Florida Senate - 2011 (PROPOSED COMMITTEE BILL) SPB 7092
FOR CONSIDERATION By the Committee on Budget
576-02251B-11 20117092__
1 A bill to be entitled
2 An act relating to the consolidation of state
3 information technology services; transferring,
4 renumbering, and amending s. 14.204, F.S.;
5 establishing the Agency for Enterprise Information
6 Technology in the Department of Management Services
7 rather than the Executive Office of the Governor;
8 revising the duties of the agency to include the
9 planning, project management, and implementation of
10 the enterprise information technology services;
11 requiring the agency to submit a plan to the
12 Legislative Budget Commission for aggregating
13 information technology purchases; deleting references
14 to the Office of Information Security and the Agency
15 Chief Information Officers Council; amending s.
16 282.0041, F.S.; revising definitions; amending s.
17 282.0056, F.S.; revising provisions relating to the
18 agency’s annual work plan; amending s. 282.201, F.S.;
19 revising the duties of the agency; deleting obsolete
20 provisions; providing a schedule for the
21 consolidations of state agency data centers; requiring
22 agencies to update their service-level agreements and
23 to develop consolidation plans; requiring the Agency
24 for Enterprise Information Technology to submit a
25 status report to the Governor and Legislature and to
26 develop a comprehensive transition plan; requiring
27 primary data centers to develop transition plans;
28 revising agency limitations relating to technology
29 services; amending s. 282.203, F.S.; deleting obsolete
30 provisions; revising duties of primary data centers
31 relating to state agency resources and equipment
32 relinquished to the centers; requiring state agencies
33 to relinquish all administrative access rights to
34 certain resources and equipment upon consolidation;
35 providing for the appointment of alternate board
36 members; revising provisions relating to state agency
37 representation on data center boards; conforming a
38 cross-reference; amending s. 282.204, F.S.;
39 establishing the Northwood Shared Resource Center in
40 the Department of Management Services rather than the
41 Department of Children and Family Services; creating
42 s. 282.206, F.S.; establishing the Northwest Regional
43 Data Center as a primary data center; providing for a
44 board of trustees and subjecting the board to the
45 rules of the Agency for Enterprise Information
46 Technology; repealing s. 282.315, F.S., relating to
47 the Agency Chief Information Officers Council;
48 amending s. 282.318, F.S.; deleting references to the
49 Office of Information Security with respect to
50 responsibility for enterprise security; deleting
51 obsolete provisions; amending s. 282.33, F.S.;
52 deleting an obsolete provision; revising the schedule
53 for the Agency for Enterprise Information Technology
54 to submit certain recommendations to the Legislature;
55 amending s. 282.34, F.S.; revising the schedule for
56 migrating state agencies to the statewide e-mail
57 system; revising limitations on state agencies;
58 revising the requirements for rules adopted by the
59 Agency for Enterprise Information Technology; creating
60 s. 282.35, F.S.; providing for a statewide desktop
61 service as an enterprise information technology
62 service to be provided by the Department of Management
63 Services; requiring the Agency for Enterprise
64 Information Technology to develop a plan for the
65 establishment of the service and submit such plan to
66 the Governor and Legislature by a certain date;
67 specifying the contents of the plan; providing agency
68 limitations with respect to such services and
69 exceptions from such limitations if granted by the
70 agency; amending ss. 287.042 and 287.057, F.S.;
71 directing the department to adopt rules establishing
72 conditions under which an agency may be exempted from
73 using a state term contract or purchasing agreement;
74 conforming provisions to changes made by the act;
75 amending s. 287.057, F.S.; authorizing the department
76 to adopt rules to be used by agencies to manage
77 contracts; deleting a prohibition against an entity
78 contracting to provide a feasibility study on certain
79 subject matter from contracting with an agency for
80 that subject matter; amending s. 45 of chapter 2010
81 151, Laws of Florida; providing that certain contracts
82 are subject to transaction fees; transferring the
83 Agency for Enterprise Information Technology and the
84 Northwood Shared Resource Center to the Department of
85 Management Services; requiring the agency to
86 coordinate with the Southwood Shared Resource Center
87 to provide a status report to the Executive Office of
88 the Governor and to the Legislature; providing an
89 effective date.
90
91 Be It Enacted by the Legislature of the State of Florida:
92
93 Section 1. Section 14.204, Florida Statutes, is
94 transferred, renumbered as s. 282.0054, Florida Statutes, and
95 amended to read:
96 282.0054 14.204 Agency for Enterprise Information
97 Technology.—The Agency for Enterprise Information Technology is
98 created within the Department of Management Services Executive
99 Office of the Governor.
100 (1) The head of the agency shall be the Governor and
101 Cabinet.
102 (2) The agency is a separate budget entity and is not
103 subject to control, supervision, or direction by the department
104 Executive Office of the Governor, including, but not limited to,
105 purchasing, transactions involving real or personal property,
106 personnel, or budgetary matters.
107 (3) The agency shall have an executive director who is the
108 state’s Chief Information Officer and who must:
109 (a) Have a degree from an accredited postsecondary
110 institution;
111 (b) Have at least 7 years of executive-level experience in
112 managing information technology organizations; and
113 (c) Be appointed by the Governor and confirmed by the
114 Cabinet, subject to confirmation by the Senate, and serve at the
115 pleasure of the Governor and Cabinet.
116 (4) The agency shall have the following duties and
117 responsibilities:
118 (a) Develop strategies for the design, planning, project
119 management, implementation, delivery, and management of the
120 enterprise information technology services established in law,
121 including the state data center system service established in s.
122 282.201, the information technology security service established
123 in s. 282.318, and the statewide e-mail service established in
124 s. 282.34.
125 (b) Monitor the implementation, delivery, and management of
126 the enterprise information technology services as established in
127 law.
128 (c) Make recommendations to the agency head and the
129 Legislature concerning other information technology services
130 that should be designed, delivered, and managed as enterprise
131 information technology services as defined in s. 282.0041.
132 (d) Plan and establish policies for managing proposed
133 statutorily authorized enterprise information technology
134 services, which includes:
135 1. Developing business cases that, when applicable, include
136 the components identified in s. 287.0571;
137 2. Establishing and coordinating project-management teams;
138 3. Establishing formal risk-assessment and mitigation
139 processes; and
140 4. Providing for independent monitoring of projects for
141 recommended corrective actions.
142 (e) Beginning October 1, 2010, Develop, publish, and
143 biennially update a long-term strategic enterprise information
144 technology plan that identifies and recommends strategies and
145 opportunities to improve the delivery of cost-effective and
146 efficient enterprise information technology services to be
147 proposed for establishment pursuant to s. 282.0056.
148 (f) Perform duties related to enterprise information
149 technology services, including the state data center system
150 established in as provided in s. 282.201, the information
151 technology security service established in s. 282.318, and the
152 statewide e-mail service established in s. 282.34.
153 (g) Coordinate acquisition planning, using aggregate buying
154 methodologies whenever possible, and procurement negotiations
155 for hardware and software products and services in order to
156 improve the efficiency and reduce the cost of enterprise
157 information technology services.
158 1. State agencies must submit a copy of all information
159 relating to technology purchases for commodities and services in
160 excess of $10,000 to the agency for review in order to identify
161 areas suitable for future aggregation and standardization.
162 2. By December 31, 2011, the agency shall submit to the
163 Legislative Budget Commission for approval a plan recommending
164 information technology purchases of specific commodities and
165 services suitable for aggregate purchasing and providing
166 estimates of the savings from aggregating such purchases.
167 3. Contingent on approval of the plan under subparagraph
168 2., state agencies shall cooperate with the agency.
169 4. Exemptions from subparagraph 3. may be granted by the
170 department’s Division of Purchasing if in the best interest of
171 the state.
172 (h) In consultation with the Division of Purchasing in the
173 department of Management Services, coordinate procurement
174 negotiations for information technology products as defined in
175 s. 282.0041 which will be used by multiple agencies.
176 (i) In coordination with, and through the services of, the
177 Division of Purchasing in the department of Management Services,
178 establish best practices for the procurement of information
179 technology products as defined in s. 282.0041 in order to
180 achieve savings for the state.
181 (j) Develop information technology standards for the
182 efficient design, planning, project management, implementation,
183 and delivery of enterprise information technology services. All
184 state agencies must make the transition to the new standards.
185 (k) Provide annually, by December 31, recommendations to
186 the Legislature relating to techniques for consolidating the
187 purchase of information technology commodities and services,
188 which result in savings for the state, and for establishing a
189 process to achieve savings through consolidated purchases.
