Florida Senate - 2011         (PROPOSED COMMITTEE BILL) SPB 7092
       
       
       
       FOR CONSIDERATION By the Committee on Budget
       
       
       
       
       576-02251B-11                                         20117092__
    1                        A bill to be entitled                      
    2         An act relating to the consolidation of state
    3         information technology services; transferring,
    4         renumbering, and amending s. 14.204, F.S.;
    5         establishing the Agency for Enterprise Information
    6         Technology in the Department of Management Services
    7         rather than the Executive Office of the Governor;
    8         revising the duties of the agency to include the
    9         planning, project management, and implementation of
   10         the enterprise information technology services;
   11         requiring the agency to submit a plan to the
   12         Legislative Budget Commission for aggregating
   13         information technology purchases; deleting references
   14         to the Office of Information Security and the Agency
   15         Chief Information Officers Council; amending s.
   16         282.0041, F.S.; revising definitions; amending s.
   17         282.0056, F.S.; revising provisions relating to the
   18         agency’s annual work plan; amending s. 282.201, F.S.;
   19         revising the duties of the agency; deleting obsolete
   20         provisions; providing a schedule for the
   21         consolidations of state agency data centers; requiring
   22         agencies to update their service-level agreements and
   23         to develop consolidation plans; requiring the Agency
   24         for Enterprise Information Technology to submit a
   25         status report to the Governor and Legislature and to
   26         develop a comprehensive transition plan; requiring
   27         primary data centers to develop transition plans;
   28         revising agency limitations relating to technology
   29         services; amending s. 282.203, F.S.; deleting obsolete
   30         provisions; revising duties of primary data centers
   31         relating to state agency resources and equipment
   32         relinquished to the centers; requiring state agencies
   33         to relinquish all administrative access rights to
   34         certain resources and equipment upon consolidation;
   35         providing for the appointment of alternate board
   36         members; revising provisions relating to state agency
   37         representation on data center boards; conforming a
   38         cross-reference; amending s. 282.204, F.S.;
   39         establishing the Northwood Shared Resource Center in
   40         the Department of Management Services rather than the
   41         Department of Children and Family Services; creating
   42         s. 282.206, F.S.; establishing the Northwest Regional
   43         Data Center as a primary data center; providing for a
   44         board of trustees and subjecting the board to the
   45         rules of the Agency for Enterprise Information
   46         Technology; repealing s. 282.315, F.S., relating to
   47         the Agency Chief Information Officers Council;
   48         amending s. 282.318, F.S.; deleting references to the
   49         Office of Information Security with respect to
   50         responsibility for enterprise security; deleting
   51         obsolete provisions; amending s. 282.33, F.S.;
   52         deleting an obsolete provision; revising the schedule
   53         for the Agency for Enterprise Information Technology
   54         to submit certain recommendations to the Legislature;
   55         amending s. 282.34, F.S.; revising the schedule for
   56         migrating state agencies to the statewide e-mail
   57         system; revising limitations on state agencies;
   58         revising the requirements for rules adopted by the
   59         Agency for Enterprise Information Technology; creating
   60         s. 282.35, F.S.; providing for a statewide desktop
   61         service as an enterprise information technology
   62         service to be provided by the Department of Management
   63         Services; requiring the Agency for Enterprise
   64         Information Technology to develop a plan for the
   65         establishment of the service and submit such plan to
   66         the Governor and Legislature by a certain date;
   67         specifying the contents of the plan; providing agency
   68         limitations with respect to such services and
   69         exceptions from such limitations if granted by the
   70         agency; amending ss. 287.042 and 287.057, F.S.;
   71         directing the department to adopt rules establishing
   72         conditions under which an agency may be exempted from
   73         using a state term contract or purchasing agreement;
   74         conforming provisions to changes made by the act;
   75         amending s. 287.057, F.S.; authorizing the department
   76         to adopt rules to be used by agencies to manage
   77         contracts; deleting a prohibition against an entity
   78         contracting to provide a feasibility study on certain
   79         subject matter from contracting with an agency for
   80         that subject matter; amending s. 45 of chapter 2010
   81         151, Laws of Florida; providing that certain contracts
   82         are subject to transaction fees; transferring the
   83         Agency for Enterprise Information Technology and the
   84         Northwood Shared Resource Center to the Department of
   85         Management Services; requiring the agency to
   86         coordinate with the Southwood Shared Resource Center
   87         to provide a status report to the Executive Office of
   88         the Governor and to the Legislature; providing an
   89         effective date.
   90  
   91  Be It Enacted by the Legislature of the State of Florida:
   92  
   93         Section 1. Section 14.204, Florida Statutes, is
   94  transferred, renumbered as s. 282.0054, Florida Statutes, and
   95  amended to read:
   96         282.0054 14.204 Agency for Enterprise Information
   97  Technology.—The Agency for Enterprise Information Technology is
   98  created within the Department of Management Services Executive
   99  Office of the Governor.
  100         (1) The head of the agency shall be the Governor and
  101  Cabinet.
  102         (2) The agency is a separate budget entity and is not
  103  subject to control, supervision, or direction by the department
  104  Executive Office of the Governor, including, but not limited to,
  105  purchasing, transactions involving real or personal property,
  106  personnel, or budgetary matters.
  107         (3) The agency shall have an executive director who is the
  108  state’s Chief Information Officer and who must:
  109         (a) Have a degree from an accredited postsecondary
  110  institution;
  111         (b) Have at least 7 years of executive-level experience in
  112  managing information technology organizations; and
  113         (c) Be appointed by the Governor and confirmed by the
  114  Cabinet, subject to confirmation by the Senate, and serve at the
  115  pleasure of the Governor and Cabinet.
  116         (4) The agency shall have the following duties and
  117  responsibilities:
  118         (a) Develop strategies for the design, planning, project
  119  management, implementation, delivery, and management of the
  120  enterprise information technology services established in law,
  121  including the state data center system service established in s.
  122  282.201, the information technology security service established
  123  in s. 282.318, and the statewide e-mail service established in
  124  s. 282.34.
  125         (b) Monitor the implementation, delivery, and management of
  126  the enterprise information technology services as established in
  127  law.
  128         (c) Make recommendations to the agency head and the
  129  Legislature concerning other information technology services
  130  that should be designed, delivered, and managed as enterprise
  131  information technology services as defined in s. 282.0041.
  132         (d) Plan and establish policies for managing proposed
  133  statutorily authorized enterprise information technology
  134  services, which includes:
  135         1. Developing business cases that, when applicable, include
  136  the components identified in s. 287.0571;
  137         2. Establishing and coordinating project-management teams;
  138         3. Establishing formal risk-assessment and mitigation
  139  processes; and
  140         4. Providing for independent monitoring of projects for
  141  recommended corrective actions.
  142         (e) Beginning October 1, 2010, Develop, publish, and
  143  biennially update a long-term strategic enterprise information
  144  technology plan that identifies and recommends strategies and
  145  opportunities to improve the delivery of cost-effective and
  146  efficient enterprise information technology services to be
  147  proposed for establishment pursuant to s. 282.0056.
  148         (f) Perform duties related to enterprise information
  149  technology services, including the state data center system
  150  established in as provided in s. 282.201, the information
  151  technology security service established in s. 282.318, and the
  152  statewide e-mail service established in s. 282.34.
  153         (g) Coordinate acquisition planning, using aggregate buying
  154  methodologies whenever possible, and procurement negotiations
  155  for hardware and software products and services in order to
  156  improve the efficiency and reduce the cost of enterprise
  157  information technology services.
  158         1. State agencies must submit a copy of all information
  159  relating to technology purchases for commodities and services in
  160  excess of $10,000 to the agency for review in order to identify
  161  areas suitable for future aggregation and standardization.
  162         2. By December 31, 2011, the agency shall submit to the
  163  Legislative Budget Commission for approval a plan recommending
  164  information technology purchases of specific commodities and
  165  services suitable for aggregate purchasing and providing
  166  estimates of the savings from aggregating such purchases.
  167         3. Contingent on approval of the plan under subparagraph
  168  2., state agencies shall cooperate with the agency.
  169         4. Exemptions from subparagraph 3. may be granted by the
  170  department’s Division of Purchasing if in the best interest of
  171  the state.
  172         (h) In consultation with the Division of Purchasing in the
  173  department of Management Services, coordinate procurement
  174  negotiations for information technology products as defined in
  175  s. 282.0041 which will be used by multiple agencies.
  176         (i) In coordination with, and through the services of, the
  177  Division of Purchasing in the department of Management Services,
  178  establish best practices for the procurement of information
  179  technology products as defined in s. 282.0041 in order to
  180  achieve savings for the state.
  181         (j) Develop information technology standards for the
  182  efficient design, planning, project management, implementation,
  183  and delivery of enterprise information technology services. All
  184  state agencies must make the transition to the new standards.
  185         (k) Provide annually, by December 31, recommendations to
  186  the Legislature relating to techniques for consolidating the
  187  purchase of information technology commodities and services,
  188  which result in savings for the state, and for establishing a
  189  process to achieve savings through consolidated purchases.
