SB 2098 Second Engrossed
20112098e2
1 A bill to be entitled
2 An act relating to the consolidation of state
3 information technology services; amending s. 14.204,
4 F.S.; revising the duties of the Agency for Enterprise
5 Information Technology; deleting references to the
6 Office of Information Security and the Agency Chief
7 Information Officers Council; amending s. 20.315,
8 F.S.; requiring that the Department of Corrections’
9 Office of Information Technology manage the
10 department’s data system; amending s. 282.0041, F.S.;
11 revising definitions; amending s. 282.0056, F.S.;
12 revising provisions relating to the agency’s annual
13 work plan; amending s. 282.201, F.S.; revising the
14 duties of the agency; requiring the agency to submit
15 certain recommendations to the Legislature, the
16 Executive Office of the Governor, and the primary data
17 centers; deleting obsolete provisions; conforming
18 provisions to changes made by the act; providing a
19 schedule for the consolidations of state agency data
20 centers; requiring agencies to update their service
21 level agreements and to develop consolidation plans;
22 requiring the Agency for Enterprise Information
23 Technology to submit a status report to the Governor
24 and Legislature and to develop a comprehensive
25 transition plan; requiring primary data centers to
26 develop transition plans; revising agency limitations
27 relating to technology services; amending s. 282.203,
28 F.S.; deleting obsolete provisions; revising duties of
29 primary data centers relating to state agency
30 resources and equipment relinquished to the centers;
31 requiring state agencies to relinquish all
32 administrative access rights to certain resources and
33 equipment upon consolidation; providing for the
34 appointment of alternate board members; revising
35 provisions relating to state agency representation on
36 data center boards; conforming a cross-reference;
37 amending s. 282.204, F.S.; establishing the Northwood
38 Shared Resource Center in the Department of Management
39 Services rather than the Department of Children and
40 Family Services; repealing s. 282.3055, F.S.,
41 requiring each agency to appoint an agency chief
42 information officer; repealing s. 282.315, F.S.,
43 relating to the Agency Chief Information Officers
44 Council; amending s. 282.318, F.S.; deleting
45 references to the Office of Information Security with
46 respect to responsibility for enterprise security;
47 deleting obsolete provisions; amending s. 282.33,
48 F.S.; deleting an obsolete provision; revising the
49 schedule for the Agency for Enterprise Information
50 Technology to submit certain recommendations to the
51 Legislature; amending s. 282.34, F.S.; revising
52 provisions relating to the statewide e-mail service;
53 deleting the schedule and requiring the agency to
54 develop and submit a plan to the Legislative Budget
55 Commission for the migration of state agencies to the
56 service; specifying what the plan must include;
57 prohibiting state agencies from executing contracts
58 for certain e-mail services; requiring the development
59 of an implementation plan; requiring state agencies to
60 provide all information necessary for the
61 implementation plan; amending ss. 287.042, F.S.;
62 conforming provisions to changes made by the act;
63 transferring the Northwood Shared Resource Center to
64 the Department of Management Services; requiring the
65 agency to coordinate with the Southwood Shared
66 Resource Center to provide a status report to the
67 Executive Office of the Governor and to the
68 Legislature; providing an effective date.
69
70 Be It Enacted by the Legislature of the State of Florida:
71
72 Section 1. Subsections (4), (5), and (6) of section 14.204,
73 Florida Statutes, are amended to read:
74 14.204 Agency for Enterprise Information Technology.—The
75 Agency for Enterprise Information Technology is created within
76 the Executive Office of the Governor.
77 (4) The agency shall have the following duties and
78 responsibilities:
79 (a) Develop strategies for the design, planning, project
80 management, delivery, and management of the enterprise
81 information technology services established in law, including
82 the state data center system service established in s. 282.201,
83 the information technology security service established in s.
84 282.318, and the statewide e-mail service established in s.
85 282.34.
86 (b) Monitor the implementation, delivery, and management of
87 the enterprise information technology services as established in
88 law.
89 (c) Make recommendations to the agency head and the
90 Legislature concerning other information technology services
91 that should be designed, delivered, and managed as enterprise
92 information technology services as defined in s. 282.0041.
93 (d) Plan and establish policies for managing proposed
94 statutorily authorized enterprise information technology
95 services, which includes:
96 1. Developing business cases that, when applicable, include
97 the components identified in s. 287.0571;
98 2. Establishing and coordinating project-management teams;
99 3. Establishing formal risk-assessment and mitigation
100 processes; and
101 4. Providing for independent monitoring of projects for
102 recommended corrective actions.
103 (e) Beginning October 1, 2010, Develop, publish, and
104 biennially update a long-term strategic enterprise information
105 technology plan that identifies and recommends strategies and
106 opportunities to improve the delivery of cost-effective and
107 efficient enterprise information technology services to be
108 proposed for establishment pursuant to s. 282.0056.
109 (f) Perform duties related to enterprise information
110 technology services, including the state data center system
111 established in as provided in s. 282.201, the information
112 technology security service established in s. 282.318, and the
113 statewide e-mail service established in s. 282.34.
114 (g) Coordinate technology resource acquisition planning,
115 and assist the Department of Management Service’s Division of
116 Purchasing with using aggregate buying methodologies whenever
117 possible and with procurement negotiations for hardware and
118 software products and services in order to improve the
119 efficiency and reduce the cost of enterprise information
120 technology services.
121 (h) In consultation with the Division of Purchasing in the
122 Department of Management Services, coordinate procurement
123 negotiations for information technology products as defined in
124 s. 282.0041 which will be used by multiple agencies.
125 (i) In coordination with, and through the services of, the
126 Division of Purchasing in the Department of Management Services,
127 establish best practices for the procurement of information
128 technology products as defined in s. 282.0041 in order to
129 achieve savings for the state.
130 (j) Develop information technology standards for the
131 efficient design, planning, project management, implementation,
132 and delivery of enterprise information technology services. All
133 state agencies must make the transition to the new standards.
134 (k) Provide annually, by December 31, recommendations to
135 the Legislature relating to techniques for consolidating the
136 purchase of information technology commodities and services,
137 which result in savings for the state, and for establishing a
138 process to achieve savings through consolidated purchases.
139 (5) The Office of Information Security shall be created
140 within the agency. The agency shall designate a state Chief
141 Information Security Officer who shall oversee the office and
142 report directly to the executive director.
143 (6) The agency shall operate in a manner that ensures the
144 participation and representation of state agencies and the
145 Agency Chief Information Officers Council established in s.
146 282.315.
147 Section 2. Subsection (10) of section 20.315, Florida
148 Statutes, is amended to read:
149 20.315 Department of Corrections.—There is created a
150 Department of Corrections.
151 (10) SINGLE INFORMATION AND RECORDS SYSTEM.—There shall be
152 Only one offender-based information and records computer system
153 shall be maintained by the Department of Corrections for the
154 joint use of the department and the Parole Commission. The This
155 data system shall be managed through the department’s office of
156 information technology Justice Data Center. The department shall
157 develop and maintain, in consultation with the Criminal and
158 Juvenile Justice Information Systems Council under s. 943.08,
159 such offender-based information, including clemency
160 administration information and other computer services to serve
161 the needs of both the department and the Parole Commission. The
162 department shall notify the commission of all violations of
163 parole and the circumstances thereof.
164 Section 3. Present subsections (4) through (30) of section
165 282.0041, Florida Statutes, are redesignated as subsections (2)
166 through (28), respectively, and present subsections (2), (3),
167 (14), and (19) of that section are amended, to read:
168 282.0041 Definitions.—As used in this chapter, the term:
169 (2) “Agency chief information officer” means the person
170 employed by the agency head to coordinate and manage the
171 information technology functions and responsibilities applicable
172 to that agency, to participate and represent the agency in
173 developing strategies for implementing enterprise information
174 technology services established pursuant to this part, and to
175 develop recommendations for enterprise information technology
176 policy.
177 (3) “Agency Chief Information Officers Council” means the
178 council created in s. 282.315.
