ENROLLED
       2011 Legislature                          SB 2098, 2nd Engrossed
       
       
       
       
       
       
                                                             20112098er
    1  
    2         An act relating to the consolidation of state
    3         information technology services; amending s. 14.204,
    4         F.S.; revising the duties of the Agency for Enterprise
    5         Information Technology; deleting references to the
    6         Office of Information Security and the Agency Chief
    7         Information Officers Council; amending s. 20.315,
    8         F.S.; requiring that the Department of Corrections’
    9         Office of Information Technology manage the
   10         department’s data system; amending s. 282.0041, F.S.;
   11         revising definitions; amending s. 282.0056, F.S.;
   12         revising provisions relating to the agency’s annual
   13         work plan; amending s. 282.201, F.S.; revising the
   14         duties of the agency; requiring the agency to submit
   15         certain recommendations to the Legislature, the
   16         Executive Office of the Governor, and the primary data
   17         centers; deleting obsolete provisions; conforming
   18         provisions to changes made by the act; providing a
   19         schedule for the consolidations of state agency data
   20         centers; requiring agencies to update their service
   21         level agreements and to develop consolidation plans;
   22         requiring the Agency for Enterprise Information
   23         Technology to submit a status report to the Governor
   24         and Legislature and to develop a comprehensive
   25         transition plan; requiring primary data centers to
   26         develop transition plans; revising agency limitations
   27         relating to technology services; amending s. 282.203,
   28         F.S.; deleting obsolete provisions; revising duties of
   29         primary data centers relating to state agency
   30         resources and equipment relinquished to the centers;
   31         requiring state agencies to relinquish all
   32         administrative access rights to certain resources and
   33         equipment upon consolidation; providing for the
   34         appointment of alternate board members; revising
   35         provisions relating to state agency representation on
   36         data center boards; conforming a cross-reference;
   37         amending s. 282.204, F.S.; establishing the Northwood
   38         Shared Resource Center in the Department of Management
   39         Services rather than the Department of Children and
   40         Family Services; repealing s. 282.3055, F.S.,
   41         requiring each agency to appoint an agency chief
   42         information officer; repealing s. 282.315, F.S.,
   43         relating to the Agency Chief Information Officers
   44         Council; amending s. 282.318, F.S.; deleting
   45         references to the Office of Information Security with
   46         respect to responsibility for enterprise security;
   47         deleting obsolete provisions; amending s. 282.33,
   48         F.S.; deleting an obsolete provision; revising the
   49         schedule for the Agency for Enterprise Information
   50         Technology to submit certain recommendations to the
   51         Legislature; amending s. 282.34, F.S.; revising
   52         provisions relating to the statewide e-mail service;
   53         deleting the schedule and requiring the agency to
   54         develop and submit a plan to the Legislative Budget
   55         Commission for the migration of state agencies to the
   56         service; specifying what the plan must include;
   57         prohibiting state agencies from executing contracts
   58         for certain e-mail services; requiring the development
   59         of an implementation plan; requiring state agencies to
   60         provide all information necessary for the
   61         implementation plan; amending ss. 287.042, F.S.;
   62         conforming provisions to changes made by the act;
   63         transferring the Northwood Shared Resource Center to
   64         the Department of Management Services; requiring the
   65         agency to coordinate with the Southwood Shared
   66         Resource Center to provide a status report to the
   67         Executive Office of the Governor and to the
   68         Legislature; providing an effective date.
   69  
   70  Be It Enacted by the Legislature of the State of Florida:
   71  
   72         Section 1. Subsections (4), (5), and (6) of section 14.204,
   73  Florida Statutes, are amended to read:
   74         14.204 Agency for Enterprise Information Technology.—The
   75  Agency for Enterprise Information Technology is created within
   76  the Executive Office of the Governor.
   77         (4) The agency shall have the following duties and
   78  responsibilities:
   79         (a) Develop strategies for the design, planning, project
   80  management, delivery, and management of the enterprise
   81  information technology services established in law, including
   82  the state data center system service established in s. 282.201,
   83  the information technology security service established in s.
   84  282.318, and the statewide e-mail service established in s.
   85  282.34.
   86         (b) Monitor the implementation, delivery, and management of
   87  the enterprise information technology services as established in
   88  law.
   89         (c) Make recommendations to the agency head and the
   90  Legislature concerning other information technology services
   91  that should be designed, delivered, and managed as enterprise
   92  information technology services as defined in s. 282.0041.
   93         (d) Plan and establish policies for managing proposed
   94  statutorily authorized enterprise information technology
   95  services, which includes:
   96         1. Developing business cases that, when applicable, include
   97  the components identified in s. 287.0571;
   98         2. Establishing and coordinating project-management teams;
   99         3. Establishing formal risk-assessment and mitigation
  100  processes; and
  101         4. Providing for independent monitoring of projects for
  102  recommended corrective actions.
  103         (e) Beginning October 1, 2010, Develop, publish, and
  104  biennially update a long-term strategic enterprise information
  105  technology plan that identifies and recommends strategies and
  106  opportunities to improve the delivery of cost-effective and
  107  efficient enterprise information technology services to be
  108  proposed for establishment pursuant to s. 282.0056.
  109         (f) Perform duties related to enterprise information
  110  technology services, including the state data center system
  111  established in as provided in s. 282.201, the information
  112  technology security service established in s. 282.318, and the
  113  statewide e-mail service established in s. 282.34.
  114         (g) Coordinate technology resource acquisition planning,
  115  and assist the Department of Management Service’s Division of
  116  Purchasing with using aggregate buying methodologies whenever
  117  possible and with procurement negotiations for hardware and
  118  software products and services in order to improve the
  119  efficiency and reduce the cost of enterprise information
  120  technology services.
  121         (h) In consultation with the Division of Purchasing in the
  122  Department of Management Services, coordinate procurement
  123  negotiations for information technology products as defined in
  124  s. 282.0041 which will be used by multiple agencies.
  125         (i) In coordination with, and through the services of, the
  126  Division of Purchasing in the Department of Management Services,
  127  establish best practices for the procurement of information
  128  technology products as defined in s. 282.0041 in order to
  129  achieve savings for the state.
  130         (j) Develop information technology standards for the
  131  efficient design, planning, project management, implementation,
  132  and delivery of enterprise information technology services. All
  133  state agencies must make the transition to the new standards.
  134         (k) Provide annually, by December 31, recommendations to
  135  the Legislature relating to techniques for consolidating the
  136  purchase of information technology commodities and services,
  137  which result in savings for the state, and for establishing a
  138  process to achieve savings through consolidated purchases.
  139         (5) The Office of Information Security shall be created
  140  within the agency. The agency shall designate a state Chief
  141  Information Security Officer who shall oversee the office and
  142  report directly to the executive director.
  143         (6) The agency shall operate in a manner that ensures the
  144  participation and representation of state agencies and the
  145  Agency Chief Information Officers Council established in s.
  146  282.315.
  147         Section 2. Subsection (10) of section 20.315, Florida
  148  Statutes, is amended to read:
  149         20.315 Department of Corrections.—There is created a
  150  Department of Corrections.
  151         (10) SINGLE INFORMATION AND RECORDS SYSTEM.—There shall be
  152  Only one offender-based information and records computer system
  153  shall be maintained by the Department of Corrections for the
  154  joint use of the department and the Parole Commission. The This
  155  data system shall be managed through the department’s office of
  156  information technology Justice Data Center. The department shall
  157  develop and maintain, in consultation with the Criminal and
  158  Juvenile Justice Information Systems Council under s. 943.08,
  159  such offender-based information, including clemency
  160  administration information and other computer services to serve
  161  the needs of both the department and the Parole Commission. The
  162  department shall notify the commission of all violations of
  163  parole and the circumstances thereof.
  164         Section 3. Present subsections (4) through (30) of section
  165  282.0041, Florida Statutes, are redesignated as subsections (2)
  166  through (28), respectively, and present subsections (2), (3),
  167  (14), and (19) of that section are amended, to read:
  168         282.0041 Definitions.—As used in this chapter, the term:
  169         (2) “Agency chief information officer” means the person
  170  employed by the agency head to coordinate and manage the
  171  information technology functions and responsibilities applicable
  172  to that agency, to participate and represent the agency in
  173  developing strategies for implementing enterprise information
  174  technology services established pursuant to this part, and to
  175  develop recommendations for enterprise information technology
  176  policy.
  177         (3) “Agency Chief Information Officers Council” means the
  178  council created in s. 282.315.