  190         (5) The Office of Information Security shall be created
  191  within the agency. The agency shall designate a state Chief
  192  Information Security Officer who shall oversee the office and
  193  report directly to the executive director.
  194         (6) The agency shall operate in a manner that ensures the
  195  participation and representation of state agencies and the
  196  Agency Chief Information Officers Council established in s.
  197  282.315.
  198         (7) The agency may adopt rules to carry out its statutory
  199  duties.
  200         Section 2. Present subsections (4) through (30) of section
  201  282.0041, Florida Statutes, are redesignated as subsections (3)
  202  through (29), respectively, and present subsections (3), (4),
  203  and (19) of that section are amended, to read:
  204         282.0041 Definitions.—As used in this chapter, the term:
  205         (3) “Agency Chief Information Officers Council” means the
  206  council created in s. 282.315.
  207         (3)(4) “Agency for Enterprise Information Technology” means
  208  the agency created in s. 282.0054 14.204.
  209         (18)(19) “Primary data center” means a state or nonstate
  210  agency data center that is a recipient entity for consolidation
  211  of nonprimary data centers and computing facilities and that is.
  212  A primary data center may be authorized by in law or designated
  213  by the Agency for Enterprise Information Technology pursuant to
  214  s. 282.201.
  215         Section 3. Subsection (1) of section 282.0056, Florida
  216  Statutes, is amended to read:
  217         282.0056 Development of work plan; development of
  218  implementation plans; and policy recommendations.—
  219         (1) For the purposes of carrying out its responsibilities
  220  under s. 282.0055, the Agency for Enterprise Information
  221  Technology shall develop an annual work plan within 60 days
  222  after the beginning of the fiscal year describing the activities
  223  that the agency intends to undertake for that year, including
  224  proposed outcomes and completion timeframes for the planning and
  225  implementation of all enterprise information technology
  226  services. The work plan must be presented at a public hearing,
  227  that includes the Agency Chief Information Officers Council,
  228  which may review and comment on the plan. The work plan must
  229  thereafter be approved by the Governor and Cabinet, and
  230  submitted to the President of the Senate and the Speaker of the
  231  House of Representatives. The work plan may be amended as
  232  needed, subject to approval by the Governor and Cabinet.
  233         Section 4. Subsection (2) of section 282.201, Florida
  234  Statutes, is amended, present subsections (4) and (5) of that
  235  section are renumbered as subsections (5) and (6), respectively,
  236  and amended, a new subsection (4) is added to that section, to
  237  read:
  238         282.201 State data center system; agency duties and
  239  limitations.—A state data center system that includes all
  240  primary data centers, other nonprimary data centers, and
  241  computing facilities, and that provides an enterprise
  242  information technology service as defined in s. 282.0041, is
  243  established.
  244         (2) AGENCY FOR ENTERPRISE INFORMATION TECHNOLOGY DUTIES.
  245  The Agency for Enterprise Information Technology shall:
  246         (a) Collect and maintain information necessary for
  247  developing policies relating to the data center system,
  248  including, but not limited to, an inventory of facilities.
  249         (b) Annually approve cost-recovery mechanisms and rate
  250  structures for primary data centers which recover costs through
  251  charges to customer entities.
  252         (c) By September 30 December 31 of each year, submit
  253  recommendations to the Executive Office of the Governor and the
  254  chairs of the legislative appropriations committees Legislature
  255  recommendations to improve the efficiency and cost-effectiveness
  256  effectiveness of computing services provided by state data
  257  center system facilities. Such recommendations must may include,
  258  but need not be limited to:
  259         1. Policies for improving the cost-effectiveness and
  260  efficiency of the state data center system and the associated
  261  cost savings resulting from their implementation.
  262         2. Infrastructure improvements supporting the consolidation
  263  of facilities or preempting the need to create additional data
  264  centers or computing facilities.
  265         3. Standards for an objective, credible energy performance
  266  rating system that data center boards of trustees can use to
  267  measure state data center energy consumption and efficiency on a
  268  biannual basis.
  269         3.4. Uniform disaster recovery standards.
  270         4.5. Standards for primary data centers which provide cost
  271  effective services and providing transparent financial data to
  272  user agencies.
  273         5.6. Consolidation of contract practices or coordination of
  274  software, hardware, or other technology-related procurements and
  275  the associated cost savings.
  276         6.7. Improvements to data center governance structures.
  277         (d) By October 1 of each year beginning in 2011, provide
  278  recommendations 2009, recommend to the Governor and Legislature
  279  relating to changes to the schedule for the consolidations of
  280  state agency data centers as provided in subsection (4) at least
  281  two nonprimary data centers for consolidation into a primary
  282  data center or nonprimary data center facility.
  283         1. The consolidation proposal must provide a transition
  284  plan that includes:
  285         a. Estimated transition costs for each data center or
  286  computing facility recommended for consolidation;
  287         b. Detailed timeframes for the complete transition of each
  288  data center or computing facility recommended for consolidation;
  289         c. Proposed recurring and nonrecurring fiscal impacts,
  290  including increased or decreased costs and associated budget
  291  impacts for affected budget entities;
  292         d. Substantive legislative changes necessary to implement
  293  the transition; and
  294         e. Identification of computing resources to be transferred
  295  and those that will remain in the agency. The transfer of
  296  resources must include all hardware, software, staff, contracted
  297  services, and facility resources performing data center
  298  management and operations, security, backup and recovery,
  299  disaster recovery, system administration, database
  300  administration, system programming, job control, production
  301  control, print, storage, technical support, help desk, and
  302  managed services but excluding application development.
  303         1.2.The recommendations must shall be based on the goal of
  304  maximizing current and future cost savings. The agency shall
  305  consider the following criteria for managing and coordinating in
  306  selecting consolidations that maximize efficiencies by providing
  307  the ability to:
  308         a. Consolidate purchase decisions;
  309         b. Leverage expertise and other resources to gain economies
  310  of scale;
  311         c. Implement state information technology policies more
  312  effectively;
  313         d. Maintain or improve the level of service provision to
  314  customer entities; and
  315         e. Make progress towards the state’s goal of consolidating
  316  data centers and computing facilities into primary data centers.
  317         2.3. The agency shall establish workgroups as necessary to
  318  ensure participation by affected agencies in the development of
  319  recommendations related to consolidations.
  320         (e) By December 31, 2010, the agency shall develop and
  321  submit to the Legislature an overall consolidation plan for
  322  state data centers. The plan shall indicate a timeframe for the
  323  consolidation of all remaining nonprimary data centers into
  324  primary data centers, including existing and proposed primary
  325  data centers, by 2019.
  326         (e)(f) Develop and establish rules relating to the
  327  operation of the state data center system which comply with
  328  applicable federal regulations, including 2 C.F.R. part 225 and
  329  45 C.F.R. The agency shall publish notice of rule development in
  330  the Florida Administrative weekly by October 1, 2011. The rules
  331  may address:
  332         1. Ensuring that financial information is captured and
  333  reported consistently and accurately.
  334         2. Requiring compliance with standards for hardware and
  335  operations software, including security and network
  336  infrastructure for the primary data centers, to enable the
  337  efficient consolidation of the agency data centers or computing
  338  facilities, and providing an exemption process from compliance
  339  with such standards, which must be consistent with s.
  340  282.203(5)(b).
  341         2. Requiring the establishment of service-level agreements
  342  executed between a data center and its customer entities for
  343  services provided.
  344         3. Requiring annual full cost recovery on an equitable
  345  rational basis. The cost-recovery methodology must ensure that
  346  no service is subsidizing another service and may include
  347  adjusting the subsequent year’s rates as a means to recover
  348  deficits or refund surpluses from a prior year.
  349         4. Requiring that any special assessment imposed to fund
  350  expansion is based on a methodology that apportions the
  351  assessment according to the proportional benefit to each
  352  customer entity.
  353         5. Requiring that rebates be given when revenues have
  354  exceeded costs, that rebates be applied to offset charges to
  355  those customer entities that have subsidized the costs of other
  356  customer entities, and that such rebates may be in the form of
  357  credits against future billings.
  358         6. Requiring that all service-level agreements have a
  359  contract term of up to 3 years, but may include an option to
  360  renew for up to 3 additional years contingent on approval by the
  361  board, and require at least a 180-day notice of termination.
  362         7. Designating any nonstate data center as a primary data
  363  center if the center:
  364         a. Has an established governance structure that represents
  365  customer entities proportionally.
  366         b. Maintains an appropriate cost-allocation methodology
  367  that accurately bills a customer entity based on the actual
  368  direct and indirect costs to the customer entity, and prohibits
  369  the subsidization of one customer entity’s costs by another
  370  entity.
  371         c. Has sufficient raised floor space, cooling, and
  372  redundant power capacity, including uninterruptible power supply
  373  and backup power generation, to accommodate the computer
  374  processing platforms and support necessary to host the computing
  375  requirements of additional customer entities.