179 (12)(14) “E-mail, messaging, and calendaring service” means
180 the enterprise information technology service that enables users
181 to send, receive, file, store, manage, and retrieve electronic
182 messages, attachments, appointments, and addresses. The e-mail,
183 messaging, and calendaring service must include e-mail account
184 management; help desk; technical support and user provisioning
185 services; disaster recovery and backup and restore capabilities;
186 antispam and antivirus capabilities; archiving and e-discovery;
187 and remote access and mobile messaging capabilities.
188 (17)(19) “Primary data center” means a state or nonstate
189 agency data center that is a recipient entity for consolidation
190 of nonprimary data centers and computing facilities and that is
191 established by. A primary data center may be authorized in law
192 or designated by the Agency for Enterprise Information
193 Technology pursuant to s. 282.201.
194 Section 4. Subsection (1) of section 282.0056, Florida
195 Statutes, is amended to read:
196 282.0056 Development of work plan; development of
197 implementation plans; and policy recommendations.—
198 (1) For the purposes of carrying out its responsibilities
199 under s. 282.0055, the Agency for Enterprise Information
200 Technology shall develop an annual work plan within 60 days
201 after the beginning of the fiscal year describing the activities
202 that the agency intends to undertake for that year, including
203 proposed outcomes and completion timeframes for the planning and
204 implementation of all enterprise information technology
205 services. The work plan must be presented at a public hearing
206 and that includes the Agency Chief Information Officers Council,
207 which may review and comment on the plan. The work plan must
208 thereafter be approved by the Governor and Cabinet, and
209 thereafter submitted to the President of the Senate and the
210 Speaker of the House of Representatives. The work plan may be
211 amended as needed, subject to approval by the Governor and
212 Cabinet.
213 Section 5. Subsections (2) and (3) of section 282.201,
214 Florida Statutes, are amended, present subsections (4) and (5)
215 of that section are amended and renumbered as subsections (5)
216 and (6), respectively, and a new subsection (4) is added to that
217 section, to read:
218 282.201 State data center system; agency duties and
219 limitations.—A state data center system that includes all
220 primary data centers, other nonprimary data centers, and
221 computing facilities, and that provides an enterprise
222 information technology service as defined in s. 282.0041, is
223 established.
224 (2) AGENCY FOR ENTERPRISE INFORMATION TECHNOLOGY DUTIES.
225 The Agency for Enterprise Information Technology shall:
226 (a) Collect and maintain information necessary for
227 developing policies relating to the data center system,
228 including, but not limited to, an inventory of facilities.
229 (b) Annually approve cost-recovery mechanisms and rate
230 structures for primary data centers which recover costs through
231 charges to customer entities.
232 (c) By September 30 December 31 of each year, submit to the
233 Legislature, the Executive Office of the Governor, and the
234 primary data centers Legislature recommendations to improve the
235 efficiency and cost-effectiveness effectiveness of computing
236 services provided by state data center system facilities. Such
237 recommendations must may include, but need not be limited to:
238 1. Policies for improving the cost-effectiveness and
239 efficiency of the state data center system, which includes the
240 primary data centers being transferred to a shared, virtualized
241 server environment, and the associated cost savings resulting
242 from the implementation of such policies.
243 2. Infrastructure improvements supporting the consolidation
244 of facilities or preempting the need to create additional data
245 centers or computing facilities.
246 3. Standards for an objective, credible energy performance
247 rating system that data center boards of trustees can use to
248 measure state data center energy consumption and efficiency on a
249 biannual basis.
250 3.4. Uniform disaster recovery standards.
251 4.5. Standards for primary data centers which provide cost
252 effective services and providing transparent financial data to
253 user agencies.
254 5.6. Consolidation of contract practices or coordination of
255 software, hardware, or other technology-related procurements and
256 the associated cost savings.
257 6.7. Improvements to data center governance structures.
258 (d) By October 1 of each year beginning in 2011, provide
259 recommendations 2009, recommend to the Governor and Legislature
260 relating to changes to the schedule for the consolidations of
261 state agency data centers as provided in subsection (4) at least
262 two nonprimary data centers for consolidation into a primary
263 data center or nonprimary data center facility.
264 1. The consolidation proposal must provide a transition
265 plan that includes:
266 a. Estimated transition costs for each data center or
267 computing facility recommended for consolidation;
268 b. Detailed timeframes for the complete transition of each
269 data center or computing facility recommended for consolidation;
270 c. Proposed recurring and nonrecurring fiscal impacts,
271 including increased or decreased costs and associated budget
272 impacts for affected budget entities;
273 d. Substantive legislative changes necessary to implement
274 the transition; and
275 e. Identification of computing resources to be transferred
276 and those that will remain in the agency. The transfer of
277 resources must include all hardware, software, staff, contracted
278 services, and facility resources performing data center
279 management and operations, security, backup and recovery,
280 disaster recovery, system administration, database
281 administration, system programming, job control, production
282 control, print, storage, technical support, help desk, and
283 managed services but excluding application development.
284 1.2. The recommendations must shall be based on the goal of
285 maximizing current and future cost savings by. The agency shall
286 consider the following criteria in selecting consolidations that
287 maximize efficiencies by providing the ability to:
288 a. Consolidating Consolidate purchase decisions;
289 b. Leveraging Leverage expertise and other resources to
290 gain economies of scale;
291 c. Implementing Implement state information technology
292 policies more effectively; and
293 d. Maintaining or improving Maintain or improve the level
294 of service provision to customer entities; and
295 e. Make progress towards the state’s goal of consolidating
296 data centers and computing facilities into primary data centers.
297 2.3. The agency shall establish workgroups as necessary to
298 ensure participation by affected agencies in the development of
299 recommendations related to consolidations.
300 (e) By December 31, 2010, the agency shall develop and
301 submit to the Legislature an overall consolidation plan for
302 state data centers. The plan shall indicate a timeframe for the
303 consolidation of all remaining nonprimary data centers into
304 primary data centers, including existing and proposed primary
305 data centers, by 2019.
306 (e)(f) Develop and establish rules relating to the
307 operation of the state data center system which comply with
308 applicable federal regulations, including 2 C.F.R. part 225 and
309 45 C.F.R. The agency shall publish notice of rule development in
310 the Florida Administrative Weekly by October 1, 2011. The rules
311 must may address:
312 1. Ensuring that financial information is captured and
313 reported consistently and accurately.
314 2. Identifying standards for hardware, including standards
315 for a shared, virtualized server environment, and operations
316 system software and other operational software, including
317 security and network infrastructure, for the primary data
318 centers; requiring compliance with such standards in order to
319 enable the efficient consolidation of the agency data centers or
320 computing facilities; and providing an exemption process from
321 compliance with such standards, which must be consistent with
322 paragraph (5)(b).
323 2. Requiring the establishment of service-level agreements
324 executed between a data center and its customer entities for
325 services provided.
326 3. Requiring annual full cost recovery on an equitable
327 rational basis. The cost-recovery methodology must ensure that
328 no service is subsidizing another service and may include
329 adjusting the subsequent year’s rates as a means to recover
330 deficits or refund surpluses from a prior year.
331 4. Requiring that any special assessment imposed to fund
332 expansion is based on a methodology that apportions the
333 assessment according to the proportional benefit to each
334 customer entity.
335 5. Requiring that rebates be given when revenues have
336 exceeded costs, that rebates be applied to offset charges to
337 those customer entities that have subsidized the costs of other
338 customer entities, and that such rebates may be in the form of
339 credits against future billings.
340 6. Requiring that all service-level agreements have a
341 contract term of up to 3 years, but may include an option to
342 renew for up to 3 additional years contingent on approval by the
343 board, and require at least a 180-day notice of termination.
344 7. Designating any nonstate data center as a primary data
345 center if the center:
346 a. Has an established governance structure that represents
347 customer entities proportionally.
348 b. Maintains an appropriate cost-allocation methodology
349 that accurately bills a customer entity based on the actual
350 direct and indirect costs to the customer entity, and prohibits
351 the subsidization of one customer entity’s costs by another
352 entity.
353 c. Has sufficient raised floor space, cooling, and
354 redundant power capacity, including uninterruptible power supply
355 and backup power generation, to accommodate the computer
356 processing platforms and support necessary to host the computing
357 requirements of additional customer entities.
