Florida Senate - 2011 CONFERENCE COMMITTEE AMENDMENT
Bill No. SB 2098, 1st Eng.
Barcode 490478
LEGISLATIVE ACTION
Senate . House
.
.
.
Floor: AD/CR .
05/06/2011 05:46 PM .
—————————————————————————————————————————————————————————————————
—————————————————————————————————————————————————————————————————
The Conference Committee on SB 2098, 1st Eng. recommended the
following:
1 Senate Conference Committee Amendment (with title
2 amendment)
3
4 Delete everything after the enacting clause
5 and insert:
6 Section 1. Subsections (4), (5), and (6) of section 14.204,
7 Florida Statutes, are amended to read:
8 14.204 Agency for Enterprise Information Technology.—The
9 Agency for Enterprise Information Technology is created within
10 the Executive Office of the Governor.
11 (4) The agency shall have the following duties and
12 responsibilities:
13 (a) Develop strategies for the design, planning, project
14 management, delivery, and management of the enterprise
15 information technology services established in law, including
16 the state data center system service established in s. 282.201,
17 the information technology security service established in s.
18 282.318, and the statewide e-mail service established in s.
19 282.34.
20 (b) Monitor the implementation, delivery, and management of
21 the enterprise information technology services as established in
22 law.
23 (c) Make recommendations to the agency head and the
24 Legislature concerning other information technology services
25 that should be designed, delivered, and managed as enterprise
26 information technology services as defined in s. 282.0041.
27 (d) Plan and establish policies for managing proposed
28 statutorily authorized enterprise information technology
29 services, which includes:
30 1. Developing business cases that, when applicable, include
31 the components identified in s. 287.0571;
32 2. Establishing and coordinating project-management teams;
33 3. Establishing formal risk-assessment and mitigation
34 processes; and
35 4. Providing for independent monitoring of projects for
36 recommended corrective actions.
37 (e) Beginning October 1, 2010, Develop, publish, and
38 biennially update a long-term strategic enterprise information
39 technology plan that identifies and recommends strategies and
40 opportunities to improve the delivery of cost-effective and
41 efficient enterprise information technology services to be
42 proposed for establishment pursuant to s. 282.0056.
43 (f) Perform duties related to enterprise information
44 technology services, including the state data center system
45 established in as provided in s. 282.201, the information
46 technology security service established in s. 282.318, and the
47 statewide e-mail service established in s. 282.34.
48 (g) Coordinate technology resource acquisition planning,
49 and assist the Department of Management Service’s Division of
50 Purchasing with using aggregate buying methodologies whenever
51 possible and with procurement negotiations for hardware and
52 software products and services in order to improve the
53 efficiency and reduce the cost of enterprise information
54 technology services.
55 (h) In consultation with the Division of Purchasing in the
56 Department of Management Services, coordinate procurement
57 negotiations for information technology products as defined in
58 s. 282.0041 which will be used by multiple agencies.
59 (i) In coordination with, and through the services of, the
60 Division of Purchasing in the Department of Management Services,
61 establish best practices for the procurement of information
62 technology products as defined in s. 282.0041 in order to
63 achieve savings for the state.
64 (j) Develop information technology standards for the
65 efficient design, planning, project management, implementation,
66 and delivery of enterprise information technology services. All
67 state agencies must make the transition to the new standards.
68 (k) Provide annually, by December 31, recommendations to
69 the Legislature relating to techniques for consolidating the
70 purchase of information technology commodities and services,
71 which result in savings for the state, and for establishing a
72 process to achieve savings through consolidated purchases.
73 (5) The Office of Information Security shall be created
74 within the agency. The agency shall designate a state Chief
75 Information Security Officer who shall oversee the office and
76 report directly to the executive director.
77 (6) The agency shall operate in a manner that ensures the
78 participation and representation of state agencies and the
79 Agency Chief Information Officers Council established in s.
80 282.315.
81 Section 2. Subsection (10) of section 20.315, Florida
82 Statutes, is amended to read:
83 20.315 Department of Corrections.—There is created a
84 Department of Corrections.
85 (10) SINGLE INFORMATION AND RECORDS SYSTEM.—There shall be
86 Only one offender-based information and records computer system
87 shall be maintained by the Department of Corrections for the
88 joint use of the department and the Parole Commission. The This
89 data system shall be managed through the department’s office of
90 information technology Justice Data Center. The department shall
91 develop and maintain, in consultation with the Criminal and
92 Juvenile Justice Information Systems Council under s. 943.08,
93 such offender-based information, including clemency
94 administration information and other computer services to serve
95 the needs of both the department and the Parole Commission. The
96 department shall notify the commission of all violations of
97 parole and the circumstances thereof.
98 Section 3. Present subsections (4) through (30) of section
99 282.0041, Florida Statutes, are redesignated as subsections (2)
100 through (28), respectively, and present subsections (2), (3),
101 (14), and (19) of that section are amended, to read:
102 282.0041 Definitions.—As used in this chapter, the term:
103 (2) “Agency chief information officer” means the person
104 employed by the agency head to coordinate and manage the
105 information technology functions and responsibilities applicable
106 to that agency, to participate and represent the agency in
107 developing strategies for implementing enterprise information
108 technology services established pursuant to this part, and to
109 develop recommendations for enterprise information technology
110 policy.
111 (3) “Agency Chief Information Officers Council” means the
112 council created in s. 282.315.
113 (12)(14) “E-mail, messaging, and calendaring service” means
114 the enterprise information technology service that enables users
115 to send, receive, file, store, manage, and retrieve electronic
116 messages, attachments, appointments, and addresses. The e-mail,
117 messaging, and calendaring service must include e-mail account
118 management; help desk; technical support and user provisioning
119 services; disaster recovery and backup and restore capabilities;
120 antispam and antivirus capabilities; archiving and e-discovery;
121 and remote access and mobile messaging capabilities.
122 (17)(19) “Primary data center” means a state or nonstate
123 agency data center that is a recipient entity for consolidation
124 of nonprimary data centers and computing facilities and that is
125 established by. A primary data center may be authorized in law
126 or designated by the Agency for Enterprise Information
127 Technology pursuant to s. 282.201.
128 Section 4. Subsection (1) of section 282.0056, Florida
129 Statutes, is amended to read:
130 282.0056 Development of work plan; development of
131 implementation plans; and policy recommendations.—
132 (1) For the purposes of carrying out its responsibilities
133 under s. 282.0055, the Agency for Enterprise Information
134 Technology shall develop an annual work plan within 60 days
135 after the beginning of the fiscal year describing the activities
136 that the agency intends to undertake for that year, including
137 proposed outcomes and completion timeframes for the planning and
138 implementation of all enterprise information technology
139 services. The work plan must be presented at a public hearing
140 and that includes the Agency Chief Information Officers Council,
141 which may review and comment on the plan. The work plan must
142 thereafter be approved by the Governor and Cabinet, and
143 thereafter submitted to the President of the Senate and the
144 Speaker of the House of Representatives. The work plan may be
145 amended as needed, subject to approval by the Governor and
146 Cabinet.
147 Section 5. Subsections (2) and (3) of section 282.201,
148 Florida Statutes, are amended, present subsections (4) and (5)
149 of that section are amended and renumbered as subsections (5)
150 and (6), respectively, and a new subsection (4) is added to that
151 section, to read:
152 282.201 State data center system; agency duties and
153 limitations.—A state data center system that includes all
154 primary data centers, other nonprimary data centers, and
155 computing facilities, and that provides an enterprise
156 information technology service as defined in s. 282.0041, is
157 established.
158 (2) AGENCY FOR ENTERPRISE INFORMATION TECHNOLOGY DUTIES.
159 The Agency for Enterprise Information Technology shall:
160 (a) Collect and maintain information necessary for
161 developing policies relating to the data center system,
162 including, but not limited to, an inventory of facilities.
163 (b) Annually approve cost-recovery mechanisms and rate
164 structures for primary data centers which recover costs through
165 charges to customer entities.
