-221; s. 5, ch. 91-429; s. 3, ch. 92-98; s. 95, ch. 92-142; s. 14, ch. 94-226; s. 11, ch. 94-340; s. 9, ch. 97-286; s. 16, ch. 2000-164; s. 51, ch. 2001-61; s. 10, ch. 2001-261; s. 4, ch. 2007-105; s. 5, ch. 2008-116; s. 6, ch. 2009-80; s. 5, ch. 2010-78; s. 9, ch. 2010-148; s. 3, ch. 2011-50; s. 4, ch. 2014-189; s. 9, ch. 2014-221; ss. 58, 61, ch. 2018-10.

¹Note.—As amended by s. 9, ch. 2014-221. For a description of multiple acts in the same session affecting a statutory provision, see preface to the Florida Statutes, “Statutory Construction.” Subsection (5), redesignated as subsection (2) by s. 9, ch. 2014-221, was also amended by s. 4, ch. 2014-189, and that version reads:

(2) “Breach” has the same meaning as the term “breach of security” as defined in s. 501.171.

²Note.—

A. Section 58, ch. 2018-10, amended subsections (5) and (20) and added subsection (28) “[i]n order to implement Specific Appropriations 2911 through 2930 of the 2018-2019 General Appropriations Act.”

B. Section 61, ch. 2018-10, provides that “[t]he amendments made by this act to ss. 20.61, 282.0041, 282.0051, and 282.201, Florida Statutes, expire July 1, 2019, and the text of those sections shall revert to that in existence on June 30, 2018, except that any amendments to such text enacted other than by this act shall be preserved and continue to operate to the extent that such amendments are not dependent upon the portions of text which expire pursuant to this section.” Effective July 1, 2019, subsection (28) is deleted and subsections (5) and (20), as amended by s. 61, ch. 2018-10, will read:

(5) “Customer entity” means an entity that obtains services from the state data center.

* * * * *

(20) “Service-level agreement” means a written contract between the state data center and a customer entity which specifies the scope of services provided, service level, the duration of the agreement, the responsible parties, and service costs. A service-level agreement is not a rule pursuant to chapter 120.

Note.—Former s. 282.303.

282.0051 Agency for State Technology; powers, duties, and functions.—The Agency for State Technology shall have the following powers, duties, and functions:

(1) Develop and publish information technology policy for the management of the state’s information technology resources.

(2) Establish and publish information technology architecture standards to provide for the most efficient use of the state’s information technology resources and to ensure compatibility and alignment with the needs of state agencies. The agency shall assist state agencies in complying with the standards.

(3) By June 30, 2015, establish project management and oversight standards with which state agencies must comply when implementing information technology projects. The agency shall provide training opportunities to state agencies to assist in the adoption of the project management and oversight standards. To support data-driven decisionmaking, the standards must include, but are not limited to:

(a) Performance measurements and metrics that objectively reflect the status of an information technology project based on a defined and documented project scope, cost, and schedule.

(b) Methodologies for calculating acceptable variances in the projected versus actual scope, schedule, or cost of an information technology project.

(c) Reporting requirements, including requirements designed to alert all defined stakeholders that an information technology project has exceeded acceptable variances defined and documented in a project plan.

(d) Content, format, and frequency of project updates.

(4) Beginning January 1, 2015, perform project oversight on all state agency information technology projects that have total project costs of $10 million or more and that are funded in the General Appropriations Act or any other law. The agency shall report at least quarterly to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives on any information technology project that the agency identifies as high-risk due to the project exceeding acceptable variance ranges defined and documented in a project plan. The report must include a risk assessment, including fiscal risks, associated with proceeding to the next stage of the project, and a recommendation for corrective actions required, including suspension or termination of the project.

(5) By April 1, 2016, and biennially thereafter, identify opportunities for standardization and consolidation of information technology services that support business functions and operations, including administrative functions such as purchasing, accounting and reporting, cash management, and personnel, and that are common across state agencies. The agency shall provide recommendations for standardization and consolidation to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives. The agency is not precluded from providing recommendations before April 1, 2016.

(6) In collaboration with the Department of Management Services, establish best practices for the procurement of information technology products in order to reduce costs, increase productivity, or improve services. Such practices must include a provision requiring the agency to review all information technology purchases made by state agencies that have a total cost of $250,000 or more, unless a purchase is specifically mandated by the Legislature, for compliance with the standards established pursuant to this section.

(7)(a) Participate with the Department of Management Services in evaluating, conducting, and negotiating competitive solicitations for state term contracts for information technology commodities, consultant services, or staff augmentation contractual services pursuant to s. 287.0591.

(b) Collaborate with the Department of Management Services in information technology resource acquisition planning.

(8) Develop standards for information technology reports and updates, including, but not limited to, operational work plans, project spend plans, and project status reports, for use by state agencies.

(9) Upon request, assist state agencies in the development of information technology-related legislative budget requests.

(10) Beginning July 1, 2016, and annually thereafter, conduct annual assessments of state agencies to determine compliance with all information technology standards and guidelines developed and published by the agency, and beginning December 1, 2016, and annually thereafter, provide results of the assessments to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives.

¹(11) Provide operational management and oversight of the state data center established pursuant to s. 282.201, which includes:

(a) Implementing industry standards and best practices for the state data center’s facilities, operations, maintenance, planning, and management processes.

(b) Developing and implementing appropriate operating guidelines and procedures necessary for the state data center to perform its duties pursuant to s. 282.201. The guidelines and procedures must comply with applicable state and federal laws, regulations, and policies and conform to generally accepted governmental accounting and auditing standards. The guidelines and procedures must include, but not be limited to:

1. Implementing a consolidated administrative support structure responsible for providing procurement, transactions involving real or personal property, human resources, and operational support.

2. Standardizing and consolidating procurement and contracting practices.

(c) In collaboration with the Department of Law Enforcement, developing and implementing a process for detecting, reporting, and responding to information technology security incidents, breaches, and threats.

(d) Adopting rules relating to the operation of the state data center.

(e) Beginning May 1, 2016, and annually thereafter, conducting a market analysis to determine whether the state’s approach to the provision of data center services is the most effective and efficient manner by which its customer entities can acquire such services, based on federal, state, and local government trends; best practices in service provision; and the acquisition of new and emerging technologies. The results of the market analysis shall assist the state data center in making adjustments to its data center service offerings.

(12) Recommend other information technology services that should be designed, delivered, and managed as enterprise information technology services. Recommendations must include the identification of existing information technology resources associated with the services, if existing services must be transferred as a result of being delivered and managed as enterprise information technology services.

(13) Recommend additional consolidations of agency computing facilities or data centers into the state data center established pursuant to s. 282.201. Such recommendations shall include a proposed timeline for consolidation.

(14) In consultation with state agencies, propose a methodology and approach for identifying and collecting both current and planned information technology expenditure data at the state agency level.

(15)(a) Beginning January 1, 2015, and notwithstanding any other law, provide project oversight on any information technology project of the Department of Financial Services, the Department of Legal Affairs, and the Department of Agriculture and Consumer Services that has a total project cost of $25 million or more and that impacts one or more other agencies. Such information technology projects must also comply with the applicable information technology architecture, project management and oversight, and reporting standards established by the agency.

(b) When performing the project oversight function specified in paragraph (a), report at least quarterly to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives on any information technology project that the agency identifies as high-risk due to the project exceeding acceptable variance ranges defined and documented in the project plan. The report shall include a risk assessment, including fiscal risks, associated with proceeding to the next stage of the project and a recommendation for corrective actions required, including suspension or termination of the project.