  376         8. Removing a nonstate data center from primary data center
  377  designation if the nonstate data center fails to meet standards
  378  necessary to ensure that the state’s data is maintained pursuant
  379  to subparagraph 7.
  380         (4) SCHEDULE FOR CONSOLIDATIONS OF AGENCY DATA CENTERS.—
  381         (a) Consolidations of agency data centers shall be made by
  382  the date and to the specified primary data center as provided in
  383  this section and in accordance with budget adjustments contained
  384  in the General Appropriations Act.
  385         (b) During the 2011-2012 fiscal year, the following shall
  386  be consolidated into the Northwest Regional Data Center:
  387         1. By December 31, 2011, the College Center for Library
  388  Automation.
  389         2. By December 31, 2011, the Florida Center for Library
  390  Automation.
  391         3. By December 31, 2011, the Department of Education,
  392  including the computing services and resources of:
  393         a.The Knott Data Center in the Turlington Building;
  394         b. The Division of Vocational Rehabilitation;
  395         c. The Division of Blind Services, except for the
  396  division’s disaster recovery site in Daytona Beach;
  397         d. The FCAT Explorer; and
  398         e. FACTS.org.
  399         (c) During the 2011-2012 fiscal year, the following shall
  400  be consolidated into the Southwood Shared Resource Center:
  401         1. By September 30, 2011, the Department of Corrections.
  402         2. By March 31, 2012, the Department of Transportation’s
  403  Burns Office Building.
  404         3. By March 31, 2012, the Department of Transportation’s
  405  Survey & Mapping Office.
  406         (d) During the 2011-2012 fiscal year, the following shall
  407  be consolidated into the Northwood Shared Resource Center:
  408         1. By July 1, 2011, the Department of Transportation’s
  409  Office of Motor Carrier Compliance.
  410         2.By December 31, 2011, the Department of Highway Safety
  411  and Motor Vehicles.
  412         (e) During the 2012-2013 fiscal year, the following are
  413  proposed for consolidation into the Southwood Shared Resource
  414  Center:
  415         1. By September 30, 2012, the Division of Emergency
  416  Management and the Department of Community Affairs, except for
  417  the department’s Camp Blanding Emergency Operations Center in
  418  Starke.
  419         2. By September 30, 2012, the Department of Revenue’s
  420  Carlton and Taxworld Building L locations.
  421         3.By December 31, 2012, the Department of Health’s
  422  laboratories and all remaining data center resources, except for
  423  the department’s Jacksonville Lab Data Center.
  424         (f) During the 2012-2013 fiscal year, the following are
  425  proposed for consolidation into the Northwood Shared Resource
  426  Center:
  427         1. By July 1, 2012, the Agency for Health Care
  428  Administration.
  429         2. By December 31, 2012, the Department of Environmental
  430  Protection.
  431         3. By March 30, 2013, the Department of Law Enforcement.
  432         (g)During the 2013-2014 fiscal year, the following
  433  agencies shall work with the Agency for Enterprise Information
  434  Technology to begin preliminary planning for consolidation into
  435  a primary data center:
  436         1. The Department of the Lottery’s headquarters.
  437         2. The Department of Legal Affairs.
  438         3. The Fish and Wildlife Conservation Commission, except
  439  for the commission’s Fish and Wildlife Research Institute in St.
  440  Petersburg.
  441         4. The Executive Office of the Governor.
  442         5. The Department of Veterans Affairs.
  443         6. The Department of Elderly Affairs.
  444         7. The Department of Financial Services’ Hartman, Larson,
  445  and Fletcher Building Data Centers.
  446         8. The Department of Agriculture and Consumer Services’
  447  Agriculture Management Information Center in the Mayo Building
  448  and Division of Licensing.
  449         (h) During the 2014-2015 fiscal year, the following
  450  agencies shall work with the Agency for Enterprise Information
  451  Technology to begin preliminary planning for consolidation into
  452  a primary data center:
  453         1. The Department of Health’s Jacksonville Lab Data Center.
  454         2. The Department of Transportation’s district offices,
  455  toll offices, and the District Materials Office.
  456         3. The Department of Military Affairs’ Camp Blanding Joint
  457  Training Center in Starke.
  458         4. The Department of Community Affairs’ Camp Blanding
  459  Emergency Operations Center in Starke.
  460         5. The Department of Education’s Division of Blind Services
  461  disaster recovery site in Daytona Beach.
  462         6. The Department of Education’s disaster recovery site in
  463  Sante Fe College.
  464         7. The Department of the Lottery’s Disaster Recovery Backup
  465  Data Center in Orlando.
  466         8. The Fish and Wildlife Conservation Commission’s Fish and
  467  Wildlife Research Institute in St. Petersburg.
  468         9. The Department of Children and Family Services’s
  469  Suncoast Data Center in Tampa.
  470         10. The Department of Children and Family Services’ Florida
  471  State Hospital in Chattahoochee.
  472         (i)During the 2015-2016 fiscal year, all computing
  473  resources remaining within an agency nonprimary data center or
  474  computing facility shall be transferred to a primary data center
  475  for consolidation unless otherwise required to remain in the
  476  agency for specific business reasons. Such data centers,
  477  computing facilities, and resource shall be identified by the
  478  Agency for Enterprise Information Technology by October 1, 2014.
  479         (j)Any agency that is consolidating agency data centers
  480  into a primary data center must execute or update its existing
  481  service-level agreement within 2 months after the specified
  482  consolidation date, as required by s. 282.203(1)(i), in order to
  483  specify the services and levels of service it is to receive from
  484  the primary data center as a result of the consolidation. If an
  485  agency is unable to complete and execute a service-level
  486  agreement by that date, the agency shall submit a report to the
  487  Executive Office of the Governor and to the chairs of the
  488  legislative appropriations committees within 5 working days,
  489  explaining the specific issues preventing execution and
  490  describing its plan and schedule for resolving those issues.
  491         (k) Beginning September 1, 2011, and every 6 months
  492  thereafter until data center consolidations are complete, the
  493  Agency for Enterprise Information Technology shall provide a
  494  status report on the consolidations that are required to be
  495  completed during the fiscal year. The report shall be submitted
  496  to the Executive Office of the Governor and the chairs of the
  497  legislative appropriations committees. The report must, at a
  498  minimum, describe:
  499         1. Whether the consolidation is on schedule, including
  500  progress on achieving the milestones necessary for successful
  501  and timely consolidation of scheduled agency data centers and
  502  computing facilities; and
  503         2. The risks that may affect the progress or outcome of the
  504  consolidation and how these risks are being addressed,
  505  mitigated, or managed.
  506         (l) Each agency required to plan for consolidation into a
  507  primary data center shall submit a draft consolidation plan to
  508  the Agency for Enterprise Information Technology by September 1
  509  of the fiscal year before the fiscal year in which the scheduled
  510  consolidation will occur. Transition plans shall be developed in
  511  consultation with the appropriate primary data centers and the
  512  Agency for Enterprise Information Technology, and must include:
  513         1. A recommendation as to which primary data center is most
  514  appropriate for the agency’s consolidation if not the one
  515  proposed;
  516         2. An inventory of the agency data center’s resources being
  517  consolidated, including all hardware, software, staff, and
  518  contracted services, and the facility resources performing data
  519  center management and operations, security, backup and recovery,
  520  disaster recovery, system administration, database
  521  administration, system programming, job control, production
  522  control, print, storage, technical support, help desk, and
  523  managed services, but excluding application development;
  524         3. A description of the level of services needed to meet
  525  the technical and operational requirements of the platforms
  526  being consolidated;
  527         4. A description of resources for computing services
  528  proposed to remain in the department;
  529         5. A timetable with significant milestones for the
  530  completion of the consolidation;
  531         6. An estimate of the agency’s current-year cost to
  532  support, house, and manage the data center functions in
  533  subparagraph 2.; and
  534         7. The specific recurring and nonrecurring budget
  535  adjustments by appropriation category that are required during
  536  the year in which the data center is consolidated in order to
  537  transfer sufficient budget resources into the appropriate data
  538  processing category pursuant to legislative budget instructions
  539  as provided by s. 216.023.
  540         (m) Each primary data center shall develop a transition
  541  plan for absorbing the transfer of agency data center resources
  542  based upon the timetables for transition as recommended by the
  543  Agency for Enterprise Information Technology. The plan shall be
  544  submitted to the Agency for Enterprise Information Technology,
  545  the Executive Office of the Governor, and the chairs of the
  546  legislative appropriations committees by September 30 of the
  547  fiscal year before the fiscal year in which the scheduled
  548  consolidations will occur. Each plan must include:
  549         1. An estimate of the cost to provide data center services
  550  for each agency scheduled for consolidation;
  551         2. A staffing plan that identifies the projected staffing
  552  needs and requirements based on the estimated workload
  553  identified in the agency transition plan;
  554         3. The fiscal year adjustments to budget categories in
  555  order to absorb the transfer of agency data center resources
  556  pursuant to the legislative budget request instructions provided
  557  in s. 216.023;
  558         4. An analysis of the cost effects resulting from the
  559  planned consolidations on existing agency customers; and
  560         5. A description of any issues that must be resolved in
  561  order to accomplish as efficiently and effectively as possible
  562  all consolidations required during the fiscal year.