358 8. Removing a nonstate data center from primary data center
359 designation if the nonstate data center fails to meet standards
360 necessary to ensure that the state’s data is maintained pursuant
361 to subparagraph 7.
362 (3) STATE AGENCY DUTIES.—
363 (a) For the purpose of completing its work activities as
364 described in subsection (1), each state agency shall provide to
365 the Agency for Enterprise Information Technology all requested
366 information and any other information relevant to the agency’s
367 ability to effectively transition its computer services into a
368 primary data center. The agency shall also participate as
369 required in workgroups relating to specific consolidation
370 planning and implementation tasks as assigned by the Agency for
371 Enterprise Information Technology and determined necessary to
372 accomplish consolidation goals.
373 (b) Each state agency shall submit to the Agency for
374 Enterprise Information Technology information relating to its
375 data centers and computing facilities as required in
376 instructions issued by July 1 of each year by the Agency for
377 Enterprise Information Technology. The information required may
378 include:
379 1. Amount of floor space used and available.
380 2. Numbers and capacities of mainframes and servers.
381 3. Storage and network capacity.
382 4. Amount of power used and the available capacity.
383 5. Estimated expenditures by service area, including
384 hardware and software, numbers of full-time equivalent
385 positions, personnel turnover, and position reclassifications.
386 6. A list of contracts in effect for the fiscal year,
387 including, but not limited to, contracts for hardware, software
388 and maintenance, including the expiration date, the contract
389 parties, and the cost of the contract.
390 7. Service-level agreements by customer entity.
391 (c) The chief information officer of each state agency
392 shall assist the Agency for Enterprise Information Technology at
393 the request of the Agency for Enterprise Information Technology.
394 (c)(d) Each state agency customer of a primary data center
395 shall notify the data center, by May 31 and November 30 of each
396 year, of any significant changes in anticipated utilization of
397 data center services pursuant to requirements established by the
398 boards of trustees of each primary data center.
399 (4) SCHEDULE FOR CONSOLIDATIONS OF AGENCY DATA CENTERS.—
400 (a) Consolidations of agency data centers shall be made by
401 the date and to the specified primary data center as provided in
402 this section and in accordance with budget adjustments contained
403 in the General Appropriations Act.
404 (b) By December 31, 2011, the following shall be
405 consolidated into the Northwest Regional Data Center:
406 1. The Department of Education’s Knott Data Center in the
407 Turlington Building.
408 2. The Department of Education’s Division of Vocational
409 Rehabilitation.
410 3. The Department of Education’s Division of Blind
411 Services, except for the division’s disaster recovery site in
412 Daytona Beach.
413 4. The FCAT Explorer.
414 5. FACTS.org.
415 (c) During the 2011-2012 fiscal year, the following shall
416 be consolidated into the Southwood Shared Resource Center:
417 1. By September 30, 2011, the Department of Corrections.
418 2. By March 31, 2012, the Department of Transportation’s
419 Burns Building.
420 3. By March 31, 2012, the Department of Transportation’s
421 Survey & Mapping Office.
422 (d) During the 2011-2012 fiscal year, the following shall
423 be consolidated into the Northwood Shared Resource Center:
424 1. By July 1, 2011, the Department of Transportation’s
425 Office of Motor Carrier Compliance.
426 2. By March 31, 2012, the Department of Highway Safety and
427 Motor Vehicles.
428 (e) During the 2012-2013 fiscal year, the following shall
429 be consolidated into the Southwood Shared Resource Center:
430 1. By September 30, 2012, the Division of Emergency
431 Management and the Department of Community Affairs, except for
432 the Emergency Operation Center’s management system in
433 Tallahassee and the Camp Blanding Emergency Operations Center in
434 Starke.
435 2. By September 30, 2012, the Department of Revenue’s
436 Carlton Building and Imaging Center locations.
437 3. By December 31, 2012, the Department of Health’s Test
438 and Development Lab and all remaining data center resources
439 located at the Capital Circle Office Complex.
440 (f) During the 2012-2013 fiscal year, the following shall
441 be consolidated into the Northwood Shared Resource Center:
442 1. By July 1, 2012, the Agency for Health Care
443 Administration.
444 2. By December 31, 2012, the Department of Environmental
445 Protection’s Palmetto Commons.
446 3. By March 30, 2013, the Department of Law Enforcement’s
447 headquarters location.
448 (g) During the 2013-2014 fiscal year, the following
449 agencies shall work with the Agency for Enterprise Information
450 Technology to begin preliminary planning for consolidation into
451 a primary data center:
452 1. The Department of the Lottery’s headquarters location.
453 2. The Department of Legal Affairs.
454 3. The Fish and Wildlife Conservation Commission, except
455 for the commission’s Fish and Wildlife Research Institute in St.
456 Petersburg.
457 4. The Executive Office of the Governor.
458 5. The Department of Veterans’ Affairs.
459 6. The Department of Elderly Affairs.
460 7. The Department of Financial Services’ Hartman, Larson,
461 and Fletcher Building Data Centers.
462 8. The Department of Agriculture and Consumer Services’
463 Agriculture Management Information Center in the Mayo Building
464 and Division of Licensing.
465 (h) During the 2014-2015 fiscal year, the following
466 agencies shall work with the Agency for Enterprise Information
467 Technology to begin preliminary planning for consolidation into
468 a primary data center:
469 1. The Department of Health’s Jacksonville Lab Data Center.
470 2. The Department of Transportation’s district offices,
471 toll offices, and the District Materials Office.
472 3. The Department of Military Affairs’ Camp Blanding Joint
473 Training Center in Starke.
474 4. The Department of Community Affairs’ Camp Blanding
475 Emergency Operations Center in Starke.
476 5. The Department of Education’s Division of Blind Services
477 disaster recovery site in Daytona Beach.
478 6. The Department of Education’s disaster recovery site at
479 Santa Fe College.
480 7. The Department of the Lottery’s Disaster Recovery Backup
481 Data Center in Orlando.
482 8. The Fish and Wildlife Conservation Commission’s Fish and
483 Wildlife Research Institute in St. Petersburg.
484 9. The Department of Children and Family Services’ Suncoast
485 Data Center in Tampa.
486 10. The Department of Children and Family Services’ Florida
487 State Hospital in Chattahoochee.
488 (i) During the 2015-2016 fiscal year, all computing
489 resources remaining within an agency nonprimary data center or
490 computing facility shall be transferred to a primary data center
491 for consolidation unless otherwise required to remain in the
492 agency for specified financial, technical, or business reasons
493 that must be justified in writing and approved by the Agency for
494 Enterprise Information Technology. Such data centers, computing
495 facilities, and resources must be identified by the Agency for
496 Enterprise Information Technology by October 1, 2014.
497 (j) Any agency that is consolidating agency data centers
498 into a primary data center must execute a new or update an
499 existing service-level agreement within 60 days after the
500 specified consolidation date, as required by s. 282.203, in
501 order to specify the services and levels of service it is to
502 receive from the primary data center as a result of the
503 consolidation. If an agency is unable to execute a service-level
504 agreement by that date, the agency shall submit a report to the
505 Executive Office of the Governor and to the chairs of the
506 legislative appropriations committees within 5 working days
507 after that date which explains the specific issues preventing
508 execution and describing its plan and schedule for resolving
509 those issues.
510 (k) Beginning September 1, 2011, and every 6 months
511 thereafter until data center consolidations are complete, the
512 Agency for Enterprise Information Technology shall provide a
513 status report on the implementation of the consolidations that
514 must be completed during the fiscal year. The report shall be
515 submitted to the Executive Office of the Governor and the chairs
516 of the legislative appropriations committees. The report must,
517 at a minimum, describe:
518 1. Whether the consolidation is on schedule, including
519 progress on achieving the milestones necessary for successful
520 and timely consolidation of scheduled agency data centers and
521 computing facilities; and
522 2. The risks that may affect the progress or outcome of the
523 consolidation and how these risks are being addressed,
524 mitigated, or managed.