(16) If an information technology project implemented by a state agency must be connected to or otherwise accommodated by an information technology system administered by the Department of Financial Services, the Department of Legal Affairs, or the Department of Agriculture and Consumer Services, consult with these departments regarding the risks and other effects of such projects on their information technology systems and work cooperatively with these departments regarding the connections, interfaces, timing, or accommodations required to implement such projects.

(17) If adherence to standards or policies adopted by or established pursuant to this section causes conflict with federal regulations or requirements imposed on a state agency and results in adverse action against the state agency or federal funding, work with the state agency to provide alternative standards, policies, or requirements that do not conflict with the federal regulation or requirement. Beginning July 1, 2015, the agency shall annually report such alternative standards to the Governor, the President of the Senate, and the Speaker of the House of Representatives.

(18) In collaboration with the Department of Management Services:

(a) Establish an information technology policy for all information technology-related state contracts, including state term contracts for information technology commodities, consultant services, and staff augmentation services. The information technology policy must include:

1. Identification of the information technology product and service categories to be included in state term contracts.

2. Requirements to be included in solicitations for state term contracts.

3. Evaluation criteria for the award of information technology-related state term contracts.

4. The term of each information technology-related state term contract.

5. The maximum number of vendors authorized on each state term contract.

(b) Evaluate vendor responses for state term contract solicitations and invitations to negotiate.

(d) Ensure that the information technology policy established pursuant to paragraph (a) is included in all solicitations and contracts which are administratively executed by the department.

(19) Adopt rules to administer this section.

History.—s. 10, ch. 2014-221; s. 3, ch. 2016-138; ss. 59, 61, ch. 2018-10.

¹Note.—

A. Section 59, ch. 2018-10, amended subsection (11) “[i]n order to implement Specific Appropriations 2911 through 2930 of the 2018-2019 General Appropriations Act.”

(11) Provide operational management and oversight of the state data center established pursuant to s. 282.201, which includes:

(a) Implementing industry standards and best practices for the state data center’s facilities, operations, maintenance, planning, and management processes.

(b) Developing and implementing cost-recovery mechanisms that recover the full direct and indirect cost of services through charges to applicable customer entities. Such cost-recovery mechanisms must comply with applicable state and federal regulations concerning distribution and use of funds and must ensure that, for any fiscal year, no service or customer entity subsidizes another service or customer entity.

(c) Developing and implementing appropriate operating guidelines and procedures necessary for the state data center to perform its duties pursuant to s. 282.201. The guidelines and procedures must comply with applicable state and federal laws, regulations, and policies and conform to generally accepted governmental accounting and auditing standards. The guidelines and procedures must include, but not be limited to:

1. Implementing a consolidated administrative support structure responsible for providing financial management, procurement, transactions involving real or personal property, human resources, and operational support.

2. Implementing an annual reconciliation process to ensure that each customer entity is paying for the full direct and indirect cost of each service as determined by the customer entity’s use of each service.

3. Providing rebates that may be credited against future billings to customer entities when revenues exceed costs.

4. Requiring customer entities to validate that sufficient funds exist in the appropriate data processing appropriation category or will be transferred into the appropriate data processing appropriation category before implementation of a customer entity’s request for a change in the type or level of service provided, if such change results in a net increase to the customer entity’s costs for that fiscal year.

5. By September 1 of each year, providing to each customer entity’s agency head the projected costs of providing data center services for the following fiscal year.

6. Providing a plan for consideration by the Legislative Budget Commission if the cost of a service is increased for a reason other than a customer entity’s request made pursuant to subparagraph 4. Such a plan is required only if the service cost increase results in a net increase to a customer entity for that fiscal year.

7. Standardizing and consolidating procurement and contracting practices.

(d) In collaboration with the Department of Law Enforcement, developing and implementing a process for detecting, reporting, and responding to information technology security incidents, breaches, and threats.

(e) Adopting rules relating to the operation of the state data center, including, but not limited to, budgeting and accounting procedures, cost-recovery methodologies, and operating procedures.

(f) Beginning May 1, 2016, and annually thereafter, conducting a market analysis to determine whether the state’s approach to the provision of data center services is the most effective and efficient manner by which its customer entities can acquire such services, based on federal, state, and local government trends; best practices in service provision; and the acquisition of new and emerging technologies. The results of the market analysis shall assist the state data center in making adjustments to its data center service offerings.

282.00515 Duties of Cabinet agencies.—The Department of Legal Affairs, the Department of Financial Services, and the Department of Agriculture and Consumer Services shall adopt the standards established in s. 282.0051(2), (3), and (8) or adopt alternative standards based on best practices and industry standards, and may contract with the Agency for State Technology to provide or perform any of the services and functions described in s. 282.0051 for the Department of Legal Affairs, the Department of Financial Services, or the Department of Agriculture and Consumer Services.

History.—s. 11, ch. 2014-221.

¹282.201 State data center.—The state data center is established within the Agency for State Technology and shall provide data center services that are hosted on premises or externally through a third-party provider as an enterprise information technology service. The provision of data center services must comply with applicable state and federal laws, regulations, and policies, including all applicable security, privacy, and auditing requirements.

(1) INTENT.—The Legislature finds that the most efficient and effective means of providing quality utility data processing services to state agencies requires that computing resources be concentrated in quality facilities that provide the proper security, disaster recovery, infrastructure, and staff resources to ensure that the state’s data is maintained reliably and safely, and is recoverable in the event of a disaster. Unless otherwise exempt by law, it is the intent of the Legislature that all agency data centers and computing facilities shall be consolidated into the state data center.

(2) STATE DATA CENTER DUTIES.—The state data center shall:

(a) Offer, develop, and support the services and applications defined in service-level agreements executed with its customer entities.

(b) Maintain performance of the state data center by ensuring proper data backup, data backup recovery, disaster recovery, and appropriate security, power, cooling, fire suppression, and capacity.

(c) Develop and implement a business continuity plan and a disaster recovery plan, and beginning July 1, 2015, and annually thereafter, conduct a live exercise of each plan.

¹(d) Enter into a service-level agreement with each customer entity to provide the required type and level of service or services. If a customer entity fails to execute an agreement within 60 days after commencement of a service, the state data center may cease service. A service-level agreement may not have a term exceeding 3 years and at a minimum must:

1. Identify the parties and their roles, duties, and responsibilities under the agreement.

2. State the duration of the contract term and specify the conditions for renewal.

3. Identify the scope of work.

4. Identify the products or services to be delivered with sufficient specificity to permit an external financial or performance audit.

5. Establish the services to be provided, the business standards that must be met for each service, the cost of each service, and the metrics and processes by which the business standards for each service are to be objectively measured and reported.

6. Provide a procedure for modifying the service-level agreement based on changes in the type, level, and cost of a service.

7. Include a right-to-audit clause to ensure that the parties to the agreement have access to records for audit purposes during the term of the service-level agreement.

8. Provide that a service-level agreement may be terminated by either party for cause only after giving the other party and the Agency for State Technology notice in writing of the cause for termination and an opportunity for the other party to resolve the identified cause within a reasonable period.

9. Provide for mediation of disputes by the Division of Administrative Hearings pursuant to s. 120.573.

(e) For purposes of chapter 273, be the custodian of resources and equipment located in and operated, supported, and managed by the state data center.

(f) Assume administrative access rights to resources and equipment, including servers, network components, and other devices, consolidated into the state data center.

1. Upon the date of each consolidation specified in this section, the General Appropriations Act, or any other law, a state agency shall relinquish administrative rights to consolidated resources and equipment. State agencies required to comply with federal and state criminal justice information security rules and policies shall retain administrative access rights sufficient to comply with the management control provisions of those rules and policies; however, the state data center shall have the appropriate type or level of rights to allow the center to comply with its duties pursuant to this section. The Department of Law Enforcement shall serve as the arbiter of disputes pertaining to the appropriate type and level of administrative access rights pertaining to the provision of management control in accordance with the federal criminal justice information guidelines.