166 (c) By September 30 December 31 of each year, submit to the
167 Legislature, the Executive Office of the Governor, and the
168 primary data centers Legislature recommendations to improve the
169 efficiency and cost-effectiveness effectiveness of computing
170 services provided by state data center system facilities. Such
171 recommendations must may include, but need not be limited to:
172 1. Policies for improving the cost-effectiveness and
173 efficiency of the state data center system, which includes the
174 primary data centers being transferred to a shared, virtualized
175 server environment, and the associated cost savings resulting
176 from the implementation of such policies.
177 2. Infrastructure improvements supporting the consolidation
178 of facilities or preempting the need to create additional data
179 centers or computing facilities.
180 3. Standards for an objective, credible energy performance
181 rating system that data center boards of trustees can use to
182 measure state data center energy consumption and efficiency on a
183 biannual basis.
184 3.4. Uniform disaster recovery standards.
185 4.5. Standards for primary data centers which provide cost
186 effective services and providing transparent financial data to
187 user agencies.
188 5.6. Consolidation of contract practices or coordination of
189 software, hardware, or other technology-related procurements and
190 the associated cost savings.
191 6.7. Improvements to data center governance structures.
192 (d) By October 1 of each year beginning in 2011, provide
193 recommendations 2009, recommend to the Governor and Legislature
194 relating to changes to the schedule for the consolidations of
195 state agency data centers as provided in subsection (4) at least
196 two nonprimary data centers for consolidation into a primary
197 data center or nonprimary data center facility.
198 1. The consolidation proposal must provide a transition
199 plan that includes:
200 a. Estimated transition costs for each data center or
201 computing facility recommended for consolidation;
202 b. Detailed timeframes for the complete transition of each
203 data center or computing facility recommended for consolidation;
204 c. Proposed recurring and nonrecurring fiscal impacts,
205 including increased or decreased costs and associated budget
206 impacts for affected budget entities;
207 d. Substantive legislative changes necessary to implement
208 the transition; and
209 e. Identification of computing resources to be transferred
210 and those that will remain in the agency. The transfer of
211 resources must include all hardware, software, staff, contracted
212 services, and facility resources performing data center
213 management and operations, security, backup and recovery,
214 disaster recovery, system administration, database
215 administration, system programming, job control, production
216 control, print, storage, technical support, help desk, and
217 managed services but excluding application development.
218 1.2. The recommendations must shall be based on the goal of
219 maximizing current and future cost savings by. The agency shall
220 consider the following criteria in selecting consolidations that
221 maximize efficiencies by providing the ability to:
222 a. Consolidating Consolidate purchase decisions;
223 b. Leveraging Leverage expertise and other resources to
224 gain economies of scale;
225 c. Implementing Implement state information technology
226 policies more effectively; and
227 d. Maintaining or improving Maintain or improve the level
228 of service provision to customer entities; and
229 e. Make progress towards the state’s goal of consolidating
230 data centers and computing facilities into primary data centers.
231 2.3. The agency shall establish workgroups as necessary to
232 ensure participation by affected agencies in the development of
233 recommendations related to consolidations.
234 (e) By December 31, 2010, the agency shall develop and
235 submit to the Legislature an overall consolidation plan for
236 state data centers. The plan shall indicate a timeframe for the
237 consolidation of all remaining nonprimary data centers into
238 primary data centers, including existing and proposed primary
239 data centers, by 2019.
240 (e)(f) Develop and establish rules relating to the
241 operation of the state data center system which comply with
242 applicable federal regulations, including 2 C.F.R. part 225 and
243 45 C.F.R. The agency shall publish notice of rule development in
244 the Florida Administrative Weekly by October 1, 2011. The rules
245 must may address:
246 1. Ensuring that financial information is captured and
247 reported consistently and accurately.
248 2. Identifying standards for hardware, including standards
249 for a shared, virtualized server environment, and operations
250 system software and other operational software, including
251 security and network infrastructure, for the primary data
252 centers; requiring compliance with such standards in order to
253 enable the efficient consolidation of the agency data centers or
254 computing facilities; and providing an exemption process from
255 compliance with such standards, which must be consistent with
256 paragraph (5)(b).
257 2. Requiring the establishment of service-level agreements
258 executed between a data center and its customer entities for
259 services provided.
260 3. Requiring annual full cost recovery on an equitable
261 rational basis. The cost-recovery methodology must ensure that
262 no service is subsidizing another service and may include
263 adjusting the subsequent year’s rates as a means to recover
264 deficits or refund surpluses from a prior year.
265 4. Requiring that any special assessment imposed to fund
266 expansion is based on a methodology that apportions the
267 assessment according to the proportional benefit to each
268 customer entity.
269 5. Requiring that rebates be given when revenues have
270 exceeded costs, that rebates be applied to offset charges to
271 those customer entities that have subsidized the costs of other
272 customer entities, and that such rebates may be in the form of
273 credits against future billings.
274 6. Requiring that all service-level agreements have a
275 contract term of up to 3 years, but may include an option to
276 renew for up to 3 additional years contingent on approval by the
277 board, and require at least a 180-day notice of termination.
278 7. Designating any nonstate data center as a primary data
279 center if the center:
280 a. Has an established governance structure that represents
281 customer entities proportionally.
282 b. Maintains an appropriate cost-allocation methodology
283 that accurately bills a customer entity based on the actual
284 direct and indirect costs to the customer entity, and prohibits
285 the subsidization of one customer entity’s costs by another
286 entity.
287 c. Has sufficient raised floor space, cooling, and
288 redundant power capacity, including uninterruptible power supply
289 and backup power generation, to accommodate the computer
290 processing platforms and support necessary to host the computing
291 requirements of additional customer entities.
292 8. Removing a nonstate data center from primary data center
293 designation if the nonstate data center fails to meet standards
294 necessary to ensure that the state’s data is maintained pursuant
295 to subparagraph 7.
296 (3) STATE AGENCY DUTIES.—
297 (a) For the purpose of completing its work activities as
298 described in subsection (1), each state agency shall provide to
299 the Agency for Enterprise Information Technology all requested
300 information and any other information relevant to the agency’s
301 ability to effectively transition its computer services into a
302 primary data center. The agency shall also participate as
303 required in workgroups relating to specific consolidation
304 planning and implementation tasks as assigned by the Agency for
305 Enterprise Information Technology and determined necessary to
306 accomplish consolidation goals.
307 (b) Each state agency shall submit to the Agency for
308 Enterprise Information Technology information relating to its
309 data centers and computing facilities as required in
310 instructions issued by July 1 of each year by the Agency for
311 Enterprise Information Technology. The information required may
312 include:
313 1. Amount of floor space used and available.
314 2. Numbers and capacities of mainframes and servers.
315 3. Storage and network capacity.
316 4. Amount of power used and the available capacity.
317 5. Estimated expenditures by service area, including
318 hardware and software, numbers of full-time equivalent
319 positions, personnel turnover, and position reclassifications.
320 6. A list of contracts in effect for the fiscal year,
321 including, but not limited to, contracts for hardware, software
322 and maintenance, including the expiration date, the contract
323 parties, and the cost of the contract.
324 7. Service-level agreements by customer entity.
325 (c) The chief information officer of each state agency
326 shall assist the Agency for Enterprise Information Technology at
327 the request of the Agency for Enterprise Information Technology.
328 (c)(d) Each state agency customer of a primary data center
329 shall notify the data center, by May 31 and November 30 of each
330 year, of any significant changes in anticipated utilization of
331 data center services pursuant to requirements established by the
332 boards of trustees of each primary data center.
333 (4) SCHEDULE FOR CONSOLIDATIONS OF AGENCY DATA CENTERS.—
334 (a) Consolidations of agency data centers shall be made by
335 the date and to the specified primary data center as provided in
336 this section and in accordance with budget adjustments contained
337 in the General Appropriations Act.
338 (b) By December 31, 2011, the following shall be
339 consolidated into the Northwest Regional Data Center:
340 1. The Department of Education’s Knott Data Center in the
341 Turlington Building.
342 2. The Department of Education’s Division of Vocational
343 Rehabilitation.
344 3. The Department of Education’s Division of Blind
345 Services, except for the division’s disaster recovery site in
346 Daytona Beach.
347 4. The FCAT Explorer.
348 5. FACTS.org.
349 (c) During the 2011-2012 fiscal year, the following shall
350 be consolidated into the Southwood Shared Resource Center:
351 1. By September 30, 2011, the Department of Corrections.
