SB 2098 First Engrossed
20112098e1
1 A bill to be entitled
2 An act relating to the consolidation of state
3 information technology services; transferring,
4 renumbering, and amending s. 14.204, F.S.;
5 establishing the Agency for Enterprise Information
6 Technology in the Department of Management Services
7 rather than the Executive Office of the Governor;
8 revising the duties of the agency to include the
9 planning, project management, and implementation of
10 the enterprise information technology services;
11 requiring the agency to submit a plan to the
12 Legislative Budget Commission for aggregating
13 information technology purchases; deleting references
14 to the Office of Information Security and the Agency
15 Chief Information Officers Council; amending s.
16 282.0041, F.S.; revising definitions; amending s.
17 282.0056, F.S.; revising provisions relating to the
18 agency’s annual work plan; amending s. 282.201, F.S.;
19 revising the duties of the agency; deleting obsolete
20 provisions; providing a schedule for the
21 consolidations of state agency data centers; requiring
22 agencies to update their service-level agreements and
23 to develop consolidation plans; requiring the Agency
24 for Enterprise Information Technology to submit a
25 status report to the Governor and Legislature and to
26 develop a comprehensive transition plan; requiring
27 primary data centers to develop transition plans;
28 revising agency limitations relating to technology
29 services; amending s. 282.203, F.S.; deleting obsolete
30 provisions; revising duties of primary data centers
31 relating to state agency resources and equipment
32 relinquished to the centers; requiring state agencies
33 to relinquish all administrative access rights to
34 certain resources and equipment upon consolidation;
35 providing for the appointment of alternate board
36 members; revising provisions relating to state agency
37 representation on data center boards; conforming a
38 cross-reference; amending s. 282.204, F.S.;
39 establishing the Northwood Shared Resource Center in
40 the Department of Management Services rather than the
41 Department of Children and Family Services; creating
42 s. 282.206, F.S.; establishing the Northwest Regional
43 Data Center as a primary data center; repealing s.
44 282.315, F.S., relating to the Agency Chief
45 Information Officers Council; amending s. 282.318,
46 F.S.; deleting references to the Office of Information
47 Security with respect to responsibility for enterprise
48 security; deleting obsolete provisions; amending s.
49 282.33, F.S.; deleting an obsolete provision; revising
50 the schedule for the Agency for Enterprise Information
51 Technology to submit certain recommendations to the
52 Legislature; amending s. 282.34, F.S.; revising the
53 schedule for migrating state agencies to the statewide
54 e-mail system; revising limitations on state agencies;
55 revising the requirements for rules adopted by the
56 Agency for Enterprise Information Technology; creating
57 s. 282.35, F.S.; providing for a statewide desktop
58 service as an enterprise information technology
59 service to be provided by the Department of Management
60 Services; requiring the Agency for Enterprise
61 Information Technology to develop a plan for the
62 establishment of the service and submit such plan to
63 the Governor and Legislature by a certain date;
64 specifying the contents of the plan; providing agency
65 limitations with respect to such services and
66 exceptions from such limitations if granted by the
67 agency; amending ss. 287.042 and 287.056, F.S.;
68 directing the department to adopt rules establishing
69 conditions under which an agency may be exempted from
70 using a state term contract or purchasing agreement;
71 conforming provisions to changes made by the act;
72 amending s. 287.057, F.S.; authorizing the department
73 to adopt rules to be used by agencies to manage
74 contracts; deleting a prohibition against an entity
75 contracting to provide a feasibility study on certain
76 subject matter from contracting with an agency for
77 that subject matter; amending s. 45 of chapter 2010-151,
78 Laws of Florida; providing that certain contracts
79 are subject to transaction fees; transferring the
80 Agency for Enterprise Information Technology and the
81 Northwood Shared Resource Center to the Department of
82 Management Services; requiring the agency to
83 coordinate with the Southwood Shared Resource Center
84 to provide a status report to the Executive Office of
85 the Governor and to the Legislature; providing an
86 effective date.
87
88 Be It Enacted by the Legislature of the State of Florida:
89
90 Section 1. Section 14.204, Florida Statutes, is
91 transferred, renumbered as s. 282.0054, Florida Statutes, and
92 amended to read:
93 282.0054 14.204 Agency for Enterprise Information
94 Technology.—The Agency for Enterprise Information Technology is
95 created within the Department of Management Services Executive
96 Office of the Governor.
97 (1) The head of the agency shall be the Governor and
98 Cabinet.
99 (2) The agency is a separate budget entity and is not
100 subject to control, supervision, or direction by the department
101 Executive Office of the Governor, including, but not limited to,
102 purchasing, transactions involving real or personal property,
103 personnel, or budgetary matters.
104 (3) The agency shall have an executive director who is the
105 state’s Chief Information Officer and who must:
106 (a) Have a degree from an accredited postsecondary
107 institution;
108 (b) Have at least 7 years of executive-level experience in
109 managing information technology organizations; and
110 (c) Be appointed by the Governor and confirmed by the
111 Cabinet, subject to confirmation by the Senate, and serve at the
112 pleasure of the Governor and Cabinet.
113 (4) The agency shall have the following duties and
114 responsibilities:
115 (a) Develop strategies for the design, planning, project
116 management, implementation, delivery, and management of the
117 enterprise information technology services established in law,
118 including the state data center system service established in s.
119 282.201, the information technology security service established
120 in s. 282.318, and the statewide e-mail service established in
121 s. 282.34.
122 (b) Monitor the implementation, delivery, and management of
123 the enterprise information technology services as established in
124 law.
125 (c) Make recommendations to the agency head and the
126 Legislature concerning other information technology services
127 that should be designed, delivered, and managed as enterprise
128 information technology services as defined in s. 282.0041.
129 (d) Plan and establish policies for managing proposed
130 statutorily authorized enterprise information technology
131 services, which includes:
132 1. Developing business cases that, when applicable, include
133 the components identified in s. 287.0571;
134 2. Establishing and coordinating project-management teams;
135 3. Establishing formal risk-assessment and mitigation
136 processes; and
137 4. Providing for independent monitoring of projects for
138 recommended corrective actions.
139 (e) Beginning October 1, 2010, Develop, publish, and
140 biennially update a long-term strategic enterprise information
141 technology plan that identifies and recommends strategies and
142 opportunities to improve the delivery of cost-effective and
143 efficient enterprise information technology services to be
144 proposed for establishment pursuant to s. 282.0056.
145 (f) Perform duties related to enterprise information
146 technology services, including the state data center system
147 established in as provided in s. 282.201, the information
148 technology security service established in s. 282.318, and the
149 statewide e-mail service established in s. 282.34.
150 (g) Coordinate acquisition planning, using aggregate buying
151 methodologies whenever possible, and procurement negotiations
152 for hardware and software products and services in order to
153 improve the efficiency and reduce the cost of enterprise
154 information technology services.
155 1. State agencies must submit a copy of all information
156 relating to technology purchases for commodities and services in
157 excess of $10,000 to the agency for review in order to identify
158 areas suitable for future aggregation and standardization.
159 2. By December 31, 2011, the agency shall submit to the
160 Legislative Budget Commission for approval a plan recommending
161 information technology purchases of specific commodities and
162 services suitable for aggregate purchasing and providing
163 estimates of the savings from aggregating such purchases.
164 3. Contingent on approval of the plan under subparagraph
165 2., state agencies shall cooperate with the agency.
166 4. Exemptions from subparagraph 3. may be granted by the
167 department’s Division of Purchasing if in the best interest of
168 the state.
169 (h) In consultation with the Division of Purchasing in the
170 department of Management Services, coordinate procurement
171 negotiations for information technology products as defined in
172 s. 282.0041 which will be used by multiple agencies.
173 (i) In coordination with, and through the services of, the
174 Division of Purchasing in the department of Management Services,
175 establish best practices for the procurement of information
176 technology products as defined in s. 282.0041 in order to
177 achieve savings for the state.
178 (j) Develop information technology standards for the
179 efficient design, planning, project management, implementation,
180 and delivery of enterprise information technology services. All
181 state agencies must make the transition to the new standards.
182 (k) Provide annually, by December 31, recommendations to
183 the Legislature relating to techniques for consolidating the
184 purchase of information technology commodities and services,
185 which result in savings for the state, and for establishing a
186 process to achieve savings through consolidated purchases.
187 (5) The Office of Information Security shall be created
188 within the agency. The agency shall designate a state Chief
189 Information Security Officer who shall oversee the office and
190 report directly to the executive director.