525 (l) Each agency identified in this subsection for
526 consolidation into a primary data center shall submit a
527 transition plan to the Agency for Enterprise Information
528 Technology by September 1 of the fiscal year before the fiscal
529 year in which the scheduled consolidation will occur. Transition
530 plans shall be developed in consultation with the appropriate
531 primary data centers and the Agency for Enterprise Information
532 Technology, and must include:
533 1. An inventory of the agency data center’s resources being
534 consolidated, including all hardware, software, staff, and
535 contracted services, and the facility resources performing data
536 center management and operations, security, backup and recovery,
537 disaster recovery, system administration, database
538 administration, system programming, job control, production
539 control, print, storage, technical support, help desk, and
540 managed services, but excluding application development;
541 2. A description of the level of services needed to meet
542 the technical and operational requirements of the platforms
543 being consolidated and an estimate of the primary data center’s
544 cost for the provision of such services;
545 3. A description of resources for computing services
546 proposed to remain in the department;
547 4. A timetable with significant milestones for the
548 completion of the consolidation; and
549 5. The specific recurring and nonrecurring budget
550 adjustments of budget resources by appropriation category into
551 the appropriate data-processing category pursuant to the
552 legislative budget instructions in s. 216.023 necessary to
553 support agency costs for the transfer.
554 (m) Each primary data center shall develop a transition
555 plan for absorbing the transfer of agency data center resources
556 based upon the timetables for transition as provided in this
557 subsection. The plan shall be submitted to the Agency for
558 Enterprise Information Technology, the Executive Office of the
559 Governor, and the chairs of the legislative appropriations
560 committees by September 30 of the fiscal year before the fiscal
561 year in which the scheduled consolidations will occur. Each plan
562 must include:
563 1. An estimate of the cost to provide data center services
564 for each agency scheduled for consolidation;
565 2. A staffing plan that identifies the projected staffing
566 needs and requirements based on the estimated workload
567 identified in the agency transition plan;
568 3. The fiscal year adjustments to budget categories in
569 order to absorb the transfer of agency data center resources
570 pursuant to the legislative budget request instructions provided
571 in s. 216.023;
572 4. An analysis of the cost effects resulting from the
573 planned consolidations on existing agency customers; and
574 5. A description of any issues that must be resolved in
575 order to accomplish as efficiently and effectively as possible
576 all consolidations required during the fiscal year.
577 (n) The Agency for Enterprise Information Technology shall
578 develop a comprehensive transition plan, which shall be
579 submitted by October 15th of the fiscal year before the fiscal
580 year in which the scheduled consolidations will occur to each
581 primary data center, to the Executive Office of the Governor,
582 and the chairs of the legislative appropriations committees. The
583 transition plan shall be developed in consultation with agencies
584 submitting agency transition plans and with the affected primary
585 data centers. The comprehensive transition plan must include:
586 1. Recommendations for accomplishing the proposed
587 transitions as efficiently and effectively as possible with
588 minimal disruption to customer agency business processes;
589 2. Strategies to minimize risks associated with any of the
590 proposed consolidations;
591 3. A compilation of the agency transition plans submitted
592 by agencies scheduled for consolidation for the following fiscal
593 year; and
594 4. Revisions to any budget adjustments provided in the
595 agency or primary data center transition plans.
596 (o) Any agency data center scheduled for consolidation
597 after the 2011-2012 fiscal year may consolidate into a primary
598 data center before its scheduled date contingent upon the
599 approval of the Agency for Enterprise Information Technology.
600 (5)(4) AGENCY LIMITATIONS.—
601 (a) Unless authorized by the Legislature or as provided in
602 paragraphs (b) and (c), a state agency may not:
603 1. Create a new computing facility or data center, or
604 expand the capability to support additional computer equipment
605 in an existing computing facility or nonprimary data center;
606 2. Spend funds before the agency’s scheduled consolidation
607 into a primary data center to purchase or modify hardware or
608 operations software that does not comply with hardware and
609 software standards established by the Agency for Enterprise
610 Information Technology pursuant to paragraph (2)(e) for the
611 efficient consolidation of the agency data centers or computing
612 facilities;
613 3.2. Transfer existing computer services to any data center
614 other than a primary nonprimary data center or computing
615 facility;
616 4.3. Terminate services with a primary data center or
617 transfer services between primary data centers without giving
618 written notice of intent to terminate or transfer services 180
619 days before such termination or transfer; or
620 5.4. Initiate a new computer service if it does not
621 currently have an internal data center except with a primary
622 data center.
623 (b) Exceptions to the limitations in subparagraphs (a)1.,
624 2., 3., and 5. 4. may be granted by the Agency for Enterprise
625 Information Technology if there is insufficient capacity in a
626 primary data center to absorb the workload associated with
627 agency computing services, if expenditures are compatible with
628 the scheduled consolidation and the standards established
629 pursuant to paragraph (2)(e), or if the equipment or resources
630 are needed to meet a critical agency business need that cannot
631 be satisfied from surplus equipment or resources of the primary
632 data center until the agency data center is consolidated.
633 1. A request for an exception must be submitted in writing
634 to the Agency for Enterprise Information Technology. The agency
635 must accept, accept with conditions, or deny the request within
636 60 days after receipt of the written request. The agency’s
637 decision is not subject to chapter 120.
638 2. At a minimum, the agency may not approve a request
639 unless it includes:
640 a. Documentation approved by the primary data center’s
641 board of trustees which confirms that the center cannot meet the
642 capacity requirements of the agency requesting the exception
643 within the current fiscal year.
644 b. A description of the capacity requirements of the agency
645 requesting the exception.
646 c. Documentation from the agency demonstrating why it is
647 critical to the agency’s mission that the expansion or transfer
648 must be completed within the fiscal year rather than when
649 capacity is established at a primary data center.
650 (c) Exceptions to subparagraph (a)4. (a)3. may be granted
651 by the board of trustees of the primary data center if the
652 termination or transfer of services can be absorbed within the
653 current cost-allocation plan.
654 (d) Upon the termination of or transfer of agency computing
655 services from the primary data center, the primary data center
656 shall require information sufficient to determine compliance
657 with this section. If a primary data center determines that an
658 agency is in violation of this section, it shall report the
659 violation to the Agency for Enterprise Information Technology.
660 (6)(5) RULES.—The Agency for Enterprise Information
661 Technology may is authorized to adopt rules pursuant to ss.
662 120.536(1) and 120.54 to administer the provisions of this part
663 relating to the state data center system including the primary
664 data centers.
665 Section 6. Paragraphs (f) through (l) of subsection (1),
666 paragraph (a) of subsection (2), and paragraph (j) of subsection
667 (3) of section 282.203, Florida Statutes, are amended to read:
668 282.203 Primary data centers.—
669 (1) DATA CENTER DUTIES.—Each primary data center shall:
670 (f) By December 31, 2010, submit organizational plans that
671 minimize the annual recurring cost of center operations and
672 eliminate the need for state agency customers to maintain data
673 center skills and staff within their agency. The plans shall:
674 1. Establish an efficient organizational structure
675 describing the roles and responsibilities of all positions and
676 business units in the centers;
677 2. Define a human resources planning and management process
678 that shall be used to make required center staffing decisions;
679 and
680 3. Develop a process for projecting staffing requirements
681 based on estimated workload identified in customer agency
682 service level agreements.
683 (f)(g) Maintain the performance of the facility, which
684 includes ensuring proper data backup, data backup recovery, an
685 effective disaster recovery plan, and appropriate security,
686 power, cooling and fire suppression, and capacity.
687 (g)(h) Develop a business continuity plan and conduct a
688 live exercise of the plan at least annually. The plan must be
689 approved by the board and the Agency for Enterprise Information
690 Technology.
691 (h)(i) Enter into a service-level agreement with each
692 customer entity to provide services as defined and approved by
693 the board in compliance with rules of the Agency for Enterprise
694 Information Technology. A service-level agreement may not have a
695 term exceeding 3 years but may include an option to renew for up
696 to 3 years contingent on approval by the board.
