Florida Senate - 2012 SENATOR AMENDMENT
Bill No. CS for HB 5509
Barcode 888418
LEGISLATIVE ACTION
Senate: Floor: 1/R/2R, 03/09/2012 06:43 PM
House: (no entry)
Senator Ring moved the following:
1 Senate Amendment (with title amendment)
2
3 Delete everything after the enacting clause
4 and insert:
5 Section 1. (1) The Agency for Enterprise Information
6 Technology is abolished.
7 (2) All of the powers, duties, functions, records,
8 personnel, and property; funds, trust funds, and unexpended
9 balances of appropriations, allocations, and other funds;
10 administrative authority; administrative rules; pending issues;
11 and existing contracts of the Agency for Enterprise Information
12 Technology are transferred by a type two transfer, pursuant to
13 s. 20.06(2), Florida Statutes, to the Agency for State
14 Technology.
15 Section 2. (1) The portions of the Technology Program
16 established under section 20.22(2), Florida Statutes, and
17 identified in the approved plan defined in s. 282.0055(2),
18 Florida Statutes, shall transfer by a type one transfer, as
19 defined in s. 20.06(1), Florida Statutes, from the Department of
20 Management Services to the Agency for State Technology no later
21 than June 30, 2014.
22 (2) The Northwood Shared Resource Center is transferred by
23 a type one transfer, as defined in s. 20.06(1), Florida
24 Statutes, from the Department of Management Services to the
25 Agency for State Technology.
26 (a) Any binding contract or interagency agreement entered
27 into between the Northwood Shared Resource Center, or an entity
28 or agent of the center, and any other agency, entity, or person
29 is binding on the Agency for State Technology for the remainder
30 of the term of such contract or agreement.
31 (b) The rules of the Northwood Shared Resource Center which
32 were in effect at 11:59 p.m. on June 30, 2012, become rules of
33 the Agency for State Technology and remain in effect until
34 amended or repealed in the manner provided by law.
35 (3) The Southwood Shared Resource Center is transferred by
36 a type one transfer, as defined in s. 20.06(1), Florida
37 Statutes, from the Department of Management Services to the
38 Agency for State Technology.
39 (a) Any binding contract or interagency agreement entered
40 into between the Southwood Shared Resource Center or an entity
41 or agent of the center and any other agency, entity, or person
42 is binding on the Agency for State Technology for the remainder
43 of the term of such contract or agreement.
44 (b) The rules of the Southwood Shared Resource Center which
45 were in effect at 11:59 p.m. on June 30, 2012, become rules of
46 the Agency for State Technology and remain in effect until
47 amended or repealed in the manner provided by law.
48 Section 3. Section 14.204, Florida Statutes, is repealed.
49 Section 4. Section 20.70, Florida Statutes, is created to
50 read:
51 20.70 Agency for State Technology.—The Agency for State
52 Technology is created.
53 (1) The head of the agency shall be the Governor and
54 Cabinet.
55 (2) The agency shall have an executive director who is the
56 state’s Chief Information Officer and who must:
57 (a) Have at least a bachelor’s degree in computer science,
58 information systems, business or public administration, or a
59 related field, or equivalent work experience;
60 (b) Have 10 or more years of experience working in the
61 field of information technology;
62 (c) Have 5 or more years of experience in related industry
63 managing multiple, large, cross-functional teams or projects,
64 and influencing senior-level management and key stakeholders;
65 (d) Have at least 5 years of executive-level leadership
66 responsibilities;
67 (e) Have performed an integral role in enterprise-wide
68 information technology consolidations;
69 (f) Be appointed by the Governor, subject to confirmation
70 by the Cabinet and the Senate, and shall serve at the pleasure
71 of the Governor and Cabinet.
72 (3) The executive director:
73 (a) Shall be responsible for developing and administering a
74 comprehensive long-range plan for the state’s information
75 technology resources, ensuring the proper management of such
76 resources, and delivering services.
77 (b) Shall appoint a Chief Technology Officer to lead the
78 divisions of the agency dedicated to the operation and delivery
79 of enterprise information technology services.
80 (c) Shall appoint a Chief Operations Officer to lead the
81 divisions of the agency dedicated to enterprise information
82 technology policy, planning, standards, and procurement.