352 2. By March 31, 2012, the Department of Transportation’s
353 Burns Building.
354 3. By March 31, 2012, the Department of Transportation’s
355 Survey & Mapping Office.
356 (d) During the 2011-2012 fiscal year, the following shall
357 be consolidated into the Northwood Shared Resource Center:
358 1. By July 1, 2011, the Department of Transportation’s
359 Office of Motor Carrier Compliance.
360 2. By March 31, 2012, the Department of Highway Safety and
361 Motor Vehicles.
362 (e) During the 2012-2013 fiscal year, the following shall
363 be consolidated into the Southwood Shared Resource Center:
364 1. By September 30, 2012, the Division of Emergency
365 Management and the Department of Community Affairs, except for
366 the Emergency Operation Center’s management system in
367 Tallahassee and the Camp Blanding Emergency Operations Center in
368 Starke.
369 2. By September 30, 2012, the Department of Revenue’s
370 Carlton Building and Imaging Center locations.
371 3. By December 31, 2012, the Department of Health’s Test
372 and Development Lab and all remaining data center resources
373 located at the Capital Circle Office Complex.
374 (f) During the 2012-2013 fiscal year, the following shall
375 be consolidated into the Northwood Shared Resource Center:
376 1. By July 1, 2012, the Agency for Health Care
377 Administration.
378 2. By December 31, 2012, the Department of Environmental
379 Protection’s Palmetto Commons.
380 3. By March 30, 2013, the Department of Law Enforcement’s
381 headquarters location.
382 (g) During the 2013-2014 fiscal year, the following
383 agencies shall work with the Agency for Enterprise Information
384 Technology to begin preliminary planning for consolidation into
385 a primary data center:
386 1. The Department of the Lottery’s headquarters location.
387 2. The Department of Legal Affairs.
388 3. The Fish and Wildlife Conservation Commission, except
389 for the commission’s Fish and Wildlife Research Institute in St.
390 Petersburg.
391 4. The Executive Office of the Governor.
392 5. The Department of Veterans’ Affairs.
393 6. The Department of Elderly Affairs.
394 7. The Department of Financial Services’ Hartman, Larson,
395 and Fletcher Building Data Centers.
396 8. The Department of Agriculture and Consumer Services’
397 Agriculture Management Information Center in the Mayo Building
398 and Division of Licensing.
399 (h) During the 2014-2015 fiscal year, the following
400 agencies shall work with the Agency for Enterprise Information
401 Technology to begin preliminary planning for consolidation into
402 a primary data center:
403 1. The Department of Health’s Jacksonville Lab Data Center.
404 2. The Department of Transportation’s district offices,
405 toll offices, and the District Materials Office.
406 3. The Department of Military Affairs’ Camp Blanding Joint
407 Training Center in Starke.
408 4. The Department of Community Affairs’ Camp Blanding
409 Emergency Operations Center in Starke.
410 5. The Department of Education’s Division of Blind Services
411 disaster recovery site in Daytona Beach.
412 6. The Department of Education’s disaster recovery site at
413 Santa Fe College.
414 7. The Department of the Lottery’s Disaster Recovery Backup
415 Data Center in Orlando.
416 8. The Fish and Wildlife Conservation Commission’s Fish and
417 Wildlife Research Institute in St. Petersburg.
418 9. The Department of Children and Family Services’ Suncoast
419 Data Center in Tampa.
420 10. The Department of Children and Family Services’ Florida
421 State Hospital in Chattahoochee.
422 (i) During the 2015-2016 fiscal year, all computing
423 resources remaining within an agency nonprimary data center or
424 computing facility shall be transferred to a primary data center
425 for consolidation unless otherwise required to remain in the
426 agency for specified financial, technical, or business reasons
427 that must be justified in writing and approved by the Agency for
428 Enterprise Information Technology. Such data centers, computing
429 facilities, and resources must be identified by the Agency for
430 Enterprise Information Technology by October 1, 2014.
431 (j) Any agency that is consolidating agency data centers
432 into a primary data center must execute a new or update an
433 existing service-level agreement within 60 days after the
434 specified consolidation date, as required by s. 282.203, in
435 order to specify the services and levels of service it is to
436 receive from the primary data center as a result of the
437 consolidation. If an agency is unable to execute a service-level
438 agreement by that date, the agency shall submit a report to the
439 Executive Office of the Governor and to the chairs of the
440 legislative appropriations committees within 5 working days
441 after that date which explains the specific issues preventing
442 execution and describing its plan and schedule for resolving
443 those issues.
444 (k) Beginning September 1, 2011, and every 6 months
445 thereafter until data center consolidations are complete, the
446 Agency for Enterprise Information Technology shall provide a
447 status report on the implementation of the consolidations that
448 must be completed during the fiscal year. The report shall be
449 submitted to the Executive Office of the Governor and the chairs
450 of the legislative appropriations committees. The report must,
451 at a minimum, describe:
452 1. Whether the consolidation is on schedule, including
453 progress on achieving the milestones necessary for successful
454 and timely consolidation of scheduled agency data centers and
455 computing facilities; and
456 2. The risks that may affect the progress or outcome of the
457 consolidation and how these risks are being addressed,
458 mitigated, or managed.
459 (l) Each agency identified in this subsection for
460 consolidation into a primary data center shall submit a
461 transition plan to the Agency for Enterprise Information
462 Technology by September 1 of the fiscal year before the fiscal
463 year in which the scheduled consolidation will occur. Transition
464 plans shall be developed in consultation with the appropriate
465 primary data centers and the Agency for Enterprise Information
466 Technology, and must include:
467 1. An inventory of the agency data center’s resources being
468 consolidated, including all hardware, software, staff, and
469 contracted services, and the facility resources performing data
470 center management and operations, security, backup and recovery,
471 disaster recovery, system administration, database
472 administration, system programming, job control, production
473 control, print, storage, technical support, help desk, and
474 managed services, but excluding application development;
475 2. A description of the level of services needed to meet
476 the technical and operational requirements of the platforms
477 being consolidated and an estimate of the primary data center’s
478 cost for the provision of such services;
479 3. A description of resources for computing services
480 proposed to remain in the department;
481 4. A timetable with significant milestones for the
482 completion of the consolidation; and
483 5. The specific recurring and nonrecurring budget
484 adjustments of budget resources by appropriation category into
485 the appropriate data-processing category pursuant to the
486 legislative budget instructions in s. 216.023 necessary to
487 support agency costs for the transfer.
488 (m) Each primary data center shall develop a transition
489 plan for absorbing the transfer of agency data center resources
490 based upon the timetables for transition as provided in this
491 subsection. The plan shall be submitted to the Agency for
492 Enterprise Information Technology, the Executive Office of the
493 Governor, and the chairs of the legislative appropriations
494 committees by September 30 of the fiscal year before the fiscal
495 year in which the scheduled consolidations will occur. Each plan
496 must include:
497 1. An estimate of the cost to provide data center services
498 for each agency scheduled for consolidation;
499 2. A staffing plan that identifies the projected staffing
500 needs and requirements based on the estimated workload
501 identified in the agency transition plan;
502 3. The fiscal year adjustments to budget categories in
503 order to absorb the transfer of agency data center resources
504 pursuant to the legislative budget request instructions provided
505 in s. 216.023;
506 4. An analysis of the cost effects resulting from the
507 planned consolidations on existing agency customers; and
508 5. A description of any issues that must be resolved in
509 order to accomplish as efficiently and effectively as possible
510 all consolidations required during the fiscal year.
511 (n) The Agency for Enterprise Information Technology shall
512 develop a comprehensive transition plan, which shall be
513 submitted by October 15th of the fiscal year before the fiscal
514 year in which the scheduled consolidations will occur to each
515 primary data center, to the Executive Office of the Governor,
516 and the chairs of the legislative appropriations committees. The
517 transition plan shall be developed in consultation with agencies
518 submitting agency transition plans and with the affected primary
519 data centers. The comprehensive transition plan must include:
520 1. Recommendations for accomplishing the proposed
521 transitions as efficiently and effectively as possible with
522 minimal disruption to customer agency business processes;
523 2. Strategies to minimize risks associated with any of the
524 proposed consolidations;
525 3. A compilation of the agency transition plans submitted
526 by agencies scheduled for consolidation for the following fiscal
527 year; and
528 4. Revisions to any budget adjustments provided in the
529 agency or primary data center transition plans.