2. The state data center shall provide customer entities with access to applications, servers, network components, and other devices necessary for entities to perform business activities and functions, and as defined and documented in a service-level agreement.

(3) STATE AGENCY DUTIES.—

(a) Each state agency shall provide to the Agency for State Technology all requested information relating to its data centers and computing facilities and any other information relevant to the effective transition of an agency data center or computing facility into the state data center.

(b) Each state agency customer of the state data center shall notify the state data center, by May 31 and November 30 of each year, of any significant changes in anticipated utilization of state data center services pursuant to requirements established by the state data center.

(4) SCHEDULE FOR CONSOLIDATIONS OF AGENCY DATA CENTERS.—

(a) Consolidations of agency data centers and computing facilities into the state data center shall be made by the dates specified in this section and in accordance with budget adjustments contained in the General Appropriations Act.

(b) During the 2013-2014 fiscal year, the following state agencies shall be consolidated by the specified date:

1. By October 31, 2013, the Department of Economic Opportunity.

2. By December 31, 2013, the Executive Office of the Governor, to include the Division of Emergency Management except for the Emergency Operation Center’s management system in Tallahassee and the Camp Blanding Emergency Operations Center in Starke.

3. By March 31, 2014, the Department of Elderly Affairs.

4. By October 30, 2013, the Fish and Wildlife Conservation Commission, except for the commission’s Fish and Wildlife Research Institute in St. Petersburg.

(c) The following are exempt from state data center consolidation under this section: the Department of Law Enforcement, the Department of the Lottery’s Gaming System, Systems Design and Development in the Office of Policy and Budget, the regional traffic management centers as described in s. 335.14(2) and the Office of Toll Operations of the Department of Transportation, the State Board of Administration, state attorneys, public defenders, criminal conflict and civil regional counsel, capital collateral regional counsel, and the Florida Housing Finance Corporation.

(d) A state agency that is consolidating its agency data center or computing facility into the state data center must execute a new or update an existing service-level agreement within 60 days after the commencement of the service. If a state agency and the state data center are unable to execute a service-level agreement by that date, the agency shall submit a report to the Executive Office of the Governor within 5 working days after that date which explains the specific issues preventing execution and describing the plan and schedule for resolving those issues.

(e) Each state agency scheduled for consolidation into the state data center shall submit a transition plan to the Agency for State Technology by July 1 of the fiscal year before the fiscal year in which the scheduled consolidation will occur. Transition plans shall be developed in consultation with the state data center and must include:

1. An inventory of the agency data center’s resources being consolidated, including all hardware and its associated life cycle replacement schedule, software, staff, contracted services, and facility resources performing data center management and operations, security, backup and recovery, disaster recovery, system administration, database administration, system programming, job control, production control, print, storage, technical support, help desk, and managed services, but excluding application development, and the agency’s costs supporting these resources.

2. A list of contracts in effect, including, but not limited to, contracts for hardware, software, and maintenance, which identifies the expiration date, the contract parties, and the cost of each contract.

3. A detailed description of the level of services needed to meet the technical and operational requirements of the platforms being consolidated.

4. A timetable with significant milestones for the completion of the consolidation.

(f) Each state agency scheduled for consolidation into the state data center shall submit with its respective legislative budget request the specific recurring and nonrecurring budget adjustments of resources by appropriation category into the appropriate data processing category pursuant to the legislative budget request instructions in s. 216.023.

(5) AGENCY LIMITATIONS.—

(a) Unless exempt from data center consolidation pursuant to this section or authorized by the Legislature or as provided in paragraph (b), a state agency may not:

1. Create a new agency computing facility or data center, or expand the capability to support additional computer equipment in an existing agency computing facility or data center;

2. Spend funds before the state agency’s scheduled consolidation into the state data center to purchase or modify hardware or operations software that does not comply with standards established by the Agency for State Technology pursuant to s. 282.0051;

3. Transfer existing computer services to any data center other than the state data center;

4. Terminate services with the state data center without giving written notice of intent to terminate services 180 days before such termination; or

5. Initiate a new computer service except with the state data center.

(b) Exceptions to the limitations in subparagraphs (a)1., 2., 3., and 5. may be granted by the Agency for State Technology if there is insufficient capacity in the state data center to absorb the workload associated with agency computing services, if expenditures are compatible with the standards established pursuant to s. 282.0051, or if the equipment or resources are needed to meet a critical agency business need that cannot be satisfied by the state data center. The Agency for State Technology shall establish requirements that a state agency must follow when submitting and documenting a request for an exception. The Agency for State Technology shall also publish guidelines for its consideration of exception requests. However, the decision of the Agency for State Technology regarding an exception request is not subject to chapter 120.

History.—s. 8, ch. 2008-116; s. 24, ch. 2009-21; s. 8, ch. 2009-80; s. 44, ch. 2010-5; s. 2, ch. 2010-148; s. 5, ch. 2011-50; s. 33, ch. 2012-96; s. 2, ch. 2012-134; s. 1, ch. 2012-142; s. 37, ch. 2013-15; ss. 47, 48, ch. 2013-41; s. 50, ch. 2014-19; ss. 13, 14, ch. 2014-221; ss. 60, 61, ch. 2018-10.

¹Note.—

A. Section 60, ch. 2018-10, amended the introductory paragraph to the section and paragraph (2)(d) “[i]n order to implement Specific Appropriations 2908 of the 2018-2019 General Appropriations Act.”

B. Section 61, ch. 2018-10, provides that “[t]he amendments made by this act to ss. 20.61, 282.0041, 282.0051, and 282.201, Florida Statutes, expire July 1, 2019, and the text of those sections shall revert to that in existence on June 30, 2018, except that any amendments to such text enacted other than by this act shall be preserved and continue to operate to the extent that such amendments are not dependent upon the portions of text which expire pursuant to this section.” Effective July 1, 2019, the introductory paragraph to the section and paragraph (2)(d), as amended by s. 60, ch. 2018-10, will read:

282.201 State data center.—The state data center is established within the Agency for State Technology and shall provide data center services that are hosted on premises or externally through a third-party provider as an enterprise information technology service. The provision of services must comply with applicable state and federal laws, regulations, and policies, including all applicable security, privacy, and auditing requirements.

* * * * *

(d) Enter into a service-level agreement with each customer entity to provide the required type and level of service or services. If a customer entity fails to execute an agreement within 60 days after commencement of a service, the state data center may cease service. A service-level agreement may not have a term exceeding 3 years and at a minimum must:

1. Identify the parties and their roles, duties, and responsibilities under the agreement.

2. State the duration of the contract term and specify the conditions for renewal.

3. Identify the scope of work.

4. Identify the products or services to be delivered with sufficient specificity to permit an external financial or performance audit.

6. Provide a timely billing methodology to recover the cost of services provided to the customer entity pursuant to s. 215.422.

7. Provide a procedure for modifying the service-level agreement based on changes in the type, level, and cost of a service.

8. Include a right-to-audit clause to ensure that the parties to the agreement have access to records for audit purposes during the term of the service-level agreement.

9. Provide that a service-level agreement may be terminated by either party for cause only after giving the other party and the Agency for State Technology notice in writing of the cause for termination and an opportunity for the other party to resolve the identified cause within a reasonable period.

10. Provide for mediation of disputes by the Division of Administrative Hearings pursuant to s. 120.573.

282.318 Security of data and information technology.—

(1) This section may be cited as the “ Information Technology Security Act.”