83 (d) Shall designate a state Chief Information Security
84 Officer.
85 (e) May appoint all employees necessary to carry out the
86 duties and responsibilities of the agency.
87 (4) The Agency for State Technology is prohibited from
88 using, and executives of the agency are prohibited from
89 directing spending from, operational information technology
90 trust funds, as defined in 282.0041, F.S., for any purpose for
91 which the Strategic Information Technology Trust Fund was
92 established.
93 (5) The following officers and divisions of the agency are
94 established:
95 (a) Under the Chief Technology Officer:
96 1. Upon transfer of any portion of the Technology Program from
97 the Department of Management Services to the agency, there shall
98 be a Division of Telecommunications.
99 2. The Division of Data Center Operations which includes,
100 but is not limited to, any shared resource center established or
101 operated by the agency.
102 (b) Under the Chief Operations Officer:
103 1. Strategic Planning.
104 2. Enterprise Information Technology Standards.
105 a. Enterprise Information Technology Procurement.
106 b. Information Technology Security and Compliance.
107 3. Enterprise Services Planning and Consolidation.
108 4. Enterprise Project Management.
109 (c) Under the Director of Administration:
110 1. Accounting and Budgeting.
111 2. Personnel.
112 3. Procurement and Contracts.
113 (d) Under the Office of the Executive Director:
114 1. Inspector General.
115 2. Legal.
116 3. Governmental Affairs.
117 (6) The agency shall operate in a manner that ensures the
118 participation and representation of state agencies.
119 (7) The agency shall have the following duties and
120 responsibilities. The agency shall:
121 (a) Develop and publish a long-term State Information
122 Technology Resources Strategic Plan.
123 (b) Initiate, plan, design, implement, and manage
124 enterprise information technology services.
125 (c) Beginning October 1, 2012, and every 3 months
126 thereafter, provide a status report on its initiatives. The
127 report shall be presented at a meeting of the Governor and
128 Cabinet.
129 (d) Beginning September 1, 2013, and every 3 months
130 thereafter until enterprise information technology service
131 consolidations are complete, provide a status report on the
132 implementation of the consolidations that must be completed
133 during the fiscal year. The report shall be submitted to the
134 Executive Office of the Governor, the Cabinet, the President of
135 the Senate, and the Speaker of the House of Representatives. At
136 a minimum, the report must describe:
137 1. Whether the consolidation is on schedule, including
138 progress on achieving the milestones necessary for successful
139 and timely consolidation of scheduled agency data centers and
140 computing facilities; and
141 2. The risks that may affect the progress or outcome of the
142 consolidation and how such risks are being mitigated or managed.
143 (e) Set technical standards for information technology,
144 including, but not limited to, desktop computers, printers, and
145 mobile devices; review major information technology projects and
146 procurements; establish information technology security
147 standards; provide for the procurement of information technology
148 resources, excluding human resources; and deliver enterprise
149 information technology services as defined in s. 282.0041.
150 (f) Designate primary data centers and shared resource
151 centers.
152 (g) Operate shared resource centers in a manner that
153 promotes energy efficiency.
154 (h) Establish and deliver enterprise information technology
155 services to serve state agencies on a cost-sharing basis,
156 charging each state agency its proportionate share of the cost
157 of maintaining and delivering a service based on a state
158 agency’s use of the service.
159 (i) Use the following criteria to develop a means of
160 chargeback for primary data center services:
161 1. The customers of the primary data center shall provide
162 payments to the primary data center which are sufficient to
163 maintain the solvency of the primary data center operation for
164 the costs not directly funded through the General Appropriations
165 Act.
166 2. Per unit cost of usage shall be the primary basis for
167 pricing, and usage must be accurately measurable and
168 attributable to the appropriate customer.
169 3. The primary data center shall combine the aggregate
170 purchasing power of large and small customers to achieve
171 collective savings opportunities to all customers.
172 4. Chargeback methodologies shall be devised to consider
173 restrictions on grants to customers.
174 5. Chargeback methodologies should establish incentives
175 that lead to customer usage practices that result in lower costs
176 to the state.
177 6. Chargeback methodologies must consider technological
178 change when:
179 a. New services require short-term investments before
180 achieving long-term, full cost recovery for the service.