  563         (n)The Agency for Enterprise Information Technology shall
  564  develop a comprehensive transition plan, which shall be
  565  submitted by October 15th of the fiscal year before the fiscal
  566  year in which the scheduled consolidations will occur to each
  567  primary data center, the Executive Office of the Governor, and
  568  the chairs of the legislative appropriations committees. The
  569  transition plan shall be developed in consultation with agencies
  570  submitting agency transition plans and with the affected primary
  571  data centers. The comprehensive transition plan must include:
  572         1. Recommendations for accomplishing the proposed
  573  transitions as efficiently and effectively as possible with
  574  minimal disruption to customer agency business processes;
  575         2. Strategies to minimize risks associated with any of the
  576  proposed consolidations;
  577         3. A compilation of the agency transition plans submitted
  578  by agencies scheduled for consolidation for the following fiscal
  579  year;
  580         4. Revisions to any budget adjustments provided in the
  581  agency or primary data center transition plans; and
  582         5. Other revisions as appropriate, including recommended
  583  changes in final primary data center destination or schedule for
  584  any agency data center consolidation.
  585         (o) Any data center planned for consolidation after the
  586  2011-2012 fiscal year may move to a primary data center before
  587  the scheduled consolidation date.
  588         (5)(4) AGENCY LIMITATIONS.—
  589         (a) Unless authorized by the Legislature or as provided in
  590  paragraphs (b) and (c), a state agency may not:
  591         1. Create a new computing facility or data center, or
  592  expand the capability to support additional computer equipment
  593  in an existing computing facility or nonprimary data center;
  594         2. Spend funds before the agency’s scheduled consolidation
  595  into a primary data center to purchase or modify hardware or
  596  operations software that does not comply with hardware and
  597  software standards established by the Agency for Enterprise
  598  Information Technology pursuant to s. 282.202(2)(e) for the
  599  efficient consolidation of the agency data centers or computing
  600  facilities;
  601         3.2. Transfer existing computer services to any data center
  602  other than a primary nonprimary data center or computing
  603  facility;
  604         4.3. Terminate services with a primary data center or
  605  transfer services between primary data centers without giving
  606  written notice of intent to terminate or transfer services 180
  607  days before such termination or transfer; or
  608         5.4. Initiate a new computer service if it does not
  609  currently have an internal data center except with a primary
  610  data center.
  611         (b) Exceptions to the limitations in subparagraphs (a)1.,
  612  2., 3., and 5. 4. may be granted by the Agency for Enterprise
  613  Information Technology if there is insufficient capacity in a
  614  primary data center to absorb the workload associated with
  615  agency computing services, if expenditures are compatible with
  616  the scheduled consolidation, or if the equipment or resources
  617  are needed to maintain agency data center services and cannot be
  618  satisfied from surplus equipment or resources of the primary
  619  data center until the agency data center is consolidated.
  620         1. A request for an exception must be submitted in writing
  621  to the Agency for Enterprise Information Technology. The agency
  622  must accept, accept with conditions, or deny the request within
  623  60 days after receipt of the written request. The agency’s
  624  decision is not subject to chapter 120.
  625         2. At a minimum, the agency may not approve a request
  626  unless it includes:
  627         a. Documentation approved by the primary data center’s
  628  board of trustees which confirms that the center cannot meet the
  629  capacity requirements of the agency requesting the exception
  630  within the current fiscal year.
  631         b. A description of the capacity requirements of the agency
  632  requesting the exception.
  633         c. Documentation from the agency demonstrating why it is
  634  critical to the agency’s mission that the expansion or transfer
  635  must be completed within the fiscal year rather than when
  636  capacity is established at a primary data center.
  637         (c) Exceptions to subparagraph (a)4. (a)3. may be granted
  638  by the board of trustees of the primary data center if the
  639  termination or transfer of services can be absorbed within the
  640  current cost-allocation plan.
  641         (d) Upon the termination of or transfer of agency computing
  642  services from the primary data center, the primary data center
  643  shall require information sufficient to determine compliance
  644  with this section. If a primary data center determines that an
  645  agency is in violation of this section, it shall report the
  646  violation to the Agency for Enterprise Information Technology.
  647         (6)(5) RULES.—The Agency for Enterprise Information
  648  Technology may is authorized to adopt rules pursuant to ss.
  649  120.536(1) and 120.54 to administer the provisions of this part
  650  relating to the state data center system including the primary
  651  data centers.
  652         Section 5. Paragraphs (f) through (l) of subsection (1),
  653  paragraph (a) of subsection (2), and paragraph (j) of subsection
  654  (3) of section 282.203, Florida Statutes, are amended to read:
  655         282.203 Primary data centers.—
  656         (1) DATA CENTER DUTIES.—Each primary data center shall:
  657         (f) By December 31, 2010, submit organizational plans that
  658  minimize the annual recurring cost of center operations and
  659  eliminate the need for state agency customers to maintain data
  660  center skills and staff within their agency. The plans shall:
  661         1. Establish an efficient organizational structure
  662  describing the roles and responsibilities of all positions and
  663  business units in the centers;
  664         2. Define a human resources planning and management process
  665  that shall be used to make required center staffing decisions;
  666  and
  667         3. Develop a process for projecting staffing requirements
  668  based on estimated workload identified in customer agency
  669  service level agreements.
  670         (f)(g) Maintain the performance of the facility, which
  671  includes ensuring proper data backup, data backup recovery, an
  672  effective disaster recovery plan, and appropriate security,
  673  power, cooling and fire suppression, and capacity.
  674         (g)(h) Develop a business continuity plan and conduct a
  675  live exercise of the plan at least annually. The plan must be
  676  approved by the board and the Agency for Enterprise Information
  677  Technology.
  678         (h)(i) Enter into a service-level agreement with each
  679  customer entity to provide services as defined and approved by
  680  the board in compliance with rules of the Agency for Enterprise
  681  Information Technology. A service-level agreement may not have a
  682  term exceeding 3 years but may include an option to renew for up
  683  to 3 years contingent on approval by the board.
  684         1. A service-level agreement, at a minimum, must:
  685         a. Identify the parties and their roles, duties, and
  686  responsibilities under the agreement;
  687         b. Identify the legal authority under which the service
  688  level agreement was negotiated and entered into by the parties;
  689         c. State the duration of the contractual term and specify
  690  the conditions for contract renewal;
  691         d. Prohibit the transfer of computing services between
  692  primary data center facilities without at least 180 days’ notice
  693  of service cancellation;
  694         e. Identify the scope of work;
  695         f. Identify the products or services to be delivered with
  696  sufficient specificity to permit an external financial or
  697  performance audit;
  698         g. Establish the services to be provided, the business
  699  standards that must be met for each service, the cost of each
  700  service, and the process by which the business standards for
  701  each service are to be objectively measured and reported;
  702         h. Identify applicable funds and funding streams for the
  703  services or products under contract;
  704         i. Provide a timely billing methodology for recovering the
  705  cost of services provided to the customer entity;
  706         j. Provide a procedure for modifying the service-level
  707  agreement to address changes in projected costs of service;
  708         k. Provide that a service-level agreement may be terminated
  709  by either party for cause only after giving the other party and
  710  the Agency for Enterprise Information Technology notice in
  711  writing of the cause for termination and an opportunity for the
  712  other party to resolve the identified cause within a reasonable
  713  period; and
  714         l. Provide for mediation of disputes by the Division of
  715  Administrative Hearings pursuant to s. 120.573.
  716         2. A service-level agreement may include:
  717         a. A dispute resolution mechanism, including alternatives
  718  to administrative or judicial proceedings;
  719         b. The setting of a surety or performance bond for service
  720  level agreements entered into with nonstate agency primary data
  721  centers established by law, which may be designated by the
  722  Agency for Enterprise Information Technology; or
  723         c. Additional terms and conditions as determined advisable
  724  by the parties if such additional terms and conditions do not
  725  conflict with the requirements of this section or rules adopted
  726  by the Agency for Enterprise Information Technology.
  727         3. The failure to execute a service-level agreement within
  728  60 days after service commencement shall, in the case of an
  729  existing customer entity, result in a continuation of the terms
  730  of the service-level agreement from the prior fiscal year,
  731  including any amendments that were formally proposed to the
  732  customer entity by the primary data center within the 3 months
  733  before service commencement, and a revised cost-of-service
  734  estimate. If a new customer entity fails to execute an agreement
  735  within 60 days after service commencement, the data center may
  736  cease services.
  737         (i)(j) Plan, design, establish pilot projects for, and
  738  conduct experiments with information technology resources, and
  739  implement enhancements in services if such implementation is
  740  cost-effective and approved by the board.
  741         (j)(k) Enter into a memorandum of understanding with the
  742  agency where the data center is administratively located which
  743  establishes the services to be provided by that agency to the
  744  data center and the cost of such services.