  179         (12)(14) “E-mail, messaging, and calendaring service” means
  180  the enterprise information technology service that enables users
  181  to send, receive, file, store, manage, and retrieve electronic
  182  messages, attachments, appointments, and addresses. The e-mail,
  183  messaging, and calendaring service must include e-mail account
  184  management; help desk; technical support and user provisioning
  185  services; disaster recovery and backup and restore capabilities;
  186  antispam and antivirus capabilities; archiving and e-discovery;
  187  and remote access and mobile messaging capabilities.
  188         (17)(19) “Primary data center” means a state or nonstate
  189  agency data center that is a recipient entity for consolidation
  190  of nonprimary data centers and computing facilities and that is
  191  established by. A primary data center may be authorized in law
  192  or designated by the Agency for Enterprise Information
  193  Technology pursuant to s. 282.201.
  194         Section 4. Subsection (1) of section 282.0056, Florida
  195  Statutes, is amended to read:
  196         282.0056 Development of work plan; development of
  197  implementation plans; and policy recommendations.—
  198         (1) For the purposes of carrying out its responsibilities
  199  under s. 282.0055, the Agency for Enterprise Information
  200  Technology shall develop an annual work plan within 60 days
  201  after the beginning of the fiscal year describing the activities
  202  that the agency intends to undertake for that year, including
  203  proposed outcomes and completion timeframes for the planning and
  204  implementation of all enterprise information technology
  205  services. The work plan must be presented at a public hearing
  206  and that includes the Agency Chief Information Officers Council,
  207  which may review and comment on the plan. The work plan must
  208  thereafter be approved by the Governor and Cabinet, and
  209  thereafter submitted to the President of the Senate and the
  210  Speaker of the House of Representatives. The work plan may be
  211  amended as needed, subject to approval by the Governor and
  212  Cabinet.
  213         Section 5. Subsections (2) and (3) of section 282.201,
  214  Florida Statutes, are amended, present subsections (4) and (5)
  215  of that section are amended and renumbered as subsections (5)
  216  and (6), respectively, and a new subsection (4) is added to that
  217  section, to read:
  218         282.201 State data center system; agency duties and
  219  limitations.—A state data center system that includes all
  220  primary data centers, other nonprimary data centers, and
  221  computing facilities, and that provides an enterprise
  222  information technology service as defined in s. 282.0041, is
  223  established.
  224         (2) AGENCY FOR ENTERPRISE INFORMATION TECHNOLOGY DUTIES.
  225  The Agency for Enterprise Information Technology shall:
  226         (a) Collect and maintain information necessary for
  227  developing policies relating to the data center system,
  228  including, but not limited to, an inventory of facilities.
  229         (b) Annually approve cost-recovery mechanisms and rate
  230  structures for primary data centers which recover costs through
  231  charges to customer entities.
  232         (c) By September 30 December 31 of each year, submit to the
  233  Legislature, the Executive Office of the Governor, and the
  234  primary data centers Legislature recommendations to improve the
  235  efficiency and cost-effectiveness effectiveness of computing
  236  services provided by state data center system facilities. Such
  237  recommendations must may include, but need not be limited to:
  238         1. Policies for improving the cost-effectiveness and
  239  efficiency of the state data center system, which includes the
  240  primary data centers being transferred to a shared, virtualized
  241  server environment, and the associated cost savings resulting
  242  from the implementation of such policies.
  243         2. Infrastructure improvements supporting the consolidation
  244  of facilities or preempting the need to create additional data
  245  centers or computing facilities.
  246         3. Standards for an objective, credible energy performance
  247  rating system that data center boards of trustees can use to
  248  measure state data center energy consumption and efficiency on a
  249  biannual basis.
  250         3.4. Uniform disaster recovery standards.
  251         4.5. Standards for primary data centers which provide cost
  252  effective services and providing transparent financial data to
  253  user agencies.
  254         5.6. Consolidation of contract practices or coordination of
  255  software, hardware, or other technology-related procurements and
  256  the associated cost savings.
  257         6.7. Improvements to data center governance structures.
  258         (d) By October 1 of each year beginning in 2011, provide
  259  recommendations 2009, recommend to the Governor and Legislature
  260  relating to changes to the schedule for the consolidations of
  261  state agency data centers as provided in subsection (4) at least
  262  two nonprimary data centers for consolidation into a primary
  263  data center or nonprimary data center facility.
  264         1. The consolidation proposal must provide a transition
  265  plan that includes:
  266         a. Estimated transition costs for each data center or
  267  computing facility recommended for consolidation;
  268         b. Detailed timeframes for the complete transition of each
  269  data center or computing facility recommended for consolidation;
  270         c. Proposed recurring and nonrecurring fiscal impacts,
  271  including increased or decreased costs and associated budget
  272  impacts for affected budget entities;
  273         d. Substantive legislative changes necessary to implement
  274  the transition; and
  275         e. Identification of computing resources to be transferred
  276  and those that will remain in the agency. The transfer of
  277  resources must include all hardware, software, staff, contracted
  278  services, and facility resources performing data center
  279  management and operations, security, backup and recovery,
  280  disaster recovery, system administration, database
  281  administration, system programming, job control, production
  282  control, print, storage, technical support, help desk, and
  283  managed services but excluding application development.
  284         1.2.The recommendations must shall be based on the goal of
  285  maximizing current and future cost savings by. The agency shall
  286  consider the following criteria in selecting consolidations that
  287  maximize efficiencies by providing the ability to:
  288         a. Consolidating Consolidate purchase decisions;
  289         b. Leveraging Leverage expertise and other resources to
  290  gain economies of scale;
  291         c. Implementing Implement state information technology
  292  policies more effectively; and
  293         d. Maintaining or improving Maintain or improve the level
  294  of service provision to customer entities; and
  295         e. Make progress towards the state’s goal of consolidating
  296  data centers and computing facilities into primary data centers.
  297         2.3. The agency shall establish workgroups as necessary to
  298  ensure participation by affected agencies in the development of
  299  recommendations related to consolidations.
  300         (e) By December 31, 2010, the agency shall develop and
  301  submit to the Legislature an overall consolidation plan for
  302  state data centers. The plan shall indicate a timeframe for the
  303  consolidation of all remaining nonprimary data centers into
  304  primary data centers, including existing and proposed primary
  305  data centers, by 2019.
  306         (e)(f) Develop and establish rules relating to the
  307  operation of the state data center system which comply with
  308  applicable federal regulations, including 2 C.F.R. part 225 and
  309  45 C.F.R. The agency shall publish notice of rule development in
  310  the Florida Administrative Weekly by October 1, 2011. The rules
  311  must may address:
  312         1. Ensuring that financial information is captured and
  313  reported consistently and accurately.
  314         2. Identifying standards for hardware, including standards
  315  for a shared, virtualized server environment, and operations
  316  system software and other operational software, including
  317  security and network infrastructure, for the primary data
  318  centers; requiring compliance with such standards in order to
  319  enable the efficient consolidation of the agency data centers or
  320  computing facilities; and providing an exemption process from
  321  compliance with such standards, which must be consistent with
  322  paragraph (5)(b).
  323         2. Requiring the establishment of service-level agreements
  324  executed between a data center and its customer entities for
  325  services provided.
  326         3. Requiring annual full cost recovery on an equitable
  327  rational basis. The cost-recovery methodology must ensure that
  328  no service is subsidizing another service and may include
  329  adjusting the subsequent year’s rates as a means to recover
  330  deficits or refund surpluses from a prior year.
  331         4. Requiring that any special assessment imposed to fund
  332  expansion is based on a methodology that apportions the
  333  assessment according to the proportional benefit to each
  334  customer entity.
  335         5. Requiring that rebates be given when revenues have
  336  exceeded costs, that rebates be applied to offset charges to
  337  those customer entities that have subsidized the costs of other
  338  customer entities, and that such rebates may be in the form of
  339  credits against future billings.
  340         6. Requiring that all service-level agreements have a
  341  contract term of up to 3 years, but may include an option to
  342  renew for up to 3 additional years contingent on approval by the
  343  board, and require at least a 180-day notice of termination.
  344         7. Designating any nonstate data center as a primary data
  345  center if the center:
  346         a. Has an established governance structure that represents
  347  customer entities proportionally.
  348         b. Maintains an appropriate cost-allocation methodology
  349  that accurately bills a customer entity based on the actual
  350  direct and indirect costs to the customer entity, and prohibits
  351  the subsidization of one customer entity’s costs by another
  352  entity.