530 (o) Any agency data center scheduled for consolidation
531 after the 2011-2012 fiscal year may consolidate into a primary
532 data center before its scheduled date contingent upon the
533 approval of the Agency for Enterprise Information Technology.
534 (5)(4) AGENCY LIMITATIONS.—
535 (a) Unless authorized by the Legislature or as provided in
536 paragraphs (b) and (c), a state agency may not:
537 1. Create a new computing facility or data center, or
538 expand the capability to support additional computer equipment
539 in an existing computing facility or nonprimary data center;
540 2. Spend funds before the agency’s scheduled consolidation
541 into a primary data center to purchase or modify hardware or
542 operations software that does not comply with hardware and
543 software standards established by the Agency for Enterprise
544 Information Technology pursuant to paragraph (2)(e) for the
545 efficient consolidation of the agency data centers or computing
546 facilities;
547 3.2. Transfer existing computer services to any data center
548 other than a primary nonprimary data center or computing
549 facility;
550 4.3. Terminate services with a primary data center or
551 transfer services between primary data centers without giving
552 written notice of intent to terminate or transfer services 180
553 days before such termination or transfer; or
554 5.4. Initiate a new computer service if it does not
555 currently have an internal data center except with a primary
556 data center.
557 (b) Exceptions to the limitations in subparagraphs (a)1.,
558 2., 3., and 5. 4. may be granted by the Agency for Enterprise
559 Information Technology if there is insufficient capacity in a
560 primary data center to absorb the workload associated with
561 agency computing services, if expenditures are compatible with
562 the scheduled consolidation and the standards established
563 pursuant to paragraph (2)(e), or if the equipment or resources
564 are needed to meet a critical agency business need that cannot
565 be satisfied from surplus equipment or resources of the primary
566 data center until the agency data center is consolidated.
567 1. A request for an exception must be submitted in writing
568 to the Agency for Enterprise Information Technology. The agency
569 must accept, accept with conditions, or deny the request within
570 60 days after receipt of the written request. The agency’s
571 decision is not subject to chapter 120.
572 2. At a minimum, the agency may not approve a request
573 unless it includes:
574 a. Documentation approved by the primary data center’s
575 board of trustees which confirms that the center cannot meet the
576 capacity requirements of the agency requesting the exception
577 within the current fiscal year.
578 b. A description of the capacity requirements of the agency
579 requesting the exception.
580 c. Documentation from the agency demonstrating why it is
581 critical to the agency’s mission that the expansion or transfer
582 must be completed within the fiscal year rather than when
583 capacity is established at a primary data center.
584 (c) Exceptions to subparagraph (a)4. (a)3. may be granted
585 by the board of trustees of the primary data center if the
586 termination or transfer of services can be absorbed within the
587 current cost-allocation plan.
588 (d) Upon the termination of or transfer of agency computing
589 services from the primary data center, the primary data center
590 shall require information sufficient to determine compliance
591 with this section. If a primary data center determines that an
592 agency is in violation of this section, it shall report the
593 violation to the Agency for Enterprise Information Technology.
594 (6)(5) RULES.—The Agency for Enterprise Information
595 Technology may is authorized to adopt rules pursuant to ss.
596 120.536(1) and 120.54 to administer the provisions of this part
597 relating to the state data center system including the primary
598 data centers.
599 Section 6. Paragraphs (f) through (l) of subsection (1),
600 paragraph (a) of subsection (2), and paragraph (j) of subsection
601 (3) of section 282.203, Florida Statutes, are amended to read:
602 282.203 Primary data centers.—
603 (1) DATA CENTER DUTIES.—Each primary data center shall:
604 (f) By December 31, 2010, submit organizational plans that
605 minimize the annual recurring cost of center operations and
606 eliminate the need for state agency customers to maintain data
607 center skills and staff within their agency. The plans shall:
608 1. Establish an efficient organizational structure
609 describing the roles and responsibilities of all positions and
610 business units in the centers;
611 2. Define a human resources planning and management process
612 that shall be used to make required center staffing decisions;
613 and
614 3. Develop a process for projecting staffing requirements
615 based on estimated workload identified in customer agency
616 service level agreements.
617 (f)(g) Maintain the performance of the facility, which
618 includes ensuring proper data backup, data backup recovery, an
619 effective disaster recovery plan, and appropriate security,
620 power, cooling and fire suppression, and capacity.
621 (g)(h) Develop a business continuity plan and conduct a
622 live exercise of the plan at least annually. The plan must be
623 approved by the board and the Agency for Enterprise Information
624 Technology.
625 (h)(i) Enter into a service-level agreement with each
626 customer entity to provide services as defined and approved by
627 the board in compliance with rules of the Agency for Enterprise
628 Information Technology. A service-level agreement may not have a
629 term exceeding 3 years but may include an option to renew for up
630 to 3 years contingent on approval by the board.
631 1. A service-level agreement, at a minimum, must:
632 a. Identify the parties and their roles, duties, and
633 responsibilities under the agreement;
634 b. Identify the legal authority under which the service
635 level agreement was negotiated and entered into by the parties;
636 c. State the duration of the contractual term and specify
637 the conditions for contract renewal;
638 d. Prohibit the transfer of computing services between
639 primary data center facilities without at least 180 days’ notice
640 of service cancellation;
641 e. Identify the scope of work;
642 f. Identify the products or services to be delivered with
643 sufficient specificity to permit an external financial or
644 performance audit;
645 g. Establish the services to be provided, the business
646 standards that must be met for each service, the cost of each
647 service, and the process by which the business standards for
648 each service are to be objectively measured and reported;
649 h. Identify applicable funds and funding streams for the
650 services or products under contract;
651 i. Provide a timely billing methodology for recovering the
652 cost of services provided to the customer entity;
653 j. Provide a procedure for modifying the service-level
654 agreement to address changes in projected costs of service;
655 k. Provide that a service-level agreement may be terminated
656 by either party for cause only after giving the other party and
657 the Agency for Enterprise Information Technology notice in
658 writing of the cause for termination and an opportunity for the
659 other party to resolve the identified cause within a reasonable
660 period; and
661 l. Provide for mediation of disputes by the Division of
662 Administrative Hearings pursuant to s. 120.573.
663 2. A service-level agreement may include:
664 a. A dispute resolution mechanism, including alternatives
665 to administrative or judicial proceedings;
666 b. The setting of a surety or performance bond for service
667 level agreements entered into with nonstate agency primary data
668 centers established by law, which may be designated by the
669 Agency for Enterprise Information Technology; or
670 c. Additional terms and conditions as determined advisable
671 by the parties if such additional terms and conditions do not
672 conflict with the requirements of this section or rules adopted
673 by the Agency for Enterprise Information Technology.
674 3. The failure to execute a service-level agreement within
675 60 days after service commencement shall, in the case of an
676 existing customer entity, result in a continuation of the terms
677 of the service-level agreement from the prior fiscal year,
678 including any amendments that were formally proposed to the
679 customer entity by the primary data center within the 3 months
680 before service commencement, and a revised cost-of-service
681 estimate. If a new customer entity fails to execute an agreement
682 within 60 days after service commencement, the data center may
683 cease services.
684 (i)(j) Plan, design, establish pilot projects for, and
685 conduct experiments with information technology resources, and
686 implement enhancements in services if such implementation is
687 cost-effective and approved by the board.
688 (j)(k) Enter into a memorandum of understanding with the
689 agency where the data center is administratively located if the
690 data center requires the agency to provide any administrative
691 which establishes the services to be provided by that agency to
692 the data center and the cost of such services.
693 (k)(l) Be the custodian of resources and equipment that are
694 located, operated, supported, and managed by the center for the
695 purposes of chapter 273.
696 (l) Assume administrative access rights to the resources
697 and equipment, such as servers, network components, and other
698 devices that are consolidated into the primary data center.
699 1. Upon the date of each consolidation specified in s.