697 1. A service-level agreement, at a minimum, must:
698 a. Identify the parties and their roles, duties, and
699 responsibilities under the agreement;
700 b. Identify the legal authority under which the service
701 level agreement was negotiated and entered into by the parties;
702 c. State the duration of the contractual term and specify
703 the conditions for contract renewal;
704 d. Prohibit the transfer of computing services between
705 primary data center facilities without at least 180 days’ notice
706 of service cancellation;
707 e. Identify the scope of work;
708 f. Identify the products or services to be delivered with
709 sufficient specificity to permit an external financial or
710 performance audit;
711 g. Establish the services to be provided, the business
712 standards that must be met for each service, the cost of each
713 service, and the process by which the business standards for
714 each service are to be objectively measured and reported;
715 h. Identify applicable funds and funding streams for the
716 services or products under contract;
717 i. Provide a timely billing methodology for recovering the
718 cost of services provided to the customer entity;
719 j. Provide a procedure for modifying the service-level
720 agreement to address changes in projected costs of service;
721 k. Provide that a service-level agreement may be terminated
722 by either party for cause only after giving the other party and
723 the Agency for Enterprise Information Technology notice in
724 writing of the cause for termination and an opportunity for the
725 other party to resolve the identified cause within a reasonable
726 period; and
727 l. Provide for mediation of disputes by the Division of
728 Administrative Hearings pursuant to s. 120.573.
729 2. A service-level agreement may include:
730 a. A dispute resolution mechanism, including alternatives
731 to administrative or judicial proceedings;
732 b. The setting of a surety or performance bond for service
733 level agreements entered into with nonstate agency primary data
734 centers established by law, which may be designated by the
735 Agency for Enterprise Information Technology; or
736 c. Additional terms and conditions as determined advisable
737 by the parties if such additional terms and conditions do not
738 conflict with the requirements of this section or rules adopted
739 by the Agency for Enterprise Information Technology.
740 3. The failure to execute a service-level agreement within
741 60 days after service commencement shall, in the case of an
742 existing customer entity, result in a continuation of the terms
743 of the service-level agreement from the prior fiscal year,
744 including any amendments that were formally proposed to the
745 customer entity by the primary data center within the 3 months
746 before service commencement, and a revised cost-of-service
747 estimate. If a new customer entity fails to execute an agreement
748 within 60 days after service commencement, the data center may
749 cease services.
750 (i)(j) Plan, design, establish pilot projects for, and
751 conduct experiments with information technology resources, and
752 implement enhancements in services if such implementation is
753 cost-effective and approved by the board.
754 (j)(k) Enter into a memorandum of understanding with the
755 agency where the data center is administratively located if the
756 data center requires the agency to provide any administrative
757 which establishes the services to be provided by that agency to
758 the data center and the cost of such services.
759 (k)(l) Be the custodian of resources and equipment that are
760 located, operated, supported, and managed by the center for the
761 purposes of chapter 273.
762 (l) Assume administrative access rights to the resources
763 and equipment, such as servers, network components, and other
764 devices that are consolidated into the primary data center.
765 1. Upon the date of each consolidation specified in s.
766 282.201, the General Appropriations Act, or the Laws of Florida,
767 each agency shall relinquish all administrative access rights to
768 such resources and equipment.
769 2. Each primary data center shall provide its customer
770 agencies with the appropriate level of access to applications,
771 servers, network components, and other devices necessary for
772 agencies to perform their core business activities and
773 functions.
774 (2) BOARD OF TRUSTEES.—Each primary data center shall be
775 headed by a board of trustees as defined in s. 20.03.
776 (a) The members of the board shall be appointed by the
777 agency head or chief executive officer of the representative
778 customer entities of the primary data center and shall serve at
779 the pleasure of the appointing customer entity. Each agency head
780 or chief executive officer may appoint an alternate member for
781 each board member appointed pursuant to this subsection.
782 1. During the first fiscal year that a state agency is to
783 consolidate its data center operations to a primary data center
784 and for the following full fiscal year, the agency shall have a
785 single trustee having one vote on the board of the state primary
786 data center where it is to consolidate, unless it is entitled in
787 the second year to a greater number of votes as provided in
788 subparagraph 3. For each of the first 2 fiscal years that a
789 center is in operation, membership shall be as provided in
790 subparagraph 3. based on projected customer entity usage rates
791 for the fiscal operating year of the primary data center.
792 However, at a minimum:
793 a. During the Southwood Shared Resource Center’s first 2
794 operating years, the Department of Transportation, the
795 Department of Highway Safety and Motor Vehicles, the Department
796 of Health, and the Department of Revenue must each have at least
797 one trustee.
798 b. During the Northwood Shared Resource Center’s first
799 operating year, the Department of State and the Department of
800 Education must each have at least one trustee.
801 2. Board After the second full year of operation,
802 membership shall be as provided in subparagraph 3. based on the
803 most recent estimate of customer entity usage rates for the
804 prior year and a projection of usage rates for the first 9
805 months of the next fiscal year. Such calculation must be
806 completed before the annual budget meeting held before the
807 beginning of the next fiscal year so that any decision to add or
808 remove board members can be voted on at the budget meeting and
809 become effective on July 1 of the subsequent fiscal year.
810 3. Each customer entity that has a projected usage rate of
811 4 percent or greater during the fiscal operating year of the
812 primary data center shall have one trustee on the board.
813 4. The total number of votes for each trustee shall be
814 apportioned as follows:
815 a. Customer entities of a primary data center whose usage
816 rate represents 4 but less than 15 percent of total usage shall
817 have one vote.
818 b. Customer entities of a primary data center whose usage
819 rate represents 15 but less than 30 percent of total usage shall
820 have two votes.
821 c. Customer entities of a primary data center whose usage
822 rate represents 30 but less than 50 percent of total usage shall
823 have three votes.
824 d. A customer entity of a primary data center whose usage
825 rate represents 50 percent or more of total usage shall have
826 four votes.
827 e. A single trustee having one vote shall represent those
828 customer entities that represent less than 4 percent of the
829 total usage. The trustee shall be selected by a process
830 determined by the board.
831 (3) BOARD DUTIES.—Each board of trustees of a primary data
832 center shall:
833 (j) Maintain the capabilities of the primary data center’s
834 facilities. Maintenance responsibilities include, but are not
835 limited to, ensuring that adequate conditioned floor space, fire
836 suppression, cooling, and power is in place; replacing aging
837 equipment when necessary; and making decisions related to data
838 center expansion and renovation, periodic upgrades, and
839 improvements that are required to ensure the ongoing suitability
840 of the facility as an enterprise data center consolidation site
841 in the state data center system. To the extent possible, the
842 board shall ensure that its approved annual cost-allocation plan
843 recovers sufficient funds from its customers to provide for
844 these needs pursuant to s. 282.201(2)(e).
845 Section 7. Section 282.204, Florida Statutes, is amended to
846 read:
847 282.204 Northwood Shared Resource Center.—The Northwood
848 Shared Resource Center is an agency established within the
849 Department of Management Services Children and Family Services
850 for administrative purposes only.
851 (1) The center is a primary data center and is shall be a
852 separate budget entity that is not subject to control,
853 supervision, or direction of the department in any manner,
854 including, but not limited to, purchasing, transactions
855 involving real or personal property, personnel, or budgetary
856 matters.
857 (2) The center shall be headed by a board of trustees as
858 provided in s. 282.203, who shall comply with all requirements
859 of that section related to the operation of the center and with
860 the rules of the Agency for Enterprise Information Technology
861 related to the design and delivery of enterprise information
862 technology services.
863 Section 8. Sections 282.3055 and 282.315, Florida Statutes,
864 are repealed.
865 Section 9. Subsections (3) through (7) of section 282.318,
866 Florida Statutes, are amended to read:
867 282.318 Enterprise security of data and information
868 technology.—
869 (3) The Office of Information Security within the Agency
870 for Enterprise Information Technology is responsible for
871 establishing rules and publishing guidelines for ensuring an
872 appropriate level of security for all data and information
873 technology resources for executive branch agencies. The agency
874 office shall also perform the following duties and
875 responsibilities:
876 (a) Develop, and annually update by February 1, an
877 enterprise information security strategic plan that includes
878 security goals and objectives for the strategic issues of
879 information security policy, risk management, training, incident
880 management, and survivability planning.