  353         c. Has sufficient raised floor space, cooling, and
  354  redundant power capacity, including uninterruptible power supply
  355  and backup power generation, to accommodate the computer
  356  processing platforms and support necessary to host the computing
  357  requirements of additional customer entities.
  358         8. Removing a nonstate data center from primary data center
  359  designation if the nonstate data center fails to meet standards
  360  necessary to ensure that the state’s data is maintained pursuant
  361  to subparagraph 7.
  362         (3) STATE AGENCY DUTIES.—
  363         (a) For the purpose of completing its work activities as
  364  described in subsection (1), each state agency shall provide to
  365  the Agency for Enterprise Information Technology all requested
  366  information and any other information relevant to the agency’s
  367  ability to effectively transition its computer services into a
  368  primary data center. The agency shall also participate as
  369  required in workgroups relating to specific consolidation
  370  planning and implementation tasks as assigned by the Agency for
  371  Enterprise Information Technology and determined necessary to
  372  accomplish consolidation goals.
  373         (b) Each state agency shall submit to the Agency for
  374  Enterprise Information Technology information relating to its
  375  data centers and computing facilities as required in
  376  instructions issued by July 1 of each year by the Agency for
  377  Enterprise Information Technology. The information required may
  378  include:
  379         1. Amount of floor space used and available.
  380         2. Numbers and capacities of mainframes and servers.
  381         3. Storage and network capacity.
  382         4. Amount of power used and the available capacity.
  383         5. Estimated expenditures by service area, including
  384  hardware and software, numbers of full-time equivalent
  385  positions, personnel turnover, and position reclassifications.
  386         6. A list of contracts in effect for the fiscal year,
  387  including, but not limited to, contracts for hardware, software
  388  and maintenance, including the expiration date, the contract
  389  parties, and the cost of the contract.
  390         7. Service-level agreements by customer entity.
  391         (c) The chief information officer of each state agency
  392  shall assist the Agency for Enterprise Information Technology at
  393  the request of the Agency for Enterprise Information Technology.
  394         (c)(d) Each state agency customer of a primary data center
  395  shall notify the data center, by May 31 and November 30 of each
  396  year, of any significant changes in anticipated utilization of
  397  data center services pursuant to requirements established by the
  398  boards of trustees of each primary data center.
  399         (4) SCHEDULE FOR CONSOLIDATIONS OF AGENCY DATA CENTERS.—
  400         (a) Consolidations of agency data centers shall be made by
  401  the date and to the specified primary data center as provided in
  402  this section and in accordance with budget adjustments contained
  403  in the General Appropriations Act.
  404         (b) By December 31, 2011, the following shall be
  405  consolidated into the Northwest Regional Data Center:
  406         1. The Department of Education’s Knott Data Center in the
  407  Turlington Building.
  408         2. The Department of Education’s Division of Vocational
  409  Rehabilitation.
  410         3. The Department of Education’s Division of Blind
  411  Services, except for the division’s disaster recovery site in
  412  Daytona Beach.
  413         4. The FCAT Explorer.
  414         5. FACTS.org.
  415         (c) During the 2011-2012 fiscal year, the following shall
  416  be consolidated into the Southwood Shared Resource Center:
  417         1. By September 30, 2011, the Department of Corrections.
  418         2. By March 31, 2012, the Department of Transportation’s
  419  Burns Building.
  420         3. By March 31, 2012, the Department of Transportation’s
  421  Survey & Mapping Office.
  422         (d) During the 2011-2012 fiscal year, the following shall
  423  be consolidated into the Northwood Shared Resource Center:
  424         1. By July 1, 2011, the Department of Transportation’s
  425  Office of Motor Carrier Compliance.
  426         2. By March 31, 2012, the Department of Highway Safety and
  427  Motor Vehicles.
  428         (e) During the 2012-2013 fiscal year, the following shall
  429  be consolidated into the Southwood Shared Resource Center:
  430         1. By September 30, 2012, the Division of Emergency
  431  Management and the Department of Community Affairs, except for
  432  the Emergency Operation Center’s management system in
  433  Tallahassee and the Camp Blanding Emergency Operations Center in
  434  Starke.
  435         2. By September 30, 2012, the Department of Revenue’s
  436  Carlton Building and Imaging Center locations.
  437         3. By December 31, 2012, the Department of Health’s Test
  438  and Development Lab and all remaining data center resources
  439  located at the Capital Circle Office Complex.
  440         (f) During the 2012-2013 fiscal year, the following shall
  441  be consolidated into the Northwood Shared Resource Center:
  442         1. By July 1, 2012, the Agency for Health Care
  443  Administration.
  444         2. By December 31, 2012, the Department of Environmental
  445  Protection’s Palmetto Commons.
  446         3. By March 30, 2013, the Department of Law Enforcement’s
  447  headquarters location.
  448         (g) During the 2013-2014 fiscal year, the following
  449  agencies shall work with the Agency for Enterprise Information
  450  Technology to begin preliminary planning for consolidation into
  451  a primary data center:
  452         1. The Department of the Lottery’s headquarters location.
  453         2. The Department of Legal Affairs.
  454         3. The Fish and Wildlife Conservation Commission, except
  455  for the commission’s Fish and Wildlife Research Institute in St.
  456  Petersburg.
  457         4. The Executive Office of the Governor.
  458         5. The Department of Veterans’ Affairs.
  459         6. The Department of Elderly Affairs.
  460         7. The Department of Financial Services’ Hartman, Larson,
  461  and Fletcher Building Data Centers.
  462         8. The Department of Agriculture and Consumer Services’
  463  Agriculture Management Information Center in the Mayo Building
  464  and Division of Licensing.
  465         (h) During the 2014-2015 fiscal year, the following
  466  agencies shall work with the Agency for Enterprise Information
  467  Technology to begin preliminary planning for consolidation into
  468  a primary data center:
  469         1. The Department of Health’s Jacksonville Lab Data Center.
  470         2. The Department of Transportation’s district offices,
  471  toll offices, and the District Materials Office.
  472         3. The Department of Military Affairs’ Camp Blanding Joint
  473  Training Center in Starke.
  474         4. The Department of Community Affairs’ Camp Blanding
  475  Emergency Operations Center in Starke.
  476         5. The Department of Education’s Division of Blind Services
  477  disaster recovery site in Daytona Beach.
  478         6. The Department of Education’s disaster recovery site at
  479  Santa Fe College.
  480         7. The Department of the Lottery’s Disaster Recovery Backup
  481  Data Center in Orlando.
  482         8. The Fish and Wildlife Conservation Commission’s Fish and
  483  Wildlife Research Institute in St. Petersburg.
  484         9. The Department of Children and Family Services’ Suncoast
  485  Data Center in Tampa.
  486         10. The Department of Children and Family Services’ Florida
  487  State Hospital in Chattahoochee.
  488         (i) During the 2015-2016 fiscal year, all computing
  489  resources remaining within an agency nonprimary data center or
  490  computing facility shall be transferred to a primary data center
  491  for consolidation unless otherwise required to remain in the
  492  agency for specified financial, technical, or business reasons
  493  that must be justified in writing and approved by the Agency for
  494  Enterprise Information Technology. Such data centers, computing
  495  facilities, and resources must be identified by the Agency for
  496  Enterprise Information Technology by October 1, 2014.
  497         (j) Any agency that is consolidating agency data centers
  498  into a primary data center must execute a new or update an
  499  existing service-level agreement within 60 days after the
  500  specified consolidation date, as required by s. 282.203, in
  501  order to specify the services and levels of service it is to
  502  receive from the primary data center as a result of the
  503  consolidation. If an agency is unable to execute a service-level
  504  agreement by that date, the agency shall submit a report to the
  505  Executive Office of the Governor and to the chairs of the
  506  legislative appropriations committees within 5 working days
  507  after that date which explains the specific issues preventing
  508  execution and describing its plan and schedule for resolving
  509  those issues.
  510         (k) Beginning September 1, 2011, and every 6 months
  511  thereafter until data center consolidations are complete, the
  512  Agency for Enterprise Information Technology shall provide a
  513  status report on the implementation of the consolidations that
  514  must be completed during the fiscal year. The report shall be
  515  submitted to the Executive Office of the Governor and the chairs
  516  of the legislative appropriations committees. The report must,
  517  at a minimum, describe:
  518         1. Whether the consolidation is on schedule, including
  519  progress on achieving the milestones necessary for successful
  520  and timely consolidation of scheduled agency data centers and
  521  computing facilities; and
  522         2. The risks that may affect the progress or outcome of the
  523  consolidation and how these risks are being addressed,
  524  mitigated, or managed.