(2) As used in this section, the term “state agency” has the same meaning as provided in s. 282.0041, except that the term includes the Department of Legal Affairs, the Department of Agriculture and Consumer Services, and the Department of Financial Services.

(3) The Agency for State Technology is responsible for establishing standards and processes consistent with generally accepted best practices for information technology security, to include cybersecurity, and adopting rules that safeguard an agency’s data, information, and information technology resources to ensure availability, confidentiality, and integrity and to mitigate risks. The agency shall also:

(a) Develop, and annually update by February 1, a statewide information technology security strategic plan that includes security goals and objectives for the strategic issues of information technology security policy, risk management, training, incident management, and disaster recovery planning.

(b) Develop and publish for use by state agencies an information technology security framework that, at a minimum, includes guidelines and processes for:

1. Establishing asset management procedures to ensure that an agency’s information technology resources are identified and managed consistent with their relative importance to the agency’s business objectives.

2. Using a standard risk assessment methodology that includes the identification of an agency’s priorities, constraints, risk tolerances, and assumptions necessary to support operational risk decisions.

3. Completing comprehensive risk assessments and information technology security audits, which may be completed by a private sector vendor, and submitting completed assessments and audits to the Agency for State Technology.

4. Identifying protection procedures to manage the protection of an agency’s information, data, and information technology resources.

5. Establishing procedures for accessing information and data to ensure the confidentiality, integrity, and availability of such information and data.

6. Detecting threats through proactive monitoring of events, continuous security monitoring, and defined detection processes.

7. Establishing agency computer security incident response teams and describing their responsibilities for responding to information technology security incidents, including breaches of personal information containing confidential or exempt data.

8. Recovering information and data in response to an information technology security incident. The recovery may include recommended improvements to the agency processes, policies, or guidelines.

9. Establishing an information technology security incident reporting process that includes procedures and tiered reporting timeframes for notifying the Agency for State Technology and the Department of Law Enforcement of information technology security incidents. The tiered reporting timeframes shall be based upon the level of severity of the information technology security incidents being reported.

10. Incorporating information obtained through detection and response activities into the agency’s information technology security incident response plans.

11. Developing agency strategic and operational information technology security plans required pursuant to this section.

12. Establishing the managerial, operational, and technical safeguards for protecting state government data and information technology resources that align with the state agency risk management strategy and that protect the confidentiality, integrity, and availability of information and data.

(d) In collaboration with the Cybercrime Office of the Department of Law Enforcement, annually provide training for state agency information security managers and computer security incident response team members that contains training on information technology security, including cybersecurity, threats, trends, and best practices.

(e) Annually review the strategic and operational information technology security plans of executive branch agencies.

(4) Each state agency head shall, at a minimum:

(a) Designate an information security manager to administer the information technology security program of the state agency. This designation must be provided annually in writing to the Agency for State Technology by January 1. A state agency’s information security manager, for purposes of these information security duties, shall report directly to the agency head.

(b) In consultation with the Agency for State Technology and the Cybercrime Office of the Department of Law Enforcement, establish an agency computer security incident response team to respond to an information technology security incident. The agency computer security incident response team shall convene upon notification of an information technology security incident and must comply with all applicable guidelines and processes established pursuant to paragraph (3)(b).

(c) Submit to the Agency for State Technology annually by July 31, the state agency’s strategic and operational information technology security plans developed pursuant to rules and guidelines established by the Agency for State Technology.

1. The state agency strategic information technology security plan must cover a 3-year period and, at a minimum, define security goals, intermediate objectives, and projected agency costs for the strategic issues of agency information security policy, risk management, security training, security incident response, and disaster recovery. The plan must be based on the statewide information technology security strategic plan created by the Agency for State Technology and include performance metrics that can be objectively measured to reflect the status of the state agency’s progress in meeting security goals and objectives identified in the agency’s strategic information security plan.

2. The state agency operational information technology security plan must include a progress report that objectively measures progress made towards the prior operational information technology security plan and a project plan that includes activities, timelines, and deliverables for security objectives that the state agency will implement during the current fiscal year.

(d) Conduct, and update every 3 years, a comprehensive risk assessment, which may be completed by a private sector vendor, to determine the security threats to the data, information, and information technology resources, including mobile devices and print environments, of the agency. The risk assessment must comply with the risk assessment methodology developed by the Agency for State Technology and is confidential and exempt from s. 119.07(1), except that such information shall be available to the Auditor General, the Agency for State Technology, the Cybercrime Office of the Department of Law Enforcement, and, for state agencies under the jurisdiction of the Governor, the Chief Inspector General.

(e) Develop, and periodically update, written internal policies and procedures, which include procedures for reporting information technology security incidents and breaches to the Cybercrime Office of the Department of Law Enforcement and the Agency for State Technology. Such policies and procedures must be consistent with the rules, guidelines, and processes established by the Agency for State Technology to ensure the security of the data, information, and information technology resources of the agency. The internal policies and procedures that, if disclosed, could facilitate the unauthorized modification, disclosure, or destruction of data or information technology resources are confidential information and exempt from s. 119.07(1), except that such information shall be available to the Auditor General, the Cybercrime Office of the Department of Law Enforcement, the Agency for State Technology, and, for state agencies under the jurisdiction of the Governor, the Chief Inspector General.

(f) Implement managerial, operational, and technical safeguards and risk assessment remediation plans recommended by the Agency for State Technology to address identified risks to the data, information, and information technology resources of the agency.

(g) Ensure that periodic internal audits and evaluations of the agency’s information technology security program for the data, information, and information technology resources of the agency are conducted. The results of such audits and evaluations are confidential information and exempt from s. 119.07(1), except that such information shall be available to the Auditor General, the Cybercrime Office of the Department of Law Enforcement, the Agency for State Technology, and, for agencies under the jurisdiction of the Governor, the Chief Inspector General.

(h) Include appropriate information technology security requirements in the written specifications for the solicitation of information technology and information technology resources and services, which are consistent with the rules and guidelines established by the Agency for State Technology in collaboration with the Department of Management Services.

(i) Provide information technology security and cybersecurity awareness training to all state agency employees in the first 30 days after commencing employment concerning information technology security risks and the responsibility of employees to comply with policies, standards, guidelines, and operating procedures adopted by the state agency to reduce those risks. The training may be provided in collaboration with the Cybercrime Office of the Department of Law Enforcement.

(j) Develop a process for detecting, reporting, and responding to threats, breaches, or information technology security incidents which is consistent with the security rules, guidelines, and processes established by the Agency for State Technology.

1. All information technology security incidents and breaches must be reported to the Agency for State Technology and the Cybercrime Office of the Department of Law Enforcement and must comply with the notification procedures and reporting timeframes established pursuant to paragraph (3)(b).

2. For information technology security breaches, state agencies shall provide notice in accordance with s. 501.171.

3. Records held by a state agency which identify detection, investigation, or response practices for suspected or confirmed information technology security incidents, including suspected or confirmed breaches, are confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution, if the disclosure of such records would facilitate unauthorized access to or the unauthorized modification, disclosure, or destruction of:

a. Data or information, whether physical or virtual; or

b. Information technology resources, which includes:

(I) Information relating to the security of the agency’s technologies, processes, and practices designed to protect networks, computers, data processing software, and data from attack, damage, or unauthorized access; or

(II) Security information, whether physical or virtual, which relates to the agency’s existing or proposed information technology systems.

Such records shall be available to the Auditor General, the Agency for State Technology, the Cybercrime Office of the Department of Law Enforcement, and, for state agencies under the jurisdiction of the Governor, the Chief Inspector General. Such records may be made available to a local government, another state agency, or a federal agency for information technology security purposes or in furtherance of the state agency’s official duties. This exemption applies to such records held by a state agency before, on, or after the effective date of this exemption. This subparagraph is subject to the Open Government Sunset Review Act in accordance with s. 119.15 and shall stand repealed on October 2, 2021, unless reviewed and saved from repeal through reenactment by the Legislature.