191 (6) The agency shall operate in a manner that ensures the
192 participation and representation of state agencies and the
193 Agency Chief Information Officers Council established in s.
194 282.315.
195 (7) The agency may adopt rules to carry out its statutory
196 duties.
197 Section 2. Present subsections (4) through (30) of section
198 282.0041, Florida Statutes, are redesignated as subsections (3)
199 through (29), respectively, and present subsections (3), (4),
200 and (19) of that section are amended, to read:
201 282.0041 Definitions.—As used in this chapter, the term:
202 (3) “Agency Chief Information Officers Council” means the
203 council created in s. 282.315.
204 (3)(4) “Agency for Enterprise Information Technology” means
205 the agency created in s. 282.0054 14.204.
206 (18)(19) “Primary data center” means a state or nonstate
207 agency data center that is a recipient entity for consolidation
208 of nonprimary data centers and computing facilities and that is.
209 A primary data center may be authorized by in law or designated
210 by the Agency for Enterprise Information Technology pursuant to
211 s. 282.201.
212 Section 3. Subsection (1) of section 282.0056, Florida
213 Statutes, is amended to read:
214 282.0056 Development of work plan; development of
215 implementation plans; and policy recommendations.—
216 (1) For the purposes of carrying out its responsibilities
217 under s. 282.0055, the Agency for Enterprise Information
218 Technology shall develop an annual work plan within 60 days
219 after the beginning of the fiscal year describing the activities
220 that the agency intends to undertake for that year, including
221 proposed outcomes and completion timeframes for the planning and
222 implementation of all enterprise information technology
223 services. The work plan must be presented at a public hearing,
224 that includes the Agency Chief Information Officers Council,
225 which may review and comment on the plan. The work plan must
226 thereafter be approved by the Governor and Cabinet, and
227 submitted to the President of the Senate and the Speaker of the
228 House of Representatives. The work plan may be amended as
229 needed, subject to approval by the Governor and Cabinet.
230 Section 4. Subsection (2) of section 282.201, Florida
231 Statutes, is amended, present subsections (4) and (5) of that
232 section are renumbered as subsections (5) and (6), respectively,
233 and amended, a new subsection (4) is added to that section, to
234 read:
235 282.201 State data center system; agency duties and
236 limitations.—A state data center system that includes all
237 primary data centers, other nonprimary data centers, and
238 computing facilities, and that provides an enterprise
239 information technology service as defined in s. 282.0041, is
240 established.
241 (2) AGENCY FOR ENTERPRISE INFORMATION TECHNOLOGY DUTIES.—
242 The Agency for Enterprise Information Technology shall:
243 (a) Collect and maintain information necessary for
244 developing policies relating to the data center system,
245 including, but not limited to, an inventory of facilities.
246 (b) Annually approve cost-recovery mechanisms and rate
247 structures for primary data centers which recover costs through
248 charges to customer entities.
249 (c) By September 30 December 31 of each year, submit
250 recommendations to the Executive Office of the Governor and the
251 chairs of the legislative appropriations committees Legislature
252 recommendations to improve the efficiency and cost-effectiveness
253 effectiveness of computing services provided by state data
254 center system facilities. Such recommendations must may include,
255 but need not be limited to:
256 1. Policies for improving the cost-effectiveness and
257 efficiency of the state data center system and the associated
258 cost savings resulting from their implementation.
259 2. Infrastructure improvements supporting the consolidation
260 of facilities or preempting the need to create additional data
261 centers or computing facilities.
262 3. Standards for an objective, credible energy performance
263 rating system that data center boards of trustees can use to
264 measure state data center energy consumption and efficiency on a
265 biannual basis.
266 3.4. Uniform disaster recovery standards.
267 4.5. Standards for primary data centers which provide cost-effective
268 services and providing transparent financial data to
269 user agencies.
270 5.6. Consolidation of contract practices or coordination of
271 software, hardware, or other technology-related procurements and
272 the associated cost savings.
273 6.7. Improvements to data center governance structures.
274 (d) By October 1 of each year beginning in 2011, provide
275 recommendations 2009, recommend to the Governor and Legislature
276 relating to changes to the schedule for the consolidations of
277 state agency data centers as provided in subsection (4) at least
278 two nonprimary data centers for consolidation into a primary
279 data center or nonprimary data center facility.
280 1. The consolidation proposal must provide a transition
281 plan that includes:
282 a. Estimated transition costs for each data center or
283 computing facility recommended for consolidation;
284 b. Detailed timeframes for the complete transition of each
285 data center or computing facility recommended for consolidation;
286 c. Proposed recurring and nonrecurring fiscal impacts,
287 including increased or decreased costs and associated budget
288 impacts for affected budget entities;
289 d. Substantive legislative changes necessary to implement
290 the transition; and
291 e. Identification of computing resources to be transferred
292 and those that will remain in the agency. The transfer of
293 resources must include all hardware, software, staff, contracted
294 services, and facility resources performing data center
295 management and operations, security, backup and recovery,
296 disaster recovery, system administration, database
297 administration, system programming, job control, production
298 control, print, storage, technical support, help desk, and
299 managed services but excluding application development.
300 1.2. The recommendations must shall be based on the goal of
301 maximizing current and future cost savings. The agency shall
302 consider the following criteria for managing and coordinating in
303 selecting consolidations that maximize efficiencies by providing
304 the ability to:
305 a. Consolidate purchase decisions;
306 b. Leverage expertise and other resources to gain economies
307 of scale;
308 c. Implement state information technology policies more
309 effectively;
310 d. Maintain or improve the level of service provision to
311 customer entities; and
312 e. Make progress towards the state’s goal of consolidating
313 data centers and computing facilities into primary data centers.
314 2.3. The agency shall establish workgroups as necessary to
315 ensure participation by affected agencies in the development of
316 recommendations related to consolidations.
317 (e) By December 31, 2010, the agency shall develop and
318 submit to the Legislature an overall consolidation plan for
319 state data centers. The plan shall indicate a timeframe for the
320 consolidation of all remaining nonprimary data centers into
321 primary data centers, including existing and proposed primary
322 data centers, by 2019.
323 (e)(f) Develop and establish rules relating to the
324 operation of the state data center system which comply with
325 applicable federal regulations, including 2 C.F.R. part 225 and
326 45 C.F.R. The agency shall publish notice of rule development in
327 the Florida Administrative Weekly by October 1, 2011. The rules
328 may address:
329 1. Ensuring that financial information is captured and
330 reported consistently and accurately.
331 2. Requiring compliance with standards for hardware and
332 operations software, including security and network
333 infrastructure for the primary data centers, to enable the
334 efficient consolidation of the agency data centers or computing
335 facilities, and providing an exemption process from compliance
336 with such standards, which must be consistent with s.
337 282.203(5)(b).
338 2. Requiring the establishment of service-level agreements
339 executed between a data center and its customer entities for
340 services provided.
341 3. Requiring annual full cost recovery on an equitable
342 rational basis. The cost-recovery methodology must ensure that
343 no service is subsidizing another service and may include
344 adjusting the subsequent year’s rates as a means to recover
345 deficits or refund surpluses from a prior year.
346 4. Requiring that any special assessment imposed to fund
347 expansion is based on a methodology that apportions the
348 assessment according to the proportional benefit to each
349 customer entity.
350 5. Requiring that rebates be given when revenues have
351 exceeded costs, that rebates be applied to offset charges to
352 those customer entities that have subsidized the costs of other
353 customer entities, and that such rebates may be in the form of
354 credits against future billings.
355 6. Requiring that all service-level agreements have a
356 contract term of up to 3 years, but may include an option to
357 renew for up to 3 additional years contingent on approval by the
358 board, and require at least a 180-day notice of termination.
359 7. Designating any nonstate data center as a primary data
360 center if the center:
361 a. Has an established governance structure that represents
362 customer entities proportionally.
363 b. Maintains an appropriate cost-allocation methodology
364 that accurately bills a customer entity based on the actual
365 direct and indirect costs to the customer entity, and prohibits
366 the subsidization of one customer entity’s costs by another
367 entity.
368 c. Has sufficient raised floor space, cooling, and
369 redundant power capacity, including uninterruptible power supply
370 and backup power generation, to accommodate the computer
371 processing platforms and support necessary to host the computing
372 requirements of additional customer entities.
373 8. Removing a nonstate data center from primary data center
374 designation if the nonstate data center fails to meet standards
375 necessary to ensure that the state’s data is maintained pursuant
376 to subparagraph 7.