  525         (l) Each agency identified in this subsection for
  526  consolidation into a primary data center shall submit a
  527  transition plan to the Agency for Enterprise Information
  528  Technology by September 1 of the fiscal year before the fiscal
  529  year in which the scheduled consolidation will occur. Transition
  530  plans shall be developed in consultation with the appropriate
  531  primary data centers and the Agency for Enterprise Information
  532  Technology, and must include:
  533         1. An inventory of the agency data center’s resources being
  534  consolidated, including all hardware, software, staff, and
  535  contracted services, and the facility resources performing data
  536  center management and operations, security, backup and recovery,
  537  disaster recovery, system administration, database
  538  administration, system programming, job control, production
  539  control, print, storage, technical support, help desk, and
  540  managed services, but excluding application development;
  541         2. A description of the level of services needed to meet
  542  the technical and operational requirements of the platforms
  543  being consolidated and an estimate of the primary data center’s
  544  cost for the provision of such services;
  545         3. A description of resources for computing services
  546  proposed to remain in the department;
  547         4. A timetable with significant milestones for the
  548  completion of the consolidation; and
  549         5. The specific recurring and nonrecurring budget
  550  adjustments of budget resources by appropriation category into
  551  the appropriate data-processing category pursuant to the
  552  legislative budget instructions in s. 216.023 necessary to
  553  support agency costs for the transfer.
  554         (m) Each primary data center shall develop a transition
  555  plan for absorbing the transfer of agency data center resources
  556  based upon the timetables for transition as provided in this
  557  subsection. The plan shall be submitted to the Agency for
  558  Enterprise Information Technology, the Executive Office of the
  559  Governor, and the chairs of the legislative appropriations
  560  committees by September 30 of the fiscal year before the fiscal
  561  year in which the scheduled consolidations will occur. Each plan
  562  must include:
  563         1. An estimate of the cost to provide data center services
  564  for each agency scheduled for consolidation;
  565         2. A staffing plan that identifies the projected staffing
  566  needs and requirements based on the estimated workload
  567  identified in the agency transition plan;
  568         3. The fiscal year adjustments to budget categories in
  569  order to absorb the transfer of agency data center resources
  570  pursuant to the legislative budget request instructions provided
  571  in s. 216.023;
  572         4. An analysis of the cost effects resulting from the
  573  planned consolidations on existing agency customers; and
  574         5. A description of any issues that must be resolved in
  575  order to accomplish as efficiently and effectively as possible
  576  all consolidations required during the fiscal year.
  577         (n) The Agency for Enterprise Information Technology shall
  578  develop a comprehensive transition plan, which shall be
  579  submitted by October 15th of the fiscal year before the fiscal
  580  year in which the scheduled consolidations will occur to each
  581  primary data center, to the Executive Office of the Governor,
  582  and the chairs of the legislative appropriations committees. The
  583  transition plan shall be developed in consultation with agencies
  584  submitting agency transition plans and with the affected primary
  585  data centers. The comprehensive transition plan must include:
  586         1. Recommendations for accomplishing the proposed
  587  transitions as efficiently and effectively as possible with
  588  minimal disruption to customer agency business processes;
  589         2. Strategies to minimize risks associated with any of the
  590  proposed consolidations;
  591         3. A compilation of the agency transition plans submitted
  592  by agencies scheduled for consolidation for the following fiscal
  593  year; and
  594         4. Revisions to any budget adjustments provided in the
  595  agency or primary data center transition plans.
  596         (o) Any agency data center scheduled for consolidation
  597  after the 2011-2012 fiscal year may consolidate into a primary
  598  data center before its scheduled date contingent upon the
  599  approval of the Agency for Enterprise Information Technology.
  600         (5)(4) AGENCY LIMITATIONS.—
  601         (a) Unless authorized by the Legislature or as provided in
  602  paragraphs (b) and (c), a state agency may not:
  603         1. Create a new computing facility or data center, or
  604  expand the capability to support additional computer equipment
  605  in an existing computing facility or nonprimary data center;
  606         2. Spend funds before the agency’s scheduled consolidation
  607  into a primary data center to purchase or modify hardware or
  608  operations software that does not comply with hardware and
  609  software standards established by the Agency for Enterprise
  610  Information Technology pursuant to paragraph (2)(e) for the
  611  efficient consolidation of the agency data centers or computing
  612  facilities;
  613         3.2. Transfer existing computer services to any data center
  614  other than a primary nonprimary data center or computing
  615  facility;
  616         4.3. Terminate services with a primary data center or
  617  transfer services between primary data centers without giving
  618  written notice of intent to terminate or transfer services 180
  619  days before such termination or transfer; or
  620         5.4. Initiate a new computer service if it does not
  621  currently have an internal data center except with a primary
  622  data center.
  623         (b) Exceptions to the limitations in subparagraphs (a)1.,
  624  2., 3., and 5. 4. may be granted by the Agency for Enterprise
  625  Information Technology if there is insufficient capacity in a
  626  primary data center to absorb the workload associated with
  627  agency computing services, if expenditures are compatible with
  628  the scheduled consolidation and the standards established
  629  pursuant to paragraph (2)(e), or if the equipment or resources
  630  are needed to meet a critical agency business need that cannot
  631  be satisfied from surplus equipment or resources of the primary
  632  data center until the agency data center is consolidated.
  633         1. A request for an exception must be submitted in writing
  634  to the Agency for Enterprise Information Technology. The agency
  635  must accept, accept with conditions, or deny the request within
  636  60 days after receipt of the written request. The agency’s
  637  decision is not subject to chapter 120.
  638         2. At a minimum, the agency may not approve a request
  639  unless it includes:
  640         a. Documentation approved by the primary data center’s
  641  board of trustees which confirms that the center cannot meet the
  642  capacity requirements of the agency requesting the exception
  643  within the current fiscal year.
  644         b. A description of the capacity requirements of the agency
  645  requesting the exception.
  646         c. Documentation from the agency demonstrating why it is
  647  critical to the agency’s mission that the expansion or transfer
  648  must be completed within the fiscal year rather than when
  649  capacity is established at a primary data center.
  650         (c) Exceptions to subparagraph (a)4. (a)3. may be granted
  651  by the board of trustees of the primary data center if the
  652  termination or transfer of services can be absorbed within the
  653  current cost-allocation plan.
  654         (d) Upon the termination of or transfer of agency computing
  655  services from the primary data center, the primary data center
  656  shall require information sufficient to determine compliance
  657  with this section. If a primary data center determines that an
  658  agency is in violation of this section, it shall report the
  659  violation to the Agency for Enterprise Information Technology.
  660         (6)(5) RULES.—The Agency for Enterprise Information
  661  Technology may is authorized to adopt rules pursuant to ss.
  662  120.536(1) and 120.54 to administer the provisions of this part
  663  relating to the state data center system including the primary
  664  data centers.
  665         Section 6. Paragraphs (f) through (l) of subsection (1),
  666  paragraph (a) of subsection (2), and paragraph (j) of subsection
  667  (3) of section 282.203, Florida Statutes, are amended to read:
  668         282.203 Primary data centers.—
  669         (1) DATA CENTER DUTIES.—Each primary data center shall:
  670         (f) By December 31, 2010, submit organizational plans that
  671  minimize the annual recurring cost of center operations and
  672  eliminate the need for state agency customers to maintain data
  673  center skills and staff within their agency. The plans shall:
  674         1. Establish an efficient organizational structure
  675  describing the roles and responsibilities of all positions and
  676  business units in the centers;
  677         2. Define a human resources planning and management process
  678  that shall be used to make required center staffing decisions;
  679  and
  680         3. Develop a process for projecting staffing requirements
  681  based on estimated workload identified in customer agency
  682  service level agreements.
  683         (f)(g) Maintain the performance of the facility, which
  684  includes ensuring proper data backup, data backup recovery, an
  685  effective disaster recovery plan, and appropriate security,
  686  power, cooling and fire suppression, and capacity.
  687         (g)(h) Develop a business continuity plan and conduct a
  688  live exercise of the plan at least annually. The plan must be
  689  approved by the board and the Agency for Enterprise Information
  690  Technology.
  691         (h)(i) Enter into a service-level agreement with each
  692  customer entity to provide services as defined and approved by
  693  the board in compliance with rules of the Agency for Enterprise
  694  Information Technology. A service-level agreement may not have a
  695  term exceeding 3 years but may include an option to renew for up
  696  to 3 years contingent on approval by the board.