190 (5) The Office of Information Security shall be created
191 within the agency. The agency shall designate a state Chief
192 Information Security Officer who shall oversee the office and
193 report directly to the executive director.
194 (6) The agency shall operate in a manner that ensures the
195 participation and representation of state agencies and the
196 Agency Chief Information Officers Council established in s.
197 282.315.
198 (7) The agency may adopt rules to carry out its statutory
199 duties.
200 Section 2. Present subsections (4) through (30) of section
201 282.0041, Florida Statutes, are redesignated as subsections (3)
202 through (29), respectively, and present subsections (3), (4),
203 and (19) of that section are amended, to read:
204 282.0041 Definitions.—As used in this chapter, the term:
205 (3) “Agency Chief Information Officers Council” means the
206 council created in s. 282.315.
207 (3)(4) “Agency for Enterprise Information Technology” means
208 the agency created in s. 282.0054 14.204.
209 (18)(19) “Primary data center” means a state or nonstate
210 agency data center that is a recipient entity for consolidation
211 of nonprimary data centers and computing facilities and that is.
212 A primary data center may be authorized by in law or designated
213 by the Agency for Enterprise Information Technology pursuant to
214 s. 282.201.
215 Section 3. Subsection (1) of section 282.0056, Florida
216 Statutes, is amended to read:
217 282.0056 Development of work plan; development of
218 implementation plans; and policy recommendations.—
219 (1) For the purposes of carrying out its responsibilities
220 under s. 282.0055, the Agency for Enterprise Information
221 Technology shall develop an annual work plan within 60 days
222 after the beginning of the fiscal year describing the activities
223 that the agency intends to undertake for that year, including
224 proposed outcomes and completion timeframes for the planning and
225 implementation of all enterprise information technology
226 services. The work plan must be presented at a public hearing,
227 that includes the Agency Chief Information Officers Council,
228 which may review and comment on the plan. The work plan must
229 thereafter be approved by the Governor and Cabinet, and
230 submitted to the President of the Senate and the Speaker of the
231 House of Representatives. The work plan may be amended as
232 needed, subject to approval by the Governor and Cabinet.
233 Section 4. Subsection (2) of section 282.201, Florida
234 Statutes, is amended, present subsections (4) and (5) of that
235 section are renumbered as subsections (5) and (6), respectively,
236 and amended, a new subsection (4) is added to that section, to
237 read:
238 282.201 State data center system; agency duties and
239 limitations.—A state data center system that includes all
240 primary data centers, other nonprimary data centers, and
241 computing facilities, and that provides an enterprise
242 information technology service as defined in s. 282.0041, is
243 established.
244 (2) AGENCY FOR ENTERPRISE INFORMATION TECHNOLOGY DUTIES.
245 The Agency for Enterprise Information Technology shall:
246 (a) Collect and maintain information necessary for
247 developing policies relating to the data center system,
248 including, but not limited to, an inventory of facilities.
249 (b) Annually approve cost-recovery mechanisms and rate
250 structures for primary data centers which recover costs through
251 charges to customer entities.
252 (c) By September 30 December 31 of each year, submit
253 recommendations to the Executive Office of the Governor and the
254 chairs of the legislative appropriations committees Legislature
255 recommendations to improve the efficiency and cost-effectiveness
256 effectiveness of computing services provided by state data
257 center system facilities. Such recommendations must may include,
258 but need not be limited to:
259 1. Policies for improving the cost-effectiveness and
260 efficiency of the state data center system and the associated
261 cost savings resulting from their implementation.
262 2. Infrastructure improvements supporting the consolidation
263 of facilities or preempting the need to create additional data
264 centers or computing facilities.
265 3. Standards for an objective, credible energy performance
266 rating system that data center boards of trustees can use to
267 measure state data center energy consumption and efficiency on a
268 biannual basis.
269 3.4. Uniform disaster recovery standards.
270 4.5. Standards for primary data centers which provide cost
271 effective services and providing transparent financial data to
272 user agencies.
273 5.6. Consolidation of contract practices or coordination of
274 software, hardware, or other technology-related procurements and
275 the associated cost savings.
276 6.7. Improvements to data center governance structures.
277 (d) By October 1 of each year beginning in 2011, provide
278 recommendations 2009, recommend to the Governor and Legislature
279 relating to changes to the schedule for the consolidations of
280 state agency data centers as provided in subsection (4) at least
281 two nonprimary data centers for consolidation into a primary
282 data center or nonprimary data center facility.
283 1. The consolidation proposal must provide a transition
284 plan that includes:
285 a. Estimated transition costs for each data center or
286 computing facility recommended for consolidation;
287 b. Detailed timeframes for the complete transition of each
288 data center or computing facility recommended for consolidation;
289 c. Proposed recurring and nonrecurring fiscal impacts,
290 including increased or decreased costs and associated budget
291 impacts for affected budget entities;
292 d. Substantive legislative changes necessary to implement
293 the transition; and
294 e. Identification of computing resources to be transferred
295 and those that will remain in the agency. The transfer of
296 resources must include all hardware, software, staff, contracted
297 services, and facility resources performing data center
298 management and operations, security, backup and recovery,
299 disaster recovery, system administration, database
300 administration, system programming, job control, production
301 control, print, storage, technical support, help desk, and
302 managed services but excluding application development.
303 1.2. The recommendations must shall be based on the goal of
304 maximizing current and future cost savings. The agency shall
305 consider the following criteria for managing and coordinating in
306 selecting consolidations that maximize efficiencies by providing
307 the ability to:
308 a. Consolidate purchase decisions;
309 b. Leverage expertise and other resources to gain economies
310 of scale;
311 c. Implement state information technology policies more
312 effectively;
313 d. Maintain or improve the level of service provision to
314 customer entities; and
315 e. Make progress towards the state’s goal of consolidating
316 data centers and computing facilities into primary data centers.
317 2.3. The agency shall establish workgroups as necessary to
318 ensure participation by affected agencies in the development of
319 recommendations related to consolidations.
320 (e) By December 31, 2010, the agency shall develop and
321 submit to the Legislature an overall consolidation plan for
322 state data centers. The plan shall indicate a timeframe for the
323 consolidation of all remaining nonprimary data centers into
324 primary data centers, including existing and proposed primary
325 data centers, by 2019.
326 (e)(f) Develop and establish rules relating to the
327 operation of the state data center system which comply with
328 applicable federal regulations, including 2 C.F.R. part 225 and
329 45 C.F.R. The agency shall publish notice of rule development in
330 the Florida Administrative weekly by October 1, 2011. The rules
331 may address:
332 1. Ensuring that financial information is captured and
333 reported consistently and accurately.
334 2. Requiring compliance with standards for hardware and
335 operations software, including security and network
336 infrastructure for the primary data centers, to enable the
337 efficient consolidation of the agency data centers or computing
338 facilities, and providing an exemption process from compliance
339 with such standards, which must be consistent with s.
340 282.203(5)(b).
341 2. Requiring the establishment of service-level agreements
342 executed between a data center and its customer entities for
343 services provided.
344 3. Requiring annual full cost recovery on an equitable
345 rational basis. The cost-recovery methodology must ensure that
346 no service is subsidizing another service and may include
347 adjusting the subsequent year’s rates as a means to recover
348 deficits or refund surpluses from a prior year.
349 4. Requiring that any special assessment imposed to fund
350 expansion is based on a methodology that apportions the
351 assessment according to the proportional benefit to each
352 customer entity.
353 5. Requiring that rebates be given when revenues have
354 exceeded costs, that rebates be applied to offset charges to
355 those customer entities that have subsidized the costs of other
356 customer entities, and that such rebates may be in the form of
357 credits against future billings.
358 6. Requiring that all service-level agreements have a
359 contract term of up to 3 years, but may include an option to
360 renew for up to 3 additional years contingent on approval by the
361 board, and require at least a 180-day notice of termination.
362 7. Designating any nonstate data center as a primary data
363 center if the center:
364 a. Has an established governance structure that represents
365 customer entities proportionally.
366 b. Maintains an appropriate cost-allocation methodology
367 that accurately bills a customer entity based on the actual
368 direct and indirect costs to the customer entity, and prohibits
369 the subsidization of one customer entity’s costs by another
370 entity.
371 c. Has sufficient raised floor space, cooling, and
372 redundant power capacity, including uninterruptible power supply
373 and backup power generation, to accommodate the computer
374 processing platforms and support necessary to host the computing
375 requirements of additional customer entities.
376 8. Removing a nonstate data center from primary data center
377 designation if the nonstate data center fails to meet standards
378 necessary to ensure that the state’s data is maintained pursuant
379 to subparagraph 7.