377 (4) SCHEDULE FOR CONSOLIDATIONS OF AGENCY DATA CENTERS.—
378 (a) Consolidations of agency data centers shall be made by
379 the date and to the specified primary data center as provided in
380 this section and in accordance with budget adjustments contained
381 in the General Appropriations Act.
382 (b) During the 2011-2012 fiscal year, the following shall
383 be consolidated into the Northwest Regional Data Center:
384 1. By December 31, 2011, the College Center for Library
385 Automation.
386 2. By December 31, 2011, the Florida Center for Library
387 Automation.
388 3. By December 31, 2011, the Department of Education,
389 including the computing services and resources of:
390 a. The Knott Data Center in the Turlington Building;
391 b. The Division of Vocational Rehabilitation;
392 c. The Division of Blind Services, except for the
393 division’s disaster recovery site in Daytona Beach;
394 d. The FCAT Explorer; and
395 e. FACTS.org.
396 (c) During the 2011-2012 fiscal year, the following shall
397 be consolidated into the Southwood Shared Resource Center:
398 1. By September 30, 2011, the Department of Corrections.
399 2. By March 31, 2012, the Department of Transportation’s
400 Burns Office Building.
401 3. By March 31, 2012, the Department of Transportation’s
402 Survey & Mapping Office.
403 (d) During the 2011-2012 fiscal year, the following shall
404 be consolidated into the Northwood Shared Resource Center:
405 1. By July 1, 2011, the Department of Transportation’s
406 Office of Motor Carrier Compliance.
407 2. By December 31, 2011, the Department of Highway Safety
408 and Motor Vehicles.
409 (e) During the 2012-2013 fiscal year, the following are
410 proposed for consolidation into the Southwood Shared Resource
411 Center:
412 1. By September 30, 2012, the Division of Emergency
413 Management and the Department of Community Affairs, except for
414 the department’s Camp Blanding Emergency Operations Center in
415 Starke.
416 2. By September 30, 2012, the Department of Revenue’s
417 Carlton and Taxworld Building L locations.
418 3. By December 31, 2012, the Department of Health’s
419 laboratories and all remaining data center resources, except for
420 the department’s Jacksonville Lab Data Center.
421 (f) During the 2012-2013 fiscal year, the following are
422 proposed for consolidation into the Northwood Shared Resource
423 Center:
424 1. By July 1, 2012, the Agency for Health Care
425 Administration.
426 2. By December 31, 2012, the Department of Environmental
427 Protection.
428 3. By March 30, 2013, the Department of Law Enforcement.
429 (g) During the 2013-2014 fiscal year, the following
430 agencies shall work with the Agency for Enterprise Information
431 Technology to begin preliminary planning for consolidation into
432 a primary data center:
433 1. The Department of the Lottery’s headquarters.
434 2. The Department of Legal Affairs.
435 3. The Fish and Wildlife Conservation Commission, except
436 for the commission’s Fish and Wildlife Research Institute in St.
437 Petersburg.
438 4. The Executive Office of the Governor.
439 5. The Department of Veterans Affairs.
440 6. The Department of Elderly Affairs.
441 7. The Department of Financial Services’ Hartman, Larson,
442 and Fletcher Building Data Centers.
443 8. The Department of Agriculture and Consumer Services’
444 Agriculture Management Information Center in the Mayo Building
445 and Division of Licensing.
446 (h) During the 2014-2015 fiscal year, the following
447 agencies shall work with the Agency for Enterprise Information
448 Technology to begin preliminary planning for consolidation into
449 a primary data center:
450 1. The Department of Health’s Jacksonville Lab Data Center.
451 2. The Department of Transportation’s district offices,
452 toll offices, and the District Materials Office.
453 3. The Department of Military Affairs’ Camp Blanding Joint
454 Training Center in Starke.
455 4. The Department of Community Affairs’ Camp Blanding
456 Emergency Operations Center in Starke.
457 5. The Department of Education’s Division of Blind Services
458 disaster recovery site in Daytona Beach.
459 6. The Department of Education’s disaster recovery site in
460 Santa Fe College.
461 7. The Department of the Lottery’s Disaster Recovery Backup
462 Data Center in Orlando.
463 8. The Fish and Wildlife Conservation Commission’s Fish and
464 Wildlife Research Institute in St. Petersburg.
465 9. The Department of Children and Family Services’ Suncoast
466 Data Center in Tampa.
467 10. The Department of Children and Family Services’ Florida
468 State Hospital in Chattahoochee.
469 (i) During the 2015-2016 fiscal year, all computing
470 resources remaining within an agency nonprimary data center or
471 computing facility shall be transferred to a primary data center
472 for consolidation unless otherwise required to remain in the
473 agency for specific business reasons. Such data centers,
474 computing facilities, and resources shall be identified by the
475 Agency for Enterprise Information Technology by October 1, 2014.
476 (j) Any agency that is consolidating agency data centers
477 into a primary data center must execute or update its existing
478 service-level agreement within 2 months after the specified
479 consolidation date, as required by s. 282.203(1)(i), in order to
480 specify the services and levels of service it is to receive from
481 the primary data center as a result of the consolidation. If an
482 agency is unable to complete and execute a service-level
483 agreement by that date, the agency shall submit a report to the
484 Executive Office of the Governor and to the chairs of the
485 legislative appropriations committees within 5 working days,
486 explaining the specific issues preventing execution and
487 describing its plan and schedule for resolving those issues.
488 (k) Beginning September 1, 2011, and every 6 months
489 thereafter until data center consolidations are complete, the
490 Agency for Enterprise Information Technology shall provide a
491 status report on the consolidations that are required to be
492 completed during the fiscal year. The report shall be submitted
493 to the Executive Office of the Governor and the chairs of the
494 legislative appropriations committees. The report must, at a
495 minimum, describe:
496 1. Whether the consolidation is on schedule, including
497 progress on achieving the milestones necessary for successful
498 and timely consolidation of scheduled agency data centers and
499 computing facilities; and
500 2. The risks that may affect the progress or outcome of the
501 consolidation and how these risks are being addressed,
502 mitigated, or managed.
503 (l) Each agency required to plan for consolidation into a
504 primary data center shall submit a draft consolidation plan to
505 the Agency for Enterprise Information Technology by September 1
506 of the fiscal year before the fiscal year in which the scheduled
507 consolidation will occur. Transition plans shall be developed in
508 consultation with the appropriate primary data centers and the
509 Agency for Enterprise Information Technology, and must include:
510 1. A recommendation as to which primary data center is most
511 appropriate for the agency’s consolidation if not the one
512 proposed;
513 2. An inventory of the agency data center’s resources being
514 consolidated, including all hardware, software, staff, and
515 contracted services, and the facility resources performing data
516 center management and operations, security, backup and recovery,
517 disaster recovery, system administration, database
518 administration, system programming, job control, production
519 control, print, storage, technical support, help desk, and
520 managed services, but excluding application development;
521 3. A description of the level of services needed to meet
522 the technical and operational requirements of the platforms
523 being consolidated;
524 4. A description of resources for computing services
525 proposed to remain in the department;
526 5. A timetable with significant milestones for the
527 completion of the consolidation;
528 6. An estimate of the agency’s current-year cost to
529 support, house, and manage the data center functions in
530 subparagraph 2.; and
531 7. The specific recurring and nonrecurring budget
532 adjustments by appropriation category that are required during
533 the year in which the data center is consolidated in order to
534 transfer sufficient budget resources into the appropriate data
535 processing category pursuant to legislative budget instructions
536 as provided by s. 216.023.
537 (m) Each primary data center shall develop a transition
538 plan for absorbing the transfer of agency data center resources
539 based upon the timetables for transition as recommended by the
540 Agency for Enterprise Information Technology. The plan shall be
541 submitted to the Agency for Enterprise Information Technology,
542 the Executive Office of the Governor, and the chairs of the
543 legislative appropriations committees by September 30 of the
544 fiscal year before the fiscal year in which the scheduled
545 consolidations will occur. Each plan must include:
546 1. An estimate of the cost to provide data center services
547 for each agency scheduled for consolidation;
548 2. A staffing plan that identifies the projected staffing
549 needs and requirements based on the estimated workload
550 identified in the agency transition plan;
551 3. The fiscal year adjustments to budget categories in
552 order to absorb the transfer of agency data center resources
553 pursuant to the legislative budget request instructions provided
554 in s. 216.023;
555 4. An analysis of the cost effects resulting from the
556 planned consolidations on existing agency customers; and
557 5. A description of any issues that must be resolved in
558 order to accomplish as efficiently and effectively as possible
559 all consolidations required during the fiscal year.
