SB 1984 First Engrossed
20121984e1
1 A bill to be entitled
2 An act relating to state technology; abolishing the
3 Agency for Enterprise Information Technology;
4 transferring the personnel, functions, and funds of
5 the Agency for Enterprise Information Technology to
6 the Agency for State Technology; transferring
7 specified personnel, functions, and funds relating to
8 technology programs from the Department of Management
9 Services to the Agency for State Technology;
10 transferring the Northwood Shared Resource Center and
11 the Southwood Shared Resource Center to the agency;
12 repealing s. 14.204, F.S., relating to the Agency for
13 Enterprise Information Technology; creating s. 20.70,
14 F.S.; creating the Agency for State Technology;
15 providing for an executive director who shall be the
16 state’s Chief Information Officer; providing for
17 organization of the agency; providing duties and
18 responsibilities of the agency and of the executive
19 director; requiring certain status reports to the
20 Governor, the Cabinet, and the Legislature;
21 authorizing the agency to adopt rules; reordering and
22 amending s. 282.0041, F.S.; revising and providing
23 definitions of terms as used in the Enterprise
24 Information Technology Services Management Act;
25 amending s. 282.0055, F.S.; revising provisions for
26 assignment of information technology services;
27 directing the agency to create a road map for
28 enterprise information technology service
29 consolidation and a comprehensive transition plan;
30 requiring the transition plan to be submitted to the
31 Governor and Cabinet and the Legislature by a certain
32 date; providing duties for state agencies relating to
33 the transition plan; prohibiting state agencies from
34 certain technology-related activities; providing for
35 exceptions; amending s. 282.0056, F.S.; providing for
36 development by the agency executive director of a
37 biennial State Information Technology Strategic
38 Resources Plan for approval by the Governor and the
39 Cabinet; directing state agencies to submit their own
40 information technology plans and any requested
41 information to the agency; revising provisions for
42 development of work plans and implementation plans;
43 revising provisions for reporting on achievements;
44 amending s. 282.201, F.S.; revising provisions for a
45 state data center system; providing legislative
46 intent; directing the agency to provide
47 recommendations to the Governor and Legislature
48 relating to changes to the schedule for the
49 consolidations of state agency data centers; providing
50 duties of a state agency consolidating a data center
51 into a primary data center; revising the scheduled
52 consolidation dates for state agency data centers;
53 amending s. 282.203, F.S.; revising duties of primary
54 data centers; removing provisions for boards of
55 trustees to head primary data centers; requiring a
56 memorandum of understanding between the primary data
57 center and the participating state agency; limiting
58 the term of the memorandum; providing for failure to
59 enter into a memorandum; repealing s. 282.204, F.S.,
60 relating to Northwood Shared Resource Center;
61 repealing s. 282.205, F.S., relating to Southwood
62 Shared Resource Center; creating s. 282.206, F.S.;
63 establishing the Fletcher Shared Resource Center
64 within the Department of Financial Services to provide
65 enterprise information technology services; directing
66 the center to collaborate with the agency; directing
67 the center to provide collocation services to the
68 Department of Legal Affairs, the Department of
69 Agriculture and Consumer Services, and the Department
70 of Financial Services; directing the Department of
71 Financial Services to continue to use the center and
72 provide service to the Office of Financial Regulation
73 and the Office of Insurance Regulation and host the
74 Legislative Appropriations System/Planning and
75 Budgeting Subsystem; providing for governance of the
76 center; providing for a steering committee to ensure
77 adequacy and appropriateness of services; directing
78 the Department of Legal Affairs and the Department of
79 Agriculture and Consumer Services to move data center
80 equipment to the center by certain dates; repealing s.
81 282.33, F.S., relating to objective standards for data
82 center energy efficiency; amending s. 282.34, F.S.;
83 revising provisions for a statewide e-mail service to
84 meet the needs of executive branch agencies; requiring
85 state agencies to receive e-mail services through the
86 agency; authorizing the Department of Agriculture and
87 Consumer Services, the Department of Financial
88 Services, the Office of Financial Regulation, and the
89 Office of Insurance Regulation to receive e-mail
90 services from the Fletcher Shared Resource Center or
91 the agency; amending s. 282.702, F.S.; directing the
92 agency to develop a plan for statewide voice-over
93 Internet protocol services; requiring certain content
94 in the plan; requiring the plan to be submitted to the
95 Governor, the Cabinet, and the Legislature by a
96 certain date; amending s. 364.0135, F.S.; providing
97 for the agency’s role in the promotion of broadband
98 Internet service; providing an additional duty;
99 amending ss. 20.22, 110.205, 215.22, 215.322, 216.292,
100 282.318, 282.604, 282.703, 282.704, 282.705, 282.706,
101 282.707, 282.709, 282.7101, 282.711, 287.012, 287.057,
102 318.18, 320.0802, 328.72, 365.171, 365.172, 365.173,
103 365.174, 401.013, 401.015, 401.018, 401.021, 401.024,
104 401.027, 401.465, 445.011, 445.045, and 668.50, F.S.,
105 relating to a financial and cash management system
106 task force, career service exemptions, trust funds,
107 payment cards and electronic funds transfers, the
108 Communications Working Capital Trust Fund, the
109 Enterprise Information Technology Services Management
110 Act, adoption of rules, the Communication Information
111 Technology Services Act, procurement of commodities
112 and contractual services, the Florida Uniform
113 Disposition of Traffic Infractions Act, surcharge on
114 vehicle license tax, vessel registration, broadband
115 Internet service, the emergency communications number
116 E911, regional emergency medical telecommunications,
117 the Workforce Innovation Act of 2000, and the Uniform
118 Electronic Transaction Act; conforming provisions and
119 cross-references to changes made by the act; revising
120 and deleting obsolete provisions; providing an
121 effective date.
122
123 Be It Enacted by the Legislature of the State of Florida:
124
125 Section 1. (1) The Agency for Enterprise Information
126 Technology is abolished.
127 (2) All of the powers, duties, functions, records,
128 personnel, and property; funds, trust funds, and unexpended
129 balances of appropriations, allocations, and other funds;
130 administrative authority; administrative rules; pending issues;
131 and existing contracts of the Agency for Enterprise Information
132 Technology are transferred by a type two transfer, pursuant to
133 s. 20.06(2), Florida Statutes, to the Agency for State
134 Technology.
135 Section 2. (1) The portions of the Technology Program
136 established under section 20.22(2), Florida Statutes, and
137 identified in the approved plan defined in s. 282.0055(2),
138 Florida Statutes, shall transfer by a type one transfer, as
139 defined in s. 20.06(1), Florida Statutes, from the Department of
140 Management Services to the Agency for State Technology no later
141 than June 30, 2014.
142 (2) The Northwood Shared Resource Center is transferred by
143 a type one transfer, as defined in s. 20.06(1), Florida
144 Statutes, from the Department of Management Services to the
145 Agency for State Technology.
146 (a) Any binding contract or interagency agreement entered
147 into between the Northwood Shared Resource Center, or an entity
148 or agent of the center, and any other agency, entity, or person
149 is binding on the Agency for State Technology for the remainder
150 of the term of such contract or agreement.
151 (b) The rules of the Northwood Shared Resource Center which
152 were in effect at 11:59 p.m. on June 30, 2012, become rules of
153 the Agency for State Technology and remain in effect until
154 amended or repealed in the manner provided by law.
155 (3) The Southwood Shared Resource Center is transferred by
156 a type one transfer, as defined in s. 20.06(1), Florida
157 Statutes, from the Department of Management Services to the
158 Agency for State Technology.
159 (a) Any binding contract or interagency agreement entered
160 into between the Southwood Shared Resource Center or an entity
161 or agent of the center and any other agency, entity, or person
162 is binding on the Agency for State Technology for the remainder
163 of the term of such contract or agreement.
164 (b) The rules of the Southwood Shared Resource Center which
165 were in effect at 11:59 p.m. on June 30, 2012, become rules of
166 the Agency for State Technology and remain in effect until
167 amended or repealed in the manner provided by law.
168 Section 3. Section 14.204, Florida Statutes, is repealed.
169 Section 4. Section 20.70, Florida Statutes, is created to
170 read:
171 20.70 Agency for State Technology.—The Agency for State
172 Technology is created.
173 (1) The head of the agency shall be the Governor and
174 Cabinet.
175 (2) The agency shall have an executive director who is the
176 state’s Chief Information Officer and who must:
177 (a) Have at least a bachelor’s degree in computer science,
178 information systems, business or public administration, or a
179 related field, or equivalent work experience;
180 (b) Have 10 or more years of experience working in the
181 field of information technology;
182 (c) Have 5 or more years of experience in related industry
183 managing multiple, large, cross-functional teams or projects,
184 and influencing senior-level management and key stakeholders;
185 (d) Have at least 5 years of executive-level leadership
186 responsibilities;
187 (e) Have performed an integral role in enterprise-wide
188 information technology consolidations;
189 (f) Be appointed by the Governor, subject to confirmation
190 by the Cabinet and the Senate, and shall serve at the pleasure
191 of the Governor and Cabinet.