881 (b) Develop enterprise security rules and published
882 guidelines for:
883 1. Comprehensive risk analyses and information security
884 audits conducted by state agencies.
885 2. Responding to suspected or confirmed information
886 security incidents, including suspected or confirmed breaches of
887 personal information or exempt data.
888 3. Agency security plans, including strategic security
889 plans and security program plans.
890 4. The recovery of information technology and data
891 following a disaster.
892 5. The managerial, operational, and technical safeguards
893 for protecting state government data and information technology
894 resources.
895 (c) Assist agencies in complying with the provisions of
896 this section.
897 (d) Pursue appropriate funding for the purpose of enhancing
898 domestic security.
899 (e) Provide training for agency information security
900 managers.
901 (f) Annually review the strategic and operational
902 information security plans of executive branch agencies.
903 (4) To assist the Agency for Enterprise Information
904 Technology Office of Information Security in carrying out its
905 responsibilities, each agency head shall, at a minimum:
906 (a) Designate an information security manager to administer
907 the security program of the agency for its data and information
908 technology resources. This designation must be provided annually
909 in writing to the Agency for Enterprise Information Technology
910 office by January 1.
911 (b) Submit to the Agency for Enterprise Information
912 Technology office annually by July 31, the agency’s strategic
913 and operational information security plans developed pursuant to
914 the rules and guidelines established by the Agency for
915 Enterprise Information Technology office.
916 1. The agency strategic information security plan must
917 cover a 3-year period and define security goals, intermediate
918 objectives, and projected agency costs for the strategic issues
919 of agency information security policy, risk management, security
920 training, security incident response, and survivability. The
921 plan must be based on the enterprise strategic information
922 security plan created by the Agency for Enterprise Information
923 Technology office. Additional issues may be included.
924 2. The agency operational information security plan must
925 include a progress report for the prior operational information
926 security plan and a project plan that includes activities,
927 timelines, and deliverables for security objectives that,
928 subject to current resources, the agency will implement during
929 the current fiscal year. The cost of implementing the portions
930 of the plan which cannot be funded from current resources must
931 be identified in the plan.
932 (c) Conduct, and update every 3 years, a comprehensive risk
933 analysis to determine the security threats to the data,
934 information, and information technology resources of the agency.
935 The risk analysis information is confidential and exempt from
936 the provisions of s. 119.07(1), except that such information
937 shall be available to the Auditor General and the Agency for
938 Enterprise Information Technology for performing postauditing
939 duties.
940 (d) Develop, and periodically update, written internal
941 policies and procedures, which include procedures for notifying
942 the Agency for Enterprise Information Technology office when a
943 suspected or confirmed breach, or an information security
944 incident, occurs. Such policies and procedures must be
945 consistent with the rules and guidelines established by the
946 Agency for Enterprise Information Technology office to ensure
947 the security of the data, information, and information
948 technology resources of the agency. The internal policies and
949 procedures that, if disclosed, could facilitate the unauthorized
950 modification, disclosure, or destruction of data or information
951 technology resources are confidential information and exempt
952 from s. 119.07(1), except that such information shall be
953 available to the Auditor General and the Agency for Enterprise
954 Information Technology for performing postauditing duties.
955 (e) Implement appropriate cost-effective safeguards to
956 address identified risks to the data, information, and
957 information technology resources of the agency.
958 (f) Ensure that periodic internal audits and evaluations of
959 the agency’s security program for the data, information, and
960 information technology resources of the agency are conducted.
961 The results of such audits and evaluations are confidential
962 information and exempt from s. 119.07(1), except that such
963 information shall be available to the Auditor General and the
964 Agency for Enterprise Information Technology for performing
965 postauditing duties.
966 (g) Include appropriate security requirements in the
967 written specifications for the solicitation of information
968 technology and information technology resources and services,
969 which are consistent with the rules and guidelines established
970 by the Agency for Enterprise Information Technology office.
971 (h) Provide security awareness training to employees and
972 users of the agency’s communication and information resources
973 concerning information security risks and the responsibility of
974 employees and users to comply with policies, standards,
975 guidelines, and operating procedures adopted by the agency to
976 reduce those risks.
977 (i) Develop a process for detecting, reporting, and
978 responding to suspected or confirmed security incidents,
979 including suspected or confirmed breaches consistent with the
980 security rules and guidelines established by the Agency for
981 Enterprise Information Technology office.
982 1. Suspected or confirmed information security incidents
983 and breaches must be immediately reported to the Agency for
984 Enterprise Information Technology office.
985 2. For incidents involving breaches, agencies shall provide
986 notice in accordance with s. 817.5681 and to the Agency for
987 Enterprise Information Technology office in accordance with this
988 subsection.
989 (5) Each state agency shall include appropriate security
990 requirements in the specifications for the solicitation of
991 contracts for procuring information technology or information
992 technology resources or services which are consistent with the
993 rules and guidelines established by the Agency for Enterprise
994 Information Technology Office of Information Security.
995 (6) The Agency for Enterprise Information Technology may
996 adopt rules relating to information security and to administer
997 the provisions of this section.
998 (7) By December 31, 2010, the Agency for Enterprise
999 Information Technology shall develop, and submit to the
1000 Governor, the President of the Senate, and the Speaker of the
1001 House of Representatives a proposed implementation plan for
1002 information technology security. The agency shall describe the
1003 scope of operation, conduct costs and requirements analyses,
1004 conduct an inventory of all existing security information
1005 technology resources, and develop strategies, timeframes, and
1006 resources necessary for statewide migration.
1007 Section 10. Subsections (2), (3), and (4) of section
1008 282.33, Florida Statutes, are amended to read:
1009 282.33 Objective standards for data center energy
1010 efficiency.—
1011 (2) State shared resource data centers and other data
1012 centers that the Agency for Enterprise Information Technology
1013 has determined will be recipients for consolidating data
1014 centers, which are designated by the Agency for Enterprise
1015 Information Technology, shall evaluate their data center
1016 facilities for energy efficiency using the standards established
1017 in this section.
1018 (a) Results of these evaluations shall be reported to the
1019 Agency for Enterprise Information Technology, the President of
1020 the Senate, and the Speaker of the House of Representatives.
1021 Reports shall enable the tracking of energy performance over
1022 time and comparisons between facilities.
1023 (b) Beginning By December 31, 2010, and every 3 years
1024 biennially thereafter, the Agency for Enterprise Information
1025 Technology shall submit to the Legislature recommendations for
1026 reducing energy consumption and improving the energy efficiency
1027 of state primary data centers.
1028 (3) The primary means of achieving maximum energy savings
1029 across all state data centers and computing facilities shall be
1030 the consolidation of data centers and computing facilities as
1031 determined by the Agency for Enterprise Information Technology.
1032 State data centers and computing facilities in the state data
1033 center system shall be established as an enterprise information
1034 technology service as defined in s. 282.0041. The Agency for
1035 Enterprise Information Technology shall make recommendations on
1036 consolidating state data centers and computing facilities,
1037 pursuant to s. 282.0056, by December 31, 2009.
1038 (3)(4) If When the total cost of ownership of an energy
1039 efficient product is less than or equal to the cost of the
1040 existing data center facility or infrastructure, technical
1041 specifications for energy-efficient products should be
1042 incorporated in the plans and processes for replacing,
1043 upgrading, or expanding data center facilities or
1044 infrastructure, including, but not limited to, network, storage,
1045 or computer equipment and software.
1046 Section 11. Section 282.34, Florida Statutes, is amended to
1047 read:
1048 282.34 Statewide e-mail service.—A statewide state e-mail
1049 service system that includes the delivery and support of e-mail,
1050 messaging, and calendaring capabilities is established as an
1051 enterprise information technology service as defined in s.
1052 282.0041. The service shall be designed to meet the needs of all
1053 executive branch agencies, and may also be used by nonstate
1054 agency entities. The primary goals of the service are to
1055 minimize the state investment required to establish, operate,
1056 and support the statewide service; reduce the cost of current e
1057 mail operations and the number of duplicative e-mail systems;
1058 and eliminate the need for each state agency to maintain its own
1059 e-mail staff.