(5) The portions of risk assessments, evaluations, external audits, and other reports of a state agency’s information technology security program for the data, information, and information technology resources of the state agency which are held by a state agency are confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution if the disclosure of such portions of records would facilitate unauthorized access to or the unauthorized modification, disclosure, or destruction of:

(a) Data or information, whether physical or virtual; or

(b) Information technology resources, which include:

1. Information relating to the security of the agency’s technologies, processes, and practices designed to protect networks, computers, data processing software, and data from attack, damage, or unauthorized access; or

2. Security information, whether physical or virtual, which relates to the agency’s existing or proposed information technology systems.

Such portions of records shall be available to the Auditor General, the Cybercrime Office of the Department of Law Enforcement, the Agency for State Technology, and, for agencies under the jurisdiction of the Governor, the Chief Inspector General. Such portions of records may be made available to a local government, another state agency, or a federal agency for information technology security purposes or in furtherance of the state agency’s official duties. For purposes of this subsection, “external audit” means an audit that is conducted by an entity other than the state agency that is the subject of the audit. This exemption applies to such records held by a state agency before, on, or after the effective date of this exemption. This subsection is subject to the Open Government Sunset Review Act in accordance with s. 119.15 and shall stand repealed on October 2, 2021, unless reviewed and saved from repeal through reenactment by the Legislature.

(6) The Agency for State Technology shall adopt rules relating to information technology security and to administer this section.

History.—ss. 1, 2, 3, ch. 84-236; s. 28, ch. 87-137; s. 1, ch. 89-14; s. 7, ch. 90-160; s. 13, ch. 91-171; s. 234, ch. 92-279; s. 55, ch. 92-326; s. 22, ch. 94-340; s. 863, ch. 95-148; s. 131, ch. 96-406; s. 15, ch. 97-286; s. 25, ch. 2000-164; s. 26, ch. 2001-261; s. 18, ch. 2006-26; s. 10, ch. 2007-105; s. 12, ch. 2009-80; s. 46, ch. 2010-5; s. 9, ch. 2011-50; s. 5, ch. 2014-189; s. 16, ch. 2014-221; s. 1, ch. 2016-114; s. 2, ch. 2016-138.

PART II

ACCESSIBILITY OF INFORMATION
AND TECHNOLOGY

282.601 Accessibility of electronic information and information technology.

282.602 Definitions.

282.603 Access to electronic and information technology for persons with disabilities; undue burden; limitations.

282.604 Adoption of rules.

282.605 Exceptions.

282.606 Intent.

282.601 Accessibility of electronic information and information technology.—

(1) In order to improve the accessibility of electronic information and information technology and increase the successful education, employment, access to governmental information and services, and involvement in community life, the executive, legislative, and judicial branches of state government shall, when developing, competitively procuring, maintaining, or using electronic information or information technology acquired on or after July 1, 2006, ensure that state employees with disabilities have access to and are provided with information and data comparable to the access and use by state employees who are not individuals with disabilities, unless an undue burden would be imposed on the agency.

(2) Individuals with disabilities who are members of the public seeking information or services from state agencies that are subject to this part shall be provided with access to and use of information and data comparable to that provided to the public who are not individuals with disabilities, unless an undue burden would be imposed on the agency.

History.—s. 73, ch. 2006-227.

282.602 Definitions.—As used in this part, the term:

(1) “Accessible electronic information and information technology” means electronic information and information technology that conforms to the standards for accessible electronic information and information technology as set forth by s. 508 of the Rehabilitation Act of 1973, as amended, and 29 U.S.C. s. 794(d), including the regulations set forth under 36 C.F.R. part 1194.

(2) “Alternate methods” means a different means of providing information to people with disabilities, including product documentation. The term includes, but is not limited to, voice, facsimile, relay service, TTY, Internet posting, captioning, text-to-speech synthesis, and audio description.

(3) “Electronic information and information technology” includes information technology and any equipment or interconnected system or subsystem of equipment that is used in creating, converting, or duplicating data or information. The term includes, but is not limited to, telecommunications products such as telephones, information kiosks and transaction machines, Internet websites, multimedia systems, and office equipment such as copiers and facsimile machines. The term does not include any equipment that contains embedded information technology that is an integral part of the product if the principal function of the technology is not the acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.

(4) “Information technology” means any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. The term includes computers, ancillary equipment, software, firmware and similar procedures, services, and support services, and related resources.

(5) “Undue burden” means significant difficulty or expense. In determining whether an action would result in an undue burden, a state agency shall consider all agency resources that are available to the program or component for which the product is being developed, procured, maintained, or used.

(6) “State agency” means any agency of the executive, legislative, or judicial branch of state government.

History.—s. 73, ch. 2006-227.

282.603 Access to electronic and information technology for persons with disabilities; undue burden; limitations.—

(1) Each state agency shall develop, procure, maintain, and use accessible electronic information and information technology acquired on or after July 1, 2006, that conforms to the applicable provisions set forth by s. 508 of the Rehabilitation Act of 1973, as amended, and 29 U.S.C. s. 794(d), including the regulations set forth under 36 C.F.R. part 1194, except when compliance with this section imposes an undue burden; however, in such instance, a state agency must provide individuals with disabilities with the information and data involved by an alternative method of access that allows the individual to use the information and data.

(2) This section does not require a state agency to install specific accessibility-related software or attach an assistive technology device at a work station of a state employee who is not an individual with a disability.

(3) This section does not require a state agency, when providing the public with access to information or data through electronic information technology, to make products owned by the state agency available for access and use by individuals with disabilities at a location other than the location at which the electronic information and information technology are normally provided to the public. This section does not require a state agency to purchase products for access and use by individuals with disabilities at a location other than at the location where the electronic information and information technology are normally provided to the public.

History.—s. 73, ch. 2006-227.

282.604 Adoption of rules.—The Department of Management Services shall, with input from stakeholders, adopt rules pursuant to ss. 120.536(1) and 120.54 for the development, procurement, maintenance, and use of accessible electronic information technology by governmental units.

History.—s. 73, ch. 2006-227.

282.605 Exceptions.—

(1) This part does not apply to electronic information and information technology of the Department of Military Affairs or the Florida National Guard if the function, operation, or use of the information or technology involves intelligence activities or cryptologic activities related to national security, the command and control of military forces, equipment that is an integral part of a weapon or weapons system, or systems that are critical to the direct fulfillment of military or intelligence missions. Systems that are critical to the direct fulfillment of military or intelligence missions do not include a system that is used for routine administrative and business applications, including, but not limited to, payroll, finance, logistics, and personnel management applications.

(2) This part does not apply to electronic information and information technology of a state agency if the function, operation, or use of the information or technology involves criminal intelligence activities. Such activities do not include information or technology that is used for routine administrative and business applications, including, but not limited to, payroll, finance, logistics, and personnel management applications.

(3) This part does not apply to electronic information and information technology that is acquired by a contractor and that is incidental to the contract.

(4) This part applies to competitive solicitations issued or new systems developed by a state agency on or after July 1, 2006.

History.—s. 73, ch. 2006-227.

282.606 Intent.—It is the intent of the Legislature that, in construing this part, due consideration and great weight be given to the interpretations of the federal courts relating to comparable provisions of s. 508 of the Rehabilitation Act of 1973, as amended, and 29 U.S.C. s. 794(d), including the regulations set forth under 36 C.F.R. part 1194, as of July 1, 2006.