380 (4) SCHEDULE FOR CONSOLIDATIONS OF AGENCY DATA CENTERS.—
381 (a) Consolidations of agency data centers shall be made by
382 the date and to the specified primary data center as provided in
383 this section and in accordance with budget adjustments contained
384 in the General Appropriations Act.
385 (b) During the 2011-2012 fiscal year, the following shall
386 be consolidated into the Northwest Regional Data Center:
387 1. By December 31, 2011, the College Center for Library
388 Automation.
389 2. By December 31, 2011, the Florida Center for Library
390 Automation.
391 3. By December 31, 2011, the Department of Education,
392 including the computing services and resources of:
393 a. The Knott Data Center in the Turlington Building;
394 b. The Division of Vocational Rehabilitation;
395 c. The Division of Blind Services, except for the
396 division’s disaster recovery site in Daytona Beach;
397 d. The FCAT Explorer; and
398 e. FACTS.org.
399 (c) During the 2011-2012 fiscal year, the following shall
400 be consolidated into the Southwood Shared Resource Center:
401 1. By September 30, 2011, the Department of Corrections.
402 2. By March 31, 2012, the Department of Transportation’s
403 Burns Office Building.
404 3. By March 31, 2012, the Department of Transportation’s
405 Survey & Mapping Office.
406 (d) During the 2011-2012 fiscal year, the following shall
407 be consolidated into the Northwood Shared Resource Center:
408 1. By July 1, 2011, the Department of Transportation’s
409 Office of Motor Carrier Compliance.
410 2. By December 31, 2011, the Department of Highway Safety
411 and Motor Vehicles.
412 (e) During the 2012-2013 fiscal year, the following are
413 proposed for consolidation into the Southwood Shared Resource
414 Center:
415 1. By September 30, 2012, the Division of Emergency
416 Management and the Department of Community Affairs, except for
417 the department’s Camp Blanding Emergency Operations Center in
418 Starke.
419 2. By September 30, 2012, the Department of Revenue’s
420 Carlton and Taxworld Building L locations.
421 3. By December 31, 2012, the Department of Health’s
422 laboratories and all remaining data center resources, except for
423 the department’s Jacksonville Lab Data Center.
424 (f) During the 2012-2013 fiscal year, the following are
425 proposed for consolidation into the Northwood Shared Resource
426 Center:
427 1. By July 1, 2012, the Agency for Health Care
428 Administration.
429 2. By December 31, 2012, the Department of Environmental
430 Protection.
431 3. By March 30, 2013, the Department of Law Enforcement.
432 (g) During the 2013-2014 fiscal year, the following
433 agencies shall work with the Agency for Enterprise Information
434 Technology to begin preliminary planning for consolidation into
435 a primary data center:
436 1. The Department of the Lottery’s headquarters.
437 2. The Department of Legal Affairs.
438 3. The Fish and Wildlife Conservation Commission, except
439 for the commission’s Fish and Wildlife Research Institute in St.
440 Petersburg.
441 4. The Executive Office of the Governor.
442 5. The Department of Veterans Affairs.
443 6. The Department of Elderly Affairs.
444 7. The Department of Financial Services’ Hartman, Larson,
445 and Fletcher Building Data Centers.
446 8. The Department of Agriculture and Consumer Services’
447 Agriculture Management Information Center in the Mayo Building
448 and Division of Licensing.
449 (h) During the 2014-2015 fiscal year, the following
450 agencies shall work with the Agency for Enterprise Information
451 Technology to begin preliminary planning for consolidation into
452 a primary data center:
453 1. The Department of Health’s Jacksonville Lab Data Center.
454 2. The Department of Transportation’s district offices,
455 toll offices, and the District Materials Office.
456 3. The Department of Military Affairs’ Camp Blanding Joint
457 Training Center in Starke.
458 4. The Department of Community Affairs’ Camp Blanding
459 Emergency Operations Center in Starke.
460 5. The Department of Education’s Division of Blind Services
461 disaster recovery site in Daytona Beach.
462 6. The Department of Education’s disaster recovery site in
463 Sante Fe College.
464 7. The Department of the Lottery’s Disaster Recovery Backup
465 Data Center in Orlando.
466 8. The Fish and Wildlife Conservation Commission’s Fish and
467 Wildlife Research Institute in St. Petersburg.
468 9. The Department of Children and Family Services’s
469 Suncoast Data Center in Tampa.
470 10. The Department of Children and Family Services’ Florida
471 State Hospital in Chattahoochee.
472 (i) During the 2015-2016 fiscal year, all computing
473 resources remaining within an agency nonprimary data center or
474 computing facility shall be transferred to a primary data center
475 for consolidation unless otherwise required to remain in the
476 agency for specific business reasons. Such data centers,
477 computing facilities, and resource shall be identified by the
478 Agency for Enterprise Information Technology by October 1, 2014.
479 (j) Any agency that is consolidating agency data centers
480 into a primary data center must execute or update its existing
481 service-level agreement within 2 months after the specified
482 consolidation date, as required by s. 282.203(1)(i), in order to
483 specify the services and levels of service it is to receive from
484 the primary data center as a result of the consolidation. If an
485 agency is unable to complete and execute a service-level
486 agreement by that date, the agency shall submit a report to the
487 Executive Office of the Governor and to the chairs of the
488 legislative appropriations committees within 5 working days,
489 explaining the specific issues preventing execution and
490 describing its plan and schedule for resolving those issues.
491 (k) Beginning September 1, 2011, and every 6 months
492 thereafter until data center consolidations are complete, the
493 Agency for Enterprise Information Technology shall provide a
494 status report on the consolidations that are required to be
495 completed during the fiscal year. The report shall be submitted
496 to the Executive Office of the Governor and the chairs of the
497 legislative appropriations committees. The report must, at a
498 minimum, describe:
499 1. Whether the consolidation is on schedule, including
500 progress on achieving the milestones necessary for successful
501 and timely consolidation of scheduled agency data centers and
502 computing facilities; and
503 2. The risks that may affect the progress or outcome of the
504 consolidation and how these risks are being addressed,
505 mitigated, or managed.
506 (l) Each agency required to plan for consolidation into a
507 primary data center shall submit a draft consolidation plan to
508 the Agency for Enterprise Information Technology by September 1
509 of the fiscal year before the fiscal year in which the scheduled
510 consolidation will occur. Transition plans shall be developed in
511 consultation with the appropriate primary data centers and the
512 Agency for Enterprise Information Technology, and must include:
513 1. A recommendation as to which primary data center is most
514 appropriate for the agency’s consolidation if not the one
515 proposed;
516 2. An inventory of the agency data center’s resources being
517 consolidated, including all hardware, software, staff, and
518 contracted services, and the facility resources performing data
519 center management and operations, security, backup and recovery,
520 disaster recovery, system administration, database
521 administration, system programming, job control, production
522 control, print, storage, technical support, help desk, and
523 managed services, but excluding application development;
524 3. A description of the level of services needed to meet
525 the technical and operational requirements of the platforms
526 being consolidated;
527 4. A description of resources for computing services
528 proposed to remain in the department;
529 5. A timetable with significant milestones for the
530 completion of the consolidation;
531 6. An estimate of the agency’s current-year cost to
532 support, house, and manage the data center functions in
533 subparagraph 2.; and
534 7. The specific recurring and nonrecurring budget
535 adjustments by appropriation category that are required during
536 the year in which the data center is consolidated in order to
537 transfer sufficient budget resources into the appropriate data
538 processing category pursuant to legislative budget instructions
539 as provided by s. 216.023.
540 (m) Each primary data center shall develop a transition
541 plan for absorbing the transfer of agency data center resources
542 based upon the timetables for transition as recommended by the
543 Agency for Enterprise Information Technology. The plan shall be
544 submitted to the Agency for Enterprise Information Technology,
545 the Executive Office of the Governor, and the chairs of the
546 legislative appropriations committees by September 30 of the
547 fiscal year before the fiscal year in which the scheduled
548 consolidations will occur. Each plan must include:
549 1. An estimate of the cost to provide data center services
550 for each agency scheduled for consolidation;
551 2. A staffing plan that identifies the projected staffing
552 needs and requirements based on the estimated workload
553 identified in the agency transition plan;
554 3. The fiscal year adjustments to budget categories in
555 order to absorb the transfer of agency data center resources
556 pursuant to the legislative budget request instructions provided
557 in s. 216.023;
558 4. An analysis of the cost effects resulting from the
559 planned consolidations on existing agency customers; and
560 5. A description of any issues that must be resolved in
561 order to accomplish as efficiently and effectively as possible
562 all consolidations required during the fiscal year.