181 b. Customers of antiquated services may not be able to bear
182 the costs for the antiquated services during periods when
183 customers are migrating to replacement services.
184 7. Prices may be established which allow for accrual of
185 cash balances for the purpose of maintaining contingent
186 operating funds and funding planned capital investments. Accrual
187 of the cash balances shall be considered costs for the purposes
188 of this section.
189 8. Flat rate charges may be used only if there are
190 provisions for reconciling charges to comport with actual costs
191 and use.
192 (i) Exercise technical and fiscal prudence in determining
193 the best way to deliver enterprise information technology
194 services.
195 (j) Collect and maintain an inventory of the information
196 technology resources in the state agencies.
197 (k) Assume ownership or custody and control of information
198 processing equipment, supplies, and positions required in order
199 to thoroughly carry out the agency’s duties and
200 responsibilities.
201 (l) Adopt rules and policies for the efficient, secure, and
202 economical management and operation of the shared resource
203 centers and state telecommunications services.
204 (m) Provide other public sector organizations as defined in
205 s. 282.0041 with access to the services provided by the agency.
206 Access shall be provided on the same cost basis that applies to
207 state agencies.
208 (n) Ensure that data that is confidential under state or
209 federal law is not entered into or processed through any shared
210 resource center or network established under the agency until
211 the agency head and the executive director of the agency are
212 satisfied that safeguards for the data’s security have been
213 properly designed, installed, and tested and are fully
214 operational. This paragraph does not prescribe what actions
215 necessary to satisfy a state agency’s objectives are to be
216 undertaken or remove from the control and administration of the
217 state agency the responsibility for working with the agency to
218 implement safeguards, whether such control and administration
219 are specifically required by general law or administered under
220 the general program authority and responsibility of the state
221 agency. If the agency head and executive director of the agency
222 cannot reach agreement on satisfactory safeguards, the issue
223 shall be decided by the Governor and Cabinet.
224 (o) Conduct periodic assessments of state agencies for
225 compliance with statewide information technology policies and
226 recommend to the Governor and Cabinet statewide policies for
227 information technology.
228 (8) The agency may not use or direct the spending of
229 operational information technology trust funds to study and
230 develop enterprise information technology strategies, plans,
231 rules, reports, policies, proposals, budgets, or enterprise
232 information technology initiatives that are not directly related
233 to developing information technology services for which usage
234 fees reimburse the costs of the initiative. As used in this
235 subsection, the term “operational information technology trust
236 funds” means funds into which deposits are made on a fee-for-service
237 basis or a trust fund dedicated to a specific
238 information technology project or system.
239 (9) The portions of the agency’s activities described in
240 subsection (8) for which usage fees do not reimburse costs of
241 the activity shall be funded at a rate of 0.55% of the total
242 identified information technology spend through
243 MyFloridaMarketPlace.
244 (10) The agency may adopt rules to carry out its duties and
245 responsibilities.
246 Section 5. Section 282.0041, Florida Statutes, is amended to
247 read:
248 282.0041 Definitions.—As used in this chapter, the term:
249 (1) “Agency” has the same meaning as in s. 216.011(1)(qq),
250 except that for purposes of this chapter, “agency” does not
251 include university boards of trustees or state universities.
252 (1)(2) “Agency for State Enterprise Information Technology”
253 or “agency” means the agency created in s. 20.70 14.204.
254 (2)(3) “Agency information technology service” means a
255 service that directly helps a state an agency fulfill its
256 statutory or constitutional responsibilities and policy
257 objectives and is usually associated with the state agency’s
258 primary or core business functions.
259 (4) “Annual budget meeting” means a meeting of the board of
260 trustees of a primary data center to review data center usage to
261 determine the apportionment of board members for the following
262 fiscal year, review rates for each service provided, and
263 determine any other required changes.
264 (3)(5) “Breach” has the same meaning as in s. 817.5681(4).
265 (4)(6) “Business continuity plan” means a plan for disaster
266 recovery which provides for the continued functioning of a
267 primary data center during and after a disaster.