560 (n) The Agency for Enterprise Information Technology shall
561 develop a comprehensive transition plan, which shall be
562 submitted by October 15th of the fiscal year before the fiscal
563 year in which the scheduled consolidations will occur to each
564 primary data center, the Executive Office of the Governor, and
565 the chairs of the legislative appropriations committees. The
566 transition plan shall be developed in consultation with agencies
567 submitting agency transition plans and with the affected primary
568 data centers. The comprehensive transition plan must include:
569 1. Recommendations for accomplishing the proposed
570 transitions as efficiently and effectively as possible with
571 minimal disruption to customer agency business processes;
572 2. Strategies to minimize risks associated with any of the
573 proposed consolidations;
574 3. A compilation of the agency transition plans submitted
575 by agencies scheduled for consolidation for the following fiscal
576 year;
577 4. Revisions to any budget adjustments provided in the
578 agency or primary data center transition plans; and
579 5. Other revisions as appropriate, including recommended
580 changes in final primary data center destination or schedule for
581 any agency data center consolidation.
582 (o) Any data center planned for consolidation after the
583 2011-2012 fiscal year may move to a primary data center before
584 the scheduled consolidation date.
585 (5)(4) AGENCY LIMITATIONS.—
586 (a) Unless authorized by the Legislature or as provided in
587 paragraphs (b) and (c), a state agency may not:
588 1. Create a new computing facility or data center, or
589 expand the capability to support additional computer equipment
590 in an existing computing facility or nonprimary data center;
591 2. Spend funds before the agency’s scheduled consolidation
592 into a primary data center to purchase or modify hardware or
593 operations software that does not comply with hardware and
594 software standards established by the Agency for Enterprise
595 Information Technology pursuant to s. 282.202(2)(e) for the
596 efficient consolidation of the agency data centers or computing
597 facilities;
598 3.2. Transfer existing computer services to any data center
599 other than a primary nonprimary data center or computing
600 facility;
601 4.3. Terminate services with a primary data center or
602 transfer services between primary data centers without giving
603 written notice of intent to terminate or transfer services 180
604 days before such termination or transfer; or
605 5.4. Initiate a new computer service if it does not
606 currently have an internal data center except with a primary
607 data center.
608 (b) Exceptions to the limitations in subparagraphs (a)1.,
609 2., 3., and 5. 4. may be granted by the Agency for Enterprise
610 Information Technology if there is insufficient capacity in a
611 primary data center to absorb the workload associated with
612 agency computing services, if expenditures are compatible with
613 the scheduled consolidation, or if the equipment or resources
614 are needed to maintain agency data center services and cannot be
615 satisfied from surplus equipment or resources of the primary
616 data center until the agency data center is consolidated.
617 1. A request for an exception must be submitted in writing
618 to the Agency for Enterprise Information Technology. The agency
619 must accept, accept with conditions, or deny the request within
620 60 days after receipt of the written request. The agency’s
621 decision is not subject to chapter 120.
622 2. At a minimum, the agency may not approve a request
623 unless it includes:
624 a. Documentation approved by the primary data center’s
625 board of trustees which confirms that the center cannot meet the
626 capacity requirements of the agency requesting the exception
627 within the current fiscal year.
628 b. A description of the capacity requirements of the agency
629 requesting the exception.
630 c. Documentation from the agency demonstrating why it is
631 critical to the agency’s mission that the expansion or transfer
632 must be completed within the fiscal year rather than when
633 capacity is established at a primary data center.
634 (c) Exceptions to subparagraph (a)4. (a)3. may be granted
635 by the board of trustees of the primary data center if the
636 termination or transfer of services can be absorbed within the
637 current cost-allocation plan.
638 (d) Upon the termination of or transfer of agency computing
639 services from the primary data center, the primary data center
640 shall require information sufficient to determine compliance
641 with this section. If a primary data center determines that an
642 agency is in violation of this section, it shall report the
643 violation to the Agency for Enterprise Information Technology.
644 (6)(5) RULES.—The Agency for Enterprise Information
645 Technology may is authorized to adopt rules pursuant to ss.
646 120.536(1) and 120.54 to administer the provisions of this part
647 relating to the state data center system including the primary
648 data centers.
649 Section 5. Paragraphs (f) through (l) of subsection (1),
650 paragraph (a) of subsection (2), and paragraph (j) of subsection
651 (3) of section 282.203, Florida Statutes, are amended to read:
652 282.203 Primary data centers.—
653 (1) DATA CENTER DUTIES.—Each primary data center shall:
654 (f) By December 31, 2010, submit organizational plans that
655 minimize the annual recurring cost of center operations and
656 eliminate the need for state agency customers to maintain data
657 center skills and staff within their agency. The plans shall:
658 1. Establish an efficient organizational structure
659 describing the roles and responsibilities of all positions and
660 business units in the centers;
661 2. Define a human resources planning and management process
662 that shall be used to make required center staffing decisions;
663 and
664 3. Develop a process for projecting staffing requirements
665 based on estimated workload identified in customer agency
666 service level agreements.
667 (f)(g) Maintain the performance of the facility, which
668 includes ensuring proper data backup, data backup recovery, an
669 effective disaster recovery plan, and appropriate security,
670 power, cooling and fire suppression, and capacity.
671 (g)(h) Develop a business continuity plan and conduct a
672 live exercise of the plan at least annually. The plan must be
673 approved by the board and the Agency for Enterprise Information
674 Technology.
675 (h)(i) Enter into a service-level agreement with each
676 customer entity to provide services as defined and approved by
677 the board in compliance with rules of the Agency for Enterprise
678 Information Technology. A service-level agreement may not have a
679 term exceeding 3 years but may include an option to renew for up
680 to 3 years contingent on approval by the board.
681 1. A service-level agreement, at a minimum, must:
682 a. Identify the parties and their roles, duties, and
683 responsibilities under the agreement;
684 b. Identify the legal authority under which the service-level
685 agreement was negotiated and entered into by the parties;
686 c. State the duration of the contractual term and specify
687 the conditions for contract renewal;
688 d. Prohibit the transfer of computing services between
689 primary data center facilities without at least 180 days’ notice
690 of service cancellation;
691 e. Identify the scope of work;
692 f. Identify the products or services to be delivered with
693 sufficient specificity to permit an external financial or
694 performance audit;
695 g. Establish the services to be provided, the business
696 standards that must be met for each service, the cost of each
697 service, and the process by which the business standards for
698 each service are to be objectively measured and reported;
699 h. Identify applicable funds and funding streams for the
700 services or products under contract;
701 i. Provide a timely billing methodology for recovering the
702 cost of services provided to the customer entity;
703 j. Provide a procedure for modifying the service-level
704 agreement to address changes in projected costs of service;
705 k. Provide that a service-level agreement may be terminated
706 by either party for cause only after giving the other party and
707 the Agency for Enterprise Information Technology notice in
708 writing of the cause for termination and an opportunity for the
709 other party to resolve the identified cause within a reasonable
710 period; and
711 l. Provide for mediation of disputes by the Division of
712 Administrative Hearings pursuant to s. 120.573.
713 2. A service-level agreement may include:
714 a. A dispute resolution mechanism, including alternatives
715 to administrative or judicial proceedings;
716 b. The setting of a surety or performance bond for service-level
717 agreements entered into with nonstate agency primary data
718 centers established by law, which may be designated by the
719 Agency for Enterprise Information Technology; or
720 c. Additional terms and conditions as determined advisable
721 by the parties if such additional terms and conditions do not
722 conflict with the requirements of this section or rules adopted
723 by the Agency for Enterprise Information Technology.
724 3. The failure to execute a service-level agreement within
725 60 days after service commencement shall, in the case of an
726 existing customer entity, result in a continuation of the terms
727 of the service-level agreement from the prior fiscal year,
728 including any amendments that were formally proposed to the
729 customer entity by the primary data center within the 3 months
730 before service commencement, and a revised cost-of-service
731 estimate. If a new customer entity fails to execute an agreement
732 within 60 days after service commencement, the data center may
733 cease services.
734 (i)(j) Plan, design, establish pilot projects for, and
735 conduct experiments with information technology resources, and
736 implement enhancements in services if such implementation is
737 cost-effective and approved by the board.
738 (j)(k) Enter into a memorandum of understanding with the
739 agency where the data center is administratively located which
740 establishes the services to be provided by that agency to the
741 data center and the cost of such services.