563 (n) The Agency for Enterprise Information Technology shall
564 develop a comprehensive transition plan, which shall be
565 submitted by October 15th of the fiscal year before the fiscal
566 year in which the scheduled consolidations will occur to each
567 primary data center, the Executive Office of the Governor, and
568 the chairs of the legislative appropriations committees. The
569 transition plan shall be developed in consultation with agencies
570 submitting agency transition plans and with the affected primary
571 data centers. The comprehensive transition plan must include:
572 1. Recommendations for accomplishing the proposed
573 transitions as efficiently and effectively as possible with
574 minimal disruption to customer agency business processes;
575 2. Strategies to minimize risks associated with any of the
576 proposed consolidations;
577 3. A compilation of the agency transition plans submitted
578 by agencies scheduled for consolidation for the following fiscal
579 year;
580 4. Revisions to any budget adjustments provided in the
581 agency or primary data center transition plans; and
582 5. Other revisions as appropriate, including recommended
583 changes in final primary data center destination or schedule for
584 any agency data center consolidation.
585 (o) Any data center planned for consolidation after the
586 2011-2012 fiscal year may move to a primary data center before
587 the scheduled consolidation date.
588 (5)(4) AGENCY LIMITATIONS.—
589 (a) Unless authorized by the Legislature or as provided in
590 paragraphs (b) and (c), a state agency may not:
591 1. Create a new computing facility or data center, or
592 expand the capability to support additional computer equipment
593 in an existing computing facility or nonprimary data center;
594 2. Spend funds before the agency’s scheduled consolidation
595 into a primary data center to purchase or modify hardware or
596 operations software that does not comply with hardware and
597 software standards established by the Agency for Enterprise
598 Information Technology pursuant to s. 282.202(2)(e) for the
599 efficient consolidation of the agency data centers or computing
600 facilities;
601 3.2. Transfer existing computer services to any data center
602 other than a primary nonprimary data center or computing
603 facility;
604 4.3. Terminate services with a primary data center or
605 transfer services between primary data centers without giving
606 written notice of intent to terminate or transfer services 180
607 days before such termination or transfer; or
608 5.4. Initiate a new computer service if it does not
609 currently have an internal data center except with a primary
610 data center.
611 (b) Exceptions to the limitations in subparagraphs (a)1.,
612 2., 3., and 5. 4. may be granted by the Agency for Enterprise
613 Information Technology if there is insufficient capacity in a
614 primary data center to absorb the workload associated with
615 agency computing services, if expenditures are compatible with
616 the scheduled consolidation, or if the equipment or resources
617 are needed to maintain agency data center services and cannot be
618 satisfied from surplus equipment or resources of the primary
619 data center until the agency data center is consolidated.
620 1. A request for an exception must be submitted in writing
621 to the Agency for Enterprise Information Technology. The agency
622 must accept, accept with conditions, or deny the request within
623 60 days after receipt of the written request. The agency’s
624 decision is not subject to chapter 120.
625 2. At a minimum, the agency may not approve a request
626 unless it includes:
627 a. Documentation approved by the primary data center’s
628 board of trustees which confirms that the center cannot meet the
629 capacity requirements of the agency requesting the exception
630 within the current fiscal year.
631 b. A description of the capacity requirements of the agency
632 requesting the exception.
633 c. Documentation from the agency demonstrating why it is
634 critical to the agency’s mission that the expansion or transfer
635 must be completed within the fiscal year rather than when
636 capacity is established at a primary data center.
637 (c) Exceptions to subparagraph (a)4. (a)3. may be granted
638 by the board of trustees of the primary data center if the
639 termination or transfer of services can be absorbed within the
640 current cost-allocation plan.
641 (d) Upon the termination of or transfer of agency computing
642 services from the primary data center, the primary data center
643 shall require information sufficient to determine compliance
644 with this section. If a primary data center determines that an
645 agency is in violation of this section, it shall report the
646 violation to the Agency for Enterprise Information Technology.
647 (6)(5) RULES.—The Agency for Enterprise Information
648 Technology may is authorized to adopt rules pursuant to ss.
649 120.536(1) and 120.54 to administer the provisions of this part
650 relating to the state data center system including the primary
651 data centers.
652 Section 5. Paragraphs (f) through (l) of subsection (1),
653 paragraph (a) of subsection (2), and paragraph (j) of subsection
654 (3) of section 282.203, Florida Statutes, are amended to read:
655 282.203 Primary data centers.—
656 (1) DATA CENTER DUTIES.—Each primary data center shall:
657 (f) By December 31, 2010, submit organizational plans that
658 minimize the annual recurring cost of center operations and
659 eliminate the need for state agency customers to maintain data
660 center skills and staff within their agency. The plans shall:
661 1. Establish an efficient organizational structure
662 describing the roles and responsibilities of all positions and
663 business units in the centers;
664 2. Define a human resources planning and management process
665 that shall be used to make required center staffing decisions;
666 and
667 3. Develop a process for projecting staffing requirements
668 based on estimated workload identified in customer agency
669 service level agreements.
670 (f)(g) Maintain the performance of the facility, which
671 includes ensuring proper data backup, data backup recovery, an
672 effective disaster recovery plan, and appropriate security,
673 power, cooling and fire suppression, and capacity.
674 (g)(h) Develop a business continuity plan and conduct a
675 live exercise of the plan at least annually. The plan must be
676 approved by the board and the Agency for Enterprise Information
677 Technology.
678 (h)(i) Enter into a service-level agreement with each
679 customer entity to provide services as defined and approved by
680 the board in compliance with rules of the Agency for Enterprise
681 Information Technology. A service-level agreement may not have a
682 term exceeding 3 years but may include an option to renew for up
683 to 3 years contingent on approval by the board.
684 1. A service-level agreement, at a minimum, must:
685 a. Identify the parties and their roles, duties, and
686 responsibilities under the agreement;
687 b. Identify the legal authority under which the service
688 level agreement was negotiated and entered into by the parties;
689 c. State the duration of the contractual term and specify
690 the conditions for contract renewal;
691 d. Prohibit the transfer of computing services between
692 primary data center facilities without at least 180 days’ notice
693 of service cancellation;
694 e. Identify the scope of work;
695 f. Identify the products or services to be delivered with
696 sufficient specificity to permit an external financial or
697 performance audit;
698 g. Establish the services to be provided, the business
699 standards that must be met for each service, the cost of each
700 service, and the process by which the business standards for
701 each service are to be objectively measured and reported;
702 h. Identify applicable funds and funding streams for the
703 services or products under contract;
704 i. Provide a timely billing methodology for recovering the
705 cost of services provided to the customer entity;
706 j. Provide a procedure for modifying the service-level
707 agreement to address changes in projected costs of service;
708 k. Provide that a service-level agreement may be terminated
709 by either party for cause only after giving the other party and
710 the Agency for Enterprise Information Technology notice in
711 writing of the cause for termination and an opportunity for the
712 other party to resolve the identified cause within a reasonable
713 period; and
714 l. Provide for mediation of disputes by the Division of
715 Administrative Hearings pursuant to s. 120.573.
716 2. A service-level agreement may include:
717 a. A dispute resolution mechanism, including alternatives
718 to administrative or judicial proceedings;
719 b. The setting of a surety or performance bond for service
720 level agreements entered into with nonstate agency primary data
721 centers established by law, which may be designated by the
722 Agency for Enterprise Information Technology; or
723 c. Additional terms and conditions as determined advisable
724 by the parties if such additional terms and conditions do not
725 conflict with the requirements of this section or rules adopted
726 by the Agency for Enterprise Information Technology.
727 3. The failure to execute a service-level agreement within
728 60 days after service commencement shall, in the case of an
729 existing customer entity, result in a continuation of the terms
730 of the service-level agreement from the prior fiscal year,
731 including any amendments that were formally proposed to the
732 customer entity by the primary data center within the 3 months
733 before service commencement, and a revised cost-of-service
734 estimate. If a new customer entity fails to execute an agreement
735 within 60 days after service commencement, the data center may
736 cease services.
737 (i)(j) Plan, design, establish pilot projects for, and
738 conduct experiments with information technology resources, and
739 implement enhancements in services if such implementation is
740 cost-effective and approved by the board.
741 (j)(k) Enter into a memorandum of understanding with the
742 agency where the data center is administratively located which
743 establishes the services to be provided by that agency to the
744 data center and the cost of such services.