700 282.201, the General Appropriations Act, or the Laws of Florida,
701 each agency shall relinquish all administrative access rights to
702 such resources and equipment.
703 2. Each primary data center shall provide its customer
704 agencies with the appropriate level of access to applications,
705 servers, network components, and other devices necessary for
706 agencies to perform their core business activities and
707 functions.
708 (2) BOARD OF TRUSTEES.—Each primary data center shall be
709 headed by a board of trustees as defined in s. 20.03.
710 (a) The members of the board shall be appointed by the
711 agency head or chief executive officer of the representative
712 customer entities of the primary data center and shall serve at
713 the pleasure of the appointing customer entity. Each agency head
714 or chief executive officer may appoint an alternate member for
715 each board member appointed pursuant to this subsection.
716 1. During the first fiscal year that a state agency is to
717 consolidate its data center operations to a primary data center
718 and for the following full fiscal year, the agency shall have a
719 single trustee having one vote on the board of the state primary
720 data center where it is to consolidate, unless it is entitled in
721 the second year to a greater number of votes as provided in
722 subparagraph 3. For each of the first 2 fiscal years that a
723 center is in operation, membership shall be as provided in
724 subparagraph 3. based on projected customer entity usage rates
725 for the fiscal operating year of the primary data center.
726 However, at a minimum:
727 a. During the Southwood Shared Resource Center’s first 2
728 operating years, the Department of Transportation, the
729 Department of Highway Safety and Motor Vehicles, the Department
730 of Health, and the Department of Revenue must each have at least
731 one trustee.
732 b. During the Northwood Shared Resource Center’s first
733 operating year, the Department of State and the Department of
734 Education must each have at least one trustee.
735 2. Board After the second full year of operation,
736 membership shall be as provided in subparagraph 3. based on the
737 most recent estimate of customer entity usage rates for the
738 prior year and a projection of usage rates for the first 9
739 months of the next fiscal year. Such calculation must be
740 completed before the annual budget meeting held before the
741 beginning of the next fiscal year so that any decision to add or
742 remove board members can be voted on at the budget meeting and
743 become effective on July 1 of the subsequent fiscal year.
744 3. Each customer entity that has a projected usage rate of
745 4 percent or greater during the fiscal operating year of the
746 primary data center shall have one trustee on the board.
747 4. The total number of votes for each trustee shall be
748 apportioned as follows:
749 a. Customer entities of a primary data center whose usage
750 rate represents 4 but less than 15 percent of total usage shall
751 have one vote.
752 b. Customer entities of a primary data center whose usage
753 rate represents 15 but less than 30 percent of total usage shall
754 have two votes.
755 c. Customer entities of a primary data center whose usage
756 rate represents 30 but less than 50 percent of total usage shall
757 have three votes.
758 d. A customer entity of a primary data center whose usage
759 rate represents 50 percent or more of total usage shall have
760 four votes.
761 e. A single trustee having one vote shall represent those
762 customer entities that represent less than 4 percent of the
763 total usage. The trustee shall be selected by a process
764 determined by the board.
765 (3) BOARD DUTIES.—Each board of trustees of a primary data
766 center shall:
767 (j) Maintain the capabilities of the primary data center’s
768 facilities. Maintenance responsibilities include, but are not
769 limited to, ensuring that adequate conditioned floor space, fire
770 suppression, cooling, and power is in place; replacing aging
771 equipment when necessary; and making decisions related to data
772 center expansion and renovation, periodic upgrades, and
773 improvements that are required to ensure the ongoing suitability
774 of the facility as an enterprise data center consolidation site
775 in the state data center system. To the extent possible, the
776 board shall ensure that its approved annual cost-allocation plan
777 recovers sufficient funds from its customers to provide for
778 these needs pursuant to s. 282.201(2)(e).
779 Section 7. Section 282.204, Florida Statutes, is amended to
780 read:
781 282.204 Northwood Shared Resource Center.—The Northwood
782 Shared Resource Center is an agency established within the
783 Department of Management Services Children and Family Services
784 for administrative purposes only.
785 (1) The center is a primary data center and is shall be a
786 separate budget entity that is not subject to control,
787 supervision, or direction of the department in any manner,
788 including, but not limited to, purchasing, transactions
789 involving real or personal property, personnel, or budgetary
790 matters.
791 (2) The center shall be headed by a board of trustees as
792 provided in s. 282.203, who shall comply with all requirements
793 of that section related to the operation of the center and with
794 the rules of the Agency for Enterprise Information Technology
795 related to the design and delivery of enterprise information
796 technology services.
797 Section 8. Sections 282.3055 and 282.315, Florida Statutes,
798 are repealed.
799 Section 9. Subsections (3) through (7) of section 282.318,
800 Florida Statutes, are amended to read:
801 282.318 Enterprise security of data and information
802 technology.—
803 (3) The Office of Information Security within the Agency
804 for Enterprise Information Technology is responsible for
805 establishing rules and publishing guidelines for ensuring an
806 appropriate level of security for all data and information
807 technology resources for executive branch agencies. The agency
808 office shall also perform the following duties and
809 responsibilities:
810 (a) Develop, and annually update by February 1, an
811 enterprise information security strategic plan that includes
812 security goals and objectives for the strategic issues of
813 information security policy, risk management, training, incident
814 management, and survivability planning.
815 (b) Develop enterprise security rules and published
816 guidelines for:
817 1. Comprehensive risk analyses and information security
818 audits conducted by state agencies.
819 2. Responding to suspected or confirmed information
820 security incidents, including suspected or confirmed breaches of
821 personal information or exempt data.
822 3. Agency security plans, including strategic security
823 plans and security program plans.
824 4. The recovery of information technology and data
825 following a disaster.
826 5. The managerial, operational, and technical safeguards
827 for protecting state government data and information technology
828 resources.
829 (c) Assist agencies in complying with the provisions of
830 this section.
831 (d) Pursue appropriate funding for the purpose of enhancing
832 domestic security.
833 (e) Provide training for agency information security
834 managers.
835 (f) Annually review the strategic and operational
836 information security plans of executive branch agencies.
837 (4) To assist the Agency for Enterprise Information
838 Technology Office of Information Security in carrying out its
839 responsibilities, each agency head shall, at a minimum:
840 (a) Designate an information security manager to administer
841 the security program of the agency for its data and information
842 technology resources. This designation must be provided annually
843 in writing to the Agency for Enterprise Information Technology
844 office by January 1.
845 (b) Submit to the Agency for Enterprise Information
846 Technology office annually by July 31, the agency’s strategic
847 and operational information security plans developed pursuant to
848 the rules and guidelines established by the Agency for
849 Enterprise Information Technology office.
850 1. The agency strategic information security plan must
851 cover a 3-year period and define security goals, intermediate
852 objectives, and projected agency costs for the strategic issues
853 of agency information security policy, risk management, security
854 training, security incident response, and survivability. The
855 plan must be based on the enterprise strategic information
856 security plan created by the Agency for Enterprise Information
857 Technology office. Additional issues may be included.
858 2. The agency operational information security plan must
859 include a progress report for the prior operational information
860 security plan and a project plan that includes activities,
861 timelines, and deliverables for security objectives that,
862 subject to current resources, the agency will implement during
863 the current fiscal year. The cost of implementing the portions
864 of the plan which cannot be funded from current resources must
865 be identified in the plan.
866 (c) Conduct, and update every 3 years, a comprehensive risk
867 analysis to determine the security threats to the data,
868 information, and information technology resources of the agency.
869 The risk analysis information is confidential and exempt from
870 the provisions of s. 119.07(1), except that such information
871 shall be available to the Auditor General and the Agency for
872 Enterprise Information Technology for performing postauditing
873 duties.
874 (d) Develop, and periodically update, written internal
875 policies and procedures, which include procedures for notifying
876 the Agency for Enterprise Information Technology office when a
877 suspected or confirmed breach, or an information security
878 incident, occurs. Such policies and procedures must be
879 consistent with the rules and guidelines established by the
880 Agency for Enterprise Information Technology office to ensure
881 the security of the data, information, and information
882 technology resources of the agency. The internal policies and
883 procedures that, if disclosed, could facilitate the unauthorized
884 modification, disclosure, or destruction of data or information
885 technology resources are confidential information and exempt
886 from s. 119.07(1), except that such information shall be
887 available to the Auditor General and the Agency for Enterprise
888 Information Technology for performing postauditing duties.
889 (e) Implement appropriate cost-effective safeguards to
890 address identified risks to the data, information, and
891 information technology resources of the agency.