268 (5) “Collocation” means the method by which a state
269 agency’s data center occupies physical space within a shared
270 resource center where physical floor space, bandwidth, power,
271 cooling, and physical security are available for an equitable
272 usage rate and minimal complexity, and allow for the sustained
273 management and oversight of the collocating agency’s information
274 technology resources as well as physical and logical database
275 administration by the collocating agency’s staff.
276 (6)(7) “Computing facility” means a state agency site space
277 containing fewer than a total of 10 physical or logical servers,
278 any of which supports a strategic or nonstrategic information
279 technology service, as described in budget instructions
280 developed pursuant to s. 216.023, but excluding
281 telecommunications and voice gateways and a clustered pair of
282 servers operating as a single logical server to provide file,
283 print, security, and endpoint management services single,
284 logical-server installations that exclusively perform a utility
285 function such as file and print servers.
286 (7) “Computing service” means an information technology
287 service that is used in all state agencies or a subset of
288 agencies and is, therefore, a candidate for being established as
289 an enterprise information technology service. Examples include
290 e-mail, service hosting, telecommunications, and disaster
291 recovery.
292 (8) “Customer entity” means an entity that obtains services
293 from a primary data center.
294 (8)(9) “Data center” means a state agency site space
295 containing 10 or more physical or logical servers any of which
296 supports a strategic or nonstrategic information technology
297 service, as described in budget instructions developed pursuant
298 to s. 216.023.
299 (10) “Department” means the Department of Management
300 Services.
301 (9)(11) “Enterprise information technology service” means
302 an information technology service that is used in all state
303 agencies or a subset of state agencies and is designated by the
304 agency or established in law to be designed, delivered, and
305 managed at the enterprise level. Current enterprise information
306 technology services include data center services, e-mail, and
307 security.
308 (10)(12) “E-mail, messaging, and calendaring service” means
309 the enterprise information technology service that enables users
310 to send, receive, file, store, manage, and retrieve electronic
311 messages, attachments, appointments, and addresses. The e-mail,
312 messaging, and calendaring service must include e-mail account
313 management; help desk; technical support and user provisioning
314 services; disaster recovery and backup and restore capabilities;
315 antispam and antivirus capabilities; archiving and e-discovery;
316 and remote access and mobile messaging capabilities.
317 (11)(13) “Information-system utility” means an information
318 processing a full-service information-processing facility
319 offering hardware, software, operations, integration,
320 networking, floor space, and consulting services.
321 (12)(14) “Information technology resources” means
322 equipment, hardware, software, firmware, programs, systems,
323 networks, infrastructure, media, and related material used to
324 automatically, electronically, and wirelessly collect, receive,
325 access, transmit, display, store, record, retrieve, analyze,
326 evaluate, process, classify, manipulate, manage, assimilate,
327 control, communicate, exchange, convert, converge, interface,
328 switch, or disseminate information of any kind or form, and
329 includes the human resources to perform such duties, but
330 excludes application developers and logical database
331 administrators.
332 (13) “Local area network” means any telecommunications
333 network through which messages and data are exchanged strictly
334 within a single building or contiguous campus.
335 (14)(15) “Information technology policy” means statements
336 that describe clear choices for how information technology will
337 deliver effective and efficient government services to residents
338 and improve state agency operations. A policy may relate to
339 investments, business applications, architecture, or
340 infrastructure. A policy describes its rationale, implications
341 of compliance or noncompliance, the timeline for implementation,
342 metrics for determining compliance, and the accountable
343 structure responsible for its implementation.
344 (15) “Logical database administration” means the resources
345 required to build and maintain database structure, implement and
346 maintain role-based data access controls, and perform
347 performance optimization of data queries and includes the
348 manipulation, transformation, modification, and maintenance of
349 data within a logical database. Typical tasks include schema
350 design and modifications, user provisioning, query tuning, index
351 and statistics maintenance, and data import, export, and
352 manipulation.
353 (16) “Memorandum of understanding” means a written
354 agreement between a shared resource center or the Division of
355 Telecommunications in the agency and a state agency which
356 specifies the scope of services provided, service level,
357 duration of the agreement, responsible parties, and service
358 costs. A memorandum of understanding is not a rule pursuant to
359 chapter 120.