History.—s. 73, ch. 2006-227.

PART III

COMMUNICATION INFORMATION
TECHNOLOGY SERVICES

282.701 Short title.

282.702 Powers and duties.

282.703 SUNCOM Network; exemptions from the required use.

282.704 Use of state SUNCOM Network by municipalities.

282.705 Use of state SUNCOM Network by nonprofit corporations.

282.706 Use of SUNCOM Network by libraries.

282.707 SUNCOM Network; criteria for usage.

282.708 Emergency assumption of control.

282.709 State agency law enforcement radio system and interoperability network.

282.7101 Statewide system of regional law enforcement communications.

282.711 Remote electronic access services.

282.701 Short title.—This part may be cited as the “Communication Information Technology Services Act.”

History.—s. 16, ch. 2009-80.

282.702 Powers and duties.—The Department of Management Services shall have the following powers, duties, and functions:

(1) To publish electronically the portfolio of services available from the department, including pricing information; the policies and procedures governing usage of available services; and a forecast of the department’s priorities for each telecommunications service.

(2) To adopt technical standards by rule for the state telecommunications network which ensure the interconnection and operational security of computer networks, telecommunications, and information systems of agencies.

(3) To enter into agreements related to information technology and telecommunications services with state agencies and political subdivisions of the state.

(4) To purchase from or contract with information technology providers for information technology, including private line services.

(5) To apply for, receive, and hold authorizations, patents, copyrights, trademarks, service marks, licenses, and allocations or channels and frequencies to carry out the purposes of this part.

(6) To purchase, lease, or otherwise acquire and to hold, sell, transfer, license, or otherwise dispose of real, personal, and intellectual property, including, but not limited to, patents, trademarks, copyrights, and service marks.

(7) To cooperate with any federal, state, or local emergency management agency in providing for emergency telecommunications services.

(8) To control and approve the purchase, lease, or acquisition and the use of telecommunications services, software, circuits, and equipment provided as part of any other total telecommunications system to be used by the state or its agencies.

(9) To adopt rules pursuant to ss. 120.536(1) and 120.54 relating to telecommunications and to administer the provisions of this part.

(10) To apply for and accept federal funds for the purposes of this part as well as gifts and donations from individuals, foundations, and private organizations.

(11) To monitor issues relating to telecommunications facilities and services before the Florida Public Service Commission and the Federal Communications Commission and, if necessary, prepare position papers, prepare testimony, appear as a witness, and retain witnesses on behalf of state agencies in proceedings before the commissions.

(12) Unless delegated to the agencies by the department, to manage and control, but not intercept or interpret, telecommunications within the SUNCOM Network by:

(a) Establishing technical standards to physically interface with the SUNCOM Network.

(b) Specifying how telecommunications are transmitted within the SUNCOM Network.

(d) Establishing standards, policies, and procedures for access to and the security of the SUNCOM Network.

(e) Ensuring orderly and reliable telecommunications services in accordance with the service level agreements executed with state agencies.

(13) To plan, design, and conduct experiments for telecommunications services, equipment, and technologies, and to implement enhancements in the state telecommunications network if in the public interest and cost-effective. Funding for such experiments must be derived from SUNCOM Network service revenues and may not exceed 2 percent of the annual budget for the SUNCOM Network for any fiscal year or as provided in the General Appropriations Act. New services offered as a result of this subsection may not affect existing rates for facilities or services.

(14) To enter into contracts or agreements, with or without competitive bidding or procurement, to make available, on a fair, reasonable, and nondiscriminatory basis, property and other structures under departmental control for the placement of new facilities by any wireless provider of mobile service as defined in 47 U.S.C. s. 153(27) or s. 332(d) and any telecommunications company as defined in s. 364.02 if it is practical and feasible to make such property or other structures available. The department may, without adopting a rule, charge a just, reasonable, and nondiscriminatory fee for the placement of the facilities, payable annually, based on the fair market value of space used by comparable telecommunications facilities in the state. The department and a wireless provider or telecommunications company may negotiate the reduction or elimination of a fee in consideration of services provided to the department by the wireless provider or telecommunications company. All such fees collected by the department shall be deposited directly into the Law Enforcement Radio Operating Trust Fund, and may be used by the department to construct, maintain, or support the system.

(15) Establish policies that ensure that the department’s cost-recovery methodologies, billings, receivables, expenditures, budgeting, and accounting data are captured and reported timely, consistently, accurately, and transparently and are in compliance with all applicable federal and state laws and rules. The department shall annually submit to the Governor, the President of the Senate, and the Speaker of the House of Representatives a report that describes each service and its cost, the billing methodology for recovering the cost of the service, and, if applicable, the identity of those services that are subsidized.

History.—s. 22, ch. 69-106; s. 1, ch. 70-327; s. 36, ch. 83-334; s. 11, ch. 87-137; s. 220, ch. 92-279; s. 55, ch. 92-326; s. 16, ch. 95-143; s. 1, ch. 96-357; s. 9, ch. 96-390; s. 11, ch. 97-286; s. 65, ch. 98-279; s. 5, ch. 2000-164; s. 11, ch. 2001-261; s. 36, ch. 2002-1; s. 18, ch. 2007-105; s. 17, ch. 2009-80; s. 48, ch. 2010-5; s. 10, ch. 2010-148.

Note.—Former s. 287.25; s. 282.102.

282.703 SUNCOM Network; exemptions from the required use.—

(1) The SUNCOM Network is established within the department as the state enterprise telecommunications system for providing local and long-distance communications services to state agencies, political subdivisions of the state, municipalities, and nonprofit corporations pursuant to this part. The SUNCOM Network shall be developed to transmit all types of telecommunications signals, including, but not limited to, voice, data, video, image, and radio. State agencies shall cooperate and assist in the development and joint use of telecommunications systems and services.

(2) The department shall design, engineer, implement, manage, and operate through state ownership, commercial leasing, contracted services, or some combination thereof, the facilities, equipment, and contracts providing SUNCOM Network services, and shall develop a system of equitable billings and charges for telecommunications services.

(3) The department shall own, manage, and establish standards for the telecommunications addressing and numbering plans for the SUNCOM Network. This includes distributing or revoking numbers and addresses to authorized users of the network and delegating or revoking the delegation of management of subsidiary groups of numbers and addresses to authorized users of the network.

(4) The department shall maintain a directory of information and services which provides the names, phone numbers, and e-mail addresses for employees, agencies, and network devices that are served, in whole or in part, by the SUNCOM Network. State agencies and political subdivisions of the state shall cooperate with the department by providing timely and accurate directory information in the manner established by the department.

(5) All state agencies shall use the SUNCOM Network for agency telecommunications services as the services become available; however, an agency is not relieved of responsibility for maintaining telecommunications services necessary for effective management of its programs and functions. The department may provide such communications services to a state university if requested by the university.

(a) If a SUNCOM Network service does not meet the telecommunications requirements of an agency, the agency must notify the department in writing and detail the requirements for that service. If the department is unable to meet an agency’s requirements by enhancing SUNCOM Network service, the department may grant the agency an exemption from the required use of specified SUNCOM Network services.

(b) Unless an exemption has been granted by the department, effective October 1, 2010, all customers of a state primary data center, excluding state universities, must use the shared SUNCOM Network telecommunications services connecting the state primary data center to SUNCOM services for all telecommunications needs in accordance with department rules.

1. Upon discovery of customer noncompliance with this paragraph, the department shall provide the affected customer with a schedule for transferring to the shared telecommunications services provided by the SUNCOM Network and an estimate of all associated costs. The state primary data centers and their customers shall cooperate with the department to accomplish the transfer.