745 (k)(l) Be the custodian of resources and equipment that are
746 located, operated, supported, and managed by the center for the
747 purposes of chapter 273, except for resources and equipment
748 located, operated, supported, and managed by the Northwest
749 Regional Data Center.
750 (l) Assume administrative access rights to the resources
751 and equipment, such as servers, network components, and other
752 devices that are consolidated into the primary data center.
753 1. Upon the date of each consolidation specified in s.
754 282.201, the General Appropriations Act, or the Laws of Florida,
755 each agency shall relinquish all administrative access rights to
756 such resources and equipment.
757 2. Each primary data center shall provide its customer
758 agencies with the appropriate level of access to applications,
759 servers, network components, and other devices necessary for
760 agencies to perform their core business activities and
761 functions.
762 (2) BOARD OF TRUSTEES.—Each primary data center shall be
763 headed by a board of trustees as defined in s. 20.03.
764 (a) The members of the board shall be appointed by the
765 agency head or chief executive officer of the representative
766 customer entities of the primary data center and shall serve at
767 the pleasure of the appointing customer entity. Each agency head
768 or chief executive officer may appoint an alternate member for
769 each board member appointed pursuant to this subsection.
770 1. During the first fiscal year that a state agency is to
771 consolidate its data center operations to a primary data center
772 and for the following full fiscal year, the agency shall have a
773 single trustee having one vote on the board of the state primary
774 data center where it is to consolidate, unless it is entitled in
775 the second year to a greater number of votes as provided in
776 subparagraph 3. For each of the first 2 fiscal years that a
777 center is in operation, membership shall be as provided in
778 subparagraph 3. based on projected customer entity usage rates
779 for the fiscal operating year of the primary data center.
780 However, at a minimum:
781 a. During the Southwood Shared Resource Center’s first 2
782 operating years, the Department of Transportation, the
783 Department of Highway Safety and Motor Vehicles, the Department
784 of Health, and the Department of Revenue must each have at least
785 one trustee.
786 b. During the Northwood Shared Resource Center’s first
787 operating year, the Department of State and the Department of
788 Education must each have at least one trustee.
789 2. Board After the second full year of operation,
790 membership shall be as provided in subparagraph 3. based on the
791 most recent estimate of customer entity usage rates for the
792 prior year and a projection of usage rates for the first 9
793 months of the next fiscal year. Such calculation must be
794 completed before the annual budget meeting held before the
795 beginning of the next fiscal year so that any decision to add or
796 remove board members can be voted on at the budget meeting and
797 become effective on July 1 of the subsequent fiscal year.
798 3. Each customer entity that has a projected usage rate of
799 4 percent or greater during the fiscal operating year of the
800 primary data center shall have one trustee on the board.
801 4. The total number of votes for each trustee shall be
802 apportioned as follows:
803 a. Customer entities of a primary data center whose usage
804 rate represents 4 but less than 15 percent of total usage shall
805 have one vote.
806 b. Customer entities of a primary data center whose usage
807 rate represents 15 but less than 30 percent of total usage shall
808 have two votes.
809 c. Customer entities of a primary data center whose usage
810 rate represents 30 but less than 50 percent of total usage shall
811 have three votes.
812 d. A customer entity of a primary data center whose usage
813 rate represents 50 percent or more of total usage shall have
814 four votes.
815 e. A single trustee having one vote shall represent those
816 customer entities that represent less than 4 percent of the
817 total usage. The trustee shall be selected by a process
818 determined by the board.
819 (3) BOARD DUTIES.—Each board of trustees of a primary data
820 center shall:
821 (j) Maintain the capabilities of the primary data center’s
822 facilities. Maintenance responsibilities include, but are not
823 limited to, ensuring that adequate conditioned floor space, fire
824 suppression, cooling, and power is in place; replacing aging
825 equipment when necessary; and making decisions related to data
826 center expansion and renovation, periodic upgrades, and
827 improvements that are required to ensure the ongoing suitability
828 of the facility as an enterprise data center consolidation site
829 in the state data center system. To the extent possible, the
830 board shall ensure that its approved annual cost-allocation plan
831 recovers sufficient funds from its customers to provide for
832 these needs pursuant to s. 282.201(2)(e).
833 Section 6. Section 282.204, Florida Statutes, is amended to
834 read:
835 282.204 Northwood Shared Resource Center.—The Northwood
836 Shared Resource Center is an agency established within the
837 department of Children and Family Services for administrative
838 purposes only.
839 (1) The center is a primary data center and is shall be a
840 separate budget entity that is not subject to control,
841 supervision, or direction of the department in any manner,
842 including, but not limited to, purchasing, transactions
843 involving real or personal property, personnel, or budgetary
844 matters.
845 (2) The center shall be headed by a board of trustees as
846 provided in s. 282.203, who shall comply with all requirements
847 of that section related to the operation of the center and with
848 the rules of the Agency for Enterprise Information Technology
849 related to the design and delivery of enterprise information
850 technology services.
851 Section 7. Section 282.206, Florida Statutes, is created to
852 read:
853 282.206 Northwest Regional Data Center.—The Northwest
854 Regional Data Center at Florida State University is designated
855 as a primary data center. The center shall be headed by a board
856 of trustees as provided in s. 282.203, who shall comply with all
857 requirements of that section related to the operation of the
858 center and with the rules of the Agency for Enterprise
859 Information Technology related to the design and delivery of
860 enterprise information technology services for state agencies.
861 Section 8. Section 282.315, Florida Statutes, is repealed.
862 Section 9. Subsections (3) through (7) of section 282.318,
863 Florida Statutes, are amended to read:
864 282.318 Enterprise security of data and information
865 technology.—
866 (3) The Office of Information Security within the Agency
867 for Enterprise Information Technology is responsible for
868 establishing rules and publishing guidelines for ensuring an
869 appropriate level of security for all data and information
870 technology resources for executive branch agencies. The agency
871 office shall also perform the following duties and
872 responsibilities:
873 (a) Develop, and annually update by February 1, an
874 enterprise information security strategic plan that includes
875 security goals and objectives for the strategic issues of
876 information security policy, risk management, training, incident
877 management, and survivability planning.
878 (b) Develop enterprise security rules and published
879 guidelines for:
880 1. Comprehensive risk analyses and information security
881 audits conducted by state agencies.
882 2. Responding to suspected or confirmed information
883 security incidents, including suspected or confirmed breaches of
884 personal information or exempt data.
885 3. Agency security plans, including strategic security
886 plans and security program plans.
887 4. The recovery of information technology and data
888 following a disaster.
889 5. The managerial, operational, and technical safeguards
890 for protecting state government data and information technology
891 resources.
892 (c) Assist agencies in complying with the provisions of
893 this section.
894 (d) Pursue appropriate funding for the purpose of enhancing
895 domestic security.
896 (e) Provide training for agency information security
897 managers.
898 (f) Annually review the strategic and operational
899 information security plans of executive branch agencies.
900 (4) To assist the Agency for Enterprise Information
901 Technology Office of Information Security in carrying out its
902 responsibilities, each agency head shall, at a minimum:
903 (a) Designate an information security manager to administer
904 the security program of the agency for its data and information
905 technology resources. This designation must be provided annually
906 in writing to the Agency for Enterprise Information Technology
907 office by January 1.
908 (b) Submit to the Agency for Enterprise Information
909 Technology office annually by July 31, the agency’s strategic
910 and operational information security plans developed pursuant to
911 the rules and guidelines established by the Agency for
912 Enterprise Information Technology office.
913 1. The agency strategic information security plan must
914 cover a 3-year period and define security goals, intermediate
915 objectives, and projected agency costs for the strategic issues
916 of agency information security policy, risk management, security
917 training, security incident response, and survivability. The
918 plan must be based on the enterprise strategic information
919 security plan created by the Agency for Enterprise Information
920 Technology office. Additional issues may be included.
921 2. The agency operational information security plan must
922 include a progress report for the prior operational information
923 security plan and a project plan that includes activities,
924 timelines, and deliverables for security objectives that,
925 subject to current resources, the agency will implement during
926 the current fiscal year. The cost of implementing the portions
927 of the plan which cannot be funded from current resources must
928 be identified in the plan.
929 (c) Conduct, and update every 3 years, a comprehensive risk
930 analysis to determine the security threats to the data,
931 information, and information technology resources of the agency.
932 The risk analysis information is confidential and exempt from
933 the provisions of s. 119.07(1), except that such information
934 shall be available to the Auditor General and the Agency for
935 Enterprise Information Technology for performing postauditing
936 duties.