360 (17) “Other public sector organizations” means entities of
361 the legislative and judicial branches, the State University
362 System, the Florida Community College System, counties, and
363 municipalities. Such organizations may elect to participate in
364 the information technology programs, services, or contracts
365 offered by the Agency for State Technology, including
366 information technology procurement, in accordance with general
367 law, policies, and administrative rules.
368 (18)(16) “Performance metrics” means the measures of an
369 organization’s activities and performance.
370 (19) “Physical database administration” means the resources
371 responsible for installing, maintaining, and operating an
372 environment within which a database is hosted. Typical tasks
373 include database engine installation, configuration, and
374 security patching, as well as performing backup and restoration
375 of hosted databases, setup and maintenance of instance-based
376 data replication, and monitoring the health and performance of
377 the database environment.
378 (20)(17) “Primary data center” means a data center that is
379 a recipient entity for consolidation of state agency information
380 technology resources nonprimary data centers and computing
381 facilities and that is established by law.
382 (21)(18) “Project” means an endeavor that has a defined
383 start and end point; is undertaken to create or modify a unique
384 product, service, or result; and has specific objectives that,
385 when attained, signify completion.
386 (22)(19) “Risk analysis” means the process of identifying
387 security risks, determining their magnitude, and identifying
388 areas needing safeguards.
389 (23)(20) “Service level” means the key performance
390 indicators (KPI) of an organization or service which must be
391 regularly performed, monitored, and achieved.
392 (21) “Service-level agreement” means a written contract
393 between a data center and a customer entity which specifies the
394 scope of services provided, service level, the duration of the
395 agreement, the responsible parties, and service costs. A
396 service-level agreement is not a rule pursuant to chapter 120.
397 (24) “Shared resource center” means a primary data center
398 that has been designated and assigned specific duties under this
399 chapter or by the Agency for State Technology under s. 20.70.
400 (25)(22) “Standards” means required practices, controls,
401 components, or configurations established by an authority.
402 (26) “State agency” means any official, officer,
403 commission, board, authority, council, committee, or department
404 of the executive branch of state government. The term does not
405 include university boards of trustees or state universities.
406 (27) “State agency site” means a single, contiguous local
407 area network segment that does not traverse a metropolitan area
408 network or wide area network.
409 (28)(23) “SUNCOM Network” means the state enterprise
410 telecommunications system that provides all methods of
411 electronic or optical telecommunications beyond a single
412 building or contiguous building complex and used by entities
413 authorized as network users under this part.
414 (29)(24) “Telecommunications” means the science and
415 technology of communication at a distance, including electronic
416 systems used in the transmission or reception of information.
417 (30)(25) “Threat” means any circumstance or event that may
418 cause harm to the integrity, availability, or confidentiality of
419 information technology resources.
420 (31)(26) “Total cost” means all costs associated with
421 information technology projects or initiatives, including, but
422 not limited to, value of hardware, software, service,
423 maintenance, incremental personnel, and facilities. Total cost
424 of a loan or gift of information technology resources to a state
425 an agency includes the fair market value of the resources.
426 (32)(27) “Usage” means the billing amount charged by the
427 primary data center, less any pass-through charges, to the state
428 agency customer entity.
429 (33)(28) “Usage rate” means a state agency’s customer
430 entity’s usage or billing amount as a percentage of total usage.
431 (34) “Wide area network” means any telecommunications
432 network or components thereof through which messages and data
433 are exchanged outside of a local area network.
434 Section 6. Section 282.0055, Florida Statutes, is amended
435 to read:
436 (Substantial rewording of section. See
437 s. 282.0055, Florida Statutes, for current text.)
438 282.0055 Assignment of enterprise information technology.—
439 (1) The establishment of a systematic process for the
440 planning, design, implementation, procurement, delivery, and
441 maintenance of enterprise information technology services shall
442 be the responsibility of the Agency for State Technology for
443 executive branch agencies that are created or authorized in
444 statute to perform legislatively delegated functions. The
445 agency’s duties shall be performed in collaboration with the
446 state agencies. The supervision, design, development, delivery,
447 and maintenance of state-agency specific or unique software
448 applications shall remain within the responsibility and control
449 of the individual state agency or other public sector
450 organization.