192 (3) The executive director:
193 (a) Shall be responsible for developing and administering a
194 comprehensive long-range plan for the state’s information
195 technology resources, ensuring the proper management of such
196 resources, and delivering services.
197 (b) Shall appoint a Chief Technology Officer to lead the
198 divisions of the agency dedicated to the operation and delivery
199 of enterprise information technology services.
200 (c) Shall appoint a Chief Operations Officer to lead the
201 divisions of the agency dedicated to enterprise information
202 technology policy, planning, standards, and procurement.
203 (d) Shall designate a state Chief Information Security
204 Officer.
205 (e) May appoint all employees necessary to carry out the
206 duties and responsibilities of the agency.
207 (4) The Agency for State Technology is prohibited from
208 using, and executives of the agency are prohibited from
209 directing spending from, operational information technology
210 trust funds, as defined in 282.0041, F.S., for any purpose for
211 which the Strategic Information Technology Trust Fund was
212 established.
213 (5) The following officers and divisions of the agency are
214 established:
215 (a) Under the Chief Technology Officer:
216 1. Upon transfer any portion of the Technology Program from
217 the Department of Management Services to the agency, there shall
218 be a Division of Telecommunications.
219 2. The Division of Data Center Operations which includes,
220 but is not limited to, any shared resource center established or
221 operated by the agency.
222 (b) Under the Chief Operations Officer:
223 1. Strategic Planning.
224 2. Enterprise Information Technology Standards.
225 a. Enterprise Information Technology Procurement.
226 b. Information Technology Security and Compliance.
227 3. Enterprise Services Planning and Consolidation.
228 4. Enterprise Project Management.
229 (c) Under the Director of Administration:
230 1. Accounting and Budgeting.
231 2. Personnel.
232 3. Procurement and Contracts.
233 (d) Under the Office of the Executive Director:
234 1. Inspector General.
235 2. Legal.
236 3. Governmental Affairs.
237 (6) The agency shall operate in a manner that ensures the
238 participation and representation of state agencies.
239 (7) The agency shall have the following duties and
240 responsibilities. The agency shall:
241 (a) Develop and publish a long-term State Information
242 Technology Resources Strategic Plan.
243 (b) Initiate, plan, design, implement, and manage
244 enterprise information technology services.
245 (c) Beginning October 1, 2012, and every 3 months
246 thereafter, provide a status report on its initiatives. The
247 report shall be presented at a meeting of the Governor and
248 Cabinet.
249 (d) Beginning September 1, 2013, and every 3 months
250 thereafter until enterprise information technology service
251 consolidations are complete, provide a status report on the
252 implementation of the consolidations that must be completed
253 during the fiscal year. The report shall be submitted to the
254 Executive Office of the Governor, the Cabinet, the President of
255 the Senate, and the Speaker of the House of Representatives. At
256 a minimum, the report must describe:
257 1. Whether the consolidation is on schedule, including
258 progress on achieving the milestones necessary for successful
259 and timely consolidation of scheduled agency data centers and
260 computing facilities; and
261 2. The risks that may affect the progress or outcome of the
262 consolidation and how such risks are being mitigated or managed.
263 (e) Set technical standards for information technology,
264 including, but not limited to, desktop computers, printers, and
265 mobile devices; review major information technology projects and
266 procurements; establish information technology security
267 standards; provide for the procurement of information technology
268 resources, excluding human resources; and deliver enterprise
269 information technology services as defined in s. 282.0041.
270 (f) Designate primary data centers and shared resource
271 centers.
272 (g) Operate shared resource centers in a manner that
273 promotes energy efficiency.
274 (h) Establish and deliver enterprise information technology
275 services to serve state agencies on a cost-sharing basis,
276 charging each state agency its proportionate share of the cost
277 of maintaining and delivering a service based on a state
278 agency’s use of the service.
279 (i) Use the following criteria to develop a means of
280 chargeback for primary data center services:
281 1. The customers of the primary data center shall provide
282 payments to the primary data center which are sufficient to
283 maintain the solvency of the primary data center operation for
284 the costs not directly funded through the General Appropriations
285 Act.
286 2. Per unit cost of usage shall be the primary basis for
287 pricing, and usage must be accurately measurable and
288 attributable to the appropriate customer.
289 3. The primary data center shall combine the aggregate
290 purchasing power of large and small customers to achieve
291 collective savings opportunities to all customers.
292 4. Chargeback methodologies shall be devised to consider
293 restrictions on grants to customers.
294 5. Chargeback methodologies should establish incentives
295 that lead to customer usage practices that result in lower costs
296 to the state.
297 6. Chargeback methodologies must consider technological
298 change when:
299 a. New services require short-term investments before
300 achieving long-term, full cost recovery for the service.
301 b. Customers of antiquated services may not be able to bear
302 the costs for the antiquated services during periods when
303 customers are migrating to replacement services.
304 7. Prices may be established which allow for accrual of
305 cash balances for the purpose of maintaining contingent
306 operating funds and funding planned capital investments. Accrual
307 of the cash balances shall be considered costs for the purposes
308 of this section.
309 8. Flat rate charges may be used only if there are
310 provisions for reconciling charges to comport with actual costs
311 and use.
312 (i) Exercise technical and fiscal prudence in determining
313 the best way to deliver enterprise information technology
314 services.
315 (j) Collect and maintain an inventory of the information
316 technology resources in the state agencies.
317 (k) Assume ownership or custody and control of information
318 processing equipment, supplies, and positions required in order
319 to thoroughly carry out the agency’s duties and
320 responsibilities.
321 (l) Adopt rules and policies for the efficient, secure, and
322 economical management and operation of the shared resource
323 centers and state telecommunications services.
324 (m) Provide other public sector organizations as defined in
325 s. 282.0041 with access to the services provided by the agency.
326 Access shall be provided on the same cost basis that applies to
327 state agencies.
328 (n) Ensure that data that is confidential under state or
329 federal law is not entered into or processed through any shared
330 resource center or network established under the agency until
331 the agency head and the executive director of the agency are
332 satisfied that safeguards for the data’s security have been
333 properly designed, installed, and tested and are fully
334 operational. This paragraph does not prescribe what actions
335 necessary to satisfy a state agency’s objectives are to be
336 undertaken or remove from the control and administration of the
337 state agency the responsibility for working with the agency to
338 implement safeguards, whether such control and administration
339 are specifically required by general law or administered under
340 the general program authority and responsibility of the state
341 agency. If the agency head and executive director of the agency
342 cannot reach agreement on satisfactory safeguards, the issue
343 shall be decided by the Governor and Cabinet.
344 (o) Conduct periodic assessments of state agencies for
345 compliance with statewide information technology policies and
346 recommend to the Governor and Cabinet statewide policies for
347 information technology.
348 (8) The agency may not use or direct the spending of
349 operational information technology trust funds to study and
350 develop enterprise information technology strategies, plans,
351 rules, reports, policies, proposals, budgets, or enterprise
352 information technology initiatives that are not directly related
353 to developing information technology services for which usage
354 fees reimburse the costs of the initiative. As used in this
355 subsection, the term “operational information technology trust
356 funds” means funds into which deposits are made on a fee-for
357 service basis or a trust fund dedicated to a specific
358 information technology project or system.
359 (9) The portions of the agency’s activities described in
360 subsection (8) for which usage fees do not reimburse costs of
361 the activity shall be funded at a rate of 0.55% of the total
362 identified information technology spend through
363 MyFloridaMarketPlace.
364 (10) The agency may adopt rules to carry out its duties and
365 responsibilities.
366 Section 5. Section 282.0041, Florida Statutes, is amended
367 to read:
368 282.0041 Definitions.—As used in this chapter, the term:
369 (1) “Agency” has the same meaning as in s. 216.011(1)(qq),
370 except that for purposes of this chapter, “agency” does not
371 include university boards of trustees or state universities.
372 (1)(2) “Agency for State Enterprise Information Technology”
373 or “agency” means the agency created in s. 20.70 14.204.
374 (2)(3) “Agency information technology service” means a
375 service that directly helps a state an agency fulfill its
376 statutory or constitutional responsibilities and policy
377 objectives and is usually associated with the state agency’s
378 primary or core business functions.