  745         (k)(l) Be the custodian of resources and equipment that are
  746  located, operated, supported, and managed by the center for the
  747  purposes of chapter 273, except for resources and equipment
  748  located, operated, supported, and managed by the Northwest
  749  Regional Data Center.
  750         (l) Assume administrative access rights to the resources
  751  and equipment, such as servers, network components, and other
  752  devices that are consolidated into the primary data center.
  753         1. Upon the date of each consolidation specified in s.
  754  282.201, the General Appropriations Act, or the Laws of Florida,
  755  each agency shall relinquish all administrative access rights to
  756  such resources and equipment.
  757         2. Each primary data center shall provide its customer
  758  agencies with the appropriate level of access to applications,
  759  servers, network components, and other devices necessary for
  760  agencies to perform their core business activities and
  761  functions.
  762         (2) BOARD OF TRUSTEES.—Each primary data center shall be
  763  headed by a board of trustees as defined in s. 20.03.
  764         (a) The members of the board shall be appointed by the
  765  agency head or chief executive officer of the representative
  766  customer entities of the primary data center and shall serve at
  767  the pleasure of the appointing customer entity. Each agency head
  768  or chief executive officer may appoint an alternate member for
  769  each board member appointed pursuant to this subsection.
  770         1. During the first fiscal year that a state agency is to
  771  consolidate its data center operations to a primary data center
  772  and for the following full fiscal year, the agency shall have a
  773  single trustee having one vote on the board of the state primary
  774  data center where it is to consolidate, unless it is entitled in
  775  the second year to a greater number of votes as provided in
  776  subparagraph 3. For each of the first 2 fiscal years that a
  777  center is in operation, membership shall be as provided in
  778  subparagraph 3. based on projected customer entity usage rates
  779  for the fiscal operating year of the primary data center.
  780  However, at a minimum:
  781         a. During the Southwood Shared Resource Center’s first 2
  782  operating years, the Department of Transportation, the
  783  Department of Highway Safety and Motor Vehicles, the Department
  784  of Health, and the Department of Revenue must each have at least
  785  one trustee.
  786         b. During the Northwood Shared Resource Center’s first
  787  operating year, the Department of State and the Department of
  788  Education must each have at least one trustee.
  789         2. Board After the second full year of operation,
  790  membership shall be as provided in subparagraph 3. based on the
  791  most recent estimate of customer entity usage rates for the
  792  prior year and a projection of usage rates for the first 9
  793  months of the next fiscal year. Such calculation must be
  794  completed before the annual budget meeting held before the
  795  beginning of the next fiscal year so that any decision to add or
  796  remove board members can be voted on at the budget meeting and
  797  become effective on July 1 of the subsequent fiscal year.
  798         3. Each customer entity that has a projected usage rate of
  799  4 percent or greater during the fiscal operating year of the
  800  primary data center shall have one trustee on the board.
  801         4. The total number of votes for each trustee shall be
  802  apportioned as follows:
  803         a. Customer entities of a primary data center whose usage
  804  rate represents 4 but less than 15 percent of total usage shall
  805  have one vote.
  806         b. Customer entities of a primary data center whose usage
  807  rate represents 15 but less than 30 percent of total usage shall
  808  have two votes.
  809         c. Customer entities of a primary data center whose usage
  810  rate represents 30 but less than 50 percent of total usage shall
  811  have three votes.
  812         d. A customer entity of a primary data center whose usage
  813  rate represents 50 percent or more of total usage shall have
  814  four votes.
  815         e. A single trustee having one vote shall represent those
  816  customer entities that represent less than 4 percent of the
  817  total usage. The trustee shall be selected by a process
  818  determined by the board.
  819         (3) BOARD DUTIES.—Each board of trustees of a primary data
  820  center shall:
  821         (j) Maintain the capabilities of the primary data center’s
  822  facilities. Maintenance responsibilities include, but are not
  823  limited to, ensuring that adequate conditioned floor space, fire
  824  suppression, cooling, and power is in place; replacing aging
  825  equipment when necessary; and making decisions related to data
  826  center expansion and renovation, periodic upgrades, and
  827  improvements that are required to ensure the ongoing suitability
  828  of the facility as an enterprise data center consolidation site
  829  in the state data center system. To the extent possible, the
  830  board shall ensure that its approved annual cost-allocation plan
  831  recovers sufficient funds from its customers to provide for
  832  these needs pursuant to s. 282.201(2)(e).
  833         Section 6. Section 282.204, Florida Statutes, is amended to
  834  read:
  835         282.204 Northwood Shared Resource Center.—The Northwood
  836  Shared Resource Center is an agency established within the
  837  department of Children and Family Services for administrative
  838  purposes only.
  839         (1) The center is a primary data center and is shall be a
  840  separate budget entity that is not subject to control,
  841  supervision, or direction of the department in any manner,
  842  including, but not limited to, purchasing, transactions
  843  involving real or personal property, personnel, or budgetary
  844  matters.
  845         (2) The center shall be headed by a board of trustees as
  846  provided in s. 282.203, who shall comply with all requirements
  847  of that section related to the operation of the center and with
  848  the rules of the Agency for Enterprise Information Technology
  849  related to the design and delivery of enterprise information
  850  technology services.
  851         Section 7. Section 282.206, Florida Statutes, is created to
  852  read:
  853         282.206Northwest Regional Data Center.—The Northwest
  854  Regional Data Center at Florida State University is designated
  855  as a primary data center. The center shall be headed by a board
  856  of trustees as provided in s. 282.203, who shall comply with all
  857  requirements of that section related to the operation of the
  858  center and with the rules of the Agency for Enterprise
  859  Information Technology related to the design and delivery of
  860  enterprise information technology services for state agencies.
  861         Section 8. Section 282.315, Florida Statutes, is repealed.
  862         Section 9. Subsections (3) through (7) of section 282.318,
  863  Florida Statutes, are amended to read:
  864         282.318 Enterprise security of data and information
  865  technology.—
  866         (3) The Office of Information Security within the Agency
  867  for Enterprise Information Technology is responsible for
  868  establishing rules and publishing guidelines for ensuring an
  869  appropriate level of security for all data and information
  870  technology resources for executive branch agencies. The agency
  871  office shall also perform the following duties and
  872  responsibilities:
  873         (a) Develop, and annually update by February 1, an
  874  enterprise information security strategic plan that includes
  875  security goals and objectives for the strategic issues of
  876  information security policy, risk management, training, incident
  877  management, and survivability planning.
  878         (b) Develop enterprise security rules and published
  879  guidelines for:
  880         1. Comprehensive risk analyses and information security
  881  audits conducted by state agencies.
  882         2. Responding to suspected or confirmed information
  883  security incidents, including suspected or confirmed breaches of
  884  personal information or exempt data.
  885         3. Agency security plans, including strategic security
  886  plans and security program plans.
  887         4. The recovery of information technology and data
  888  following a disaster.
  889         5. The managerial, operational, and technical safeguards
  890  for protecting state government data and information technology
  891  resources.
  892         (c) Assist agencies in complying with the provisions of
  893  this section.
  894         (d) Pursue appropriate funding for the purpose of enhancing
  895  domestic security.
  896         (e) Provide training for agency information security
  897  managers.
  898         (f) Annually review the strategic and operational
  899  information security plans of executive branch agencies.
  900         (4) To assist the Agency for Enterprise Information
  901  Technology Office of Information Security in carrying out its
  902  responsibilities, each agency head shall, at a minimum:
  903         (a) Designate an information security manager to administer
  904  the security program of the agency for its data and information
  905  technology resources. This designation must be provided annually
  906  in writing to the Agency for Enterprise Information Technology
  907  office by January 1.
  908         (b) Submit to the Agency for Enterprise Information
  909  Technology office annually by July 31, the agency’s strategic
  910  and operational information security plans developed pursuant to
  911  the rules and guidelines established by the Agency for
  912  Enterprise Information Technology office.
  913         1. The agency strategic information security plan must
  914  cover a 3-year period and define security goals, intermediate
  915  objectives, and projected agency costs for the strategic issues
  916  of agency information security policy, risk management, security
  917  training, security incident response, and survivability. The
  918  plan must be based on the enterprise strategic information
  919  security plan created by the Agency for Enterprise Information
  920  Technology office. Additional issues may be included.
  921         2. The agency operational information security plan must
  922  include a progress report for the prior operational information
  923  security plan and a project plan that includes activities,
  924  timelines, and deliverables for security objectives that,
  925  subject to current resources, the agency will implement during
  926  the current fiscal year. The cost of implementing the portions
  927  of the plan which cannot be funded from current resources must
  928  be identified in the plan.
  929         (c) Conduct, and update every 3 years, a comprehensive risk
  930  analysis to determine the security threats to the data,
  931  information, and information technology resources of the agency.
  932  The risk analysis information is confidential and exempt from
  933  the provisions of s. 119.07(1), except that such information
  934  shall be available to the Auditor General and the Agency for
  935  Enterprise Information Technology for performing postauditing
  936  duties.