1060 (1) The Southwood Shared Resource Center, a primary data
1061 center, shall be the provider of the statewide e-mail service
1062 for all state agencies. The center shall centrally host, manage,
1063 operate, and support the service, or outsource the hosting,
1064 management, operational, or support components of the service in
1065 order to achieve the primary goals identified in this section.
1066 (2) The Agency for Enterprise Information Technology, in
1067 cooperation and consultation with all state agencies, shall
1068 prepare and submit for approval by the Legislative Budget
1069 Commission at a meeting scheduled before June 30, 2011, a
1070 proposed plan for the migration of all state agencies to the
1071 statewide e-mail service. The plan for migration must include:
1072 (a) A cost-benefit analysis that compares the total
1073 recurring and nonrecurring operating costs of the current agency
1074 e-mail systems, including monthly mailbox costs, staffing,
1075 licensing and maintenance costs, hardware, and other related e
1076 mail product and service costs to the costs associated with the
1077 proposed statewide e-mail service. The analysis must also
1078 include:
1079 1. A comparison of the estimated total 7-year life-cycle
1080 cost of the current agency e-mail systems versus the feasibility
1081 of funding the migration and operation of the statewide e-mail
1082 service.
1083 2. An estimate of recurring costs associated with the
1084 energy consumption of current agency e-mail equipment, and the
1085 basis for the estimate.
1086 3. An identification of the overall cost savings resulting
1087 from state agencies migrating to the statewide e-mail service
1088 and decommissioning their agency e-mail systems.
1089 (b) A proposed migration date for all state agencies to be
1090 migrated to the statewide e-mail service. The Agency for
1091 Enterprise Information Technology shall work with the Executive
1092 Office of the Governor to develop the schedule for migrating all
1093 state agencies to the statewide e-mail service except for the
1094 Department of Legal Affairs. The Department of Legal Affairs
1095 shall provide to the Agency for Enterprise Information
1096 Technology by June 1, 2011, a proposed migration date based upon
1097 its decision to participate in the statewide e-mail service and
1098 the identification of any issues that require resolution in
1099 order to migrate to the statewide e-mail service.
1100 (c) A budget amendment, submitted pursuant to chapter 216,
1101 for adjustments to each agency’s approved operating budget
1102 necessary to transfer sufficient budget resources into the
1103 appropriate data processing category to support its statewide e
1104 mail service costs.
1105 (d) A budget amendment, submitted pursuant to chapter 216,
1106 for adjustments to the Southwood Shared Resource Center approved
1107 operating budget to include adjustments in the number of
1108 authorized positions, salary budget and associated rate,
1109 necessary to implement the statewide e-mail service.
1110 (3) Contingent upon approval by the Legislative Budget
1111 Commission, the Southwood Shared Resource Center may contract
1112 for the provision of a statewide e-mail service. Executive
1113 branch agencies must be completely migrated to the statewide e
1114 mail service based upon the migration date included in the
1115 proposed plan approved by the Legislative Budget Commission.
1116 (4) Notwithstanding chapter 216, General Revenue funds may
1117 be increased or decreased for each agency provided the net
1118 change to General Revenue in total for all agencies is zero or
1119 less.
1120 (5) Subsequent to the approval of the consolidated budget
1121 amendment to reflect budget adjustments necessary to migrate to
1122 the statewide e-mail service, an agency may make adjustments
1123 subject to s. 216.177, notwithstanding provisions in chapter 216
1124 which may require such adjustments to be approved by the
1125 Legislative Budget Commission.
1126 (6) No agency may initiate a new e-mail service or execute
1127 a new e-mail contract or amend a current e-mail contract, other
1128 than with the Southwood Shared Resource Center, for nonessential
1129 products or services unless the Legislative Budget Commission
1130 denies approval for the Southwood Shared Resource Center to
1131 enter into a contract for the statewide e-mail service.
1132 (7) The Agency for Enterprise Information Technology shall
1133 work with the Southwood Shared Resource Center to develop an
1134 implementation plan that identifies and describes the detailed
1135 processes and timelines for an agency’s migration to the
1136 statewide e-mail service based on the migration date approved by
1137 the Legislative Budget Commission. The agency may establish and
1138 coordinate workgroups consisting of agency e-mail management,
1139 information technology, budget, and administrative staff to
1140 assist the agency in the development of the plan.
1141 (8) Each executive branch agency shall provide all
1142 information necessary to develop the implementation plan,
1143 including, but not limited to, required mailbox features and the
1144 number of mailboxes that will require migration services. Each
1145 agency must also identify any known business, operational, or
1146 technical plans, limitations, or constraints that should be
1147 considered when developing the plan.
1148 (2) The Agency for Enterprise Information Technology, in
1149 consultation with the Southwood Shared Resource Center, shall
1150 establish and coordinate a multiagency project team to develop a
1151 competitive solicitation for establishing the statewide e-mail
1152 service.
1153 (a) The Southwood Shared Resource Center shall issue the
1154 competitive solicitation by August 31, 2010, with vendor
1155 responses required by October 15, 2010. Issuance of the
1156 competitive solicitation does not obligate the agency and the
1157 center to conduct further negotiations or to execute a contract.
1158 The decision to conduct or conclude negotiations, or execute a
1159 contract, must be made solely at the discretion of the agency.
1160 (b) The competitive solicitation must include detailed
1161 specifications describing:
1162 1. The current e-mail approach for state agencies and the
1163 specific business objectives met by the present system.
1164 2. The minimum functional requirements necessary for
1165 successful statewide implementation and the responsibilities of
1166 the prospective service provider and the agency.
1167 3. The form and required content for submitted proposals,
1168 including, but not limited to, a description of the proposed
1169 system and its internal and external sourcing options, a 5-year
1170 life-cycle-based pricing based on cost per mailbox per month,
1171 and a decommissioning approach for current e-mail systems; an
1172 implementation schedule and implementation services; a
1173 description of e-mail account management, help desk, technical
1174 support, and user provisioning services; disaster recovery and
1175 backup and restore capabilities; antispam and antivirus
1176 capabilities; remote access and mobile messaging capabilities;
1177 and staffing requirements.
1178 (c) Other optional requirements specifications may be
1179 included in the competitive solicitation if not in conflict with
1180 the primary goals of the statewide e-mail service.
1181 (d) The competitive solicitation must permit alternative
1182 financial and operational models to be proposed, including, but
1183 not limited to:
1184 1. Leasing or usage-based subscription fees;
1185 2. Installing and operating the e-mail service within the
1186 Southwood Shared Resource Center or in a data center operated by
1187 an external service provider; or
1188 3. Provisioning the e-mail service as an Internet-based
1189 offering provided to state agencies. Specifications for proposed
1190 models must be optimized to meet the primary goals of the e-mail
1191 service.
1192 (3) By December 31, 2010, or within 1 month after
1193 negotiations are complete, whichever is later, the multiagency
1194 project team and the Agency for Enterprise Information
1195 Technology shall prepare a business case analysis containing its
1196 recommendations for procuring the statewide e-mail service for
1197 submission to the Governor and Cabinet, the President of the
1198 Senate, and the Speaker of the House of Representatives. The
1199 business case is not subject to challenge or protest pursuant to
1200 chapter 120. The business case must include, at a minimum:
1201 (a) An assessment of the major risks that must be managed
1202 for each proposal compared to the risks for the current state
1203 agency e-mail system and the major benefits that are associated
1204 with each.
1205 (b) A cost-benefit analysis that estimates all major cost
1206 elements associated with each sourcing option, focusing on the
1207 nonrecurring and recurring life-cycle costs of each option. The
1208 analysis must include a comparison of the estimated total 5-year
1209 life-cycle cost of the current agency e-mail systems versus each
1210 enterprise e-mail sourcing option in order to determine the
1211 feasibility of funding the migration and operation of the
1212 statewide e-mail service and the overall level of savings that
1213 can be expected. The 5-year life-cycle costs for each state
1214 agency must include, but are not limited to:
1215 1. The total recurring operating costs of the current
1216 agency e-mail systems, including monthly mailbox costs,
1217 staffing, licensing and maintenance costs, hardware, and other
1218 related e-mail product and service costs.