  697         1. A service-level agreement, at a minimum, must:
  698         a. Identify the parties and their roles, duties, and
  699  responsibilities under the agreement;
  700         b. Identify the legal authority under which the service
  701  level agreement was negotiated and entered into by the parties;
  702         c. State the duration of the contractual term and specify
  703  the conditions for contract renewal;
  704         d. Prohibit the transfer of computing services between
  705  primary data center facilities without at least 180 days’ notice
  706  of service cancellation;
  707         e. Identify the scope of work;
  708         f. Identify the products or services to be delivered with
  709  sufficient specificity to permit an external financial or
  710  performance audit;
  711         g. Establish the services to be provided, the business
  712  standards that must be met for each service, the cost of each
  713  service, and the process by which the business standards for
  714  each service are to be objectively measured and reported;
  715         h. Identify applicable funds and funding streams for the
  716  services or products under contract;
  717         i. Provide a timely billing methodology for recovering the
  718  cost of services provided to the customer entity;
  719         j. Provide a procedure for modifying the service-level
  720  agreement to address changes in projected costs of service;
  721         k. Provide that a service-level agreement may be terminated
  722  by either party for cause only after giving the other party and
  723  the Agency for Enterprise Information Technology notice in
  724  writing of the cause for termination and an opportunity for the
  725  other party to resolve the identified cause within a reasonable
  726  period; and
  727         l. Provide for mediation of disputes by the Division of
  728  Administrative Hearings pursuant to s. 120.573.
  729         2. A service-level agreement may include:
  730         a. A dispute resolution mechanism, including alternatives
  731  to administrative or judicial proceedings;
  732         b. The setting of a surety or performance bond for service
  733  level agreements entered into with nonstate agency primary data
  734  centers established by law, which may be designated by the
  735  Agency for Enterprise Information Technology; or
  736         c. Additional terms and conditions as determined advisable
  737  by the parties if such additional terms and conditions do not
  738  conflict with the requirements of this section or rules adopted
  739  by the Agency for Enterprise Information Technology.
  740         3. The failure to execute a service-level agreement within
  741  60 days after service commencement shall, in the case of an
  742  existing customer entity, result in a continuation of the terms
  743  of the service-level agreement from the prior fiscal year,
  744  including any amendments that were formally proposed to the
  745  customer entity by the primary data center within the 3 months
  746  before service commencement, and a revised cost-of-service
  747  estimate. If a new customer entity fails to execute an agreement
  748  within 60 days after service commencement, the data center may
  749  cease services.
  750         (i)(j) Plan, design, establish pilot projects for, and
  751  conduct experiments with information technology resources, and
  752  implement enhancements in services if such implementation is
  753  cost-effective and approved by the board.
  754         (j)(k) Enter into a memorandum of understanding with the
  755  agency where the data center is administratively located if the
  756  data center requires the agency to provide any administrative
  757  which establishes the services to be provided by that agency to
  758  the data center and the cost of such services.
  759         (k)(l) Be the custodian of resources and equipment that are
  760  located, operated, supported, and managed by the center for the
  761  purposes of chapter 273.
  762         (l) Assume administrative access rights to the resources
  763  and equipment, such as servers, network components, and other
  764  devices that are consolidated into the primary data center.
  765         1. Upon the date of each consolidation specified in s.
  766  282.201, the General Appropriations Act, or the Laws of Florida,
  767  each agency shall relinquish all administrative access rights to
  768  such resources and equipment.
  769         2. Each primary data center shall provide its customer
  770  agencies with the appropriate level of access to applications,
  771  servers, network components, and other devices necessary for
  772  agencies to perform their core business activities and
  773  functions.
  774         (2) BOARD OF TRUSTEES.—Each primary data center shall be
  775  headed by a board of trustees as defined in s. 20.03.
  776         (a) The members of the board shall be appointed by the
  777  agency head or chief executive officer of the representative
  778  customer entities of the primary data center and shall serve at
  779  the pleasure of the appointing customer entity. Each agency head
  780  or chief executive officer may appoint an alternate member for
  781  each board member appointed pursuant to this subsection.
  782         1. During the first fiscal year that a state agency is to
  783  consolidate its data center operations to a primary data center
  784  and for the following full fiscal year, the agency shall have a
  785  single trustee having one vote on the board of the state primary
  786  data center where it is to consolidate, unless it is entitled in
  787  the second year to a greater number of votes as provided in
  788  subparagraph 3. For each of the first 2 fiscal years that a
  789  center is in operation, membership shall be as provided in
  790  subparagraph 3. based on projected customer entity usage rates
  791  for the fiscal operating year of the primary data center.
  792  However, at a minimum:
  793         a. During the Southwood Shared Resource Center’s first 2
  794  operating years, the Department of Transportation, the
  795  Department of Highway Safety and Motor Vehicles, the Department
  796  of Health, and the Department of Revenue must each have at least
  797  one trustee.
  798         b. During the Northwood Shared Resource Center’s first
  799  operating year, the Department of State and the Department of
  800  Education must each have at least one trustee.
  801         2. Board After the second full year of operation,
  802  membership shall be as provided in subparagraph 3. based on the
  803  most recent estimate of customer entity usage rates for the
  804  prior year and a projection of usage rates for the first 9
  805  months of the next fiscal year. Such calculation must be
  806  completed before the annual budget meeting held before the
  807  beginning of the next fiscal year so that any decision to add or
  808  remove board members can be voted on at the budget meeting and
  809  become effective on July 1 of the subsequent fiscal year.
  810         3. Each customer entity that has a projected usage rate of
  811  4 percent or greater during the fiscal operating year of the
  812  primary data center shall have one trustee on the board.
  813         4. The total number of votes for each trustee shall be
  814  apportioned as follows:
  815         a. Customer entities of a primary data center whose usage
  816  rate represents 4 but less than 15 percent of total usage shall
  817  have one vote.
  818         b. Customer entities of a primary data center whose usage
  819  rate represents 15 but less than 30 percent of total usage shall
  820  have two votes.
  821         c. Customer entities of a primary data center whose usage
  822  rate represents 30 but less than 50 percent of total usage shall
  823  have three votes.
  824         d. A customer entity of a primary data center whose usage
  825  rate represents 50 percent or more of total usage shall have
  826  four votes.
  827         e. A single trustee having one vote shall represent those
  828  customer entities that represent less than 4 percent of the
  829  total usage. The trustee shall be selected by a process
  830  determined by the board.
  831         (3) BOARD DUTIES.—Each board of trustees of a primary data
  832  center shall:
  833         (j) Maintain the capabilities of the primary data center’s
  834  facilities. Maintenance responsibilities include, but are not
  835  limited to, ensuring that adequate conditioned floor space, fire
  836  suppression, cooling, and power is in place; replacing aging
  837  equipment when necessary; and making decisions related to data
  838  center expansion and renovation, periodic upgrades, and
  839  improvements that are required to ensure the ongoing suitability
  840  of the facility as an enterprise data center consolidation site
  841  in the state data center system. To the extent possible, the
  842  board shall ensure that its approved annual cost-allocation plan
  843  recovers sufficient funds from its customers to provide for
  844  these needs pursuant to s. 282.201(2)(e).
  845         Section 7. Section 282.204, Florida Statutes, is amended to
  846  read:
  847         282.204 Northwood Shared Resource Center.—The Northwood
  848  Shared Resource Center is an agency established within the
  849  Department of Management Services Children and Family Services
  850  for administrative purposes only.
  851         (1) The center is a primary data center and is shall be a
  852  separate budget entity that is not subject to control,
  853  supervision, or direction of the department in any manner,
  854  including, but not limited to, purchasing, transactions
  855  involving real or personal property, personnel, or budgetary
  856  matters.
  857         (2) The center shall be headed by a board of trustees as
  858  provided in s. 282.203, who shall comply with all requirements
  859  of that section related to the operation of the center and with
  860  the rules of the Agency for Enterprise Information Technology
  861  related to the design and delivery of enterprise information
  862  technology services.
  863         Section 8. Sections 282.3055 and 282.315, Florida Statutes,
  864  are repealed.
  865         Section 9. Subsections (3) through (7) of section 282.318,
  866  Florida Statutes, are amended to read:
  867         282.318 Enterprise security of data and information
  868  technology.—
  869         (3) The Office of Information Security within the Agency
  870  for Enterprise Information Technology is responsible for
  871  establishing rules and publishing guidelines for ensuring an
  872  appropriate level of security for all data and information
  873  technology resources for executive branch agencies. The agency
  874  office shall also perform the following duties and
  875  responsibilities:
  876         (a) Develop, and annually update by February 1, an
  877  enterprise information security strategic plan that includes
  878  security goals and objectives for the strategic issues of
  879  information security policy, risk management, training, incident
  880  management, and survivability planning.