  937         (d) Develop, and periodically update, written internal
  938  policies and procedures, which include procedures for notifying
  939  the Agency for Enterprise Information Technology office when a
  940  suspected or confirmed breach, or an information security
  941  incident, occurs. Such policies and procedures must be
  942  consistent with the rules and guidelines established by the
  943  Agency for Enterprise Information Technology office to ensure
  944  the security of the data, information, and information
  945  technology resources of the agency. The internal policies and
  946  procedures that, if disclosed, could facilitate the unauthorized
  947  modification, disclosure, or destruction of data or information
  948  technology resources are confidential information and exempt
  949  from s. 119.07(1), except that such information shall be
  950  available to the Auditor General and the Agency for Enterprise
  951  Information Technology for performing postauditing duties.
  952         (e) Implement appropriate cost-effective safeguards to
  953  address identified risks to the data, information, and
  954  information technology resources of the agency.
  955         (f) Ensure that periodic internal audits and evaluations of
  956  the agency’s security program for the data, information, and
  957  information technology resources of the agency are conducted.
  958  The results of such audits and evaluations are confidential
  959  information and exempt from s. 119.07(1), except that such
  960  information shall be available to the Auditor General and the
  961  Agency for Enterprise Information Technology for performing
  962  postauditing duties.
  963         (g) Include appropriate security requirements in the
  964  written specifications for the solicitation of information
  965  technology and information technology resources and services,
  966  which are consistent with the rules and guidelines established
  967  by the Agency for Enterprise Information Technology office.
  968         (h) Provide security awareness training to employees and
  969  users of the agency’s communication and information resources
  970  concerning information security risks and the responsibility of
  971  employees and users to comply with policies, standards,
  972  guidelines, and operating procedures adopted by the agency to
  973  reduce those risks.
  974         (i) Develop a process for detecting, reporting, and
  975  responding to suspected or confirmed security incidents,
  976  including suspected or confirmed breaches consistent with the
  977  security rules and guidelines established by the Agency for
  978  Enterprise Information Technology office.
  979         1. Suspected or confirmed information security incidents
  980  and breaches must be immediately reported to the Agency for
  981  Enterprise Information Technology office.
  982         2. For incidents involving breaches, agencies shall provide
  983  notice in accordance with s. 817.5681 and to the Agency for
  984  Enterprise Information Technology office in accordance with this
  985  subsection.
  986         (5) Each state agency shall include appropriate security
  987  requirements in the specifications for the solicitation of
  988  contracts for procuring information technology or information
  989  technology resources or services which are consistent with the
  990  rules and guidelines established by the Agency for Enterprise
  991  Information Technology Office of Information Security.
  992         (6) The Agency for Enterprise Information Technology may
  993  adopt rules relating to information security and to administer
  994  the provisions of this section.
  995         (7) By December 31, 2010, the Agency for Enterprise
  996  Information Technology shall develop, and submit to the
  997  Governor, the President of the Senate, and the Speaker of the
  998  House of Representatives a proposed implementation plan for
  999  information technology security. The agency shall describe the
 1000  scope of operation, conduct costs and requirements analyses,
 1001  conduct an inventory of all existing security information
 1002  technology resources, and develop strategies, timeframes, and
 1003  resources necessary for statewide migration.
 1004         Section 10. Subsections (3) and (4) of section 282.33,
 1005  Florida Statutes, are amended to read:
 1006         282.33 Objective standards for data center energy
 1007  efficiency.—
 1008         (2) State shared resource data centers and other data
 1009  centers that the Agency for Enterprise Information Technology
 1010  has determined will be recipients for consolidating data
 1011  centers, which are designated by the Agency for Enterprise
 1012  Information Technology, shall evaluate their data center
 1013  facilities for energy efficiency using the standards established
 1014  in this section.
 1015         (a) Results of these evaluations shall be reported to the
 1016  Agency for Enterprise Information Technology, the President of
 1017  the Senate, and the Speaker of the House of Representatives.
 1018  Reports shall enable the tracking of energy performance over
 1019  time and comparisons between facilities.
 1020         (b) Beginning By December 31, 2010, and every 3 years
 1021  biennially thereafter, the Agency for Enterprise Information
 1022  Technology shall submit to the Legislature recommendations for
 1023  reducing energy consumption and improving the energy efficiency
 1024  of state primary data centers.
 1025         (3) The primary means of achieving maximum energy savings
 1026  across all state data centers and computing facilities shall be
 1027  the consolidation of data centers and computing facilities as
 1028  determined by the Agency for Enterprise Information Technology.
 1029  State data centers and computing facilities in the state data
 1030  center system shall be established as an enterprise information
 1031  technology service as defined in s. 282.0041. The Agency for
 1032  Enterprise Information Technology shall make recommendations on
 1033  consolidating state data centers and computing facilities,
 1034  pursuant to s. 282.0056, by December 31, 2009.
 1035         (3)(4)If When the total cost of ownership of an energy
 1036  efficient product is less than or equal to the cost of the
 1037  existing data center facility or infrastructure, technical
 1038  specifications for energy-efficient products should be
 1039  incorporated in the plans and processes for replacing,
 1040  upgrading, or expanding data center facilities or
 1041  infrastructure, including, but not limited to, network, storage,
 1042  or computer equipment and software.
 1043         Section 11. Subsections (4) through (11) of section 282.34,
 1044  Florida Statutes, are amended to read:
 1045         282.34 Statewide e-mail service.—A state e-mail system that
 1046  includes the delivery and support of e-mail, messaging, and
 1047  calendaring capabilities is established as an enterprise
 1048  information technology service as defined in s. 282.0041. The
 1049  service shall be designed to meet the needs of all executive
 1050  branch agencies. The primary goals of the service are to
 1051  minimize the state investment required to establish, operate,
 1052  and support the statewide service; reduce the cost of current e
 1053  mail operations and the number of duplicative e-mail systems;
 1054  and eliminate the need for each state agency to maintain its own
 1055  e-mail staff.
 1056         (4) All agencies must be completely migrated to the
 1057  statewide e-mail service as soon as financially and
 1058  operationally feasible, but no later than December 31, 2012 June
 1059  30, 2015.
 1060         (a) The Agency for Enterprise Information Technology, in
 1061  consultation with the Southwood Shared Resource Center and the
 1062  statewide e-mail service provider, shall establish a schedule
 1063  for the following statewide e-mail service implementation
 1064  schedule if different from the schedule provided in this
 1065  subsection. is established for state agencies:
 1066         1. Phase 1.—The following agencies must be completely
 1067  migrated to the statewide e-mail system by June 30, 2012: the
 1068  Agency for Enterprise Information Technology; the Agency for
 1069  Persons With Disabilities; the Department of Business and
 1070  Professional Regulation; the Department of Children and Family
 1071  Services; the Department of Education, including the Board of
 1072  Governors; the Department of Elderly Affairs; the Department of
 1073  Citrus; the Department of Community Affairs, including the
 1074  Division of Emergency Management; the Department of Corrections;
 1075  the Department of Health; the Department of Highway Safety and
 1076  Motor Vehicles; the Department of Management Services, including
 1077  the Division of Administrative Hearings, the Division of
 1078  Retirement, the Commission on Human Relations, the Northwood
 1079  Shared Resource Center, and the Public Employees Relations
 1080  Commission; the Southwood Shared Resource Center; the Department
 1081  of State; the Department of Transportation; and the Department
 1082  of Revenue.
 1083         2. Phase 2.—The following agencies must be completely
 1084  migrated to the statewide e-mail system by December 31, 2012
 1085  June 30, 2013: the Agency for Health Care Administration; the
 1086  Agency for Workforce Innovation; the Executive Office of the
 1087  Governor, including the Office of Emergency Management; the
 1088  Department of Community Affairs, the Department of Agriculture
 1089  and Consumer Services; the Department of Financial Services,
 1090  including the Office of Financial Regulation and the Office of
 1091  Insurance Regulation; the Fish and Wildlife Conservation
 1092  Commission; the State Board of Administration; the Department of
 1093  Corrections the Department of Business and Professional
 1094  Regulation; the Department of Education, including the Board of
 1095  Governors; the Department of Environmental Protection; the
 1096  Department of Juvenile Justice; the Department of the Lottery;
 1097  the Department of State; the Department of Law Enforcement; the
 1098  Department of Veterans’ Affairs; the Judicial Administration
 1099  Commission; the Public Service Commission; and the Statewide
 1100  Guardian Ad Litem Office.
 1101         3. Phase 3.—The following agencies must be completely
 1102  migrated to the statewide e-mail system by June 30, 2014: the
 1103  Agency for Health Care Administration; the Agency for Workforce
 1104  Innovation; the Department of Financial Services, including the
 1105  Office of Financial Regulation and the Office of Insurance
 1106  Regulation; the Department of Agriculture and Consumer Services;
 1107  the Executive Office of the Governor; the Department of
 1108  Transportation; the Fish and Wildlife Conservation Commission;
 1109  the Agency for Persons With Disabilities; the Northwood Shared
 1110  Resource Center; and the State Board of Administration.
 1111         4. Phase 4.—The following agencies must be completely
 1112  migrated to the statewide e-mail system by June 30, 2015: the
 1113  Department of Children and Family Services; the Department of
 1114  Citrus; the Department of Elderly Affairs; and the Department of
 1115  Legal Affairs.
 1116         (b) Agency requests to modify their scheduled implementing
 1117  date must be submitted in writing to the Agency for Enterprise
 1118  Information Technology. Any exceptions or modifications to the
 1119  schedule must be approved by the Agency for Enterprise
 1120  Information Technology based only on the following criteria:
 1121         1. Avoiding nonessential investment in agency e-mail
 1122  hardware or software refresh, upgrade, or replacement.