742 (k)(l) Be the custodian of resources and equipment that are
743 located, operated, supported, and managed by the center for the
744 purposes of chapter 273, except for resources and equipment
745 located, operated, supported, and managed by the Northwest
746 Regional Data Center.
747 (l) Assume administrative access rights to the resources
748 and equipment, such as servers, network components, and other
749 devices that are consolidated into the primary data center.
750 1. Upon the date of each consolidation specified in s.
751 282.201, the General Appropriations Act, or the Laws of Florida,
752 each agency shall relinquish all administrative access rights to
753 such resources and equipment.
754 2. Each primary data center shall provide its customer
755 agencies with the appropriate level of access to applications,
756 servers, network components, and other devices necessary for
757 agencies to perform their core business activities and
758 functions.
759 (2) BOARD OF TRUSTEES.—Each primary data center shall be
760 headed by a board of trustees as defined in s. 20.03.
761 (a) The members of the board shall be appointed by the
762 agency head or chief executive officer of the representative
763 customer entities of the primary data center and shall serve at
764 the pleasure of the appointing customer entity. Each agency head
765 or chief executive officer may appoint an alternate member for
766 each board member appointed pursuant to this subsection.
767 1. During the first fiscal year that a state agency is to
768 consolidate its data center operations to a primary data center
769 and for the following full fiscal year, the agency shall have a
770 single trustee having one vote on the board of the state primary
771 data center where it is to consolidate, unless it is entitled in
772 the second year to a greater number of votes as provided in
773 subparagraph 3. For each of the first 2 fiscal years that a
774 center is in operation, membership shall be as provided in
775 subparagraph 3. based on projected customer entity usage rates
776 for the fiscal operating year of the primary data center.
777 However, at a minimum:
778 a. During the Southwood Shared Resource Center’s first 2
779 operating years, the Department of Transportation, the
780 Department of Highway Safety and Motor Vehicles, the Department
781 of Health, and the Department of Revenue must each have at least
782 one trustee.
783 b. During the Northwood Shared Resource Center’s first
784 operating year, the Department of State and the Department of
785 Education must each have at least one trustee.
786 2. Board After the second full year of operation,
787 membership shall be as provided in subparagraph 3. based on the
788 most recent estimate of customer entity usage rates for the
789 prior year and a projection of usage rates for the first 9
790 months of the next fiscal year. Such calculation must be
791 completed before the annual budget meeting held before the
792 beginning of the next fiscal year so that any decision to add or
793 remove board members can be voted on at the budget meeting and
794 become effective on July 1 of the subsequent fiscal year.
795 3. Each customer entity that has a projected usage rate of
796 4 percent or greater during the fiscal operating year of the
797 primary data center shall have one trustee on the board.
798 4. The total number of votes for each trustee shall be
799 apportioned as follows:
800 a. Customer entities of a primary data center whose usage
801 rate represents 4 but less than 15 percent of total usage shall
802 have one vote.
803 b. Customer entities of a primary data center whose usage
804 rate represents 15 but less than 30 percent of total usage shall
805 have two votes.
806 c. Customer entities of a primary data center whose usage
807 rate represents 30 but less than 50 percent of total usage shall
808 have three votes.
809 d. A customer entity of a primary data center whose usage
810 rate represents 50 percent or more of total usage shall have
811 four votes.
812 e. A single trustee having one vote shall represent those
813 customer entities that represent less than 4 percent of the
814 total usage. The trustee shall be selected by a process
815 determined by the board.
816 (3) BOARD DUTIES.—Each board of trustees of a primary data
817 center shall:
818 (j) Maintain the capabilities of the primary data center’s
819 facilities. Maintenance responsibilities include, but are not
820 limited to, ensuring that adequate conditioned floor space, fire
821 suppression, cooling, and power is in place; replacing aging
822 equipment when necessary; and making decisions related to data
823 center expansion and renovation, periodic upgrades, and
824 improvements that are required to ensure the ongoing suitability
825 of the facility as an enterprise data center consolidation site
826 in the state data center system. To the extent possible, the
827 board shall ensure that its approved annual cost-allocation plan
828 recovers sufficient funds from its customers to provide for
829 these needs pursuant to s. 282.201(2)(e).
830 Section 6. Section 282.204, Florida Statutes, is amended to
831 read:
832 282.204 Northwood Shared Resource Center.—The Northwood
833 Shared Resource Center is an agency established within the
834 department of Children and Family Services for administrative
835 purposes only.
836 (1) The center is a primary data center and is shall be a
837 separate budget entity that is not subject to control,
838 supervision, or direction of the department in any manner,
839 including, but not limited to, purchasing, transactions
840 involving real or personal property, personnel, or budgetary
841 matters.
842 (2) The center shall be headed by a board of trustees as
843 provided in s. 282.203, who shall comply with all requirements
844 of that section related to the operation of the center and with
845 the rules of the Agency for Enterprise Information Technology
846 related to the design and delivery of enterprise information
847 technology services.
848 Section 7. Section 282.206, Florida Statutes, is created to
849 read:
850 282.206 Northwest Regional Data Center.—The Northwest
851 Regional Data Center at Florida State University is designated
852 as a primary data center.
853 Section 8. Section 282.315, Florida Statutes, is repealed.
854 Section 9. Subsections (3) through (7) of section 282.318,
855 Florida Statutes, are amended to read:
856 282.318 Enterprise security of data and information
857 technology.—
858 (3) The Office of Information Security within the Agency
859 for Enterprise Information Technology is responsible for
860 establishing rules and publishing guidelines for ensuring an
861 appropriate level of security for all data and information
862 technology resources for executive branch agencies. The agency
863 office shall also perform the following duties and
864 responsibilities:
865 (a) Develop, and annually update by February 1, an
866 enterprise information security strategic plan that includes
867 security goals and objectives for the strategic issues of
868 information security policy, risk management, training, incident
869 management, and survivability planning.
870 (b) Develop enterprise security rules and published
871 guidelines for:
872 1. Comprehensive risk analyses and information security
873 audits conducted by state agencies.
874 2. Responding to suspected or confirmed information
875 security incidents, including suspected or confirmed breaches of
876 personal information or exempt data.
877 3. Agency security plans, including strategic security
878 plans and security program plans.
879 4. The recovery of information technology and data
880 following a disaster.
881 5. The managerial, operational, and technical safeguards
882 for protecting state government data and information technology
883 resources.
884 (c) Assist agencies in complying with the provisions of
885 this section.
886 (d) Pursue appropriate funding for the purpose of enhancing
887 domestic security.
888 (e) Provide training for agency information security
889 managers.
890 (f) Annually review the strategic and operational
891 information security plans of executive branch agencies.
892 (4) To assist the Agency for Enterprise Information
893 Technology Office of Information Security in carrying out its
894 responsibilities, each agency head shall, at a minimum:
895 (a) Designate an information security manager to administer
896 the security program of the agency for its data and information
897 technology resources. This designation must be provided annually
898 in writing to the Agency for Enterprise Information Technology
899 office by January 1.
900 (b) Submit to the Agency for Enterprise Information
901 Technology office annually by July 31, the agency’s strategic
902 and operational information security plans developed pursuant to
903 the rules and guidelines established by the Agency for
904 Enterprise Information Technology office.
905 1. The agency strategic information security plan must
906 cover a 3-year period and define security goals, intermediate
907 objectives, and projected agency costs for the strategic issues
908 of agency information security policy, risk management, security
909 training, security incident response, and survivability. The
910 plan must be based on the enterprise strategic information
911 security plan created by the Agency for Enterprise Information
912 Technology office. Additional issues may be included.
913 2. The agency operational information security plan must
914 include a progress report for the prior operational information
915 security plan and a project plan that includes activities,
916 timelines, and deliverables for security objectives that,
917 subject to current resources, the agency will implement during
918 the current fiscal year. The cost of implementing the portions
919 of the plan which cannot be funded from current resources must
920 be identified in the plan.
921 (c) Conduct, and update every 3 years, a comprehensive risk
922 analysis to determine the security threats to the data,
923 information, and information technology resources of the agency.
924 The risk analysis information is confidential and exempt from
925 the provisions of s. 119.07(1), except that such information
926 shall be available to the Auditor General and the Agency for
927 Enterprise Information Technology for performing postauditing
928 duties.