  881         (b) Develop enterprise security rules and published
  882  guidelines for:
  883         1. Comprehensive risk analyses and information security
  884  audits conducted by state agencies.
  885         2. Responding to suspected or confirmed information
  886  security incidents, including suspected or confirmed breaches of
  887  personal information or exempt data.
  888         3. Agency security plans, including strategic security
  889  plans and security program plans.
  890         4. The recovery of information technology and data
  891  following a disaster.
  892         5. The managerial, operational, and technical safeguards
  893  for protecting state government data and information technology
  894  resources.
  895         (c) Assist agencies in complying with the provisions of
  896  this section.
  897         (d) Pursue appropriate funding for the purpose of enhancing
  898  domestic security.
  899         (e) Provide training for agency information security
  900  managers.
  901         (f) Annually review the strategic and operational
  902  information security plans of executive branch agencies.
  903         (4) To assist the Agency for Enterprise Information
  904  Technology Office of Information Security in carrying out its
  905  responsibilities, each agency head shall, at a minimum:
  906         (a) Designate an information security manager to administer
  907  the security program of the agency for its data and information
  908  technology resources. This designation must be provided annually
  909  in writing to the Agency for Enterprise Information Technology
  910  office by January 1.
  911         (b) Submit to the Agency for Enterprise Information
  912  Technology office annually by July 31, the agency’s strategic
  913  and operational information security plans developed pursuant to
  914  the rules and guidelines established by the Agency for
  915  Enterprise Information Technology office.
  916         1. The agency strategic information security plan must
  917  cover a 3-year period and define security goals, intermediate
  918  objectives, and projected agency costs for the strategic issues
  919  of agency information security policy, risk management, security
  920  training, security incident response, and survivability. The
  921  plan must be based on the enterprise strategic information
  922  security plan created by the Agency for Enterprise Information
  923  Technology office. Additional issues may be included.
  924         2. The agency operational information security plan must
  925  include a progress report for the prior operational information
  926  security plan and a project plan that includes activities,
  927  timelines, and deliverables for security objectives that,
  928  subject to current resources, the agency will implement during
  929  the current fiscal year. The cost of implementing the portions
  930  of the plan which cannot be funded from current resources must
  931  be identified in the plan.
  932         (c) Conduct, and update every 3 years, a comprehensive risk
  933  analysis to determine the security threats to the data,
  934  information, and information technology resources of the agency.
  935  The risk analysis information is confidential and exempt from
  936  the provisions of s. 119.07(1), except that such information
  937  shall be available to the Auditor General and the Agency for
  938  Enterprise Information Technology for performing postauditing
  939  duties.
  940         (d) Develop, and periodically update, written internal
  941  policies and procedures, which include procedures for notifying
  942  the Agency for Enterprise Information Technology office when a
  943  suspected or confirmed breach, or an information security
  944  incident, occurs. Such policies and procedures must be
  945  consistent with the rules and guidelines established by the
  946  Agency for Enterprise Information Technology office to ensure
  947  the security of the data, information, and information
  948  technology resources of the agency. The internal policies and
  949  procedures that, if disclosed, could facilitate the unauthorized
  950  modification, disclosure, or destruction of data or information
  951  technology resources are confidential information and exempt
  952  from s. 119.07(1), except that such information shall be
  953  available to the Auditor General and the Agency for Enterprise
  954  Information Technology for performing postauditing duties.
  955         (e) Implement appropriate cost-effective safeguards to
  956  address identified risks to the data, information, and
  957  information technology resources of the agency.
  958         (f) Ensure that periodic internal audits and evaluations of
  959  the agency’s security program for the data, information, and
  960  information technology resources of the agency are conducted.
  961  The results of such audits and evaluations are confidential
  962  information and exempt from s. 119.07(1), except that such
  963  information shall be available to the Auditor General and the
  964  Agency for Enterprise Information Technology for performing
  965  postauditing duties.
  966         (g) Include appropriate security requirements in the
  967  written specifications for the solicitation of information
  968  technology and information technology resources and services,
  969  which are consistent with the rules and guidelines established
  970  by the Agency for Enterprise Information Technology office.
  971         (h) Provide security awareness training to employees and
  972  users of the agency’s communication and information resources
  973  concerning information security risks and the responsibility of
  974  employees and users to comply with policies, standards,
  975  guidelines, and operating procedures adopted by the agency to
  976  reduce those risks.
  977         (i) Develop a process for detecting, reporting, and
  978  responding to suspected or confirmed security incidents,
  979  including suspected or confirmed breaches consistent with the
  980  security rules and guidelines established by the Agency for
  981  Enterprise Information Technology office.
  982         1. Suspected or confirmed information security incidents
  983  and breaches must be immediately reported to the Agency for
  984  Enterprise Information Technology office.
  985         2. For incidents involving breaches, agencies shall provide
  986  notice in accordance with s. 817.5681 and to the Agency for
  987  Enterprise Information Technology office in accordance with this
  988  subsection.
  989         (5) Each state agency shall include appropriate security
  990  requirements in the specifications for the solicitation of
  991  contracts for procuring information technology or information
  992  technology resources or services which are consistent with the
  993  rules and guidelines established by the Agency for Enterprise
  994  Information Technology Office of Information Security.
  995         (6) The Agency for Enterprise Information Technology may
  996  adopt rules relating to information security and to administer
  997  the provisions of this section.
  998         (7) By December 31, 2010, the Agency for Enterprise
  999  Information Technology shall develop, and submit to the
 1000  Governor, the President of the Senate, and the Speaker of the
 1001  House of Representatives a proposed implementation plan for
 1002  information technology security. The agency shall describe the
 1003  scope of operation, conduct costs and requirements analyses,
 1004  conduct an inventory of all existing security information
 1005  technology resources, and develop strategies, timeframes, and
 1006  resources necessary for statewide migration.
 1007         Section 10. Subsections (2), (3), and (4) of section
 1008  282.33, Florida Statutes, are amended to read:
 1009         282.33 Objective standards for data center energy
 1010  efficiency.—
 1011         (2) State shared resource data centers and other data
 1012  centers that the Agency for Enterprise Information Technology
 1013  has determined will be recipients for consolidating data
 1014  centers, which are designated by the Agency for Enterprise
 1015  Information Technology, shall evaluate their data center
 1016  facilities for energy efficiency using the standards established
 1017  in this section.
 1018         (a) Results of these evaluations shall be reported to the
 1019  Agency for Enterprise Information Technology, the President of
 1020  the Senate, and the Speaker of the House of Representatives.
 1021  Reports shall enable the tracking of energy performance over
 1022  time and comparisons between facilities.
 1023         (b) Beginning By December 31, 2010, and every 3 years
 1024  biennially thereafter, the Agency for Enterprise Information
 1025  Technology shall submit to the Legislature recommendations for
 1026  reducing energy consumption and improving the energy efficiency
 1027  of state primary data centers.
 1028         (3) The primary means of achieving maximum energy savings
 1029  across all state data centers and computing facilities shall be
 1030  the consolidation of data centers and computing facilities as
 1031  determined by the Agency for Enterprise Information Technology.
 1032  State data centers and computing facilities in the state data
 1033  center system shall be established as an enterprise information
 1034  technology service as defined in s. 282.0041. The Agency for
 1035  Enterprise Information Technology shall make recommendations on
 1036  consolidating state data centers and computing facilities,
 1037  pursuant to s. 282.0056, by December 31, 2009.
 1038         (3)(4)If When the total cost of ownership of an energy
 1039  efficient product is less than or equal to the cost of the
 1040  existing data center facility or infrastructure, technical
 1041  specifications for energy-efficient products should be
 1042  incorporated in the plans and processes for replacing,
 1043  upgrading, or expanding data center facilities or
 1044  infrastructure, including, but not limited to, network, storage,
 1045  or computer equipment and software.
 1046         Section 11. Section 282.34, Florida Statutes, is amended to
 1047  read:
 1048         282.34 Statewide e-mail service.—A statewide state e-mail
 1049  service system that includes the delivery and support of e-mail,
 1050  messaging, and calendaring capabilities is established as an
 1051  enterprise information technology service as defined in s.
 1052  282.0041. The service shall be designed to meet the needs of all
 1053  executive branch agencies, and may also be used by nonstate
 1054  agency entities. The primary goals of the service are to
 1055  minimize the state investment required to establish, operate,
 1056  and support the statewide service; reduce the cost of current e
 1057  mail operations and the number of duplicative e-mail systems;
 1058  and eliminate the need for each state agency to maintain its own
 1059  e-mail staff.