451 (2) During the 2012-2013 fiscal year, the Agency for State
452 Technology shall, in collaboration with the state agencies and
453 other stakeholders, create a road map for enterprise information
454 technology service consolidation. The road map shall be
455 presented for approval by the Governor and Cabinet by August 30,
456 2013. At a minimum, the road map must include:
457 (a) An enterprise architecture that provides an innovative,
458 yet pragmatic and cost-effective offering, and which
459 contemplates the consolidated delivery of services based on
460 similar business processes and functions that span across all
461 executive and cabinet agencies.
462 (b) A schedule for the consolidation of state agency data
463 centers.
464 (c) Cost-saving targets and timeframes for when the savings
465 will be realized.
466 (d) Recommendations, including cost estimates, for
467 improvements to the shared resource centers, which will improve
468 the agency’s ability to deliver enterprise information
469 technology services.
470 (e) A transition plan for the transfer of portions of the
471 Technology Program established under s. 20.22(2), Florida
472 Statutes, that provide an enterprise information technology
473 service.
474 (3) By October 15th of each year beginning in 2013, the
475 Agency for State Technology shall develop a comprehensive
476 transition plan for scheduled consolidations occurring in the
477 next fiscal year. This plan shall be submitted to the Governor,
478 the Cabinet, the President of the Senate, and the Speaker of the
479 House of Representatives. The transition plan shall be developed
480 in consultation with other state agencies submitting state
481 agency transition plans. The comprehensive transition plan must
482 include:
483 (a) Recommendations for accomplishing the proposed
484 transitions as efficiently and effectively as possible with
485 minimal disruption to state agency business processes.
486 (b) Strategies to minimize risks associated with any of the
487 proposed consolidations.
488 (c) A compilation of the state agency transition plans
489 submitted by state agencies scheduled for consolidation for the
490 following fiscal year.
491 (d) An estimate of the cost to provide enterprise
492 information technology services for each state agency scheduled
493 for consolidation.
494 (e) An analysis of the cost effects resulting from the
495 planned consolidations on existing state agencies.
496 (f) The fiscal year adjustments to budget categories in
497 order to absorb the transfer of state agency information
498 technology resources pursuant to the legislative budget request
499 instructions provided in s. 216.023.
500 (g) A description of any issues that must be resolved in
501 order to accomplish as efficiently and effectively as possible
502 all consolidations required during the fiscal year.
503 (4) State agencies have the following duties:
504 (a) For the purpose of completing its work activities, each
505 state agency shall provide to the Agency for State Technology
506 all requested information and any other information relevant to
507 the state agency’s ability to effectively transition its
508 information technology resources into the agency.
509 (b) For the purpose of completing its work activities, each
510 state agency shall temporarily assign staff to assist the agency
511 with designated tasks as negotiated between the agency and the
512 state agency.
513 (c) Each state agency identified for consolidation into an
514 enterprise information technology service offering must submit a
515 transition plan to the Agency for State Technology by September
516 1 of the fiscal year before the fiscal year in which the
517 scheduled consolidation will occur. Transition plans shall be
518 developed in consultation with the agency and must include:
519 1. An inventory of the state agency data center’s resources
520 being consolidated, including all hardware, software, staff, and
521 contracted services, and the facility resources performing data
522 center management and operations, security, backup and recovery,
523 disaster recovery, system administration, database
524 administration, system programming, mainframe maintenance, job
525 control, production control, print, storage, technical support,
526 help desk, and managed services, but excluding application
527 development.
528 2. A description of the level of services needed to meet
529 the technical and operational requirements of the platforms
530 being consolidated and an estimate of the primary data center’s
531 cost for the provision of such services.
532 3. A description of expected changes to its information
533 technology needs and the timeframe when such changes will occur.
534 4. A description of the information technology resources
535 proposed to remain in the state agency.
536 5. A baseline project schedule for the completion of the
537 consolidation.
538 6. The specific recurring and nonrecurring budget
539 adjustments of budget resources by appropriation category into
540 the appropriate data processing category pursuant to the
541 legislative budget instructions in s. 216.023 necessary to
542 support state agency costs for the transfer.
543 (5)(a) Unless authorized by the Legislature or the agency
544 as provided in paragraphs (b) and (c), a state agency may not:
545 1. Create a new computing service or expand an existing
546 computing service if that service has been designated as an
547 enterprise information technology service.