 1123         2. Avoiding nonessential investment in new software or
 1124  hardware licensing agreements, maintenance or support
 1125  agreements, or e-mail staffing for current e-mail systems.
 1126         3. Resolving known agency e-mail problems through migration
 1127  to the statewide e-mail service.
 1128         4. Accommodating unique agency circumstances that require
 1129  an acceleration or delay of the implementation date.
 1130         (5) In order to develop the implementation plan for the
 1131  statewide e-mail service, the Agency for Enterprise Information
 1132  Technology shall establish and coordinate a statewide e-mail
 1133  project team. The agency shall also consult with and, as
 1134  necessary, form workgroups consisting of agency e-mail
 1135  management staff, agency chief information officers, agency
 1136  budget directors, and other administrative staff. The statewide
 1137  e-mail implementation plan must be submitted to the Governor,
 1138  the President of the Senate, and the Speaker of the House of
 1139  Representatives by July 1, 2011, or 120 calendar days after the
 1140  contract for statewide e-mail services is signed, whichever is
 1141  later.
 1142         (6) Unless authorized by the Legislature or as provided in
 1143  subsection (7), a state agency may not:
 1144         (a) Initiate a new e-mail service or execute a new e-mail
 1145  contract or new e-mail contract amendment for nonessential
 1146  products or services with any entity other than the provider of
 1147  the statewide e-mail service;
 1148         (b) Purchase equipment or make expenditures to expand,
 1149  support, or enhance an existing agency e-mail service Terminate
 1150  a statewide e-mail service without giving written notice of
 1151  termination 180 days in advance; or
 1152         (c) Transfer e-mail system services from the provider of
 1153  the statewide e-mail service.
 1154         (7) Exceptions to paragraphs (6)(a), (b), and (c) may be
 1155  granted by the Agency for Enterprise Information Technology only
 1156  if the Southwood Shared Resource Center is unable to meet agency
 1157  business requirements or provide the necessary equipment,
 1158  resources, or support for the agency e-mail service, and if such
 1159  requirements are essential to maintain agency operations.
 1160  Requests for exceptions must be submitted in writing to the
 1161  Agency for Enterprise Information Technology and include
 1162  documented confirmation by the Southwood Shared Resource Center
 1163  board of trustees that it cannot meet the requesting agency’s e
 1164  mail service requirements.
 1165         (8) Each agency shall include the budget issues necessary
 1166  for migrating to the statewide e-mail service in its legislative
 1167  budget request before the first full year it is scheduled to
 1168  migrate to the statewide service in accordance with budget
 1169  instructions developed pursuant to s. 216.023.
 1170         (9) The Agency for Enterprise Information Technology shall
 1171  adopt rules to standardize the format for state agency e-mail
 1172  addresses, ensure the sufficiency and transparency of financial
 1173  information relating to the enterprise e-mail service, and
 1174  establish a process to resolve complaints from state agency
 1175  customers regarding the scope, cost, and provision of the
 1176  statewide e-mail service.
 1177         (10) State agencies must fully cooperate with the Agency
 1178  for Enterprise Information Technology in the performance of its
 1179  responsibilities established in this section.
 1180         (11) The Agency for Enterprise Information Technology may
 1181  approve shall recommend changes to an agency’s scheduled date
 1182  for migration to the statewide e-mail service pursuant to this
 1183  section, annually by December 31, until migration to the
 1184  statewide service is complete.
 1185         Section 12. Section 282.35, Florida Statutes, is created to
 1186  read:
 1187         282.35Statewide desktop service.—A state desktop service
 1188  that includes the service delivery and support to enable the use
 1189  of standard office automation functions is established as an
 1190  enterprise information technology service. The service shall be
 1191  designed to meet the needs of all executive branch agencies and
 1192  reduce the current cost of operation and support.
 1193         (1) The department shall be the provider of the statewide
 1194  desktop service. The primary goals of the service are to
 1195  minimize the state investment required to establish, operate,
 1196  and support the statewide desktop service; reduce the cost of
 1197  current desktop operations and the number of duplicative desktop
 1198  management systems; and eliminate the need for each state agency
 1199  to maintain its own desktop support staff. The department shall
 1200  centrally host, manage, and provide desktop services to achieve
 1201  these goals.
 1202         (2) By December 31, 2011, the Agency for Enterprise
 1203  Information Technology shall submit a proposed plan for the
 1204  establishment of the desktop service to the Governor, the
 1205  President of the Senate, and the Speaker of the House of
 1206  Representatives. The plan shall be developed to reduce costs to
 1207  the state and must, at a minimum, include:
 1208         (a) An analysis of the in-house and external sourcing
 1209  options that should be considered for delivery and support of
 1210  the service. At a minimum, the analysis must include a lease
 1211  option, a seat management option, hosted virtual desktop option,
 1212  and, if technically and operationally beneficial, a combined in
 1213  house and external sourcing option.
 1214         (b) Estimated expenditures for desktop services in each
 1215  state agency for the 2011-2012 fiscal year.
 1216         (c) A cost-benefit analysis that estimates all major cost
 1217  elements associated with each sourcing option, including the
 1218  nonrecurring and recurring costs of each option. The analysis
 1219  must also include a comparison of the total cost of existing
 1220  desktop services with the total cost of each sourcing option for
 1221  desktop services in order to determine the level of savings
 1222  which can be expected.
 1223         (d) A complete description of the scope of functionality,
 1224  service requirements, operations and management processes, and
 1225  required resources, standards, and governance associated with
 1226  each sourcing option.
 1227         (e) A concise analysis of the ability of each sourcing
 1228  option to provide needed functionality and meet major service
 1229  requirements, including federal and state requirements for
 1230  confidentiality, privacy, security, and records retention.
 1231         (f) A reliable schedule for migrating all state agency
 1232  desktop resources to the new service beginning no later than
 1233  July 1, 2013, and completing by June 30, 2015.
 1234         (3) In order to develop the recommended plan for the new
 1235  system, the Agency for Enterprise Information Technology shall
 1236  consult with, and, as necessary, form workgroups consisting of,
 1237  agency program management staff, agency chief information
 1238  officers, and agency budget directors. State agencies must
 1239  cooperate with the Agency for Enterprise Technology in its
 1240  development of the plan.
 1241         (4) Unless authorized by the Legislature or as provided in
 1242  subsection (5), a state agency may not:
 1243         (a) Initiate a new desktop service with any entity other
 1244  than the provider of the statewide desktop service;
 1245         (b) Terminate a statewide desktop service without giving
 1246  written notice of termination 180 days in advance; or
 1247         (c) Transfer desktop services from the provider of the
 1248  statewide desktop service.
 1249         (5) Exceptions to paragraphs (4)(a), (b), and (c) may be
 1250  granted by the Agency for Enterprise Information Technology only
 1251  if the department is unable to meet agency desktop service
 1252  requirements. Requests for exceptions must be submitted in
 1253  writing to the Agency for Enterprise Information Technology and
 1254  must include confirmation by the secretary of the department
 1255  that the department cannot meet the requesting agency’s desktop
 1256  service requirements.
 1257         Section 13. Paragraph (a) of subsection (2), paragraph (h)
 1258  of subsection (3), paragraph (b) of subsection (4), and
 1259  subsection (15) of section 287.042, Florida Statutes, are
 1260  amended to read:
 1261         287.042 Powers, duties, and functions.—The department shall
 1262  have the following powers, duties, and functions:
 1263         (2)(a) To establish purchasing agreements and procure state
 1264  term contracts for commodities and contractual services,
 1265  pursuant to s. 287.057, under which state agencies shall, and
 1266  eligible users may, make purchases pursuant to s. 287.056. The
 1267  department may restrict purchases from some term contracts to
 1268  state agencies only for those term contracts where the inclusion
 1269  of other governmental entities will have an adverse effect on
 1270  competition or to those federal facilities located in this
 1271  state. The department may adopt rules establishing the
 1272  conditions under which an agency may be exempted from using a
 1273  state term contract or purchasing agreement if the department
 1274  determines that the use of such exemption is in the best
 1275  interest of the state. In such planning or purchasing the Office
 1276  of Supplier Diversity may monitor to ensure that opportunities
 1277  are afforded for contracting with minority business enterprises.