 1060         (1) The Southwood Shared Resource Center, a primary data
 1061  center, shall be the provider of the statewide e-mail service
 1062  for all state agencies. The center shall centrally host, manage,
 1063  operate, and support the service, or outsource the hosting,
 1064  management, operational, or support components of the service in
 1065  order to achieve the primary goals identified in this section.
 1066         (2) The Agency for Enterprise Information Technology, in
 1067  cooperation and consultation with all state agencies, shall
 1068  prepare and submit for approval by the Legislative Budget
 1069  Commission at a meeting scheduled before June 30, 2011, a
 1070  proposed plan for the migration of all state agencies to the
 1071  statewide e-mail service. The plan for migration must include:
 1072         (a) A cost-benefit analysis that compares the total
 1073  recurring and nonrecurring operating costs of the current agency
 1074  e-mail systems, including monthly mailbox costs, staffing,
 1075  licensing and maintenance costs, hardware, and other related e
 1076  mail product and service costs to the costs associated with the
 1077  proposed statewide e-mail service. The analysis must also
 1078  include:
 1079         1. A comparison of the estimated total 7-year life-cycle
 1080  cost of the current agency e-mail systems versus the feasibility
 1081  of funding the migration and operation of the statewide e-mail
 1082  service.
 1083         2. An estimate of recurring costs associated with the
 1084  energy consumption of current agency e-mail equipment, and the
 1085  basis for the estimate.
 1086         3. An identification of the overall cost savings resulting
 1087  from state agencies migrating to the statewide e-mail service
 1088  and decommissioning their agency e-mail systems.
 1089         (b) A proposed migration date for all state agencies to be
 1090  migrated to the statewide e-mail service. The Agency for
 1091  Enterprise Information Technology shall work with the Executive
 1092  Office of the Governor to develop the schedule for migrating all
 1093  state agencies to the statewide e-mail service except for the
 1094  Department of Legal Affairs. The Department of Legal Affairs
 1095  shall provide to the Agency for Enterprise Information
 1096  Technology by June 1, 2011, a proposed migration date based upon
 1097  its decision to participate in the statewide e-mail service and
 1098  the identification of any issues that require resolution in
 1099  order to migrate to the statewide e-mail service.
 1100         (c) A budget amendment, submitted pursuant to chapter 216,
 1101  for adjustments to each agency’s approved operating budget
 1102  necessary to transfer sufficient budget resources into the
 1103  appropriate data processing category to support its statewide e
 1104  mail service costs.
 1105         (d) A budget amendment, submitted pursuant to chapter 216,
 1106  for adjustments to the Southwood Shared Resource Center approved
 1107  operating budget to include adjustments in the number of
 1108  authorized positions, salary budget and associated rate,
 1109  necessary to implement the statewide e-mail service.
 1110         (3) Contingent upon approval by the Legislative Budget
 1111  Commission, the Southwood Shared Resource Center may contract
 1112  for the provision of a statewide e-mail service. Executive
 1113  branch agencies must be completely migrated to the statewide e
 1114  mail service based upon the migration date included in the
 1115  proposed plan approved by the Legislative Budget Commission.
 1116         (4) Notwithstanding chapter 216, General Revenue funds may
 1117  be increased or decreased for each agency provided the net
 1118  change to General Revenue in total for all agencies is zero or
 1119  less.
 1120         (5) Subsequent to the approval of the consolidated budget
 1121  amendment to reflect budget adjustments necessary to migrate to
 1122  the statewide e-mail service, an agency may make adjustments
 1123  subject to s. 216.177, notwithstanding provisions in chapter 216
 1124  which may require such adjustments to be approved by the
 1125  Legislative Budget Commission.
 1126         (6) No agency may initiate a new e-mail service or execute
 1127  a new e-mail contract or amend a current e-mail contract, other
 1128  than with the Southwood Shared Resource Center, for nonessential
 1129  products or services unless the Legislative Budget Commission
 1130  denies approval for the Southwood Shared Resource Center to
 1131  enter into a contract for the statewide e-mail service.
 1132         (7) The Agency for Enterprise Information Technology shall
 1133  work with the Southwood Shared Resource Center to develop an
 1134  implementation plan that identifies and describes the detailed
 1135  processes and timelines for an agency’s migration to the
 1136  statewide e-mail service based on the migration date approved by
 1137  the Legislative Budget Commission. The agency may establish and
 1138  coordinate workgroups consisting of agency e-mail management,
 1139  information technology, budget, and administrative staff to
 1140  assist the agency in the development of the plan.
 1141         (8) Each executive branch agency shall provide all
 1142  information necessary to develop the implementation plan,
 1143  including, but not limited to, required mailbox features and the
 1144  number of mailboxes that will require migration services. Each
 1145  agency must also identify any known business, operational, or
 1146  technical plans, limitations, or constraints that should be
 1147  considered when developing the plan.
 1148         (2) The Agency for Enterprise Information Technology, in
 1149  consultation with the Southwood Shared Resource Center, shall
 1150  establish and coordinate a multiagency project team to develop a
 1151  competitive solicitation for establishing the statewide e-mail
 1152  service.
 1153         (a) The Southwood Shared Resource Center shall issue the
 1154  competitive solicitation by August 31, 2010, with vendor
 1155  responses required by October 15, 2010. Issuance of the
 1156  competitive solicitation does not obligate the agency and the
 1157  center to conduct further negotiations or to execute a contract.
 1158  The decision to conduct or conclude negotiations, or execute a
 1159  contract, must be made solely at the discretion of the agency.
 1160         (b) The competitive solicitation must include detailed
 1161  specifications describing:
 1162         1. The current e-mail approach for state agencies and the
 1163  specific business objectives met by the present system.
 1164         2. The minimum functional requirements necessary for
 1165  successful statewide implementation and the responsibilities of
 1166  the prospective service provider and the agency.
 1167         3. The form and required content for submitted proposals,
 1168  including, but not limited to, a description of the proposed
 1169  system and its internal and external sourcing options, a 5-year
 1170  life-cycle-based pricing based on cost per mailbox per month,
 1171  and a decommissioning approach for current e-mail systems; an
 1172  implementation schedule and implementation services; a
 1173  description of e-mail account management, help desk, technical
 1174  support, and user provisioning services; disaster recovery and
 1175  backup and restore capabilities; antispam and antivirus
 1176  capabilities; remote access and mobile messaging capabilities;
 1177  and staffing requirements.
 1178         (c) Other optional requirements specifications may be
 1179  included in the competitive solicitation if not in conflict with
 1180  the primary goals of the statewide e-mail service.
 1181         (d) The competitive solicitation must permit alternative
 1182  financial and operational models to be proposed, including, but
 1183  not limited to:
 1184         1. Leasing or usage-based subscription fees;
 1185         2. Installing and operating the e-mail service within the
 1186  Southwood Shared Resource Center or in a data center operated by
 1187  an external service provider; or
 1188         3. Provisioning the e-mail service as an Internet-based
 1189  offering provided to state agencies. Specifications for proposed
 1190  models must be optimized to meet the primary goals of the e-mail
 1191  service.
 1192         (3) By December 31, 2010, or within 1 month after
 1193  negotiations are complete, whichever is later, the multiagency
 1194  project team and the Agency for Enterprise Information
 1195  Technology shall prepare a business case analysis containing its
 1196  recommendations for procuring the statewide e-mail service for
 1197  submission to the Governor and Cabinet, the President of the
 1198  Senate, and the Speaker of the House of Representatives. The
 1199  business case is not subject to challenge or protest pursuant to
 1200  chapter 120. The business case must include, at a minimum:
 1201         (a) An assessment of the major risks that must be managed
 1202  for each proposal compared to the risks for the current state
 1203  agency e-mail system and the major benefits that are associated
 1204  with each.
 1205         (b) A cost-benefit analysis that estimates all major cost
 1206  elements associated with each sourcing option, focusing on the
 1207  nonrecurring and recurring life-cycle costs of each option. The
 1208  analysis must include a comparison of the estimated total 5-year
 1209  life-cycle cost of the current agency e-mail systems versus each
 1210  enterprise e-mail sourcing option in order to determine the
 1211  feasibility of funding the migration and operation of the
 1212  statewide e-mail service and the overall level of savings that
 1213  can be expected. The 5-year life-cycle costs for each state
 1214  agency must include, but are not limited to:
 1215         1. The total recurring operating costs of the current
 1216  agency e-mail systems, including monthly mailbox costs,
 1217  staffing, licensing and maintenance costs, hardware, and other
 1218  related e-mail product and service costs.