548 2. Spend funds before the state agency’s scheduled
549 consolidation to an enterprise information technology service to
550 purchase or modify hardware or operations software that does not
551 comply with hardware and software standards established by the
552 Agency for State Technology.
553 3. Unless for the purpose of offsite disaster recovery
554 services, transfer existing computing services to any service
555 provider other than the Agency for State Technology.
556 4. Terminate services with the Agency for State Technology
557 without giving written notice of intent to terminate or transfer
558 services 180 days before such termination or transfer.
559 5. Initiate a new computing service with any service
560 provider other than the Agency for State Technology if that
561 service has been designated as an enterprise information
562 technology service.
563 (b) Exceptions to the limitations in subparagraphs (a)1.,
564 2., 3., and 5. may be granted by the Agency for State Technology
565 if there is insufficient capacity in the primary data centers to
566 absorb the workload associated with agency computing services,
567 expenditures are compatible with the scheduled consolidation and
568 established standards, or the equipment or resources are needed
569 to meet a critical state agency business need that cannot be
570 satisfied from surplus equipment or resources of the primary
571 data center until the state agency data center is consolidated.
572 1. A request for an exception must be submitted in writing
573 to the Agency for State Technology. The agency must accept,
574 accept with conditions, or deny the request within 60 days after
575 receipt of the written request. The agency’s decision is not
576 subject to chapter 120.
577 2. The Agency for State Technology may not approve a
578 request unless it includes, at a minimum:
579 a. A detailed description of the capacity requirements of
580 the state agency requesting the exception.
581 b. Documentation from the state agency head demonstrating
582 why it is critical to the state agency’s mission that the
583 expansion or transfer must be completed within the fiscal year
584 rather than when capacity is established at a primary data
585 center.
586 3. Exceptions to subparagraph (a)4. may be granted by the
587 Agency for State Technology if the termination or transfer of
588 services can be absorbed within the current cost-allocation
589 plan.
590 Section 7. Section 282.0056, Florida Statutes, is amended
591 to read:
592 282.0056 Strategic plan, development of work plan, and;
593 development of implementation plans; and policy
594 recommendations.—
595 (1) In order to provide a systematic process for meeting
596 the state’s technology needs, the executive director of the
597 Agency for State Technology shall develop a biennial state
598 Information Technology Resources Strategic Plan. The Governor
599 and Cabinet shall approve the plan before transmitting it to the
600 Legislature, biennially, starting October 1, 2013. The plan must
601 include the following elements:
602 (a) The vision, goals, initiatives, and targets for state
603 information technology for the short term of 2 years, midterm of
604 3 to 5 years, and long term of more than 5 years.
605 (b) An inventory of the information technology resources in
606 state agencies and major projects currently in progress and
607 planned. This does not imply that the agency has approval
608 authority over major projects. As used in this section, the term
609 “major project” means projects that cost more than $1 million to
610 implement.
611 (c) An analysis of opportunities for statewide initiatives
612 that would yield efficiencies, cost savings, or avoidance or
613 improve effectiveness in state programs. The analysis must
614 include:
615 1. Information technology services that should be designed,
616 delivered, and managed as enterprise information technology
617 services.
618 2. Techniques for consolidating the purchase of information
619 technology commodities and services that may result in savings
620 for the state and for establishing a process to achieve savings
621 through consolidated purchases.
622 3. A cost-benefit analysis of options, such as
623 privatization, outsourcing, or insourcing, to reduce costs or
624 improve services to agencies and taxpayers.
625 (d) Recommended initiatives based on the analysis in
626 paragraph (c).
627 (e) Implementation plans for enterprise information
628 technology services designated by the agency. The implementation
629 plans must describe the scope of service, requirements analyses,
630 costs and savings projects, and a project schedule for statewide
631 implementation.
632 (2) Each state agency shall, biennially, provide to the
633 agency the inventory required under paragraph (1)(b). The agency
634 shall consult with and assist state agencies in the preparation
635 of these inventories. Each state agency shall submit its
636 inventory to the agency biennially, starting January 1, 2013.