379 (4) “Annual budget meeting” means a meeting of the board of
380 trustees of a primary data center to review data center usage to
381 determine the apportionment of board members for the following
382 fiscal year, review rates for each service provided, and
383 determine any other required changes.
384 (3)(5) “Breach” has the same meaning as in s. 817.5681(4).
385 (4)(6) “Business continuity plan” means a plan for disaster
386 recovery which provides for the continued functioning of a
387 primary data center during and after a disaster.
388 (5) “Collocation” means the method by which a state
389 agency’s data center occupies physical space within a shared
390 resource center where physical floor space, bandwidth, power,
391 cooling, and physical security are available for an equitable
392 usage rate and minimal complexity, and allow for the sustained
393 management and oversight of the collocating agency’s information
394 technology resources as well as physical and logical database
395 administration by the collocating agency’s staff.
396 (6)(7) “Computing facility” means a state agency site space
397 containing fewer than a total of 10 physical or logical servers,
398 any of which supports a strategic or nonstrategic information
399 technology service, as described in budget instructions
400 developed pursuant to s. 216.023, but excluding
401 telecommunications and voice gateways and a clustered pair of
402 servers operating as a single logical server to provide file,
403 print, security, and endpoint management services single,
404 logical-server installations that exclusively perform a utility
405 function such as file and print servers.
406 (7) “Computing service” means an information technology
407 service that is used in all state agencies or a subset of
408 agencies and is, therefore, a candidate for being established as
409 an enterprise information technology service. Examples include
410 e-mail, service hosting, telecommunications, and disaster
411 recovery.
412 (8) “Customer entity” means an entity that obtains services
413 from a primary data center.
414 (8)(9) “Data center” means a state agency site space
415 containing 10 or more physical or logical servers any of which
416 supports a strategic or nonstrategic information technology
417 service, as described in budget instructions developed pursuant
418 to s. 216.023.
419 (10) “Department” means the Department of Management
420 Services.
421 (9)(11) “Enterprise information technology service” means
422 an information technology service that is used in all state
423 agencies or a subset of state agencies and is designated by the
424 agency or established in law to be designed, delivered, and
425 managed at the enterprise level. Current enterprise information
426 technology services include data center services, e-mail, and
427 security.
428 (10)(12) “E-mail, messaging, and calendaring service” means
429 the enterprise information technology service that enables users
430 to send, receive, file, store, manage, and retrieve electronic
431 messages, attachments, appointments, and addresses. The e-mail,
432 messaging, and calendaring service must include e-mail account
433 management; help desk; technical support and user provisioning
434 services; disaster recovery and backup and restore capabilities;
435 antispam and antivirus capabilities; archiving and e-discovery;
436 and remote access and mobile messaging capabilities.
437 (11)(13) “Information-system utility” means an information
438 processing a full-service information-processing facility
439 offering hardware, software, operations, integration,
440 networking, floor space, and consulting services.
441 (12)(14) “Information technology resources” means
442 equipment, hardware, software, firmware, programs, systems,
443 networks, infrastructure, media, and related material used to
444 automatically, electronically, and wirelessly collect, receive,
445 access, transmit, display, store, record, retrieve, analyze,
446 evaluate, process, classify, manipulate, manage, assimilate,
447 control, communicate, exchange, convert, converge, interface,
448 switch, or disseminate information of any kind or form, and
449 includes the human resources to perform such duties, but
450 excludes application developers and logical database
451 administrators.
452 (13) “Local area network” means any telecommunications
453 network through which messages and data are exchanged strictly
454 within a single building or contiguous campus.
455 (14)(15) “Information technology policy” means statements
456 that describe clear choices for how information technology will
457 deliver effective and efficient government services to residents
458 and improve state agency operations. A policy may relate to
459 investments, business applications, architecture, or
460 infrastructure. A policy describes its rationale, implications
461 of compliance or noncompliance, the timeline for implementation,
462 metrics for determining compliance, and the accountable
463 structure responsible for its implementation.
464 (15) “Logical database administration” means the resources
465 required to build and maintain database structure, implement and
466 maintain role-based data access controls, and perform
467 performance optimization of data queries and includes the
468 manipulation, transformation, modification, and maintenance of
469 data within a logical database. Typical tasks include schema
470 design and modifications, user provisioning, query tuning, index
471 and statistics maintenance, and data import, export, and
472 manipulation.
473 (16) “Memorandum of understanding” means a written
474 agreement between a shared resource center or the Division of
475 Telecommunications in the agency and a state agency which
476 specifies the scope of services provided, service level,
477 duration of the agreement, responsible parties, and service
478 costs. A memorandum of understanding is not a rule pursuant to
479 chapter 120.
480 (17) “Other public sector organizations” means entities of
481 the legislative and judicial branches, the State University
482 System, the Florida Community College System, counties, and
483 municipalities. Such organizations may elect to participate in
484 the information technology programs, services, or contracts
485 offered by the Agency for State Technology, including
486 information technology procurement, in accordance with general
487 law, policies, and administrative rules.
488 (18)(16) “Performance metrics” means the measures of an
489 organization’s activities and performance.
490 (19) “Physical database administration” means the resources
491 responsible for installing, maintaining, and operating an
492 environment within which a database is hosted. Typical tasks
493 include database engine installation, configuration, and
494 security patching, as well as performing backup and restoration
495 of hosted databases, setup and maintenance of instance-based
496 data replication, and monitoring the health and performance of
497 the database environment.
498 (20)(17) “Primary data center” means a data center that is
499 a recipient entity for consolidation of state agency information
500 technology resources nonprimary data centers and computing
501 facilities and that is established by law.
502 (21)(18) “Project” means an endeavor that has a defined
503 start and end point; is undertaken to create or modify a unique
504 product, service, or result; and has specific objectives that,
505 when attained, signify completion.
506 (22)(19) “Risk analysis” means the process of identifying
507 security risks, determining their magnitude, and identifying
508 areas needing safeguards.
509 (23)(20) “Service level” means the key performance
510 indicators (KPI) of an organization or service which must be
511 regularly performed, monitored, and achieved.
512 (21) “Service-level agreement” means a written contract
513 between a data center and a customer entity which specifies the
514 scope of services provided, service level, the duration of the
515 agreement, the responsible parties, and service costs. A
516 service-level agreement is not a rule pursuant to chapter 120.
517 (24) “Shared resource center” means a primary data center
518 that has been designated and assigned specific duties under this
519 chapter or by the Agency for State Technology under s. 20.70.
520 (25)(22) “Standards” means required practices, controls,
521 components, or configurations established by an authority.
522 (26) “State agency” means any official, officer,
523 commission, board, authority, council, committee, or department
524 of the executive branch of state government. The term does not
525 include university boards of trustees or state universities.
526 (27) “State agency site” means a single, contiguous local
527 area network segment that does not traverse a metropolitan area
528 network or wide area network.
529 (28)(23) “SUNCOM Network” means the state enterprise
530 telecommunications system that provides all methods of
531 electronic or optical telecommunications beyond a single
532 building or contiguous building complex and used by entities
533 authorized as network users under this part.
534 (29)(24) “Telecommunications” means the science and
535 technology of communication at a distance, including electronic
536 systems used in the transmission or reception of information.
537 (30)(25) “Threat” means any circumstance or event that may
538 cause harm to the integrity, availability, or confidentiality of
539 information technology resources.
540 (31)(26) “Total cost” means all costs associated with
541 information technology projects or initiatives, including, but
542 not limited to, value of hardware, software, service,
543 maintenance, incremental personnel, and facilities. Total cost
544 of a loan or gift of information technology resources to a state
545 an agency includes the fair market value of the resources.
546 (32)(27) “Usage” means the billing amount charged by the
547 primary data center, less any pass-through charges, to the state
548 agency customer entity.
549 (33)(28) “Usage rate” means a state agency’s customer
550 entity’s usage or billing amount as a percentage of total usage.
551 (34) “Wide area network” means any telecommunications
552 network or components thereof through which messages and data
553 are exchanged outside of a local area network.
554 Section 6. Section 282.0055, Florida Statutes, is amended
555 to read:
556 (Substantial rewording of section. See
557 s. 282.0055, Florida Statutes, for current text.)
558 282.0055 Assignment of enterprise information technology.—
559 (1) The establishment of a systematic process for the
560 planning, design, implementation, procurement, delivery, and
561 maintenance of enterprise information technology services shall
562 be the responsibility of the Agency for State Technology for
563 executive branch agencies that are created or authorized in
564 statute to perform legislatively delegated functions. The
565 agency’s duties shall be performed in collaboration with the
566 state agencies. The supervision, design, development, delivery,
567 and maintenance of state-agency specific or unique software
568 applications shall remain within the responsibility and control
569 of the individual state agency or other public sector
570 organization.