 1219         2. An estimate of nonrecurring hardware and software
 1220  refresh, upgrade, or replacement costs based on the expected 5
 1221  year obsolescence of current e-mail software products and
 1222  equipment through the 2014 fiscal year, and the basis for the
 1223  estimate.
 1224         3. An estimate of recurring costs associated with the
 1225  energy consumption of current agency e-mail equipment, and the
 1226  basis for the estimate.
 1227         4. Any other critical costs associated with the current
 1228  agency e-mail systems which can reasonably be estimated and
 1229  included in the business case analysis.
 1230         (c) A comparison of the migrating schedules of each
 1231  sourcing option to the statewide e-mail service, including the
 1232  approach and schedule for the decommissioning of all current
 1233  state agency e-mail systems beginning with phase 1 and phase 2
 1234  as provided in subsection (4).
 1235         (4) All agencies must be completely migrated to the
 1236  statewide e-mail service as soon as financially and
 1237  operationally feasible, but no later than June 30, 2015.
 1238         (a) The following statewide e-mail service implementation
 1239  schedule is established for state agencies:
 1240         1. Phase 1.—The following agencies must be completely
 1241  migrated to the statewide e-mail system by June 30, 2012: the
 1242  Agency for Enterprise Information Technology; the Department of
 1243  Community Affairs, including the Division of Emergency
 1244  Management; the Department of Corrections; the Department of
 1245  Health; the Department of Highway Safety and Motor Vehicles; the
 1246  Department of Management Services, including the Division of
 1247  Administrative Hearings, the Division of Retirement, the
 1248  Commission on Human Relations, and the Public Employees
 1249  Relations Commission; the Southwood Shared Resource Center; and
 1250  the Department of Revenue.
 1251         2. Phase 2.—The following agencies must be completely
 1252  migrated to the statewide e-mail system by June 30, 2013: the
 1253  Department of Business and Professional Regulation; the
 1254  Department of Education, including the Board of Governors; the
 1255  Department of Environmental Protection; the Department of
 1256  Juvenile Justice; the Department of the Lottery; the Department
 1257  of State; the Department of Law Enforcement; the Department of
 1258  Veterans’ Affairs; the Judicial Administration Commission; the
 1259  Public Service Commission; and the Statewide Guardian Ad Litem
 1260  Office.
 1261         3. Phase 3.—The following agencies must be completely
 1262  migrated to the statewide e-mail system by June 30, 2014: the
 1263  Agency for Health Care Administration; the Agency for Workforce
 1264  Innovation; the Department of Financial Services, including the
 1265  Office of Financial Regulation and the Office of Insurance
 1266  Regulation; the Department of Agriculture and Consumer Services;
 1267  the Executive Office of the Governor; the Department of
 1268  Transportation; the Fish and Wildlife Conservation Commission;
 1269  the Agency for Persons With Disabilities; the Northwood Shared
 1270  Resource Center; and the State Board of Administration.
 1271         4. Phase 4.—The following agencies must be completely
 1272  migrated to the statewide e-mail system by June 30, 2015: the
 1273  Department of Children and Family Services; the Department of
 1274  Citrus; the Department of Elderly Affairs; and the Department of
 1275  Legal Affairs.
 1276         (b) Agency requests to modify their scheduled implementing
 1277  date must be submitted in writing to the Agency for Enterprise
 1278  Information Technology. Any exceptions or modifications to the
 1279  schedule must be approved by the Agency for Enterprise
 1280  Information Technology based only on the following criteria:
 1281         1. Avoiding nonessential investment in agency e-mail
 1282  hardware or software refresh, upgrade, or replacement.
 1283         2. Avoiding nonessential investment in new software or
 1284  hardware licensing agreements, maintenance or support
 1285  agreements, or e-mail staffing for current e-mail systems.
 1286         3. Resolving known agency e-mail problems through migration
 1287  to the statewide e-mail service.
 1288         4. Accommodating unique agency circumstances that require
 1289  an acceleration or delay of the implementation date.
 1290         (5) In order to develop the implementation plan for the
 1291  statewide e-mail service, the Agency for Enterprise Information
 1292  Technology shall establish and coordinate a statewide e-mail
 1293  project team. The agency shall also consult with and, as
 1294  necessary, form workgroups consisting of agency e-mail
 1295  management staff, agency chief information officers, agency
 1296  budget directors, and other administrative staff. The statewide
 1297  e-mail implementation plan must be submitted to the Governor,
 1298  the President of the Senate, and the Speaker of the House of
 1299  Representatives by July 1, 2011.
 1300         (6) Unless authorized by the Legislature or as provided in
 1301  subsection (7), a state agency may not:
 1302         (a) Initiate a new e-mail service or execute a new e-mail
 1303  contract or new e-mail contract amendment for nonessential
 1304  products or services with any entity other than the provider of
 1305  the statewide e-mail service;
 1306         (b) Terminate a statewide e-mail service without giving
 1307  written notice of termination 180 days in advance; or
 1308         (c) Transfer e-mail system services from the provider of
 1309  the statewide e-mail service.
 1310         (7) Exceptions to paragraphs (6)(a), (b), and (c) may be
 1311  granted by the Agency for Enterprise Information Technology only
 1312  if the Southwood Shared Resource Center is unable to meet agency
 1313  business requirements for the e-mail service, and if such
 1314  requirements are essential to maintain agency operations.
 1315  Requests for exceptions must be submitted in writing to the
 1316  Agency for Enterprise Information Technology and include
 1317  documented confirmation by the Southwood Shared Resource Center
 1318  board of trustees that it cannot meet the requesting agency’s e
 1319  mail service requirements.
 1320         (8) Each agency shall include the budget issues necessary
 1321  for migrating to the statewide e-mail service in its legislative
 1322  budget request before the first full year it is scheduled to
 1323  migrate to the statewide service in accordance with budget
 1324  instructions developed pursuant to s. 216.023.
 1325         (9) The Agency for Enterprise Information Technology shall
 1326  adopt rules to standardize the format for state agency e-mail
 1327  addresses.
 1328         (10) State agencies must fully cooperate with the Agency
 1329  for Enterprise Information Technology in the performance of its
 1330  responsibilities established in this section.
 1331         (11) The Agency for Enterprise Information Technology shall
 1332  recommend changes to an agency’s scheduled date for migration to
 1333  the statewide e-mail service pursuant to this section, annually
 1334  by December 31, until migration to the statewide service is
 1335  complete.
 1336         Section 12. Paragraph (h) of subsection (3) and paragraph
 1337  (b) of subsection (4) of section 287.042, Florida Statutes, are
 1338  amended to read:
 1339         287.042 Powers, duties, and functions.—The department shall
 1340  have the following powers, duties, and functions:
 1341         (3) To establish a system of coordinated, uniform
 1342  procurement policies, procedures, and practices to be used by
 1343  agencies in acquiring commodities and contractual services,
 1344  which shall include, but not be limited to:
 1345         (h) Development, in consultation with the Agency Chief
 1346  Information Officers Council, of procedures to be used by state
 1347  agencies when procuring information technology commodities and
 1348  contractual services to ensure compliance with public records
 1349  requirements and records retention and archiving requirements.
 1350         (4)
 1351         (b) To prescribe, in consultation with the Agency Chief
 1352  Information Officers Council, procedures for procuring
 1353  information technology and information technology consultant
 1354  services which provide for public announcement and
 1355  qualification, competitive solicitations, contract award, and
 1356  prohibition against contingent fees. Such procedures are shall
 1357  be limited to information technology consultant contracts for
 1358  which the total project costs, or planning or study activities,
 1359  are estimated to exceed the threshold amount provided for in s.
 1360  287.017, for CATEGORY TWO.
 1361         Section 13. The Northwood Shared Resource Center is
 1362  transferred by a type one transfer, as defined in s. 20.06(1),
 1363  Florida Statutes, from the Department of Children and Family
 1364  Services to the Department of Management Services.
 1365         Section 14. The Agency for Enterprise Information
 1366  Technology, in coordination with the Southwood Shared Resource
 1367  Center, shall provide a written status report to the Executive
 1368  Office of the Governor and to the chairs of the legislative
 1369  appropriations committees detailing the progress made by the
 1370  agencies required to migrate to the statewide e-mail service by
 1371  the required migration date. The status report must be provided
 1372  every 6 months, beginning September 1, 2011, until
 1373  implementation is complete.
 1374         Section 15. This act shall take effect upon becoming a law.