2. Customers may request an exemption from this paragraph in the same manner as authorized in paragraph (a).

(6) This section may not be construed to require a state university to use SUNCOM Network communication services.

History.—s. 22, ch. 69-106; s. 13, ch. 87-137; s. 3, ch. 91-171; s. 222, ch. 92-279; s. 55, ch. 92-326; s. 10, ch. 96-390; s. 66, ch. 98-279; s. 6, ch. 2000-164; s. 12, ch. 2001-261; s. 935, ch. 2002-387; s. 19, ch. 2007-105; s. 18, ch. 2009-80; s. 6, ch. 2010-78; s. 11, ch. 2010-148.

Note.—Former s. 287.27; s. 282.103.

282.704 Use of state SUNCOM Network by municipalities.—Any municipality may request the department to provide any or all of the SUNCOM Network’s portfolio of communications services upon such terms and conditions as the department may establish. The requesting municipality shall pay its share of installation and recurring costs according to the published rates for SUNCOM Network services and as invoiced by the department. Such municipality shall also pay for any requested modifications to existing SUNCOM Network services, if any charges apply.

History.—s. 3, ch. 82-56; s. 1, ch. 83-70; s. 14, ch. 87-137; s. 11, ch. 96-390; s. 67, ch. 98-279; s. 7, ch. 2000-164; s. 13, ch. 2001-261; s. 19, ch. 2009-80.

Note.—Former s. 287.251; s. 282.104.

282.705 Use of state SUNCOM Network by nonprofit corporations.—

(1) The department shall provide a means whereby private nonprofit corporations under contract with state agencies or political subdivisions of the state may use the state SUNCOM Network, subject to the limitations in this section. In order to qualify to use the state SUNCOM Network, a nonprofit corporation shall:

(a) Expend the majority of its total direct revenues for the provision of contractual services to the state, a municipality, or a political subdivision; and

(b) Receive only a small portion of its total revenues from any source other than a state agency, a municipality, or a political subdivision during the time SUNCOM Network services are requested.

(2) Each nonprofit corporation seeking authorization to use the state SUNCOM Network shall provide to the department, upon request, proof of compliance with subsection (1).

(3) Nonprofit corporations established pursuant to general law and an association of municipal governments which is wholly owned by the municipalities are eligible to use the state SUNCOM Network, subject to the terms and conditions of the department.

(4) Institutions qualified to participate in the William L. Boyd, IV, ¹Effective Access to Student Education Grant Program pursuant to s. 1009.89 are eligible to use the state SUNCOM Network, subject to the terms and conditions of the department. Such entities are not required to satisfy the other criteria of this section.

(5) Private, nonprofit elementary and secondary schools are eligible for rates and services on the same basis as public schools if such schools do not have an endowment in excess of $50 million.

History.—s. 1, ch. 80-107; s. 2, ch. 82-56; s. 3, ch. 83-70; s. 15, ch. 87-137; s. 223, ch. 92-279; s. 55, ch. 92-326; s. 197, ch. 95-148; s. 12, ch. 96-390; s. 19, ch. 97-296; s. 68, ch. 98-279; s. 36, ch. 99-399; s. 8, ch. 2000-164; s. 14, ch. 2001-261; s. 936, ch. 2002-387; s. 20, ch. 2009-80; s. 25, ch. 2018-4.

¹Note.—Section 25, ch. 2018-4, directs the Division of Law Revision and Information “to substitute the term ‘Effective Access to Student Education Grant Program’ for ‘Florida Resident Access Grant Program’ and the term ‘Effective Access to Student Education grant’ for ‘Florida resident access grant’ wherever those terms appear in the Florida Statutes.”

Note.—Former s. 287.272; s. 282.105.

282.706 Use of SUNCOM Network by libraries.—The department may provide SUNCOM Network services to any library in the state, including libraries in public schools, community colleges, state universities, and nonprofit private postsecondary educational institutions, and libraries owned and operated by municipalities and political subdivisions. This section may not be construed to require a state university library to use SUNCOM Network services.

History.—s. 2, ch. 96-357; s. 9, ch. 2000-164; s. 15, ch. 2001-261; s. 937, ch. 2002-387; s. 21, ch. 2009-80; s. 7, ch. 2010-78.

Note.—Former s. 282.106.

282.707 SUNCOM Network; criteria for usage.—

(1) The department and customers served by the department shall periodically review the qualifications of subscribers using the state SUNCOM Network and terminate services provided to a facility not qualified under this part or rules adopted hereunder. In the event of nonpayment of invoices by subscribers whose SUNCOM Network invoices are paid from sources other than legislative appropriations, such nonpayment represents good and sufficient reason to terminate service.

(2) The department shall adopt rules for implementing and operating the state SUNCOM Network, which include procedures for withdrawing and restoring authorization to use the state SUNCOM Network. Such rules shall provide a minimum of 30 days’ notice to affected parties before terminating voice communications service.

(3) This section does not limit or restrict the ability of the Florida Public Service Commission to set jurisdictional tariffs of telecommunications companies.

History.—s. 1, ch. 82-56; s. 2, ch. 83-70; s. 16, ch. 87-137; s. 13, ch. 96-390; s. 33, ch. 2000-152; s. 10, ch. 2000-164; s. 20, ch. 2007-105; s. 22, ch. 2009-80; s. 12, ch. 2010-148.

Note.—Former s. 287.255; s. 282.107.

282.708 Emergency assumption of control.—In the event of an emergency, the Governor may direct emergency management assumption of control over all or part of the state communications system.

History.—s. 22, ch. 69-106; s. 37, ch. 83-334; s. 23, ch. 2009-80.

Note.—Former s. 287.28; s. 282.109.

282.709 State agency law enforcement radio system and interoperability network.—

(1) The department may acquire and administer a statewide radio communications system to serve law enforcement units of state agencies, and to serve local law enforcement agencies through mutual aid channels.

(a) The department shall, in conjunction with the Department of Law Enforcement and the Division of Emergency Management, establish policies, procedures, and standards to be incorporated into a comprehensive management plan for the use and operation of the statewide radio communications system.

(b) The department shall bear the overall responsibility for the design, engineering, acquisition, and implementation of the statewide radio communications system and for ensuring the proper operation and maintenance of all common system equipment.

(c)1. The department may rent or lease space on any tower under its control and refuse to lease space on any tower at any site.

2. The department may rent, lease, or sublease ground space as necessary to locate equipment to support antennae on the towers. The costs for the use of such space shall be established by the department for each site if it is determined to be practicable and feasible to make space available.

3. The department may rent, lease, or sublease ground space on lands acquired by the department for the construction of privately owned or publicly owned towers. The department may, as a part of such rental, lease, or sublease agreement, require space on such towers for antennae as necessary for the construction and operation of the state agency law enforcement radio system or any other state need.

4. All moneys collected by the department for rents, leases, and subleases under this subsection shall be deposited directly into the State Agency Law Enforcement Radio System Trust Fund established in subsection (3) and may be used by the department to construct, maintain, or support the system.

5. The positions necessary for the department to accomplish its duties under this subsection shall be established in the General Appropriations Act and funded by the Law Enforcement Radio Operating Trust Fund or other revenue sources.

(d) The department shall exercise its powers and duties under this part to plan, manage, and administer the mutual aid channels in the statewide radio communication system.

1. In implementing such powers and duties, the department shall consult and act in conjunction with the Department of Law Enforcement and the Division of Emergency Management, and shall manage and administer the mutual aid channels in a manner that reasonably addresses the needs and concerns of the involved law enforcement agencies and emergency response agencies and entities.

2. The department may make the mutual aid channels available to federal agencies, state agencies, and agencies of the political subdivisions of the state for the purpose of public safety and domestic security.