892 (f) Ensure that periodic internal audits and evaluations of
893 the agency’s security program for the data, information, and
894 information technology resources of the agency are conducted.
895 The results of such audits and evaluations are confidential
896 information and exempt from s. 119.07(1), except that such
897 information shall be available to the Auditor General and the
898 Agency for Enterprise Information Technology for performing
899 postauditing duties.
900 (g) Include appropriate security requirements in the
901 written specifications for the solicitation of information
902 technology and information technology resources and services,
903 which are consistent with the rules and guidelines established
904 by the Agency for Enterprise Information Technology office.
905 (h) Provide security awareness training to employees and
906 users of the agency’s communication and information resources
907 concerning information security risks and the responsibility of
908 employees and users to comply with policies, standards,
909 guidelines, and operating procedures adopted by the agency to
910 reduce those risks.
911 (i) Develop a process for detecting, reporting, and
912 responding to suspected or confirmed security incidents,
913 including suspected or confirmed breaches consistent with the
914 security rules and guidelines established by the Agency for
915 Enterprise Information Technology office.
916 1. Suspected or confirmed information security incidents
917 and breaches must be immediately reported to the Agency for
918 Enterprise Information Technology office.
919 2. For incidents involving breaches, agencies shall provide
920 notice in accordance with s. 817.5681 and to the Agency for
921 Enterprise Information Technology office in accordance with this
922 subsection.
923 (5) Each state agency shall include appropriate security
924 requirements in the specifications for the solicitation of
925 contracts for procuring information technology or information
926 technology resources or services which are consistent with the
927 rules and guidelines established by the Agency for Enterprise
928 Information Technology Office of Information Security.
929 (6) The Agency for Enterprise Information Technology may
930 adopt rules relating to information security and to administer
931 the provisions of this section.
932 (7) By December 31, 2010, the Agency for Enterprise
933 Information Technology shall develop, and submit to the
934 Governor, the President of the Senate, and the Speaker of the
935 House of Representatives a proposed implementation plan for
936 information technology security. The agency shall describe the
937 scope of operation, conduct costs and requirements analyses,
938 conduct an inventory of all existing security information
939 technology resources, and develop strategies, timeframes, and
940 resources necessary for statewide migration.
941 Section 10. Subsections (2), (3), and (4) of section
942 282.33, Florida Statutes, are amended to read:
943 282.33 Objective standards for data center energy
944 efficiency.—
945 (2) State shared resource data centers and other data
946 centers that the Agency for Enterprise Information Technology
947 has determined will be recipients for consolidating data
948 centers, which are designated by the Agency for Enterprise
949 Information Technology, shall evaluate their data center
950 facilities for energy efficiency using the standards established
951 in this section.
952 (a) Results of these evaluations shall be reported to the
953 Agency for Enterprise Information Technology, the President of
954 the Senate, and the Speaker of the House of Representatives.
955 Reports shall enable the tracking of energy performance over
956 time and comparisons between facilities.
957 (b) Beginning By December 31, 2010, and every 3 years
958 biennially thereafter, the Agency for Enterprise Information
959 Technology shall submit to the Legislature recommendations for
960 reducing energy consumption and improving the energy efficiency
961 of state primary data centers.
962 (3) The primary means of achieving maximum energy savings
963 across all state data centers and computing facilities shall be
964 the consolidation of data centers and computing facilities as
965 determined by the Agency for Enterprise Information Technology.
966 State data centers and computing facilities in the state data
967 center system shall be established as an enterprise information
968 technology service as defined in s. 282.0041. The Agency for
969 Enterprise Information Technology shall make recommendations on
970 consolidating state data centers and computing facilities,
971 pursuant to s. 282.0056, by December 31, 2009.
972 (3)(4) If When the total cost of ownership of an energy
973 efficient product is less than or equal to the cost of the
974 existing data center facility or infrastructure, technical
975 specifications for energy-efficient products should be
976 incorporated in the plans and processes for replacing,
977 upgrading, or expanding data center facilities or
978 infrastructure, including, but not limited to, network, storage,
979 or computer equipment and software.
980 Section 11. Section 282.34, Florida Statutes, is amended to
981 read:
982 282.34 Statewide e-mail service.—A statewide state e-mail
983 service system that includes the delivery and support of e-mail,
984 messaging, and calendaring capabilities is established as an
985 enterprise information technology service as defined in s.
986 282.0041. The service shall be designed to meet the needs of all
987 executive branch agencies, and may also be used by nonstate
988 agency entities. The primary goals of the service are to
989 minimize the state investment required to establish, operate,
990 and support the statewide service; reduce the cost of current e
991 mail operations and the number of duplicative e-mail systems;
992 and eliminate the need for each state agency to maintain its own
993 e-mail staff.
994 (1) The Southwood Shared Resource Center, a primary data
995 center, shall be the provider of the statewide e-mail service
996 for all state agencies. The center shall centrally host, manage,
997 operate, and support the service, or outsource the hosting,
998 management, operational, or support components of the service in
999 order to achieve the primary goals identified in this section.
1000 (2) The Agency for Enterprise Information Technology, in
1001 cooperation and consultation with all state agencies, shall
1002 prepare and submit for approval by the Legislative Budget
1003 Commission at a meeting scheduled before June 30, 2011, a
1004 proposed plan for the migration of all state agencies to the
1005 statewide e-mail service. The plan for migration must include:
1006 (a) A cost-benefit analysis that compares the total
1007 recurring and nonrecurring operating costs of the current agency
1008 e-mail systems, including monthly mailbox costs, staffing,
1009 licensing and maintenance costs, hardware, and other related e
1010 mail product and service costs to the costs associated with the
1011 proposed statewide e-mail service. The analysis must also
1012 include:
1013 1. A comparison of the estimated total 7-year life-cycle
1014 cost of the current agency e-mail systems versus the feasibility
1015 of funding the migration and operation of the statewide e-mail
1016 service.
1017 2. An estimate of recurring costs associated with the
1018 energy consumption of current agency e-mail equipment, and the
1019 basis for the estimate.
1020 3. An identification of the overall cost savings resulting
1021 from state agencies migrating to the statewide e-mail service
1022 and decommissioning their agency e-mail systems.
1023 (b) A proposed migration date for all state agencies to be
1024 migrated to the statewide e-mail service. The Agency for
1025 Enterprise Information Technology shall work with the Executive
1026 Office of the Governor to develop the schedule for migrating all
1027 state agencies to the statewide e-mail service except for the
1028 Department of Legal Affairs. The Department of Legal Affairs
1029 shall provide to the Agency for Enterprise Information
1030 Technology by June 1, 2011, a proposed migration date based upon
1031 its decision to participate in the statewide e-mail service and
1032 the identification of any issues that require resolution in
1033 order to migrate to the statewide e-mail service.
1034 (c) A budget amendment, submitted pursuant to chapter 216,
1035 for adjustments to each agency’s approved operating budget
1036 necessary to transfer sufficient budget resources into the
1037 appropriate data processing category to support its statewide e
1038 mail service costs.
1039 (d) A budget amendment, submitted pursuant to chapter 216,
1040 for adjustments to the Southwood Shared Resource Center approved
1041 operating budget to include adjustments in the number of
1042 authorized positions, salary budget and associated rate,
1043 necessary to implement the statewide email service.
1044 (3) Contingent upon approval by the Legislative Budget
1045 Commission, the Southwood Shared Resource Center may contract
1046 for the provision of a statewide e-mail service. Executive
1047 branch agencies must be completely migrated to the statewide e
1048 mail service based upon the migration date included in the
1049 proposed plan approved by the Legislative Budget Commission.
1050 (4) Notwithstanding chapter 216, General Revenue funds may
1051 be increased or decreased for each agency provided the net
1052 change to General Revenue in total for all agencies is zero or
1053 less.