571 (2) During the 2012-2013 fiscal year, the Agency for State
572 Technology shall, in collaboration with the state agencies and
573 other stakeholders, create a road map for enterprise information
574 technology service consolidation. The road map shall be
575 presented for approval by the Governor and Cabinet by August 30,
576 2013. At a minimum, the road map must include:
577 (a) An enterprise architecture that provides innovative,
578 yet pragmatic and cost-effective offering, and which
579 contemplates the consolidated delivery of services based on
580 similar business processes and functions that span across all
581 executive and cabinet agencies.
582 (b) A schedule for the consolidation of state agency data
583 centers.
584 (c) Cost-saving targets and timeframes for when the savings
585 will be realized.
586 (d) Recommendations, including cost estimates, for
587 improvements to the shared resource centers, which will improve
588 the agency’s ability to deliver enterprise information
589 technology services.
590 (e) A transition plan for the transfer of portions of the
591 Technology Program established under s. 20.22(2), Florida
592 Statutes, that provide an enterprise information technology
593 service.
594 (3) By October 15th of each year beginning in 2013, the
595 Agency for State Technology shall develop a comprehensive
596 transition plan for scheduled consolidations occurring in the
597 next fiscal year. This plan shall be submitted to the Governor,
598 the Cabinet, the President of the Senate, and the Speaker of the
599 House of Representatives. The transition plan shall be developed
600 in consultation with other state agencies submitting state
601 agency transition plans. The comprehensive transition plan must
602 include:
603 (a) Recommendations for accomplishing the proposed
604 transitions as efficiently and effectively as possible with
605 minimal disruption to state agency business processes.
606 (b) Strategies to minimize risks associated with any of the
607 proposed consolidations.
608 (c) A compilation of the state agency transition plans
609 submitted by state agencies scheduled for consolidation for the
610 following fiscal year.
611 (d) An estimate of the cost to provide enterprise
612 information technology services for each state agency scheduled
613 for consolidation.
614 (e) An analysis of the cost effects resulting from the
615 planned consolidations on existing state agencies.
616 (f) The fiscal year adjustments to budget categories in
617 order to absorb the transfer of state agency information
618 technology resources pursuant to the legislative budget request
619 instructions provided in s. 216.023.
620 (g) A description of any issues that must be resolved in
621 order to accomplish as efficiently and effectively as possible
622 all consolidations required during the fiscal year.
623 (4) State agencies have the following duties:
624 (a) For the purpose of completing its work activities, each
625 state agency shall provide to the Agency for State Technology
626 all requested information and any other information relevant to
627 the state agency’s ability to effectively transition its
628 information technology resources into the agency.
629 (b) For the purpose of completing its work activities, each
630 state agency shall temporarily assign staff to assist the agency
631 with designated tasks as negotiated between the agency and the
632 state agency.
633 (c) Each state agency identified for consolidation into an
634 enterprise information technology service offering must submit a
635 transition plan to the Agency for State Technology by September
636 1 of the fiscal year before the fiscal year in which the
637 scheduled consolidation will occur. Transition plans shall be
638 developed in consultation with the agency and must include:
639 1. An inventory of the state agency data center’s resources
640 being consolidated, including all hardware, software, staff, and
641 contracted services, and the facility resources performing data
642 center management and operations, security, backup and recovery,
643 disaster recovery, system administration, database
644 administration, system programming, mainframe maintenance, job
645 control, production control, print, storage, technical support,
646 help desk, and managed services, but excluding application
647 development.
648 2. A description of the level of services needed to meet
649 the technical and operational requirements of the platforms
650 being consolidated and an estimate of the primary data center’s
651 cost for the provision of such services.
652 3. A description of expected changes to its information
653 technology needs and the timeframe when such changes will occur.
654 4. A description of the information technology resources
655 proposed to remain in the state agency.
656 5. A baseline project schedule for the completion of the
657 consolidation.
658 6. The specific recurring and nonrecurring budget
659 adjustments of budget resources by appropriation category into
660 the appropriate data processing category pursuant to the
661 legislative budget instructions in s. 216.023 necessary to
662 support state agency costs for the transfer.
663 (5)(a) Unless authorized by the Legislature or the agency
664 as provided in paragraphs (b) and (c), a state agency may not:
665 1. Create a new computing service or expand an existing
666 computing service if that service has been designated as an
667 enterprise information technology service.
668 2. Spend funds before the state agency’s scheduled
669 consolidation to an enterprise information technology service to
670 purchase or modify hardware or operations software that does not
671 comply with hardware and software standards established by the
672 Agency for State Technology.
673 3. Unless for the purpose of offsite disaster recovery
674 services, transfer existing computing services to any service
675 provider other than the Agency for State Technology.
676 4. Terminate services with the Agency for State Technology
677 without giving written notice of intent to terminate or transfer
678 services 180 days before such termination or transfer.
679 5. Initiate a new computing service with any service
680 provider other than the Agency for State Technology if that
681 service has been designated as an enterprise information
682 technology service.
683 (b) Exceptions to the limitations in subparagraphs (a)1.,
684 2., 3., and 5. may be granted by the Agency for State Technology
685 if there is insufficient capacity in the primary data centers to
686 absorb the workload associated with agency computing services,
687 expenditures are compatible with the scheduled consolidation and
688 established standards, or the equipment or resources are needed
689 to meet a critical state agency business need that cannot be
690 satisfied from surplus equipment or resources of the primary
691 data center until the state agency data center is consolidated.
692 1. A request for an exception must be submitted in writing
693 to the Agency for State Technology. The agency must accept,
694 accept with conditions, or deny the request within 60 days after
695 receipt of the written request. The agency’s decision is not
696 subject to chapter 120.
697 2. The Agency for State Technology may not approve a
698 request unless it includes, at a minimum:
699 a. A detailed description of the capacity requirements of
700 the state agency requesting the exception.
701 b. Documentation from the state agency head demonstrating
702 why it is critical to the state agency’s mission that the
703 expansion or transfer must be completed within the fiscal year
704 rather than when capacity is established at a primary data
705 center.
706 3. Exceptions to subparagraph (a)4. may be granted by the
707 Agency for State Technology if the termination or transfer of
708 services can be absorbed within the current cost-allocation
709 plan.
710 Section 7. Section 282.0056, Florida Statutes, is amended
711 to read:
712 282.0056 Strategic plan, development of work plan, and;
713 development of implementation plans; and policy
714 recommendations.—
715 (1) In order to provide a systematic process for meeting
716 the state’s technology needs, the executive director of the
717 Agency for State Technology shall develop a biennial state
718 Information Technology Resources Strategic Plan. The Governor
719 and Cabinet shall approve the plan before transmitting it to the
720 Legislature, biennially, starting October 1, 2013. The plan must
721 include the following elements:
722 (a) The vision, goals, initiatives, and targets for state
723 information technology for the short term of 2 years, midterm of
724 3 to 5 years, and long term of more than 5 years.
725 (b) An inventory of the information technology resources in
726 state agencies and major projects currently in progress and
727 planned. This does not imply that the agency has approval
728 authority over major projects. As used in this section, the term
729 “major project” means projects that cost more than $1 million to
730 implement.
731 (c) An analysis of opportunities for statewide initiatives
732 that would yield efficiencies, cost savings, or avoidance or
733 improve effectiveness in state programs. The analysis must
734 include:
735 1. Information technology services that should be designed,
736 delivered, and managed as enterprise information technology
737 services.
738 2. Techniques for consolidating the purchase of information
739 technology commodities and services that may result in savings
740 for the state and for establishing a process to achieve savings
741 through consolidated purchases.
742 3. A cost-benefit analysis of options, such as
743 privatization, outsourcing, or insourcing, to reduce costs or
744 improve services to agencies and taxpayers.
745 (d) Recommended initiatives based on the analysis in
746 paragraph (c).
747 (e) Implementation plans for enterprise information
748 technology services designated by the agency. The implementation
749 plans must describe the scope of service, requirements analyses,
750 costs and savings projects, and a project schedule for statewide
751 implementation.
752 (2) Each state agency shall, biennially, provide to the
753 agency the inventory required under paragraph (1)(b). The agency
754 shall consult with and assist state agencies in the preparation
755 of these inventories. Each state agency shall submit its
756 inventory to the agency biennially, starting January 1, 2013.
757 (3) For the purpose of completing its work activities, each
758 state agency shall provide to the agency all requested
759 information, including, but not limited to, the state agency’s
760 costs, service requirements, staffing, and equipment
761 inventories.