 1278  The department, for state term contracts, and all agencies, for
 1279  multiyear contractual services or term contracts, shall explore
 1280  reasonable and economical means to utilize certified minority
 1281  business enterprises. Purchases by any county, municipality,
 1282  private nonprofit community transportation coordinator
 1283  designated pursuant to chapter 427, while conducting business
 1284  related solely to the Commission for the Transportation
 1285  Disadvantaged, or other local public agency under the provisions
 1286  in the state purchasing contracts, and purchases, from the
 1287  corporation operating the correctional work programs, of
 1288  products or services that are subject to paragraph (1)(f), are
 1289  exempt from the competitive solicitation requirements otherwise
 1290  applying to their purchases.
 1291         (3) To establish a system of coordinated, uniform
 1292  procurement policies, procedures, and practices to be used by
 1293  agencies in acquiring commodities and contractual services,
 1294  which shall include, but not be limited to:
 1295         (h) The development, in consultation with the Agency Chief
 1296  Information Officers Council, of procedures to be used by state
 1297  agencies when procuring information technology commodities and
 1298  contractual services that to ensure compliance with public
 1299  records requirements and records retention and archiving
 1300  requirements.
 1301         (4)
 1302         (b) To prescribe, in consultation with the Agency Chief
 1303  Information Officers Council, procedures for procuring
 1304  information technology and information technology consultant
 1305  services that which provide for public announcement and
 1306  qualification, competitive solicitations, contract award, and
 1307  prohibition against contingent fees. Such procedures are shall
 1308  be limited to information technology consultant contracts for
 1309  which the total project costs, or planning or study activities,
 1310  are estimated to exceed the threshold amount provided for in s.
 1311  287.017, for CATEGORY TWO.
 1312         (15) To initiate or enter into joint agreements with
 1313  governmental agencies, as defined in s. 163.3164(10), for the
 1314  purpose of pooling funds for the purchase of commodities or
 1315  information technology that can be used by multiple agencies.
 1316         (a) Each agency that has been appropriated or has existing
 1317  funds for such purchase, shall, upon contract award by the
 1318  department, transfer their portion of the funds into the
 1319  department’s Operating Trust Fund for payment by the department.
 1320  The funds shall be transferred by the Executive Office of the
 1321  Governor pursuant to the agency budget amendment request
 1322  provisions under in chapter 216.
 1323         (b) Agencies that sign the joint agreements are financially
 1324  obligated for their portion of the agreed-upon funds. If an
 1325  agency becomes more than 90 days delinquent in paying the funds,
 1326  the department shall certify to the Chief Financial Officer the
 1327  amount due, and the Chief Financial Officer shall transfer the
 1328  amount due to the Operating Trust Fund of the department from
 1329  any of the agency’s available funds. The Chief Financial Officer
 1330  shall report these transfers and the reasons for the transfers
 1331  to the Executive Office of the Governor and the legislative
 1332  appropriations committees.
 1333         Section 14. Section 287.056, Florida Statutes, is amended
 1334  to read:
 1335         287.056 Purchases from purchasing agreements and state term
 1336  contracts.—
 1337         (1) Agencies shall, and eligible users may, purchase
 1338  commodities and contractual services from purchasing agreements
 1339  established and state term contracts procured by the department,
 1340  pursuant to s. 287.057, by the department. The department may
 1341  adopt rules establishing the conditions under which an agency
 1342  may be exempted from using a state term contract or purchasing
 1343  agreement if the department determines that the use of such
 1344  exemption is in the best interest of the state. Each agency
 1345  agreement made under this subsection shall include:
 1346         (a) A provision specifying a scope of work that clearly
 1347  establishes all tasks that the contractor is required to
 1348  perform.
 1349         (b) A provision dividing the contract into quantifiable,
 1350  measurable, and verifiable units of deliverables that must be
 1351  received and accepted in writing by the contract manager before
 1352  payment. Each deliverable must be directly related to the scope
 1353  of work and specify the required minimum level of service to be
 1354  performed and the criteria for evaluating the successful
 1355  completion of each deliverable.
 1356         (2) Agencies may have the option to purchase commodities or
 1357  contractual services from state term contracts procured,
 1358  pursuant to s. 287.057, by the department.
 1359         (2)(3) Agencies and eligible users may use a request for
 1360  quote to obtain written pricing or services information from a
 1361  state term contract vendor for commodities or contractual
 1362  services available on state term contract from that vendor. The
 1363  purpose of a request for quote is to determine whether a price,
 1364  term, or condition more favorable to the agency or eligible user
 1365  than that provided in the state term contract is available. Use
 1366  of a request for quote does not constitute a decision or
 1367  intended decision that is subject to protest under s. 120.57(3).
 1368         Section 15. Subsections (14) and (17) of section 287.057,
 1369  Florida Statutes, are amended to read:
 1370         287.057 Procurement of commodities or contractual
 1371  services.—
 1372         (14) For each contractual services contract, the agency
 1373  shall designate an employee to function as contract manager who
 1374  shall be responsible for enforcing performance of the contract
 1375  terms and conditions and serve as a liaison with the contractor.
 1376  Each contract manager who is responsible for contracts in excess
 1377  of the threshold amount for CATEGORY TWO must attend training
 1378  conducted by the Chief Financial Officer for accountability in
 1379  contracts and grant management. The Chief Financial Officer
 1380  shall establish and disseminate uniform procedures pursuant to
 1381  s. 17.03(3) to ensure that contractual services have been
 1382  rendered in accordance with the contract terms before the agency
 1383  processes the invoice for payment. The procedures shall include,
 1384  but need not be limited to, procedures for monitoring and
 1385  documenting contractor performance, reviewing and documenting
 1386  all deliverables for which payment is requested by vendors, and
 1387  providing written certification by contract managers of the
 1388  agency’s receipt of goods and services. The Department shall
 1389  adopt rules to be used by agencies to manage contracts.
 1390         (17)(a)1. Each agency must avoid, neutralize, or mitigate
 1391  significant potential organizational conflicts of interest
 1392  before a contract is awarded.
 1393         1. If the agency elects to mitigate the significant
 1394  potential organizational conflict or conflicts of interest, an
 1395  adequate mitigation plan, including organizational, physical,
 1396  and electronic barriers, shall be developed.
 1397         2. If a conflict cannot be avoided or mitigated, an agency
 1398  may proceed with the contract award if the agency head certifies
 1399  that the award is in the best interests of the state. The agency
 1400  head must specify in writing the basis for the certification.
 1401         (b)1. An agency head may not proceed with a contract award
 1402  under subparagraph (a)2. if a conflict of interest is based upon
 1403  the vendor gaining an unfair competitive advantage.
 1404         2. An unfair competitive advantage exists if when the
 1405  vendor competing for the award of a contract obtained:
 1406         1.a. Access to information that is not available to the
 1407  public and would assist the vendor in obtaining the contract; or
 1408         2.b. Source selection information that is relevant to the
 1409  contract but is not available to all competitors and that would
 1410  assist the vendor in obtaining the contract.
 1411         (c) A person who receives a contract that has not been
 1412  procured pursuant to subsections (1)-(3) to perform a
 1413  feasibility study of the potential implementation of a
 1414  subsequent contract, who participates in the drafting of a
 1415  solicitation or who develops a program for future
 1416  implementation, is not eligible to contract with the agency for
 1417  any other contracts dealing with that specific subject matter,
 1418  and any firm in which such person has any interest is not
 1419  eligible to receive such contract. However, this prohibition
 1420  does not prevent a vendor who responds to a request for
 1421  information from being eligible to contract with an agency.
 1422         Section 16. Section 45 of chapter 2010-151, Laws of
 1423  Florida, is amended to read:
 1424         Section 45. Contracts for academic program reviews,
 1425  auditing services, health services, or Medicaid services are
 1426  subject to the transaction or user fees imposed under ss.
 1427  287.042(1)(h) and 287.057(22), Florida Statutes, only to the
 1428  extent that such contracts were not subject to such transaction
 1429  or user fees before July 1, 2010.
 1430         Section 17. The Agency for Enterprise Information
 1431  Technology is transferred by a type one transfer, as defined in
 1432  s. 20.06(1), Florida Statutes, from the Executive Office of the
 1433  Governor to the Department of Management Services.
 1434         Section 18. The Northwood Shared Resource Center is
 1435  transferred by a type one transfer, as defined in s. 20.06(1),
 1436  Florida Statutes, from the Department of Children and Family
 1437  Services to the Department of Management Services.
 1438         Section 19. The Agency for Enterprise Information
 1439  Technology, in coordination with the Southwood Shared Resource
 1440  Center, shall provide a written status report to the Executive
 1441  Office of the Governor and to the chairs of the legislative
 1442  appropriations committees detailing the progress made by the
 1443  agencies required to migrate, pursuant to s. 282.34(4)(a)1.,
 1444  Florida Statutes, to the statewide e-mail service by June 30,
 1445  2012. The status report must be provided every 6 months,
 1446  beginning September 1, 2011, until implementation is compete.
 1447         Section 20. This act shall take effect July 1, 2011.