1219 2. An estimate of nonrecurring hardware and software
1220 refresh, upgrade, or replacement costs based on the expected 5
1221 year obsolescence of current e-mail software products and
1222 equipment through the 2014 fiscal year, and the basis for the
1223 estimate.
1224 3. An estimate of recurring costs associated with the
1225 energy consumption of current agency e-mail equipment, and the
1226 basis for the estimate.
1227 4. Any other critical costs associated with the current
1228 agency e-mail systems which can reasonably be estimated and
1229 included in the business case analysis.
1230 (c) A comparison of the migrating schedules of each
1231 sourcing option to the statewide e-mail service, including the
1232 approach and schedule for the decommissioning of all current
1233 state agency e-mail systems beginning with phase 1 and phase 2
1234 as provided in subsection (4).
1235 (4) All agencies must be completely migrated to the
1236 statewide e-mail service as soon as financially and
1237 operationally feasible, but no later than June 30, 2015.
1238 (a) The following statewide e-mail service implementation
1239 schedule is established for state agencies:
1240 1. Phase 1.—The following agencies must be completely
1241 migrated to the statewide e-mail system by June 30, 2012: the
1242 Agency for Enterprise Information Technology; the Department of
1243 Community Affairs, including the Division of Emergency
1244 Management; the Department of Corrections; the Department of
1245 Health; the Department of Highway Safety and Motor Vehicles; the
1246 Department of Management Services, including the Division of
1247 Administrative Hearings, the Division of Retirement, the
1248 Commission on Human Relations, and the Public Employees
1249 Relations Commission; the Southwood Shared Resource Center; and
1250 the Department of Revenue.
1251 2. Phase 2.—The following agencies must be completely
1252 migrated to the statewide e-mail system by June 30, 2013: the
1253 Department of Business and Professional Regulation; the
1254 Department of Education, including the Board of Governors; the
1255 Department of Environmental Protection; the Department of
1256 Juvenile Justice; the Department of the Lottery; the Department
1257 of State; the Department of Law Enforcement; the Department of
1258 Veterans’ Affairs; the Judicial Administration Commission; the
1259 Public Service Commission; and the Statewide Guardian Ad Litem
1260 Office.
1261 3. Phase 3.—The following agencies must be completely
1262 migrated to the statewide e-mail system by June 30, 2014: the
1263 Agency for Health Care Administration; the Agency for Workforce
1264 Innovation; the Department of Financial Services, including the
1265 Office of Financial Regulation and the Office of Insurance
1266 Regulation; the Department of Agriculture and Consumer Services;
1267 the Executive Office of the Governor; the Department of
1268 Transportation; the Fish and Wildlife Conservation Commission;
1269 the Agency for Persons With Disabilities; the Northwood Shared
1270 Resource Center; and the State Board of Administration.
1271 4. Phase 4.—The following agencies must be completely
1272 migrated to the statewide e-mail system by June 30, 2015: the
1273 Department of Children and Family Services; the Department of
1274 Citrus; the Department of Elderly Affairs; and the Department of
1275 Legal Affairs.
1276 (b) Agency requests to modify their scheduled implementing
1277 date must be submitted in writing to the Agency for Enterprise
1278 Information Technology. Any exceptions or modifications to the
1279 schedule must be approved by the Agency for Enterprise
1280 Information Technology based only on the following criteria:
1281 1. Avoiding nonessential investment in agency e-mail
1282 hardware or software refresh, upgrade, or replacement.
1283 2. Avoiding nonessential investment in new software or
1284 hardware licensing agreements, maintenance or support
1285 agreements, or e-mail staffing for current e-mail systems.
1286 3. Resolving known agency e-mail problems through migration
1287 to the statewide e-mail service.
1288 4. Accommodating unique agency circumstances that require
1289 an acceleration or delay of the implementation date.
1290 (5) In order to develop the implementation plan for the
1291 statewide e-mail service, the Agency for Enterprise Information
1292 Technology shall establish and coordinate a statewide e-mail
1293 project team. The agency shall also consult with and, as
1294 necessary, form workgroups consisting of agency e-mail
1295 management staff, agency chief information officers, agency
1296 budget directors, and other administrative staff. The statewide
1297 e-mail implementation plan must be submitted to the Governor,
1298 the President of the Senate, and the Speaker of the House of
1299 Representatives by July 1, 2011.
1300 (6) Unless authorized by the Legislature or as provided in
1301 subsection (7), a state agency may not:
1302 (a) Initiate a new e-mail service or execute a new e-mail
1303 contract or new e-mail contract amendment for nonessential
1304 products or services with any entity other than the provider of
1305 the statewide e-mail service;
1306 (b) Terminate a statewide e-mail service without giving
1307 written notice of termination 180 days in advance; or
1308 (c) Transfer e-mail system services from the provider of
1309 the statewide e-mail service.
1310 (7) Exceptions to paragraphs (6)(a), (b), and (c) may be
1311 granted by the Agency for Enterprise Information Technology only
1312 if the Southwood Shared Resource Center is unable to meet agency
1313 business requirements for the e-mail service, and if such
1314 requirements are essential to maintain agency operations.
1315 Requests for exceptions must be submitted in writing to the
1316 Agency for Enterprise Information Technology and include
1317 documented confirmation by the Southwood Shared Resource Center
1318 board of trustees that it cannot meet the requesting agency’s e
1319 mail service requirements.
1320 (8) Each agency shall include the budget issues necessary
1321 for migrating to the statewide e-mail service in its legislative
1322 budget request before the first full year it is scheduled to
1323 migrate to the statewide service in accordance with budget
1324 instructions developed pursuant to s. 216.023.
1325 (9) The Agency for Enterprise Information Technology shall
1326 adopt rules to standardize the format for state agency e-mail
1327 addresses.
1328 (10) State agencies must fully cooperate with the Agency
1329 for Enterprise Information Technology in the performance of its
1330 responsibilities established in this section.
1331 (11) The Agency for Enterprise Information Technology shall
1332 recommend changes to an agency’s scheduled date for migration to
1333 the statewide e-mail service pursuant to this section, annually
1334 by December 31, until migration to the statewide service is
1335 complete.
1336 Section 12. Paragraph (h) of subsection (3) and paragraph
1337 (b) of subsection (4) of section 287.042, Florida Statutes, are
1338 amended to read:
1339 287.042 Powers, duties, and functions.—The department shall
1340 have the following powers, duties, and functions:
1341 (3) To establish a system of coordinated, uniform
1342 procurement policies, procedures, and practices to be used by
1343 agencies in acquiring commodities and contractual services,
1344 which shall include, but not be limited to:
1345 (h) Development, in consultation with the Agency Chief
1346 Information Officers Council, of procedures to be used by state
1347 agencies when procuring information technology commodities and
1348 contractual services to ensure compliance with public records
1349 requirements and records retention and archiving requirements.
1350 (4)
1351 (b) To prescribe, in consultation with the Agency Chief
1352 Information Officers Council, procedures for procuring
1353 information technology and information technology consultant
1354 services which provide for public announcement and
1355 qualification, competitive solicitations, contract award, and
1356 prohibition against contingent fees. Such procedures are shall
1357 be limited to information technology consultant contracts for
1358 which the total project costs, or planning or study activities,
1359 are estimated to exceed the threshold amount provided for in s.
1360 287.017, for CATEGORY TWO.
1361 Section 13. The Northwood Shared Resource Center is
1362 transferred by a type one transfer, as defined in s. 20.06(1),
1363 Florida Statutes, from the Department of Children and Family
1364 Services to the Department of Management Services.
1365 Section 14. The Agency for Enterprise Information
1366 Technology, in coordination with the Southwood Shared Resource
1367 Center, shall provide a written status report to the Executive
1368 Office of the Governor and to the chairs of the legislative
1369 appropriations committees detailing the progress made by the
1370 agencies required to migrate to the statewide e-mail service by
1371 the required migration date. The status report must be provided
1372 every 6 months, beginning September 1, 2011, until
1373 implementation is complete.
1374 Section 15. This act shall take effect upon becoming a law.