762 (4)(1) For the purpose of ensuring accountability for the
763 duties and responsibilities of the executive director and the
764 agency under ss. 20.70 and 282.0055, the executive director For
765 the purposes of carrying out its responsibilities under s.
766 282.0055, the Agency for Enterprise Information Technology shall
767 develop an annual work plan within 60 days after the beginning
768 of the fiscal year describing the activities that the agency
769 intends to undertake for that year and identify the critical
770 success factors, risks, and issues associated with the work
771 planned. The work plan must also include planned including
772 proposed outcomes and completion timeframes for the planning and
773 implementation of all enterprise information technology
774 services. The work plan must align with the state Information
775 Technology Resources Strategic Plan, be presented at a public
776 hearing, and be approved by the Governor and Cabinet;, and,
777 thereafter, be submitted to the President of the Senate and the
778 Speaker of the House of Representatives. The work plan may be
779 amended as needed, subject to approval by the Governor and
780 Cabinet.
781 (2) The agency may develop and submit to the President of
782 the Senate, the Speaker of the House of Representatives, and the
783 Governor by October 1 of each year implementation plans for
784 proposed enterprise information technology services to be
785 established in law.
786 (3) In developing policy recommendations and implementation
787 plans for established and proposed enterprise information
788 technology services, the agency shall describe the scope of
789 operation, conduct costs and requirements analyses, conduct an
790 inventory of all existing information technology resources that
791 are associated with each service, and develop strategies and
792 timeframes for statewide migration.
793 (4) For the purpose of completing its work activities, each
794 state agency shall provide to the agency all requested
795 information, including, but not limited to, the state agency’s
796 costs, service requirements, and equipment inventories.
797 (5) For the purpose of ensuring accountability for the
798 duties and responsibilities of the executive director and the
799 agency under ss. 20.70 and 282.0055, within 60 days after the
800 end of each fiscal year, the executive director agency shall
801 report to the Governor and Cabinet, the President of the Senate,
802 and the Speaker of the House of Representatives on what was
803 achieved or not achieved in the prior year’s work plan.
804 Section 8. Section 282.201, Florida Statutes, is amended to
805 read:
806 (Substantial rewording of section. See
807 s. 282.201, Florida Statutes, for current text.)
808 282.201 State data center system; agency duties and
809 limitations.—A state data center system that includes all
810 primary data centers, other nonprimary data centers, and
811 computing facilities, and that provides an enterprise
812 information technology service, is established.
813 (1) INTENT.—The Legislature finds that the most efficient
814 and effective means of providing quality utility data processing
815 services to state agencies requires that computing resources be
816 concentrated in quality facilities that provide the proper
817 security, infrastructure, and staff resources to ensure that the
818 state’s data is maintained reliably and safely and is
819 recoverable in the event of a disaster. Efficiencies resulting
820 from such consolidation include the increased ability to
821 leverage technological expertise and hardware and software
822 capabilities; increased savings through consolidated purchasing
823 decisions; and the enhanced ability to deploy technology
824 improvements and implement new policies consistently throughout
825 the consolidated organization.
826 (2) AGENCY FOR STATE TECHNOLOGY DUTIES.—
827 (a) The agency shall by October 1, 2013, provide to the
828 Governor and Cabinet, recommendations for approving, confirming
829 and removing primary data center designation. The
830 recommendations shall consider the recommendations from the Law
831 Enforcement Consolidations Task Force. Upon approval of the
832 Governor and Cabinet of primary data center designations,
833 existing primary data center designations are repealed by
834 operation of law, and therefore, obsolete.
835 (b) Establish a schedule for the consolidation of state
836 agency data centers or a transition plan for outsourcing data
837 center services, subject to review by the Governor and Cabinet.
838 The schedule or transition plan must be provided by October 1,
839 2013, and be updated annually until the completion of
840 consolidation. The schedule must be based on the goals of
841 maximizing the efficiency and quality of service delivery and
842 cost savings.
843 (3) STATE AGENCY DUTIES.—
844 (a) Any state agency that is consolidating agency data
845 centers into a primary data center must execute a new or update
846 an existing memorandum of understanding or service level
847 agreement within 60 days after the specified consolidation date,
848 as required by s. 282.203, in order to specify the services and
849 levels of service it is to receive from the primary data center
850 as a result of the consolidation. If a state agency is unable to
851 execute a memorandum of understanding by that date, the state
852 agency shall submit a report to the Executive Office of the
853 Governor, the Cabinet, the President of the Senate, and the
854 Speaker of the House of Representatives within 5 working days
855 after that date which explains the specific issues preventing
856 execution and describes its plan and schedule for resolving
857 those issues.
858 (b) On the date of each consolidation specified in general
859 law or the General Appropriations Act, each state agency shall
860 retain the least-privileged administrative access rights
861 necessary to perform the duties not assigned to the primary data
862 centers.
863 (4) SCHEDULE FOR CONSOLIDATIONS OF STATE AGENCY DATA
864 CENTERS.—Consolidations of state agency data centers are
865 suspended for the 2012-2013 fiscal year. Consolidations shall
866 resume during the 2013-2014 fiscal year based upon a revised
867 schedule developed by the agency. The revised schedule shall
868 consider the recommendations from the Law Enforcement
869 Consolidation Task Force. State agency data centers and
870 computing facilities shall be consolidated into the agency by
871 June 30, 2018.
872 Section 9. Section 282.203, Florida Statutes, is amended to
873 read:
874 (Substantial rewording of section. See
875 s. 282.203, Florida Statutes, for current text.)
876 282.203 Primary data centers; duties.—
877 (1) Each primary data center shall:
878 (a) Serve participating state agencies as an information
879 system utility.
880 (b) Cooperate with participating state agencies to offer,
881 develop, and support the services and applications.
882 (c) Provide transparent financial statements to
883 participating state agencies.
884 (d) Assume the least-privileged administrative access
885 rights necessary to perform the services provided by the data
886 center for the software and equipment that is consolidated into
887 a primary data center.
888 (2) Each primary data center shall enter into a memorandum
889 of understanding with each participating state agency to provide
890 services. A memorandum of understanding may not have a term
891 exceeding 3 years but may include an option to renew for up to 3
892 years. Failure to execute a memorandum within 60 days after
893 service commencement shall, in the case of a participating state
894 agency, result in the continuation of the terms of the
895 memorandum of understanding from the previous fiscal year,
896 including any amendments that were formally proposed to the
897 state agency by the primary data center within the 3 months
898 before service commencement, and a revised cost-of-service
899 estimate. If a participating state agency fails to execute a
900 memorandum of understanding within 60 days after service
901 commencement, the data center may cease providing services.
902 Section 10. Section 282.204, Florida Statutes, is repealed.
903 Section 11. Section 282.205, Florida Statutes, is repealed.
904 Section 12. Section 282.33, Florida Statutes, is repealed.
905 Section 13. Section 282.34, Florida Statutes, is amended to
906 read:
907 282.34 Statewide e-mail service.—A statewide e-mail service
908 that includes the delivery and support of e-mail, messaging, and
909 calendaring capabilities is established as an enterprise
910 information technology service as defined in s. 282.0041. The
911 service shall be provisioned designed to meet the needs of all
912 executive branch agencies and may also be used by other public
913 sector nonstate agency entities. The primary goals of the
914 service are to provide a reliable collaborative communication
915 service to state agencies; minimize the state investment
916 required to establish, operate, and support the statewide
917 service; reduce the cost of current e-mail operations and the
918 number of duplicative e-mail systems; and eliminate the need for
919 each state agency to maintain its own e-mail staff.
920 (1) Except as specified in subsection (2), all state
921 agencies shall receive their primary e-mail services exclusively
922 through the Agency for State Technology. The Southwood Shared
923 Resource Center, a primary data center, shall be the provider of
924 the statewide e-mail service for all state agencies. The center
925 shall centrally host, manage, operate, and support the service,
926 or outsource the hosting, management, operational, or support
927 components of the service in order to achieve the primary goals
928 identified in this section.
929 (2) The Department of Legal Affairs shall work with the
930 agency to develop a plan to migrate to the enterprise e-mail
931 service. The plan shall identify the time frame for migration,
932 the associated costs, and the risks. The plan shall be presented
933 to the Governor and Cabinet by December 1, 2014. The Agency for
934 Enterprise Information Technology, in cooperation and
935 consultation with all state agencies, shall prepare and submit
936 for approval by the Legislative Budget Commission at a meeting
937 scheduled before June 30, 2011, a proposed plan for the
938 migration of all state agencies to the statewide e-mail service.