929 (d) Develop, and periodically update, written internal
930 policies and procedures, which include procedures for notifying
931 the Agency for Enterprise Information Technology office when a
932 suspected or confirmed breach, or an information security
933 incident, occurs. Such policies and procedures must be
934 consistent with the rules and guidelines established by the
935 Agency for Enterprise Information Technology office to ensure
936 the security of the data, information, and information
937 technology resources of the agency. The internal policies and
938 procedures that, if disclosed, could facilitate the unauthorized
939 modification, disclosure, or destruction of data or information
940 technology resources are confidential information and exempt
941 from s. 119.07(1), except that such information shall be
942 available to the Auditor General and the Agency for Enterprise
943 Information Technology for performing postauditing duties.
944 (e) Implement appropriate cost-effective safeguards to
945 address identified risks to the data, information, and
946 information technology resources of the agency.
947 (f) Ensure that periodic internal audits and evaluations of
948 the agency’s security program for the data, information, and
949 information technology resources of the agency are conducted.
950 The results of such audits and evaluations are confidential
951 information and exempt from s. 119.07(1), except that such
952 information shall be available to the Auditor General and the
953 Agency for Enterprise Information Technology for performing
954 postauditing duties.
955 (g) Include appropriate security requirements in the
956 written specifications for the solicitation of information
957 technology and information technology resources and services,
958 which are consistent with the rules and guidelines established
959 by the Agency for Enterprise Information Technology office.
960 (h) Provide security awareness training to employees and
961 users of the agency’s communication and information resources
962 concerning information security risks and the responsibility of
963 employees and users to comply with policies, standards,
964 guidelines, and operating procedures adopted by the agency to
965 reduce those risks.
966 (i) Develop a process for detecting, reporting, and
967 responding to suspected or confirmed security incidents,
968 including suspected or confirmed breaches consistent with the
969 security rules and guidelines established by the Agency for
970 Enterprise Information Technology office.
971 1. Suspected or confirmed information security incidents
972 and breaches must be immediately reported to the Agency for
973 Enterprise Information Technology office.
974 2. For incidents involving breaches, agencies shall provide
975 notice in accordance with s. 817.5681 and to the Agency for
976 Enterprise Information Technology office in accordance with this
977 subsection.
978 (5) Each state agency shall include appropriate security
979 requirements in the specifications for the solicitation of
980 contracts for procuring information technology or information
981 technology resources or services which are consistent with the
982 rules and guidelines established by the Agency for Enterprise
983 Information Technology Office of Information Security.
984 (6) The Agency for Enterprise Information Technology may
985 adopt rules relating to information security and to administer
986 the provisions of this section.
987 (7) By December 31, 2010, the Agency for Enterprise
988 Information Technology shall develop, and submit to the
989 Governor, the President of the Senate, and the Speaker of the
990 House of Representatives a proposed implementation plan for
991 information technology security. The agency shall describe the
992 scope of operation, conduct costs and requirements analyses,
993 conduct an inventory of all existing security information
994 technology resources, and develop strategies, timeframes, and
995 resources necessary for statewide migration.
996 Section 10. Subsections (3) and (4) of section 282.33,
997 Florida Statutes, are amended to read:
998 282.33 Objective standards for data center energy
999 efficiency.—
1000 (2) State shared resource data centers and other data
1001 centers that the Agency for Enterprise Information Technology
1002 has determined will be recipients for consolidating data
1003 centers, which are designated by the Agency for Enterprise
1004 Information Technology, shall evaluate their data center
1005 facilities for energy efficiency using the standards established
1006 in this section.
1007 (a) Results of these evaluations shall be reported to the
1008 Agency for Enterprise Information Technology, the President of
1009 the Senate, and the Speaker of the House of Representatives.
1010 Reports shall enable the tracking of energy performance over
1011 time and comparisons between facilities.
1012 (b) Beginning By December 31, 2010, and every 3 years
1013 biennially thereafter, the Agency for Enterprise Information
1014 Technology shall submit to the Legislature recommendations for
1015 reducing energy consumption and improving the energy efficiency
1016 of state primary data centers.
1017 (3) The primary means of achieving maximum energy savings
1018 across all state data centers and computing facilities shall be
1019 the consolidation of data centers and computing facilities as
1020 determined by the Agency for Enterprise Information Technology.
1021 State data centers and computing facilities in the state data
1022 center system shall be established as an enterprise information
1023 technology service as defined in s. 282.0041. The Agency for
1024 Enterprise Information Technology shall make recommendations on
1025 consolidating state data centers and computing facilities,
1026 pursuant to s. 282.0056, by December 31, 2009.
1027 (3)(4) If When the total cost of ownership of an energy-efficient
1028 product is less than or equal to the cost of the
1029 existing data center facility or infrastructure, technical
1030 specifications for energy-efficient products should be
1031 incorporated in the plans and processes for replacing,
1032 upgrading, or expanding data center facilities or
1033 infrastructure, including, but not limited to, network, storage,
1034 or computer equipment and software.
1035 Section 11. Subsections (4) through (11) of section 282.34,
1036 Florida Statutes, are amended to read:
1037 282.34 Statewide e-mail service.—A state e-mail system that
1038 includes the delivery and support of e-mail, messaging, and
1039 calendaring capabilities is established as an enterprise
1040 information technology service as defined in s. 282.0041. The
1041 service shall be designed to meet the needs of all executive
1042 branch agencies. The primary goals of the service are to
1043 minimize the state investment required to establish, operate,
1044 and support the statewide service; reduce the cost of current e-mail
1045 operations and the number of duplicative e-mail systems;
1046 and eliminate the need for each state agency to maintain its own
1047 e-mail staff.
1048 (4) All agencies must be completely migrated to the
1049 statewide e-mail service as soon as financially and
1050 operationally feasible, but no later than December 31, 2012 June
1051 30, 2015.
1052 (a) The Agency for Enterprise Information Technology, in
1053 consultation with the Southwood Shared Resource Center and the
1054 statewide e-mail service provider, shall establish a schedule
1055 for the following statewide e-mail service implementation
1056 schedule if different from the schedule provided in this
1057 subsection. is established for state agencies:
1058 1. Phase 1.—The following agencies must be completely
1059 migrated to the statewide e-mail system by June 30, 2012: the
1060 Agency for Enterprise Information Technology; the Agency for
1061 Persons With Disabilities; the Department of Business and
1062 Professional Regulation; the Department of Children and Family
1063 Services; the Department of Education, including the Board of
1064 Governors; the Department of Elderly Affairs; the Department of
1065 Citrus; the Department of Community Affairs, including the
1066 Division of Emergency Management; the Department of Corrections;
1067 the Department of Health; the Department of Highway Safety and
1068 Motor Vehicles; the Department of Management Services, including
1069 the Division of Administrative Hearings, the Division of
1070 Retirement, the Commission on Human Relations, the Northwood
1071 Shared Resource Center, and the Public Employees Relations
1072 Commission; the Southwood Shared Resource Center; the Department
1073 of State; the Department of Transportation; and the Department
1074 of Revenue.
1075 2. Phase 2.—The following agencies must be completely
1076 migrated to the statewide e-mail system by December 31, 2012
1077 June 30, 2013: the Agency for Health Care Administration; the
1078 Agency for Workforce Innovation; the Executive Office of the
1079 Governor, including the Office of Emergency Management; the
1080 Department of Community Affairs, the Department of Agriculture
1081 and Consumer Services; the Department of Financial Services,
1082 including the Office of Financial Regulation and the Office of
1083 Insurance Regulation; the Fish and Wildlife Conservation
1084 Commission; the State Board of Administration; the Department of
1085 Corrections the Department of Business and Professional
1086 Regulation; the Department of Education, including the Board of
1087 Governors; the Department of Environmental Protection; the
1088 Department of Juvenile Justice; the Department of the Lottery;
1089 the Department of State; the Department of Law Enforcement; the
1090 Department of Veterans’ Affairs; the Judicial Administration
1091 Commission; the Public Service Commission; and the Statewide
1092 Guardian Ad Litem Office.
1093 3. Phase 3.—The following agencies must be completely
1094 migrated to the statewide e-mail system by June 30, 2014: the
1095 Agency for Health Care Administration; the Agency for Workforce
1096 Innovation; the Department of Financial Services, including the
1097 Office of Financial Regulation and the Office of Insurance
1098 Regulation; the Department of Agriculture and Consumer Services;
1099 the Executive Office of the Governor; the Department of
1100 Transportation; the Fish and Wildlife Conservation Commission;
1101 the Agency for Persons With Disabilities; the Northwood Shared
1102 Resource Center; and the State Board of Administration.
1103 4. Phase 4.—The following agencies must be completely
1104 migrated to the statewide e-mail system by June 30, 2015: the
1105 Department of Children and Family Services; the Department of
1106 Citrus; the Department of Elderly Affairs; and the Department of
1107 Legal Affairs.
1108 (b) Agency requests to modify their scheduled implementing
1109 date must be submitted in writing to the Agency for Enterprise
1110 Information Technology. Any exceptions or modifications to the
1111 schedule must be approved by the Agency for Enterprise
1112 Information Technology based only on the following criteria:
1113 1. Avoiding nonessential investment in agency e-mail
1114 hardware or software refresh, upgrade, or replacement.