1054 (5) Subsequent to the approval of the consolidated budget
1055 amendment to reflect budget adjustments necessary to migrate to
1056 the statewide e-mail service, an agency may make adjustments
1057 subject to s. 216.177, notwithstanding provisions in chapter 216
1058 which may require such adjustments to be approved by the
1059 Legislative Budget Commission.
1060 (6) No agency may initiate a new e-mail service or execute
1061 a new e-mail contract or amend a current e-mail contract, other
1062 than with the Southwood Shared Resource Center, for nonessential
1063 products or services unless the Legislative Budget Commission
1064 denies approval for the Southwood Shared Resource Center to
1065 enter into a contract for the statewide e-mail service.
1066 (7) The Agency for Enterprise Information Technology shall
1067 work with the Southwood Shared Resource Center to develop an
1068 implementation plan that identifies and describes the detailed
1069 processes and timelines for an agency’s migration to the
1070 statewide e-mail service based on the migration date approved by
1071 the Legislative Budget Commission. The agency may establish and
1072 coordinate workgroups consisting of agency e-mail management,
1073 information technology, budget, and administrative staff to
1074 assist the agency in the development of the plan.
1075 (8) Each executive branch agency shall provide all
1076 information necessary to develop the implementation plan,
1077 including, but not limited to, required mailbox features and the
1078 number of mailboxes that will require migration services. Each
1079 agency must also identify any known business, operational, or
1080 technical plans, limitations, or constraints that should be
1081 considered when developing the plan.
1082 (2) The Agency for Enterprise Information Technology, in
1083 consultation with the Southwood Shared Resource Center, shall
1084 establish and coordinate a multiagency project team to develop a
1085 competitive solicitation for establishing the statewide e-mail
1086 service.
1087 (a) The Southwood Shared Resource Center shall issue the
1088 competitive solicitation by August 31, 2010, with vendor
1089 responses required by October 15, 2010. Issuance of the
1090 competitive solicitation does not obligate the agency and the
1091 center to conduct further negotiations or to execute a contract.
1092 The decision to conduct or conclude negotiations, or execute a
1093 contract, must be made solely at the discretion of the agency.
1094 (b) The competitive solicitation must include detailed
1095 specifications describing:
1096 1. The current e-mail approach for state agencies and the
1097 specific business objectives met by the present system.
1098 2. The minimum functional requirements necessary for
1099 successful statewide implementation and the responsibilities of
1100 the prospective service provider and the agency.
1101 3. The form and required content for submitted proposals,
1102 including, but not limited to, a description of the proposed
1103 system and its internal and external sourcing options, a 5-year
1104 life-cycle-based pricing based on cost per mailbox per month,
1105 and a decommissioning approach for current e-mail systems; an
1106 implementation schedule and implementation services; a
1107 description of e-mail account management, help desk, technical
1108 support, and user provisioning services; disaster recovery and
1109 backup and restore capabilities; antispam and antivirus
1110 capabilities; remote access and mobile messaging capabilities;
1111 and staffing requirements.
1112 (c) Other optional requirements specifications may be
1113 included in the competitive solicitation if not in conflict with
1114 the primary goals of the statewide e-mail service.
1115 (d) The competitive solicitation must permit alternative
1116 financial and operational models to be proposed, including, but
1117 not limited to:
1118 1. Leasing or usage-based subscription fees;
1119 2. Installing and operating the e-mail service within the
1120 Southwood Shared Resource Center or in a data center operated by
1121 an external service provider; or
1122 3. Provisioning the e-mail service as an Internet-based
1123 offering provided to state agencies. Specifications for proposed
1124 models must be optimized to meet the primary goals of the e-mail
1125 service.
1126 (3) By December 31, 2010, or within 1 month after
1127 negotiations are complete, whichever is later, the multiagency
1128 project team and the Agency for Enterprise Information
1129 Technology shall prepare a business case analysis containing its
1130 recommendations for procuring the statewide e-mail service for
1131 submission to the Governor and Cabinet, the President of the
1132 Senate, and the Speaker of the House of Representatives. The
1133 business case is not subject to challenge or protest pursuant to
1134 chapter 120. The business case must include, at a minimum:
1135 (a) An assessment of the major risks that must be managed
1136 for each proposal compared to the risks for the current state
1137 agency e-mail system and the major benefits that are associated
1138 with each.
1139 (b) A cost-benefit analysis that estimates all major cost
1140 elements associated with each sourcing option, focusing on the
1141 nonrecurring and recurring life-cycle costs of each option. The
1142 analysis must include a comparison of the estimated total 5-year
1143 life-cycle cost of the current agency e-mail systems versus each
1144 enterprise e-mail sourcing option in order to determine the
1145 feasibility of funding the migration and operation of the
1146 statewide e-mail service and the overall level of savings that
1147 can be expected. The 5-year life-cycle costs for each state
1148 agency must include, but are not limited to:
1149 1. The total recurring operating costs of the current
1150 agency e-mail systems, including monthly mailbox costs,
1151 staffing, licensing and maintenance costs, hardware, and other
1152 related e-mail product and service costs.
1153 2. An estimate of nonrecurring hardware and software
1154 refresh, upgrade, or replacement costs based on the expected 5
1155 year obsolescence of current e-mail software products and
1156 equipment through the 2014 fiscal year, and the basis for the
1157 estimate.
1158 3. An estimate of recurring costs associated with the
1159 energy consumption of current agency e-mail equipment, and the
1160 basis for the estimate.
1161 4. Any other critical costs associated with the current
1162 agency e-mail systems which can reasonably be estimated and
1163 included in the business case analysis.
1164 (c) A comparison of the migrating schedules of each
1165 sourcing option to the statewide e-mail service, including the
1166 approach and schedule for the decommissioning of all current
1167 state agency e-mail systems beginning with phase 1 and phase 2
1168 as provided in subsection (4).
1169 (4) All agencies must be completely migrated to the
1170 statewide e-mail service as soon as financially and
1171 operationally feasible, but no later than June 30, 2015.
1172 (a) The following statewide e-mail service implementation
1173 schedule is established for state agencies:
1174 1. Phase 1.—The following agencies must be completely
1175 migrated to the statewide e-mail system by June 30, 2012: the
1176 Agency for Enterprise Information Technology; the Department of
1177 Community Affairs, including the Division of Emergency
1178 Management; the Department of Corrections; the Department of
1179 Health; the Department of Highway Safety and Motor Vehicles; the
1180 Department of Management Services, including the Division of
1181 Administrative Hearings, the Division of Retirement, the
1182 Commission on Human Relations, and the Public Employees
1183 Relations Commission; the Southwood Shared Resource Center; and
1184 the Department of Revenue.
1185 2. Phase 2.—The following agencies must be completely
1186 migrated to the statewide e-mail system by June 30, 2013: the
1187 Department of Business and Professional Regulation; the
1188 Department of Education, including the Board of Governors; the
1189 Department of Environmental Protection; the Department of
1190 Juvenile Justice; the Department of the Lottery; the Department
1191 of State; the Department of Law Enforcement; the Department of
1192 Veterans’ Affairs; the Judicial Administration Commission; the
1193 Public Service Commission; and the Statewide Guardian Ad Litem
1194 Office.
1195 3. Phase 3.—The following agencies must be completely
1196 migrated to the statewide e-mail system by June 30, 2014: the
1197 Agency for Health Care Administration; the Agency for Workforce
1198 Innovation; the Department of Financial Services, including the
1199 Office of Financial Regulation and the Office of Insurance
1200 Regulation; the Department of Agriculture and Consumer Services;
1201 the Executive Office of the Governor; the Department of
1202 Transportation; the Fish and Wildlife Conservation Commission;
1203 the Agency for Persons With Disabilities; the Northwood Shared
1204 Resource Center; and the State Board of Administration.
1205 4. Phase 4.—The following agencies must be completely
1206 migrated to the statewide e-mail system by June 30, 2015: the
1207 Department of Children and Family Services; the Department of
1208 Citrus; the Department of Elderly Affairs; and the Department of
1209 Legal Affairs.
1210 (b) Agency requests to modify their scheduled implementing
1211 date must be submitted in writing to the Agency for Enterprise
1212 Information Technology. Any exceptions or modifications to the
1213 schedule must be approved by the Agency for Enterprise
1214 Information Technology based only on the following criteria:
1215 1. Avoiding nonessential investment in agency e-mail
1216 hardware or software refresh, upgrade, or replacement.