939 The plan for migration must include:
940 (a) A cost-benefit analysis that compares the total
941 recurring and nonrecurring operating costs of the current agency
942 e-mail systems, including monthly mailbox costs, staffing,
943 licensing and maintenance costs, hardware, and other related e
944 mail product and service costs to the costs associated with the
945 proposed statewide e-mail service. The analysis must also
946 include:
947 1. A comparison of the estimated total 7-year life-cycle
948 cost of the current agency e-mail systems versus the feasibility
949 of funding the migration and operation of the statewide e-mail
950 service.
951 2. An estimate of recurring costs associated with the
952 energy consumption of current agency e-mail equipment, and the
953 basis for the estimate.
954 3. An identification of the overall cost savings resulting
955 from state agencies migrating to the statewide e-mail service
956 and decommissioning their agency e-mail systems.
957 (b) A proposed migration date for all state agencies to be
958 migrated to the statewide e-mail service. The Agency for
959 Enterprise Information Technology shall work with the Executive
960 Office of the Governor to develop the schedule for migrating all
961 state agencies to the statewide e-mail service except for the
962 Department of Legal Affairs. The Department of Legal Affairs
963 shall provide to the Agency for Enterprise Information
964 Technology by June 1, 2011, a proposed migration date based upon
965 its decision to participate in the statewide e-mail service and
966 the identification of any issues that require resolution in
967 order to migrate to the statewide e-mail service.
968 (c) A budget amendment, submitted pursuant to chapter 216,
969 for adjustments to each agency’s approved operating budget
970 necessary to transfer sufficient budget resources into the
971 appropriate data processing category to support its statewide e
972 mail service costs.
973 (d) A budget amendment, submitted pursuant to chapter 216,
974 for adjustments to the Southwood Shared Resource Center approved
975 operating budget to include adjustments in the number of
976 authorized positions, salary budget and associated rate,
977 necessary to implement the statewide e-mail service.
978 (3) Contingent upon approval by the Legislative Budget
979 Commission, the Southwood Shared Resource Center may contract
980 for the provision of a statewide e-mail service. Executive
981 branch agencies must be completely migrated to the statewide e
982 mail service based upon the migration date included in the
983 proposed plan approved by the Legislative Budget Commission.
984 (4) Notwithstanding chapter 216, general revenue funds may
985 be increased or decreased for each agency provided the net
986 change to general revenue in total for all agencies is zero or
987 less.
988 (5) Subsequent to the approval of the consolidated budget
989 amendment to reflect budget adjustments necessary to migrate to
990 the statewide e-mail service, an agency may make adjustments
991 subject to s. 216.177, notwithstanding provisions in chapter 216
992 which may require such adjustments to be approved by the
993 Legislative Budget Commission.
994 (6) No agency may initiate a new e-mail service or execute
995 a new e-mail contract or amend a current e-mail contract, other
996 than with the Southwood Shared Resource Center, for nonessential
997 products or services unless the Legislative Budget Commission
998 denies approval for the Southwood Shared Resource Center to
999 enter into a contract for the statewide e-mail service.
1000 (7) The Agency for Enterprise Information Technology shall
1001 work with the Southwood Shared Resource Center to develop an
1002 implementation plan that identifies and describes the detailed
1003 processes and timelines for an agency’s migration to the
1004 statewide e-mail service based on the migration date approved by
1005 the Legislative Budget Commission. The agency may establish and
1006 coordinate workgroups consisting of agency e-mail management,
1007 information technology, budget, and administrative staff to
1008 assist the agency in the development of the plan.
1009 (8) Each executive branch agency shall provide all
1010 information necessary to develop the implementation plan,
1011 including, but not limited to, required mailbox features and the
1012 number of mailboxes that will require migration services. Each
1013 agency must also identify any known business, operational, or
1014 technical plans, limitations, or constraints that should be
1015 considered when developing the plan.
1016 Section 14. Section 282.702, Florida Statutes, is amended
1017 to read:
1018 282.702 Powers and duties.—The Department of Management
1019 Services shall have the following powers, duties, and functions:
1020 (1) To publish electronically the portfolio of services
1021 available from the department, including pricing information;
1022 the policies and procedures governing usage of available
1023 services; and a forecast of the department’s priorities for each
1024 telecommunications service.
1025 (2) To adopt technical standards by rule for the state
1026 telecommunications network which ensure the interconnection and
1027 operational security of computer networks, telecommunications,
1028 and information systems of agencies.
1029 (3) To enter into agreements related to information
1030 technology and telecommunications services with state agencies
1031 and political subdivisions of the state.
1032 (4) To purchase from or contract with information
1033 technology providers for information technology, including
1034 private line services.
1035 (5) To apply for, receive, and hold authorizations,
1036 patents, copyrights, trademarks, service marks, licenses, and
1037 allocations or channels and frequencies to carry out the
1038 purposes of this part.
1039 (6) To purchase, lease, or otherwise acquire and to hold,
1040 sell, transfer, license, or otherwise dispose of real, personal,
1041 and intellectual property, including, but not limited to,
1042 patents, trademarks, copyrights, and service marks.
1043 (7) To cooperate with any federal, state, or local
1044 emergency management agency in providing for emergency
1045 telecommunications services.
1046 (8) To control and approve the purchase, lease, or
1047 acquisition and the use of telecommunications services,
1048 software, circuits, and equipment provided as part of any other
1049 total telecommunications system to be used by the state or its
1050 agencies.
1051 (9) To adopt rules pursuant to ss. 120.536(1) and 120.54
1052 relating to telecommunications and to administer the provisions
1053 of this part.
1054 (10) To apply for and accept federal funds for the purposes
1055 of this part as well as gifts and donations from individuals,
1056 foundations, and private organizations.
1057 (11) To monitor issues relating to telecommunications
1058 facilities and services before the Florida Public Service
1059 Commission and the Federal Communications Commission and, if
1060 necessary, prepare position papers, prepare testimony, appear as
1061 a witness, and retain witnesses on behalf of state agencies in
1062 proceedings before the commissions.
1063 (12) Unless delegated to the state agencies by the
1064 department, to manage and control, but not intercept or
1065 interpret, telecommunications within the SUNCOM Network by:
1066 (a) Establishing technical standards to physically
1067 interface with the SUNCOM Network.
1068 (b) Specifying how telecommunications are transmitted
1069 within the SUNCOM Network.
1070 (c) Controlling the routing of telecommunications within
1071 the SUNCOM Network.
1072 (d) Establishing standards, policies, and procedures for
1073 access to and the security of the SUNCOM Network.
1074 (e) Ensuring orderly and reliable telecommunications
1075 services in accordance with the service level agreements
1076 executed with state agencies.
1077 (13) To plan, design, and conduct experiments for
1078 telecommunications services, equipment, and technologies, and to
1079 implement enhancements in the state telecommunications network
1080 if in the public interest and cost-effective. Funding for such
1081 experiments must be derived from SUNCOM Network service revenues
1082 and may not exceed 2 percent of the annual budget for the SUNCOM
1083 Network for any fiscal year or as provided in the General
1084 Appropriations Act. New services offered as a result of this
1085 subsection may not affect existing rates for facilities or
1086 services.
1087 (14) To enter into contracts or agreements, with or without
1088 competitive bidding or procurement, to make available, on a
1089 fair, reasonable, and nondiscriminatory basis, property and
1090 other structures under departmental control for the placement of
1091 new facilities by any wireless provider of mobile service as
1092 defined in 47 U.S.C. s. 153(27) or s. 332(d) and any
1093 telecommunications company as defined in s. 364.02 if it is
1094 practical and feasible to make such property or other structures
1095 available. The department may, without adopting a rule, charge a
1096 just, reasonable, and nondiscriminatory fee for the placement of
1097 the facilities, payable annually, based on the fair market value
1098 of space used by comparable telecommunications facilities in the
1099 state. The department and a wireless provider or
1100 telecommunications company may negotiate the reduction or
1101 elimination of a fee in consideration of services provided to
1102 the department by the wireless provider or telecommunications
1103 company. All such fees collected by the department shall be
1104 deposited directly into the Law Enforcement Radio Operating
1105 Trust Fund, and may be used by the department to construct,
1106 maintain, or support the system.
1107 (15) Establish policies that ensure that the department’s
1108 cost-recovery methodologies, billings, receivables,
1109 expenditures, budgeting, and accounting data are captured and
1110 reported timely, consistently, accurately, and transparently and
1111 are in compliance with all applicable federal and state laws and
1112 rules. The department shall annually submit to the Governor, the
1113 President of the Senate, and the Speaker of the House of
1114 Representatives a report that describes each service and its
1115 cost, the billing methodology for recovering the cost of the
1116 service, and, if applicable, the identity of those services that
1117 are subsidized.