937 (d) Develop, and periodically update, written internal
938 policies and procedures, which include procedures for notifying
939 the Agency for Enterprise Information Technology office when a
940 suspected or confirmed breach, or an information security
941 incident, occurs. Such policies and procedures must be
942 consistent with the rules and guidelines established by the
943 Agency for Enterprise Information Technology office to ensure
944 the security of the data, information, and information
945 technology resources of the agency. The internal policies and
946 procedures that, if disclosed, could facilitate the unauthorized
947 modification, disclosure, or destruction of data or information
948 technology resources are confidential information and exempt
949 from s. 119.07(1), except that such information shall be
950 available to the Auditor General and the Agency for Enterprise
951 Information Technology for performing postauditing duties.
952 (e) Implement appropriate cost-effective safeguards to
953 address identified risks to the data, information, and
954 information technology resources of the agency.
955 (f) Ensure that periodic internal audits and evaluations of
956 the agency’s security program for the data, information, and
957 information technology resources of the agency are conducted.
958 The results of such audits and evaluations are confidential
959 information and exempt from s. 119.07(1), except that such
960 information shall be available to the Auditor General and the
961 Agency for Enterprise Information Technology for performing
962 postauditing duties.
963 (g) Include appropriate security requirements in the
964 written specifications for the solicitation of information
965 technology and information technology resources and services,
966 which are consistent with the rules and guidelines established
967 by the Agency for Enterprise Information Technology office.
968 (h) Provide security awareness training to employees and
969 users of the agency’s communication and information resources
970 concerning information security risks and the responsibility of
971 employees and users to comply with policies, standards,
972 guidelines, and operating procedures adopted by the agency to
973 reduce those risks.
974 (i) Develop a process for detecting, reporting, and
975 responding to suspected or confirmed security incidents,
976 including suspected or confirmed breaches consistent with the
977 security rules and guidelines established by the Agency for
978 Enterprise Information Technology office.
979 1. Suspected or confirmed information security incidents
980 and breaches must be immediately reported to the Agency for
981 Enterprise Information Technology office.
982 2. For incidents involving breaches, agencies shall provide
983 notice in accordance with s. 817.5681 and to the Agency for
984 Enterprise Information Technology office in accordance with this
985 subsection.
986 (5) Each state agency shall include appropriate security
987 requirements in the specifications for the solicitation of
988 contracts for procuring information technology or information
989 technology resources or services which are consistent with the
990 rules and guidelines established by the Agency for Enterprise
991 Information Technology Office of Information Security.
992 (6) The Agency for Enterprise Information Technology may
993 adopt rules relating to information security and to administer
994 the provisions of this section.
995 (7) By December 31, 2010, the Agency for Enterprise
996 Information Technology shall develop, and submit to the
997 Governor, the President of the Senate, and the Speaker of the
998 House of Representatives a proposed implementation plan for
999 information technology security. The agency shall describe the
1000 scope of operation, conduct costs and requirements analyses,
1001 conduct an inventory of all existing security information
1002 technology resources, and develop strategies, timeframes, and
1003 resources necessary for statewide migration.
1004 Section 10. Subsections (3) and (4) of section 282.33,
1005 Florida Statutes, are amended to read:
1006 282.33 Objective standards for data center energy
1007 efficiency.—
1008 (2) State shared resource data centers and other data
1009 centers that the Agency for Enterprise Information Technology
1010 has determined will be recipients for consolidating data
1011 centers, which are designated by the Agency for Enterprise
1012 Information Technology, shall evaluate their data center
1013 facilities for energy efficiency using the standards established
1014 in this section.
1015 (a) Results of these evaluations shall be reported to the
1016 Agency for Enterprise Information Technology, the President of
1017 the Senate, and the Speaker of the House of Representatives.
1018 Reports shall enable the tracking of energy performance over
1019 time and comparisons between facilities.
1020 (b) Beginning By December 31, 2010, and every 3 years
1021 biennially thereafter, the Agency for Enterprise Information
1022 Technology shall submit to the Legislature recommendations for
1023 reducing energy consumption and improving the energy efficiency
1024 of state primary data centers.
1025 (3) The primary means of achieving maximum energy savings
1026 across all state data centers and computing facilities shall be
1027 the consolidation of data centers and computing facilities as
1028 determined by the Agency for Enterprise Information Technology.
1029 State data centers and computing facilities in the state data
1030 center system shall be established as an enterprise information
1031 technology service as defined in s. 282.0041. The Agency for
1032 Enterprise Information Technology shall make recommendations on
1033 consolidating state data centers and computing facilities,
1034 pursuant to s. 282.0056, by December 31, 2009.
1035 (3)(4) If When the total cost of ownership of an energy
1036 efficient product is less than or equal to the cost of the
1037 existing data center facility or infrastructure, technical
1038 specifications for energy-efficient products should be
1039 incorporated in the plans and processes for replacing,
1040 upgrading, or expanding data center facilities or
1041 infrastructure, including, but not limited to, network, storage,
1042 or computer equipment and software.
1043 Section 11. Subsections (4) through (11) of section 282.34,
1044 Florida Statutes, are amended to read:
1045 282.34 Statewide e-mail service.—A state e-mail system that
1046 includes the delivery and support of e-mail, messaging, and
1047 calendaring capabilities is established as an enterprise
1048 information technology service as defined in s. 282.0041. The
1049 service shall be designed to meet the needs of all executive
1050 branch agencies. The primary goals of the service are to
1051 minimize the state investment required to establish, operate,
1052 and support the statewide service; reduce the cost of current e
1053 mail operations and the number of duplicative e-mail systems;
1054 and eliminate the need for each state agency to maintain its own
1055 e-mail staff.
1056 (4) All agencies must be completely migrated to the
1057 statewide e-mail service as soon as financially and
1058 operationally feasible, but no later than December 31, 2012 June
1059 30, 2015.
1060 (a) The Agency for Enterprise Information Technology, in
1061 consultation with the Southwood Shared Resource Center and the
1062 statewide e-mail service provider, shall establish a schedule
1063 for the following statewide e-mail service implementation
1064 schedule if different from the schedule provided in this
1065 subsection. is established for state agencies:
1066 1. Phase 1.—The following agencies must be completely
1067 migrated to the statewide e-mail system by June 30, 2012: the
1068 Agency for Enterprise Information Technology; the Agency for
1069 Persons With Disabilities; the Department of Business and
1070 Professional Regulation; the Department of Children and Family
1071 Services; the Department of Education, including the Board of
1072 Governors; the Department of Elderly Affairs; the Department of
1073 Citrus; the Department of Community Affairs, including the
1074 Division of Emergency Management; the Department of Corrections;
1075 the Department of Health; the Department of Highway Safety and
1076 Motor Vehicles; the Department of Management Services, including
1077 the Division of Administrative Hearings, the Division of
1078 Retirement, the Commission on Human Relations, the Northwood
1079 Shared Resource Center, and the Public Employees Relations
1080 Commission; the Southwood Shared Resource Center; the Department
1081 of State; the Department of Transportation; and the Department
1082 of Revenue.
1083 2. Phase 2.—The following agencies must be completely
1084 migrated to the statewide e-mail system by December 31, 2012
1085 June 30, 2013: the Agency for Health Care Administration; the
1086 Agency for Workforce Innovation; the Executive Office of the
1087 Governor, including the Office of Emergency Management; the
1088 Department of Community Affairs, the Department of Agriculture
1089 and Consumer Services; the Department of Financial Services,
1090 including the Office of Financial Regulation and the Office of
1091 Insurance Regulation; the Fish and Wildlife Conservation
1092 Commission; the State Board of Administration; the Department of
1093 Corrections the Department of Business and Professional
1094 Regulation; the Department of Education, including the Board of
1095 Governors; the Department of Environmental Protection; the
1096 Department of Juvenile Justice; the Department of the Lottery;
1097 the Department of State; the Department of Law Enforcement; the
1098 Department of Veterans’ Affairs; the Judicial Administration
1099 Commission; the Public Service Commission; and the Statewide
1100 Guardian Ad Litem Office.
1101 3. Phase 3.—The following agencies must be completely
1102 migrated to the statewide e-mail system by June 30, 2014: the
1103 Agency for Health Care Administration; the Agency for Workforce
1104 Innovation; the Department of Financial Services, including the
1105 Office of Financial Regulation and the Office of Insurance
1106 Regulation; the Department of Agriculture and Consumer Services;
1107 the Executive Office of the Governor; the Department of
1108 Transportation; the Fish and Wildlife Conservation Commission;
1109 the Agency for Persons With Disabilities; the Northwood Shared
1110 Resource Center; and the State Board of Administration.
1111 4. Phase 4.—The following agencies must be completely
1112 migrated to the statewide e-mail system by June 30, 2015: the
1113 Department of Children and Family Services; the Department of
1114 Citrus; the Department of Elderly Affairs; and the Department of
1115 Legal Affairs.
1116 (b) Agency requests to modify their scheduled implementing
1117 date must be submitted in writing to the Agency for Enterprise
1118 Information Technology. Any exceptions or modifications to the
1119 schedule must be approved by the Agency for Enterprise
1120 Information Technology based only on the following criteria:
1121 1. Avoiding nonessential investment in agency e-mail
1122 hardware or software refresh, upgrade, or replacement.