1217 2. Avoiding nonessential investment in new software or
1218 hardware licensing agreements, maintenance or support
1219 agreements, or e-mail staffing for current e-mail systems.
1220 3. Resolving known agency e-mail problems through migration
1221 to the statewide e-mail service.
1222 4. Accommodating unique agency circumstances that require
1223 an acceleration or delay of the implementation date.
1224 (5) In order to develop the implementation plan for the
1225 statewide e-mail service, the Agency for Enterprise Information
1226 Technology shall establish and coordinate a statewide e-mail
1227 project team. The agency shall also consult with and, as
1228 necessary, form workgroups consisting of agency e-mail
1229 management staff, agency chief information officers, agency
1230 budget directors, and other administrative staff. The statewide
1231 e-mail implementation plan must be submitted to the Governor,
1232 the President of the Senate, and the Speaker of the House of
1233 Representatives by July 1, 2011.
1234 (6) Unless authorized by the Legislature or as provided in
1235 subsection (7), a state agency may not:
1236 (a) Initiate a new e-mail service or execute a new e-mail
1237 contract or new e-mail contract amendment for nonessential
1238 products or services with any entity other than the provider of
1239 the statewide e-mail service;
1240 (b) Terminate a statewide e-mail service without giving
1241 written notice of termination 180 days in advance; or
1242 (c) Transfer e-mail system services from the provider of
1243 the statewide e-mail service.
1244 (7) Exceptions to paragraphs (6)(a), (b), and (c) may be
1245 granted by the Agency for Enterprise Information Technology only
1246 if the Southwood Shared Resource Center is unable to meet agency
1247 business requirements for the e-mail service, and if such
1248 requirements are essential to maintain agency operations.
1249 Requests for exceptions must be submitted in writing to the
1250 Agency for Enterprise Information Technology and include
1251 documented confirmation by the Southwood Shared Resource Center
1252 board of trustees that it cannot meet the requesting agency’s e
1253 mail service requirements.
1254 (8) Each agency shall include the budget issues necessary
1255 for migrating to the statewide e-mail service in its legislative
1256 budget request before the first full year it is scheduled to
1257 migrate to the statewide service in accordance with budget
1258 instructions developed pursuant to s. 216.023.
1259 (9) The Agency for Enterprise Information Technology shall
1260 adopt rules to standardize the format for state agency e-mail
1261 addresses.
1262 (10) State agencies must fully cooperate with the Agency
1263 for Enterprise Information Technology in the performance of its
1264 responsibilities established in this section.
1265 (11) The Agency for Enterprise Information Technology shall
1266 recommend changes to an agency’s scheduled date for migration to
1267 the statewide e-mail service pursuant to this section, annually
1268 by December 31, until migration to the statewide service is
1269 complete.
1270 Section 12. Paragraph (h) of subsection (3) and paragraph
1271 (b) of subsection (4) of section 287.042, Florida Statutes, are
1272 amended to read:
1273 287.042 Powers, duties, and functions.—The department shall
1274 have the following powers, duties, and functions:
1275 (3) To establish a system of coordinated, uniform
1276 procurement policies, procedures, and practices to be used by
1277 agencies in acquiring commodities and contractual services,
1278 which shall include, but not be limited to:
1279 (h) Development, in consultation with the Agency Chief
1280 Information Officers Council, of procedures to be used by state
1281 agencies when procuring information technology commodities and
1282 contractual services to ensure compliance with public records
1283 requirements and records retention and archiving requirements.
1284 (4)
1285 (b) To prescribe, in consultation with the Agency Chief
1286 Information Officers Council, procedures for procuring
1287 information technology and information technology consultant
1288 services which provide for public announcement and
1289 qualification, competitive solicitations, contract award, and
1290 prohibition against contingent fees. Such procedures are shall
1291 be limited to information technology consultant contracts for
1292 which the total project costs, or planning or study activities,
1293 are estimated to exceed the threshold amount provided for in s.
1294 287.017, for CATEGORY TWO.
1295 Section 13. The Northwood Shared Resource Center is
1296 transferred by a type one transfer, as defined in s. 20.06(1),
1297 Florida Statutes, from the Department of Children and Family
1298 Services to the Department of Management Services.
1299 Section 14. The Agency for Enterprise Information
1300 Technology, in coordination with the Southwood Shared Resource
1301 Center, shall provide a written status report to the Executive
1302 Office of the Governor and to the chairs of the legislative
1303 appropriations committees detailing the progress made by the
1304 agencies required to migrate to the statewide e-mail service by
1305 the required migration date. The status report must be provided
1306 every 6 months, beginning September 1, 2011, until
1307 implementation is complete.
1308 Section 15. This act shall upon becoming a law.
1309
1310 ================= T I T L E A M E N D M E N T ================
1311 And the title is amended as follows:
1312 Delete everything before the enacting clause
1313 and insert:
1314 A bill to be entitled
1315 An act relating to the consolidation of state
1316 information technology services; amending s. 14.204,
1317 F.S.; revising the duties of the Agency for Enterprise
1318 Information Technology; deleting references to the
1319 Office of Information Security and the Agency Chief
1320 Information Officers Council; amending s. 20.315,
1321 F.S.; requiring that the Department of Corrections’
1322 Office of Information Technology manage the
1323 department’s data system; amending s. 282.0041, F.S.;
1324 revising definitions; amending s. 282.0056, F.S.;
1325 revising provisions relating to the agency’s annual
1326 work plan; amending s. 282.201, F.S.; revising the
1327 duties of the agency; requiring the agency to submit
1328 certain recommendations to the Legislature, the
1329 Executive Office of the Governor, and the primary data
1330 centers; deleting obsolete provisions; conforming
1331 provisions to changes made by the act; providing a
1332 schedule for the consolidations of state agency data
1333 centers; requiring agencies to update their service
1334 level agreements and to develop consolidation plans;
1335 requiring the Agency for Enterprise Information
1336 Technology to submit a status report to the Governor
1337 and Legislature and to develop a comprehensive
1338 transition plan; requiring primary data centers to
1339 develop transition plans; revising agency limitations
1340 relating to technology services; amending s. 282.203,
1341 F.S.; deleting obsolete provisions; revising duties of
1342 primary data centers relating to state agency
1343 resources and equipment relinquished to the centers;
1344 requiring state agencies to relinquish all
1345 administrative access rights to certain resources and
1346 equipment upon consolidation; providing for the
1347 appointment of alternate board members; revising
1348 provisions relating to state agency representation on
1349 data center boards; conforming a cross-reference;
1350 amending s. 282.204, F.S.; establishing the Northwood
1351 Shared Resource Center in the Department of Management
1352 Services rather than the Department of Children and
1353 Family Services; repealing s. 282.3055, F.S.,
1354 requiring each agency to appoint an agency chief
1355 information officer; repealing s. 282.315, F.S.,
1356 relating to the Agency Chief Information Officers
1357 Council; amending s. 282.318, F.S.; deleting
1358 references to the Office of Information Security with
1359 respect to responsibility for enterprise security;
1360 deleting obsolete provisions; amending s. 282.33,
1361 F.S.; deleting an obsolete provision; revising the
1362 schedule for the Agency for Enterprise Information
1363 Technology to submit certain recommendations to the
1364 Legislature; amending s. 282.34, F.S.; revising
1365 provisions relating to the statewide e-mail service;
1366 deleting the schedule and requiring the agency to
1367 develop and submit a plan to the Legislative Budget
1368 Commission for the migration of state agencies to the
1369 service; specifying what the plan must include;
1370 prohibiting state agencies from executing contracts
1371 for certain e-mail services; requiring the development
1372 of an implementation plan; requiring state agencies to
1373 provide all information necessary for the
1374 implementation plan; amending ss. 287.042, F.S.;
1375 conforming provisions to changes made by the act;
1376 transferring the Northwood Shared Resource Center to
1377 the Department of Management Services; requiring the
1378 agency to coordinate with the Southwood Shared
1379 Resource Center to provide a status report to the
1380 Executive Office of the Governor and to the
1381 Legislature; providing an effective date.