1118 (16) Develop a plan for statewide voice-over-Internet
1119 protocol services. The plan shall include cost estimates and the
1120 estimated return on investment. The plan shall be submitted to
1121 the Governor, the Cabinet, the President of the Senate, and the
1122 Speaker of the House of Representatives by June 30, 2013.
1123 (17) The department shall produce a feasibility analysis by
1124 January 1, 2013, of the options for procuring end-to-end network
1125 services, including services provided by the statewide area
1126 network, metropolitan area networks, and local area networks,
1127 which may be provided by each state agency. The scope of this
1128 service does not include wiring or file and print server
1129 infrastructure. The feasibility analysis must determine the
1130 technical and economic feasibility of using existing resources
1131 and infrastructure that are owned or used by state entities in
1132 the provision or receipt of network services in order to reduce
1133 the cost of network services for the state. At a minimum, the
1134 feasibility analysis must include:
1135 (a) A definition and assessment of the current portfolio of
1136 services, the network services that are provided by each state
1137 agency, and a forecast of anticipated changes in network service
1138 needs which considers specific state agency business needs and
1139 the implementation of enterprise services established under this
1140 chapter.
1141 (b) A description of any limitations or enhancements in the
1142 network, including any technical or logistical challenges
1143 relating to the central provisioning of local area network
1144 services currently provided and supported by each state agency.
1145 The analysis must also address changes in usage patterns which
1146 can reasonably be expected due to the consolidation of state
1147 agency data centers or the specific business needs of state
1148 agencies and other service customers.
1149 (c) An analysis and comparison of the risks associated with
1150 the current service delivery models and at least two other
1151 options that leverage the existing resources and infrastructure
1152 identified in this subsection. Options may include multi-vendor
1153 and segmented contracting options. All sourcing options must
1154 produce a service that can be used by schools and other
1155 qualified entities that seek federal grants provided through the
1156 Universal Service Fund Program.
1157 (d) A cost-benefit analysis that estimates all major cost
1158 elements associated with each sourcing option, focusing on the
1159 nonrecurring and recurring life-cycle costs of the proposal in
1160 order to determine the financial feasibility of each sourcing
1161 option. The cost-benefit analysis must include:
1162 1. The total recurring operating costs of the proposed
1163 state network service including estimates of monthly charges,
1164 staffing, billing, licenses and maintenance, hardware, and other
1165 related costs.
1166 2. An estimate of nonrecurring costs associated with
1167 construction, transmission lines, premises and switching
1168 hardware purchase and installation, and required software based
1169 on the proposed solution.
1170 3. An estimate of other critical costs associated with the
1171 current and proposed sourcing options for the state network.
1172 (e) Recommendations for reducing current costs associated
1173 with statewide network services. The department shall consider
1174 the following in developing the recommendations:
1175 1. Leveraging existing resources and expertise.
1176 2. Standardizing service-level agreements to customer
1177 entities in order to maximize capacity and availability.
1178 (f) A detailed timeline for the complete procurement and
1179 transition to a more efficient and cost-effective solution.
1180 Section 15. Paragraph (e) of subsection (2) of section
1181 110.205, Florida Statutes, is amended to read:
1182 110.205 Career service; exemptions.—
1183 (2) EXEMPT POSITIONS.—The exempt positions that are not
1184 covered by this part include the following:
1185 (e) The executive director of Chief Information Officer in
1186 the Agency for State Enterprise Information Technology. Unless
1187 otherwise fixed by law, the Governor and Cabinet Agency for
1188 Enterprise Information Technology shall set the salary and
1189 benefits of this position in accordance with the rules of the
1190 Senior Management Service.
1191 Section 16. Subsections (2) and (9) of section 215.322,
1192 Florida Statutes, are amended to read:
1193 215.322 Acceptance of credit cards, charge cards, debit
1194 cards, or electronic funds transfers by state agencies, units of
1195 local government, and the judicial branch.—
1196 (2) A state agency as defined in s. 216.011, or the
1197 judicial branch, may accept credit cards, charge cards, debit
1198 cards, or electronic funds transfers in payment for goods and
1199 services with the prior approval of the Chief Financial Officer.
1200 If the Internet or other related electronic methods are to be
1201 used as the collection medium, the Agency for State Enterprise
1202 Information Technology shall review and recommend to the Chief
1203 Financial Officer whether to approve the request with regard to
1204 the process or procedure to be used.
1205 (9) For payment programs in which credit cards, charge
1206 cards, or debit cards are accepted by state agencies, the
1207 judicial branch, or units of local government, the Chief
1208 Financial Officer, in consultation with the Agency for State
1209 Enterprise Information Technology, may adopt rules to establish
1210 uniform security safeguards for cardholder data and to ensure
1211 compliance with the Payment Card Industry Data Security
1212 Standards.
1213 Section 17. Subsections (3), (4), (5), and (6) of section
1214 282.318, Florida Statutes, are amended to read:
1215 282.318 Enterprise security of data and information
1216 technology.—
1217 (3) The Agency for State Enterprise Information Technology
1218 is responsible for establishing rules and publishing guidelines
1219 for ensuring an appropriate level of security for all data and
1220 information technology resources for executive branch agencies.
1221 The agency shall also perform the following duties and
1222 responsibilities:
1223 (a) Develop, and annually update by February 1, an
1224 enterprise information security strategic plan that includes
1225 security goals and objectives for the strategic issues of
1226 information security policy, risk management, training, incident
1227 management, and survivability planning.
1228 (b) Develop enterprise security rules and published
1229 guidelines for:
1230 1. Comprehensive risk analyses and information security
1231 audits conducted by state agencies.
1232 2. Responding to suspected or confirmed information
1233 security incidents, including suspected or confirmed breaches of
1234 personal information or exempt data.
1235 3. Agency security plans, including strategic security
1236 plans and security program plans.
1237 4. The recovery of information technology and data
1238 following a disaster.
1239 5. The managerial, operational, and technical safeguards
1240 for protecting state government data and information technology
1241 resources.
1242 (c) Assist agencies in complying with the provisions of
1243 this section.
1244 (d) Pursue appropriate funding for the purpose of enhancing
1245 domestic security.
1246 (e) Provide training for agency information security
1247 managers.
1248 (f) Annually review the strategic and operational
1249 information security plans of executive branch agencies.
1250 (4) To assist the Agency for State Enterprise Information
1251 Technology in carrying out its responsibilities, each state
1252 agency head shall, at a minimum:
1253 (a) Designate an information security manager to administer
1254 the security program of the state agency for its data and
1255 information technology resources. This designation must be
1256 provided annually in writing to the Agency for State Enterprise
1257 Information Technology by January 1.
1258 (b) Annually submit to the Agency for State Enterprise
1259 Information Technology annually by July 31, the state agency’s
1260 comprehensive strategic and operational information security
1261 plans developed pursuant to the rules and guidelines established
1262 by the Agency for State Enterprise Information Technology.
1263 1. The state agency comprehensive strategic information
1264 security plan must cover a 3-year period and define security
1265 goals, intermediate objectives, and projected agency costs for
1266 the strategic issues of agency information security policy, risk
1267 management, security training, security incident response, and
1268 survivability. The plan must be based on the enterprise
1269 strategic information security plan created by the Agency for
1270 State Enterprise Information Technology. Additional issues may
1271 be included.
1272 2. The state agency operational information security plan
1273 must include a progress report for the prior operational
1274 information security plan and a project plan that includes
1275 activities, timelines, and deliverables for security objectives
1276 that, subject to current resources, the state agency will
1277 implement during the current fiscal year. The cost of
1278 implementing the portions of the plan which cannot be funded
1279 from current resources must be identified in the plan.
1280 (c) Conduct, and update every 3 years, a comprehensive risk
1281 analysis to determine the security threats to the data,
1282 information, and information technology resources of the state
1283 agency. The risk analysis information is confidential and exempt
1284 from the provisions of s. 119.07(1), except that such
1285 information shall be available to the Auditor General and the
1286 Agency for State Enterprise Information Technology for
1287 performing postauditing duties.
1288 (d) Develop, and periodically update, written internal
1289 policies and procedures that, which include procedures for
1290 notifying the Agency for State Enterprise Information Technology
1291 when a suspected or confirmed breach, or an information security
1292 incident, occurs. Such policies and procedures must be
1293 consistent with the rules and guidelines established by the
1294 Agency for State Enterprise Information Technology to ensure the
1295 security of the data, information, and information technology
1296 resources of the state agency. The internal policies and
1297 procedures that, if disclosed, could facilitate the unauthorized
1298 modification, disclosure, or destruction of data or information
1299 technology resources are confidential information and exempt
1300 from s. 119.07(1), except that such information shall be
1301 available to the Auditor General and the Agency for State
1302 Enterprise Information Technology for performing postauditing
1303 duties.