1115 2. Avoiding nonessential investment in new software or
1116 hardware licensing agreements, maintenance or support
1117 agreements, or e-mail staffing for current e-mail systems.
1118 3. Resolving known agency e-mail problems through migration
1119 to the statewide e-mail service.
1120 4. Accommodating unique agency circumstances that require
1121 an acceleration or delay of the implementation date.
1122 (5) In order to develop the implementation plan for the
1123 statewide e-mail service, the Agency for Enterprise Information
1124 Technology shall establish and coordinate a statewide e-mail
1125 project team. The agency shall also consult with and, as
1126 necessary, form workgroups consisting of agency e-mail
1127 management staff, agency chief information officers, agency
1128 budget directors, and other administrative staff. The statewide
1129 e-mail implementation plan must be submitted to the Governor,
1130 the President of the Senate, and the Speaker of the House of
1131 Representatives by July 1, 2011, or 120 calendar days after the
1132 contract for statewide e-mail services is signed, whichever is
1133 later.
1134 (6) Unless authorized by the Legislature or as provided in
1135 subsection (7), a state agency may not:
1136 (a) Initiate a new e-mail service or execute a new e-mail
1137 contract or new e-mail contract amendment for nonessential
1138 products or services with any entity other than the provider of
1139 the statewide e-mail service;
1140 (b) Purchase equipment or make expenditures to expand,
1141 support, or enhance an existing agency e-mail service Terminate
1142 a statewide e-mail service without giving written notice of
1143 termination 180 days in advance; or
1144 (c) Transfer e-mail system services from the provider of
1145 the statewide e-mail service.
1146 (7) Exceptions to paragraphs (6)(a), (b), and (c) may be
1147 granted by the Agency for Enterprise Information Technology only
1148 if the Southwood Shared Resource Center is unable to meet agency
1149 business requirements or provide the necessary equipment,
1150 resources, or support for the agency e-mail service, and if such
1151 requirements are essential to maintain agency operations.
1152 Requests for exceptions must be submitted in writing to the
1153 Agency for Enterprise Information Technology and include
1154 documented confirmation by the Southwood Shared Resource Center
1155 board of trustees that it cannot meet the requesting agency’s e-
1156 mail service requirements.
1157 (8) Each agency shall include the budget issues necessary
1158 for migrating to the statewide e-mail service in its legislative
1159 budget request before the first full year it is scheduled to
1160 migrate to the statewide service in accordance with budget
1161 instructions developed pursuant to s. 216.023.
1162 (9) The Agency for Enterprise Information Technology shall
1163 adopt rules to standardize the format for state agency e-mail
1164 addresses, ensure the sufficiency and transparency of financial
1165 information relating to the enterprise e-mail service, and
1166 establish a process to resolve complaints from state agency
1167 customers regarding the scope, cost, and provision of the
1168 statewide e-mail service.
1169 (10) State agencies must fully cooperate with the Agency
1170 for Enterprise Information Technology in the performance of its
1171 responsibilities established in this section.
1172 (11) The Agency for Enterprise Information Technology may
1173 approve shall recommend changes to an agency’s scheduled date
1174 for migration to the statewide e-mail service pursuant to this
1175 section, annually by December 31, until migration to the
1176 statewide service is complete.
1177 Section 12. Section 282.35, Florida Statutes, is created to
1178 read:
1179 282.35 Statewide desktop service.—A state desktop service
1180 that includes the service delivery and support to enable the use
1181 of standard office automation functions is established as an
1182 enterprise information technology service. The service shall be
1183 designed to meet the needs of all executive branch agencies and
1184 reduce the current cost of operation and support.
1185 (1) The department shall be the provider of the statewide
1186 desktop service. The primary goals of the service are to
1187 minimize the state investment required to establish, operate,
1188 and support the statewide desktop service; reduce the cost of
1189 current desktop operations and the number of duplicative desktop
1190 management systems; and eliminate the need for each state agency
1191 to maintain its own desktop support staff. The department shall
1192 centrally host, manage, and provide desktop services to achieve
1193 these goals.
1194 (2) By December 31, 2011, the Agency for Enterprise
1195 Information Technology shall submit a proposed plan for the
1196 establishment of the desktop service to the Governor, the
1197 President of the Senate, and the Speaker of the House of
1198 Representatives. The plan shall be developed to reduce costs to
1199 the state and must, at a minimum, include:
1200 (a) An analysis of the in-house and external sourcing
1201 options that should be considered for delivery and support of
1202 the service. At a minimum, the analysis must include a lease
1203 option, a seat management option, hosted virtual desktop option,
1204 and, if technically and operationally beneficial, a combined in-
1205 house and external sourcing option.
1206 (b) Estimated expenditures for desktop services in each
1207 state agency for the 2011-2012 fiscal year.
1208 (c) A cost-benefit analysis that estimates all major cost
1209 elements associated with each sourcing option, including the
1210 nonrecurring and recurring costs of each option. The analysis
1211 must also include a comparison of the total cost of existing
1212 desktop services with the total cost of each sourcing option for
1213 desktop services in order to determine the level of savings
1214 which can be expected.
1215 (d) A complete description of the scope of functionality,
1216 service requirements, operations and management processes, and
1217 required resources, standards, and governance associated with
1218 each sourcing option.
1219 (e) A concise analysis of the ability of each sourcing
1220 option to provide needed functionality and meet major service
1221 requirements, including federal and state requirements for
1222 confidentiality, privacy, security, and records retention.
1223 (f) A reliable schedule for migrating all state agency
1224 desktop resources to the new service beginning no later than
1225 July 1, 2013, and completing by June 30, 2015.
1226 (3) In order to develop the recommended plan for the new
1227 system, the Agency for Enterprise Information Technology shall
1228 consult with, and, as necessary, form workgroups consisting of,
1229 agency program management staff, agency chief information
1230 officers, and agency budget directors. State agencies must
1231 cooperate with the Agency for Enterprise Technology in its
1232 development of the plan.
1233 (4) Unless authorized by the Legislature or as provided in
1234 subsection (5), a state agency may not:
1235 (a) Initiate a new desktop service with any entity other
1236 than the provider of the statewide desktop service;
1237 (b) Terminate a statewide desktop service without giving
1238 written notice of termination 180 days in advance; or
1239 (c) Transfer desktop services from the provider of the
1240 statewide desktop service.
1241 (5) Exceptions to paragraphs (4)(a), (b), and (c) may be
1242 granted by the Agency for Enterprise Information Technology only
1243 if the department is unable to meet agency desktop service
1244 requirements. Requests for exceptions must be submitted in
1245 writing to the Agency for Enterprise Information Technology and
1246 must include confirmation by the secretary of the department
1247 that the department cannot meet the requesting agency’s desktop
1248 service requirements.
1249 Section 13. Paragraph (a) of subsection (2), paragraph (h)
1250 of subsection (3), paragraph (b) of subsection (4), and
1251 subsection (15) of section 287.042, Florida Statutes, are
1252 amended to read:
1253 287.042 Powers, duties, and functions.—The department shall
1254 have the following powers, duties, and functions:
1255 (2)(a) To establish purchasing agreements and procure state
1256 term contracts for commodities and contractual services,
1257 pursuant to s. 287.057, under which state agencies shall, and
1258 eligible users may, make purchases pursuant to s. 287.056. The
1259 department may restrict purchases from some term contracts to
1260 state agencies only for those term contracts where the inclusion
1261 of other governmental entities will have an adverse effect on
1262 competition or to those federal facilities located in this
1263 state. The department may adopt rules establishing the
1264 conditions under which an agency may be exempted from using a
1265 state term contract or purchasing agreement if the department
1266 determines that the use of such exemption is in the best
1267 interest of the state. In such planning or purchasing the Office
1268 of Supplier Diversity may monitor to ensure that opportunities
1269 are afforded for contracting with minority business enterprises.