1123 2. Avoiding nonessential investment in new software or
1124 hardware licensing agreements, maintenance or support
1125 agreements, or e-mail staffing for current e-mail systems.
1126 3. Resolving known agency e-mail problems through migration
1127 to the statewide e-mail service.
1128 4. Accommodating unique agency circumstances that require
1129 an acceleration or delay of the implementation date.
1130 (5) In order to develop the implementation plan for the
1131 statewide e-mail service, the Agency for Enterprise Information
1132 Technology shall establish and coordinate a statewide e-mail
1133 project team. The agency shall also consult with and, as
1134 necessary, form workgroups consisting of agency e-mail
1135 management staff, agency chief information officers, agency
1136 budget directors, and other administrative staff. The statewide
1137 e-mail implementation plan must be submitted to the Governor,
1138 the President of the Senate, and the Speaker of the House of
1139 Representatives by July 1, 2011, or 120 calendar days after the
1140 contract for statewide e-mail services is signed, whichever is
1141 later.
1142 (6) Unless authorized by the Legislature or as provided in
1143 subsection (7), a state agency may not:
1144 (a) Initiate a new e-mail service or execute a new e-mail
1145 contract or new e-mail contract amendment for nonessential
1146 products or services with any entity other than the provider of
1147 the statewide e-mail service;
1148 (b) Purchase equipment or make expenditures to expand,
1149 support, or enhance an existing agency e-mail service Terminate
1150 a statewide e-mail service without giving written notice of
1151 termination 180 days in advance; or
1152 (c) Transfer e-mail system services from the provider of
1153 the statewide e-mail service.
1154 (7) Exceptions to paragraphs (6)(a), (b), and (c) may be
1155 granted by the Agency for Enterprise Information Technology only
1156 if the Southwood Shared Resource Center is unable to meet agency
1157 business requirements or provide the necessary equipment,
1158 resources, or support for the agency e-mail service, and if such
1159 requirements are essential to maintain agency operations.
1160 Requests for exceptions must be submitted in writing to the
1161 Agency for Enterprise Information Technology and include
1162 documented confirmation by the Southwood Shared Resource Center
1163 board of trustees that it cannot meet the requesting agency’s e
1164 mail service requirements.
1165 (8) Each agency shall include the budget issues necessary
1166 for migrating to the statewide e-mail service in its legislative
1167 budget request before the first full year it is scheduled to
1168 migrate to the statewide service in accordance with budget
1169 instructions developed pursuant to s. 216.023.
1170 (9) The Agency for Enterprise Information Technology shall
1171 adopt rules to standardize the format for state agency e-mail
1172 addresses, ensure the sufficiency and transparency of financial
1173 information relating to the enterprise e-mail service, and
1174 establish a process to resolve complaints from state agency
1175 customers regarding the scope, cost, and provision of the
1176 statewide e-mail service.
1177 (10) State agencies must fully cooperate with the Agency
1178 for Enterprise Information Technology in the performance of its
1179 responsibilities established in this section.
1180 (11) The Agency for Enterprise Information Technology may
1181 approve shall recommend changes to an agency’s scheduled date
1182 for migration to the statewide e-mail service pursuant to this
1183 section, annually by December 31, until migration to the
1184 statewide service is complete.
1185 Section 12. Section 282.35, Florida Statutes, is created to
1186 read:
1187 282.35 Statewide desktop service.—A state desktop service
1188 that includes the service delivery and support to enable the use
1189 of standard office automation functions is established as an
1190 enterprise information technology service. The service shall be
1191 designed to meet the needs of all executive branch agencies and
1192 reduce the current cost of operation and support.
1193 (1) The department shall be the provider of the statewide
1194 desktop service. The primary goals of the service are to
1195 minimize the state investment required to establish, operate,
1196 and support the statewide desktop service; reduce the cost of
1197 current desktop operations and the number of duplicative desktop
1198 management systems; and eliminate the need for each state agency
1199 to maintain its own desktop support staff. The department shall
1200 centrally host, manage, and provide desktop services to achieve
1201 these goals.
1202 (2) By December 31, 2011, the Agency for Enterprise
1203 Information Technology shall submit a proposed plan for the
1204 establishment of the desktop service to the Governor, the
1205 President of the Senate, and the Speaker of the House of
1206 Representatives. The plan shall be developed to reduce costs to
1207 the state and must, at a minimum, include:
1208 (a) An analysis of the in-house and external sourcing
1209 options that should be considered for delivery and support of
1210 the service. At a minimum, the analysis must include a lease
1211 option, a seat management option, hosted virtual desktop option,
1212 and, if technically and operationally beneficial, a combined in
1213 house and external sourcing option.
1214 (b) Estimated expenditures for desktop services in each
1215 state agency for the 2011-2012 fiscal year.
1216 (c) A cost-benefit analysis that estimates all major cost
1217 elements associated with each sourcing option, including the
1218 nonrecurring and recurring costs of each option. The analysis
1219 must also include a comparison of the total cost of existing
1220 desktop services with the total cost of each sourcing option for
1221 desktop services in order to determine the level of savings
1222 which can be expected.
1223 (d) A complete description of the scope of functionality,
1224 service requirements, operations and management processes, and
1225 required resources, standards, and governance associated with
1226 each sourcing option.
1227 (e) A concise analysis of the ability of each sourcing
1228 option to provide needed functionality and meet major service
1229 requirements, including federal and state requirements for
1230 confidentiality, privacy, security, and records retention.
1231 (f) A reliable schedule for migrating all state agency
1232 desktop resources to the new service beginning no later than
1233 July 1, 2013, and completing by June 30, 2015.
1234 (3) In order to develop the recommended plan for the new
1235 system, the Agency for Enterprise Information Technology shall
1236 consult with, and, as necessary, form workgroups consisting of,
1237 agency program management staff, agency chief information
1238 officers, and agency budget directors. State agencies must
1239 cooperate with the Agency for Enterprise Technology in its
1240 development of the plan.
1241 (4) Unless authorized by the Legislature or as provided in
1242 subsection (5), a state agency may not:
1243 (a) Initiate a new desktop service with any entity other
1244 than the provider of the statewide desktop service;
1245 (b) Terminate a statewide desktop service without giving
1246 written notice of termination 180 days in advance; or
1247 (c) Transfer desktop services from the provider of the
1248 statewide desktop service.
1249 (5) Exceptions to paragraphs (4)(a), (b), and (c) may be
1250 granted by the Agency for Enterprise Information Technology only
1251 if the department is unable to meet agency desktop service
1252 requirements. Requests for exceptions must be submitted in
1253 writing to the Agency for Enterprise Information Technology and
1254 must include confirmation by the secretary of the department
1255 that the department cannot meet the requesting agency’s desktop
1256 service requirements.
1257 Section 13. Paragraph (a) of subsection (2), paragraph (h)
1258 of subsection (3), paragraph (b) of subsection (4), and
1259 subsection (15) of section 287.042, Florida Statutes, are
1260 amended to read:
1261 287.042 Powers, duties, and functions.—The department shall
1262 have the following powers, duties, and functions:
1263 (2)(a) To establish purchasing agreements and procure state
1264 term contracts for commodities and contractual services,
1265 pursuant to s. 287.057, under which state agencies shall, and
1266 eligible users may, make purchases pursuant to s. 287.056. The
1267 department may restrict purchases from some term contracts to
1268 state agencies only for those term contracts where the inclusion
1269 of other governmental entities will have an adverse effect on
1270 competition or to those federal facilities located in this
1271 state. The department may adopt rules establishing the
1272 conditions under which an agency may be exempted from using a
1273 state term contract or purchasing agreement if the department
1274 determines that the use of such exemption is in the best
1275 interest of the state. In such planning or purchasing the Office
1276 of Supplier Diversity may monitor to ensure that opportunities
1277 are afforded for contracting with minority business enterprises.