1304 (e) Implement appropriate cost-effective safeguards to
1305 address identified risks to the data, information, and
1306 information technology resources of the state agency.
1307 (f) Ensure that periodic internal audits and evaluations of
1308 the state agency’s security program for the data, information,
1309 and information technology resources of the state agency are
1310 conducted. The results of such audits and evaluations are
1311 confidential information and exempt from s. 119.07(1), except
1312 that such information shall be available to the Auditor General
1313 and the Agency for State Enterprise Information Technology for
1314 performing postauditing duties.
1315 (g) Include appropriate security requirements in the
1316 written specifications for the solicitation of information
1317 technology and information technology resources and services,
1318 which are consistent with the rules and guidelines established
1319 by the Agency for State Enterprise Information Technology.
1320 (h) Provide security awareness training to employees and
1321 users of the state agency’s communication and information
1322 resources concerning information security risks and the
1323 responsibility of employees and users to comply with policies,
1324 standards, guidelines, and operating procedures adopted by the
1325 state agency to reduce those risks.
1326 (i) Develop a process for detecting, reporting, and
1327 responding to suspected or confirmed security incidents,
1328 including suspected or confirmed breaches consistent with the
1329 security rules and guidelines established by the Agency for
1330 State Enterprise Information Technology.
1331 1. Suspected or confirmed information security incidents
1332 and breaches must be immediately reported to the Agency for
1333 State Enterprise Information Technology.
1334 2. For incidents involving breaches, agencies shall provide
1335 notice in accordance with s. 817.5681 and to the Agency for
1336 State Enterprise Information Technology in accordance with this
1337 subsection.
1338 (5) Each state agency shall include appropriate security
1339 requirements in the specifications for the solicitation of
1340 contracts for procuring information technology or information
1341 technology resources or services which are consistent with the
1342 rules and guidelines established by the Agency for State
1343 Enterprise Information Technology.
1344 (6) The Agency for State Enterprise Information Technology
1345 may adopt rules relating to information security and to
1346 administer the provisions of this section.
1347 Section 18. Subsection (14) of section 287.012, Florida
1348 Statutes, is amended to read:
1349 287.012 Definitions.—As used in this part, the term:
1350 (14) “Information technology” means, but is not limited to,
1351 equipment, hardware, software, mainframe maintenance, firmware,
1352 programs, systems, networks, infrastructure, media, and related
1353 material used to automatically, electronically, and wirelessly
1354 collect, receive, access, transmit, display, store, record,
1355 retrieve, analyze, evaluate, process, classify, manipulate,
1356 manage, assimilate, control, communicate, exchange, convert,
1357 converge, interface, switch, or disseminate information of any
1358 kind or form has the meaning ascribed in s. 282.0041.
1359 Section 19. Subsection (22) of section 287.057, Florida
1360 Statutes, is amended to read:
1361 287.057 Procurement of commodities or contractual
1362 services.—
1363 (22) The department, in consultation with the Agency for
1364 State Enterprise Information Technology and the Chief Financial
1365 Officer Comptroller, shall develop a program for online
1366 procurement of commodities and contractual services. To enable
1367 the state to promote open competition and to leverage its buying
1368 power, agencies shall participate in the online procurement
1369 program, and eligible users may participate in the program. Only
1370 vendors prequalified as meeting mandatory requirements and
1371 qualifications criteria may participate in online procurement.
1372 (a) The department, in consultation with the agency, may
1373 contract for equipment and services necessary to develop and
1374 implement online procurement.
1375 (b) The department, in consultation with the agency, shall
1376 adopt rules, pursuant to ss. 120.536(1) and 120.54, to
1377 administer the program for online procurement. The rules shall
1378 include, but not be limited to:
1379 1. Determining the requirements and qualification criteria
1380 for prequalifying vendors.
1381 2. Establishing the procedures for conducting online
1382 procurement.
1383 3. Establishing the criteria for eligible commodities and
1384 contractual services.
1385 4. Establishing the procedures for providing access to
1386 online procurement.
1387 5. Determining the criteria warranting any exceptions to
1388 participation in the online procurement program.
1389 (c) The department may impose and shall collect all fees
1390 for the use of the online procurement systems.
1391 1. The fees may be imposed on an individual transaction
1392 basis or as a fixed percentage of the cost savings generated. At
1393 a minimum, the fees must be set in an amount sufficient to cover
1394 the projected costs of the services, including administrative
1395 and project service costs in accordance with the policies of the
1396 department.
1397 2. If the department contracts with a provider for online
1398 procurement, the department, pursuant to appropriation, shall
1399 compensate the provider from the fees after the department has
1400 satisfied all ongoing costs. The provider shall report
1401 transaction data to the department each month so that the
1402 department may determine the amount due and payable to the
1403 department from each vendor.
1404 3. All fees that are due and payable to the state on a
1405 transactional basis or as a fixed percentage of the cost savings
1406 generated are subject to s. 215.31 and must be remitted within
1407 40 days after receipt of payment for which the fees are due. For
1408 fees that are not remitted within 40 days, the vendor shall pay
1409 interest at the rate established under s. 55.03(1) on the unpaid
1410 balance from the expiration of the 40-day period until the fees
1411 are remitted.
1412 4. All fees and surcharges collected under this paragraph
1413 shall be deposited in the Operating Trust Fund as provided by
1414 law.
1415 Section 20. Subsection (4) of section 445.011, Florida
1416 Statutes, is amended to read:
1417 445.011 Workforce information systems.—
1418 (4) Workforce Florida, Inc., shall coordinate development
1419 and implementation of workforce information systems with the
1420 executive director of the Agency for State Enterprise
1421 Information Technology to ensure compatibility with the state’s
1422 information system strategy and enterprise architecture.
1423 Section 21. Subsection (2) and paragraphs (a) and (b) of
1424 subsection (4) of section 445.045, Florida Statutes, are amended
1425 to read:
1426 445.045 Development of an Internet-based system for
1427 information technology industry promotion and workforce
1428 recruitment.—
1429 (2) Workforce Florida, Inc., shall coordinate with the
1430 Agency for State Enterprise Information Technology and the
1431 Department of Economic Opportunity to ensure links, where
1432 feasible and appropriate, to existing job information websites
1433 maintained by the state and state agencies and to ensure that
1434 information technology positions offered by the state and state
1435 agencies are posted on the information technology website.
1436 (4)(a) Workforce Florida, Inc., shall coordinate
1437 development and maintenance of the website under this section
1438 with the executive director of the Agency for State Enterprise
1439 Information Technology to ensure compatibility with the state’s
1440 information system strategy and enterprise architecture.
1441 (b) Workforce Florida, Inc., may enter into an agreement
1442 with the Agency for State Enterprise Information Technology, the
1443 Department of Economic Opportunity, or any other public agency
1444 with the requisite information technology expertise for the
1445 provision of design, operating, or other technological services
1446 necessary to develop and maintain the website.
1447 Section 22. Paragraph (b) of subsection (18) of section
1448 668.50, Florida Statutes, is amended to read:
1449 668.50 Uniform Electronic Transaction Act.—
1450 (18) ACCEPTANCE AND DISTRIBUTION OF ELECTRONIC RECORDS BY
1451 GOVERNMENTAL AGENCIES.—
1452 (b) To the extent that a governmental agency uses
1453 electronic records and electronic signatures under paragraph
1454 (a), the Agency for State Enterprise Information Technology, in
1455 consultation with the governmental agency, giving due
1456 consideration to security, may specify:
1457 1. The manner and format in which the electronic records
1458 must be created, generated, sent, communicated, received, and
1459 stored and the systems established for those purposes.
1460 2. If electronic records must be signed by electronic
1461 means, the type of electronic signature required, the manner and
1462 format in which the electronic signature must be affixed to the
1463 electronic record, and the identity of, or criteria that must be
1464 met by, any third party used by a person filing a document to
1465 facilitate the process.
1466 3. Control processes and procedures as appropriate to
1467 ensure adequate preservation, disposition, integrity, security,
1468 confidentiality, and auditability of electronic records.
1469 4. Any other required attributes for electronic records
1470 which are specified for corresponding nonelectronic records or
1471 reasonably necessary under the circumstances.
1472 Section 23. This act shall take effect July 1, 2012.