(e) The department may allow other state agencies to use the statewide radio communications system under terms and conditions established by the department.

(2) The Joint Task Force on State Agency Law Enforcement Communications is created adjunct to the department to advise the department of member-agency needs relating to the planning, designing, and establishment of the statewide communication system.

(a) The Joint Task Force on State Agency Law Enforcement Communications shall consist of the following members:

1. A representative of the Division of Alcoholic Beverages and Tobacco of the Department of Business and Professional Regulation who shall be appointed by the secretary of the department.

2. A representative of the Division of Florida Highway Patrol of the Department of Highway Safety and Motor Vehicles who shall be appointed by the executive director of the department.

3. A representative of the Department of Law Enforcement who shall be appointed by the executive director of the department.

4. A representative of the Fish and Wildlife Conservation Commission who shall be appointed by the executive director of the commission.

5. A representative of the Department of Corrections who shall be appointed by the secretary of the department.

6. A representative of the Department of Financial Services who shall be appointed by the Chief Financial Officer.

7. A representative of the Department of Agriculture and Consumer Services who shall be appointed by the Commissioner of Agriculture.

8. A representative of the Florida Sheriffs Association who shall be appointed by the president of the Florida Sheriffs Association.

(b) Each appointed member of the joint task force shall serve at the pleasure of the appointing official. Any vacancy on the joint task force shall be filled in the same manner as the original appointment. A joint task force member may, upon notification to the chair before the beginning of any scheduled meeting, appoint an alternative to represent the member on the task force and vote on task force business in his or her absence.

(c) The joint task force shall elect a chair from among its members to serve a 1-year term. A vacancy in the chair of the joint task force must be filled for the remainder of the unexpired term by an election of the joint task force members.

(d) The joint task force shall meet as necessary, but at least quarterly, at the call of the chair and at the time and place designated by him or her.

(e) The per diem and travel expenses incurred by a member of the joint task force who represents a state agency in attending task force meetings and in attending to task force affairs shall be paid pursuant to s. 112.061, from funds budgeted to the state agency that the member represents. The per diem and travel expenses incurred by the member of the task force who represents the Florida Sheriffs Association in attending task force meetings and in attending to task force affairs shall be paid pursuant to s. 112.061, by the sheriff’s office that employs the representative.

(f) The department shall provide technical support to the joint task force.

(3) The State Agency Law Enforcement Radio System Trust Fund is established in the department and funded from surcharges collected under ss. 318.18, 320.0802, and 328.72. Upon appropriation, moneys in the trust fund may be used by the department to acquire by competitive procurement the equipment, software, and engineering, administrative, and maintenance services it needs to construct, operate, and maintain the statewide radio system. Moneys in the trust fund from surcharges shall be used to help fund the costs of the system. Upon completion of the system, moneys in the trust fund may also be used by the department for payment of the recurring maintenance costs of the system.

(4) The department may create and administer an interoperability network to enable interoperability between various radio communications technologies and to serve federal agencies, state agencies, and agencies of political subdivisions of the state for the purpose of public safety and domestic security.

(a) The department shall, in conjunction with the Department of Law Enforcement and the Division of Emergency Management, exercise its powers and duties pursuant to this chapter to plan, manage, and administer the interoperability network. The office may:

1. Enter into mutual aid agreements among federal agencies, state agencies, and political subdivisions of the state for the use of the interoperability network.

2. Establish the cost of maintenance and operation of the interoperability network and charge subscribing federal and local law enforcement agencies for access and use of the network. The department may not charge state law enforcement agencies identified in paragraph (2)(a) to use the network.

3. In consultation with the Department of Law Enforcement and the Division of Emergency Management, amend and enhance the statewide radio communications system as necessary to implement the interoperability network.

(b) The department, in consultation with the Joint Task Force on State Agency Law Enforcement Communications, and in conjunction with the Department of Law Enforcement and the Division of Emergency Management, shall establish policies, procedures, and standards to incorporate into a comprehensive management plan for the use and operation of the interoperability network.

History.—s. 1, ch. 88-144; s. 1, ch. 92-72; s. 224, ch. 92-279; s. 55, ch. 92-326; s. 30, ch. 94-218; s. 111, ch. 94-356; s. 860, ch. 95-148; s. 5, ch. 95-283; s. 1, ch. 96-312; s. 5, ch. 96-357; s. 10, ch. 96-388; s. 14, ch. 96-390; s. 6, ch. 98-251; s. 69, ch. 98-279; s. 81, ch. 99-245; s. 3, ch. 99-289; s. 37, ch. 99-399; s. 11, ch. 2000-164; s. 16, ch. 2001-261; s. 2, ch. 2003-153; s. 308, ch. 2003-261; s. 24, ch. 2009-80; s. 24, ch. 2011-47; s. 125, ch. 2011-142; s. 10, ch. 2012-88; s. 21, ch. 2012-119; s. 5, ch. 2014-18; ss. 29, 30, 66, ch. 2014-53; s. 4, ch. 2014-150; ss. 42, 43, ch. 2015-222; ss. 71, 72, ch. 2016-62; s. 27, ch. 2016-165; s. 26, ch. 2017-71; s. 1, ch. 2018-67.

Note.—Former s. 282.1095.

282.7101 Statewide system of regional law enforcement communications.—

(1) It is the intent and purpose of the Legislature that a statewide system of regional law enforcement communications be developed whereby maximum efficiency in the use of existing radio channels is achieved in order to deal more effectively with the apprehension of criminals and the prevention of crime. To this end, all law enforcement agencies within the state are directed to provide the department with any information the department requests for the purpose of implementing the provisions of subsection (2).

(2) The department is hereby authorized and directed to develop and maintain a statewide system of regional law enforcement communications. In formulating such a system, the department shall divide the state into appropriate regions and shall develop a program that includes, but is not limited to:

(a) The communications requirements for each county and municipality comprising the region.

(b) An interagency communications provision that depicts the communication interfaces between municipal, county, and state law enforcement entities operating within the region.

(c) A frequency allocation and use provision that includes, on an entity basis, each assigned and planned radio channel and the type of operation, simplex, duplex, or half-duplex, on each channel.

(3) The department shall adopt any necessary rules and regulations for administering and coordinating the statewide system of regional law enforcement communications.

(4) The secretary of the department or his or her designee is designated as the director of the statewide system of regional law enforcement communications and, for the purpose of carrying out the provisions of this section, may coordinate the activities of the system with other interested state agencies and local law enforcement agencies.

(5) A law enforcement communications system may not be established or expanded without the prior approval of the department.

(6) Within the limits of its capability, the Department of Law Enforcement is encouraged to lend assistance to the department in the development of the statewide system of regional law enforcement communications proposed by this section.

History.—ss. 1, 2, 3, 4, 5, 6, ch. 72-296; s. 1, ch. 77-174; s. 12, ch. 79-8; s. 225, ch. 92-279; s. 55, ch. 92-326; s. 11, ch. 96-388; s. 15, ch. 96-390; s. 7, ch. 98-251; s. 70, ch. 98-279; s. 42, ch. 99-399; s. 12, ch. 2000-164; s. 17, ch. 2001-261; s. 25, ch. 2009-80.

Note.—Former s. 287.29; s. 282.111.

282.711 Remote electronic access services.—The department may collect fees for providing remote electronic access pursuant to s. 119.07(2). The fees may be imposed on individual transactions or as a fixed subscription for a designated period of time. All fees collected under this section shall be deposited in the appropriate trust fund of the program or activity that made the remote electronic access available.

History.—s. 13, ch. 97-241; s. 14, ch. 2000-164; s. 19, ch. 2001-261; s. 37, ch. 2004-335; s. 26, ch. 2009-80.

Note.—Former s. 282.21.