1278 The department, for state term contracts, and all agencies, for
1279 multiyear contractual services or term contracts, shall explore
1280 reasonable and economical means to utilize certified minority
1281 business enterprises. Purchases by any county, municipality,
1282 private nonprofit community transportation coordinator
1283 designated pursuant to chapter 427, while conducting business
1284 related solely to the Commission for the Transportation
1285 Disadvantaged, or other local public agency under the provisions
1286 in the state purchasing contracts, and purchases, from the
1287 corporation operating the correctional work programs, of
1288 products or services that are subject to paragraph (1)(f), are
1289 exempt from the competitive solicitation requirements otherwise
1290 applying to their purchases.
1291 (3) To establish a system of coordinated, uniform
1292 procurement policies, procedures, and practices to be used by
1293 agencies in acquiring commodities and contractual services,
1294 which shall include, but not be limited to:
1295 (h) The development, in consultation with the Agency Chief
1296 Information Officers Council, of procedures to be used by state
1297 agencies when procuring information technology commodities and
1298 contractual services that to ensure compliance with public
1299 records requirements and records retention and archiving
1300 requirements.
1301 (4)
1302 (b) To prescribe, in consultation with the Agency Chief
1303 Information Officers Council, procedures for procuring
1304 information technology and information technology consultant
1305 services that which provide for public announcement and
1306 qualification, competitive solicitations, contract award, and
1307 prohibition against contingent fees. Such procedures are shall
1308 be limited to information technology consultant contracts for
1309 which the total project costs, or planning or study activities,
1310 are estimated to exceed the threshold amount provided for in s.
1311 287.017, for CATEGORY TWO.
1312 (15) To initiate or enter into joint agreements with
1313 governmental agencies, as defined in s. 163.3164(10), for the
1314 purpose of pooling funds for the purchase of commodities or
1315 information technology that can be used by multiple agencies.
1316 (a) Each agency that has been appropriated or has existing
1317 funds for such purchase, shall, upon contract award by the
1318 department, transfer their portion of the funds into the
1319 department’s Operating Trust Fund for payment by the department.
1320 The funds shall be transferred by the Executive Office of the
1321 Governor pursuant to the agency budget amendment request
1322 provisions under in chapter 216.
1323 (b) Agencies that sign the joint agreements are financially
1324 obligated for their portion of the agreed-upon funds. If an
1325 agency becomes more than 90 days delinquent in paying the funds,
1326 the department shall certify to the Chief Financial Officer the
1327 amount due, and the Chief Financial Officer shall transfer the
1328 amount due to the Operating Trust Fund of the department from
1329 any of the agency’s available funds. The Chief Financial Officer
1330 shall report these transfers and the reasons for the transfers
1331 to the Executive Office of the Governor and the legislative
1332 appropriations committees.
1333 Section 14. Section 287.056, Florida Statutes, is amended
1334 to read:
1335 287.056 Purchases from purchasing agreements and state term
1336 contracts.—
1337 (1) Agencies shall, and eligible users may, purchase
1338 commodities and contractual services from purchasing agreements
1339 established and state term contracts procured by the department,
1340 pursuant to s. 287.057, by the department. The department may
1341 adopt rules establishing the conditions under which an agency
1342 may be exempted from using a state term contract or purchasing
1343 agreement if the department determines that the use of such
1344 exemption is in the best interest of the state. Each agency
1345 agreement made under this subsection shall include:
1346 (a) A provision specifying a scope of work that clearly
1347 establishes all tasks that the contractor is required to
1348 perform.
1349 (b) A provision dividing the contract into quantifiable,
1350 measurable, and verifiable units of deliverables that must be
1351 received and accepted in writing by the contract manager before
1352 payment. Each deliverable must be directly related to the scope
1353 of work and specify the required minimum level of service to be
1354 performed and the criteria for evaluating the successful
1355 completion of each deliverable.
1356 (2) Agencies may have the option to purchase commodities or
1357 contractual services from state term contracts procured,
1358 pursuant to s. 287.057, by the department.
1359 (2)(3) Agencies and eligible users may use a request for
1360 quote to obtain written pricing or services information from a
1361 state term contract vendor for commodities or contractual
1362 services available on state term contract from that vendor. The
1363 purpose of a request for quote is to determine whether a price,
1364 term, or condition more favorable to the agency or eligible user
1365 than that provided in the state term contract is available. Use
1366 of a request for quote does not constitute a decision or
1367 intended decision that is subject to protest under s. 120.57(3).
1368 Section 15. Subsections (14) and (17) of section 287.057,
1369 Florida Statutes, are amended to read:
1370 287.057 Procurement of commodities or contractual
1371 services.—
1372 (14) For each contractual services contract, the agency
1373 shall designate an employee to function as contract manager who
1374 shall be responsible for enforcing performance of the contract
1375 terms and conditions and serve as a liaison with the contractor.
1376 Each contract manager who is responsible for contracts in excess
1377 of the threshold amount for CATEGORY TWO must attend training
1378 conducted by the Chief Financial Officer for accountability in
1379 contracts and grant management. The Chief Financial Officer
1380 shall establish and disseminate uniform procedures pursuant to
1381 s. 17.03(3) to ensure that contractual services have been
1382 rendered in accordance with the contract terms before the agency
1383 processes the invoice for payment. The procedures shall include,
1384 but need not be limited to, procedures for monitoring and
1385 documenting contractor performance, reviewing and documenting
1386 all deliverables for which payment is requested by vendors, and
1387 providing written certification by contract managers of the
1388 agency’s receipt of goods and services. The Department shall
1389 adopt rules to be used by agencies to manage contracts.
1390 (17)(a)1. Each agency must avoid, neutralize, or mitigate
1391 significant potential organizational conflicts of interest
1392 before a contract is awarded.
1393 1. If the agency elects to mitigate the significant
1394 potential organizational conflict or conflicts of interest, an
1395 adequate mitigation plan, including organizational, physical,
1396 and electronic barriers, shall be developed.
1397 2. If a conflict cannot be avoided or mitigated, an agency
1398 may proceed with the contract award if the agency head certifies
1399 that the award is in the best interests of the state. The agency
1400 head must specify in writing the basis for the certification.
1401 (b)1. An agency head may not proceed with a contract award
1402 under subparagraph (a)2. if a conflict of interest is based upon
1403 the vendor gaining an unfair competitive advantage.
1404 2. An unfair competitive advantage exists if when the
1405 vendor competing for the award of a contract obtained:
1406 1.a. Access to information that is not available to the
1407 public and would assist the vendor in obtaining the contract; or
1408 2.b. Source selection information that is relevant to the
1409 contract but is not available to all competitors and that would
1410 assist the vendor in obtaining the contract.
1411 (c) A person who receives a contract that has not been
1412 procured pursuant to subsections (1)-(3) to perform a
1413 feasibility study of the potential implementation of a
1414 subsequent contract, who participates in the drafting of a
1415 solicitation or who develops a program for future
1416 implementation, is not eligible to contract with the agency for
1417 any other contracts dealing with that specific subject matter,
1418 and any firm in which such person has any interest is not
1419 eligible to receive such contract. However, this prohibition
1420 does not prevent a vendor who responds to a request for
1421 information from being eligible to contract with an agency.
1422 Section 16. Section 45 of chapter 2010-151, Laws of
1423 Florida, is amended to read:
1424 Section 45. Contracts for academic program reviews,
1425 auditing services, health services, or Medicaid services are
1426 subject to the transaction or user fees imposed under ss.
1427 287.042(1)(h) and 287.057(22), Florida Statutes, only to the
1428 extent that such contracts were not subject to such transaction
1429 or user fees before July 1, 2010.
1430 Section 17. The Agency for Enterprise Information
1431 Technology is transferred by a type one transfer, as defined in
1432 s. 20.06(1), Florida Statutes, from the Executive Office of the
1433 Governor to the Department of Management Services.
1434 Section 18. The Northwood Shared Resource Center is
1435 transferred by a type one transfer, as defined in s. 20.06(1),
1436 Florida Statutes, from the Department of Children and Family
1437 Services to the Department of Management Services.
1438 Section 19. The Agency for Enterprise Information
1439 Technology, in coordination with the Southwood Shared Resource
1440 Center, shall provide a written status report to the Executive
1441 Office of the Governor and to the chairs of the legislative
1442 appropriations committees detailing the progress made by the
1443 agencies required to migrate, pursuant to s. 282.34(4)(a)1.,
1444 Florida Statutes, to the statewide e-mail service by June 30,
1445 2012. The status report must be provided every 6 months,
1446 beginning September 1, 2011, until implementation is compete.
1447 Section 20. This act shall take effect July 1, 2011.