1270 The department, for state term contracts, and all agencies, for
1271 multiyear contractual services or term contracts, shall explore
1272 reasonable and economical means to utilize certified minority
1273 business enterprises. Purchases by any county, municipality,
1274 private nonprofit community transportation coordinator
1275 designated pursuant to chapter 427, while conducting business
1276 related solely to the Commission for the Transportation
1277 Disadvantaged, or other local public agency under the provisions
1278 in the state purchasing contracts, and purchases, from the
1279 corporation operating the correctional work programs, of
1280 products or services that are subject to paragraph (1)(f), are
1281 exempt from the competitive solicitation requirements otherwise
1282 applying to their purchases.
1283 (3) To establish a system of coordinated, uniform
1284 procurement policies, procedures, and practices to be used by
1285 agencies in acquiring commodities and contractual services,
1286 which shall include, but not be limited to:
1287 (h) The development, in consultation with the Agency Chief
1288 Information Officers Council, of procedures to be used by state
1289 agencies when procuring information technology commodities and
1290 contractual services that to ensure compliance with public
1291 records requirements and records retention and archiving
1292 requirements.
1293 (4)
1294 (b) To prescribe, in consultation with the Agency Chief
1295 Information Officers Council, procedures for procuring
1296 information technology and information technology consultant
1297 services that which provide for public announcement and
1298 qualification, competitive solicitations, contract award, and
1299 prohibition against contingent fees. Such procedures are shall
1300 be limited to information technology consultant contracts for
1301 which the total project costs, or planning or study activities,
1302 are estimated to exceed the threshold amount provided for in s.
1303 287.017, for CATEGORY TWO.
1304 (15) To initiate or enter into joint agreements with
1305 governmental agencies, as defined in s. 163.3164(10), for the
1306 purpose of pooling funds for the purchase of commodities or
1307 information technology that can be used by multiple agencies.
1308 (a) Each agency that has been appropriated or has existing
1309 funds for such purchase, shall, upon contract award by the
1310 department, transfer their portion of the funds into the
1311 department’s Operating Trust Fund for payment by the department.
1312 The funds shall be transferred by the Executive Office of the
1313 Governor pursuant to the agency budget amendment request
1314 provisions under in chapter 216.
1315 (b) Agencies that sign the joint agreements are financially
1316 obligated for their portion of the agreed-upon funds. If an
1317 agency becomes more than 90 days delinquent in paying the funds,
1318 the department shall certify to the Chief Financial Officer the
1319 amount due, and the Chief Financial Officer shall transfer the
1320 amount due to the Operating Trust Fund of the department from
1321 any of the agency’s available funds. The Chief Financial Officer
1322 shall report these transfers and the reasons for the transfers
1323 to the Executive Office of the Governor and the legislative
1324 appropriations committees.
1325 Section 14. Section 287.056, Florida Statutes, is amended
1326 to read:
1327 287.056 Purchases from purchasing agreements and state term
1328 contracts.—
1329 (1) Agencies shall, and eligible users may, purchase
1330 commodities and contractual services from purchasing agreements
1331 established and state term contracts procured by the department,
1332 pursuant to s. 287.057, by the department. The department may
1333 adopt rules establishing the conditions under which an agency
1334 may be exempted from using a state term contract or purchasing
1335 agreement if the department determines that the use of such
1336 exemption is in the best interest of the state. Each agency
1337 agreement made under this subsection shall include:
1338 (a) A provision specifying a scope of work that clearly
1339 establishes all tasks that the contractor is required to
1340 perform.
1341 (b) A provision dividing the contract into quantifiable,
1342 measurable, and verifiable units of deliverables that must be
1343 received and accepted in writing by the contract manager before
1344 payment. Each deliverable must be directly related to the scope
1345 of work and specify the required minimum level of service to be
1346 performed and the criteria for evaluating the successful
1347 completion of each deliverable.
1348 (2) Agencies may have the option to purchase commodities or
1349 contractual services from state term contracts procured,
1350 pursuant to s. 287.057, by the department.
1351 (2)(3) Agencies and eligible users may use a request for
1352 quote to obtain written pricing or services information from a
1353 state term contract vendor for commodities or contractual
1354 services available on state term contract from that vendor. The
1355 purpose of a request for quote is to determine whether a price,
1356 term, or condition more favorable to the agency or eligible user
1357 than that provided in the state term contract is available. Use
1358 of a request for quote does not constitute a decision or
1359 intended decision that is subject to protest under s. 120.57(3).
1360 Section 15. Subsections (14) and (17) of section 287.057,
1361 Florida Statutes, are amended to read:
1362 287.057 Procurement of commodities or contractual
1363 services.—
1364 (14) For each contractual services contract, the agency
1365 shall designate an employee to function as contract manager who
1366 shall be responsible for enforcing performance of the contract
1367 terms and conditions and serve as a liaison with the contractor.
1368 Each contract manager who is responsible for contracts in excess
1369 of the threshold amount for CATEGORY TWO must attend training
1370 conducted by the Chief Financial Officer for accountability in
1371 contracts and grant management. The Chief Financial Officer
1372 shall establish and disseminate uniform procedures pursuant to
1373 s. 17.03(3) to ensure that contractual services have been
1374 rendered in accordance with the contract terms before the agency
1375 processes the invoice for payment. The procedures shall include,
1376 but need not be limited to, procedures for monitoring and
1377 documenting contractor performance, reviewing and documenting
1378 all deliverables for which payment is requested by vendors, and
1379 providing written certification by contract managers of the
1380 agency’s receipt of goods and services. The Department shall
1381 adopt rules to be used by agencies to manage contracts.
1382 (17)(a)1. Each agency must avoid, neutralize, or mitigate
1383 significant potential organizational conflicts of interest
1384 before a contract is awarded.
1385 1. If the agency elects to mitigate the significant
1386 potential organizational conflict or conflicts of interest, an
1387 adequate mitigation plan, including organizational, physical,
1388 and electronic barriers, shall be developed.
1389 2. If a conflict cannot be avoided or mitigated, an agency
1390 may proceed with the contract award if the agency head certifies
1391 that the award is in the best interests of the state. The agency
1392 head must specify in writing the basis for the certification.
1393 (b)1. An agency head may not proceed with a contract award
1394 under subparagraph (a)2. if a conflict of interest is based upon
1395 the vendor gaining an unfair competitive advantage.
1396 2. An unfair competitive advantage exists if when the
1397 vendor competing for the award of a contract obtained:
1398 1.a. Access to information that is not available to the
1399 public and would assist the vendor in obtaining the contract; or
1400 2.b. Source selection information that is relevant to the
1401 contract but is not available to all competitors and that would
1402 assist the vendor in obtaining the contract.
1403 (c) A person who receives a contract that has not been
1404 procured pursuant to subsections (1)-(3) to perform a
1405 feasibility study of the potential implementation of a
1406 subsequent contract, who participates in the drafting of a
1407 solicitation or who develops a program for future
1408 implementation, is not eligible to contract with the agency for
1409 any other contracts dealing with that specific subject matter,
1410 and any firm in which such person has any interest is not
1411 eligible to receive such contract. However, this prohibition
1412 does not prevent a vendor who responds to a request for
1413 information from being eligible to contract with an agency.
1414 Section 16. Section 45 of chapter 2010-151, Laws of
1415 Florida, is amended to read:
1416 Section 45. Contracts for academic program reviews,
1417 auditing services, health services, or Medicaid services are
1418 subject to the transaction or user fees imposed under ss.
1419 287.042(1)(h) and 287.057(22), Florida Statutes, only to the
1420 extent that such contracts were not subject to such transaction
1421 or user fees before July 1, 2010.
1422 Section 17. The Agency for Enterprise Information
1423 Technology is transferred by a type one transfer, as defined in
1424 s. 20.06(1), Florida Statutes, from the Executive Office of the
1425 Governor to the Department of Management Services.
1426 Section 18. The Northwood Shared Resource Center is
1427 transferred by a type one transfer, as defined in s. 20.06(1),
1428 Florida Statutes, from the Department of Children and Family
1429 Services to the Department of Management Services.
1430 Section 19. The Agency for Enterprise Information
1431 Technology, in coordination with the Southwood Shared Resource
1432 Center, shall provide a written status report to the Executive
1433 Office of the Governor and to the chairs of the legislative
1434 appropriations committees detailing the progress made by the
1435 agencies required to migrate, pursuant to s. 282.34(4)(a)1.,
1436 Florida Statutes, to the statewide e-mail service by June 30,
1437 2012. The status report must be provided every 6 months,
1438 beginning September 1, 2011, until implementation is complete.
1439 Section 20. This act shall take effect July 1, 2011.