637 (3) For the purpose of completing its work activities, each
638 state agency shall provide to the agency all requested
639 information, including, but not limited to, the state agency’s
640 costs, service requirements, staffing, and equipment
641 inventories.
642 (4)(1) For the purpose of ensuring accountability for the
643 duties and responsibilities of the executive director and the
644 agency under ss. 20.70 and 282.0055, the executive director For
645 the purposes of carrying out its responsibilities under s.
646 282.0055, the Agency for Enterprise Information Technology shall
647 develop an annual work plan within 60 days after the beginning
648 of the fiscal year describing the activities that the agency
649 intends to undertake for that year and identify the critical
650 success factors, risks, and issues associated with the work
651 planned. The work plan must also include planned including
652 proposed outcomes and completion timeframes for the planning and
653 implementation of all enterprise information technology
654 services. The work plan must align with the state Information
655 Technology Resources Strategic Plan, be presented at a public
656 hearing, and be approved by the Governor and Cabinet;, and,
657 thereafter, be submitted to the President of the Senate and the
658 Speaker of the House of Representatives. The work plan may be
659 amended as needed, subject to approval by the Governor and
660 Cabinet.
661 (2) The agency may develop and submit to the President of
662 the Senate, the Speaker of the House of Representatives, and the
663 Governor by October 1 of each year implementation plans for
664 proposed enterprise information technology services to be
665 established in law.
666 (3) In developing policy recommendations and implementation
667 plans for established and proposed enterprise information
668 technology services, the agency shall describe the scope of
669 operation, conduct costs and requirements analyses, conduct an
670 inventory of all existing information technology resources that
671 are associated with each service, and develop strategies and
672 timeframes for statewide migration.
673 (4) For the purpose of completing its work activities, each
674 state agency shall provide to the agency all requested
675 information, including, but not limited to, the state agency’s
676 costs, service requirements, and equipment inventories.
677 (5) For the purpose of ensuring accountability for the
678 duties and responsibilities of the executive director and the
679 agency under ss. 20.70 and 282.0055, within 60 days after the
680 end of each fiscal year, the executive director agency shall
681 report to the Governor and Cabinet, the President of the Senate,
682 and the Speaker of the House of Representatives on what was
683 achieved or not achieved in the prior year’s work plan.
684 Section 8. Section 282.201, Florida Statutes, is amended to
685 read:
686 (Substantial rewording of section. See
687 s. 282.201, Florida Statutes, for current text.)
688 282.201 State data center system; agency duties and
689 limitations.—A state data center system that includes all
690 primary data centers, other nonprimary data centers, and
691 computing facilities, and that provides an enterprise
692 information technology service, is established.
693 (1) INTENT.—The Legislature finds that the most efficient
694 and effective means of providing quality utility data processing
695 services to state agencies requires that computing resources be
696 concentrated in quality facilities that provide the proper
697 security, infrastructure, and staff resources to ensure that the
698 state’s data is maintained reliably and safely and is
699 recoverable in the event of a disaster. Efficiencies resulting
700 from such consolidation include the increased ability to
701 leverage technological expertise and hardware and software
702 capabilities; increased savings through consolidated purchasing
703 decisions; and the enhanced ability to deploy technology
704 improvements and implement new policies consistently throughout
705 the consolidated organization.
706 (2) AGENCY FOR STATE TECHNOLOGY DUTIES.—
707 (a) The agency shall by October 1, 2013, provide to the
708 Governor and Cabinet, recommendations for approving, confirming
709 and removing primary data center designation. The
710 recommendations shall consider the recommendations from the Law
711 Enforcement Consolidations Task Force. Upon approval of the
712 Governor and Cabinet of primary data center designations,
713 existing primary data center designations are repealed by
714 operation of law, and therefore, obsolete.
715 (b) Establish a schedule for the consolidation of state
716 agency data centers or a transition plan for outsourcing data
717 center services, subject to review by the Governor and Cabinet.
718 The schedule or transition plan must be provided by October 1,
719 2013, and be updated annually until the completion of
720 consolidation. The schedule must be based on the goals of
721 maximizing the efficiency and quality of service delivery and
722 cost savings.
723 (3) STATE AGENCY DUTIES.—
724 (a) Any state agency that is consolidating agency data
725 centers into a primary data center must execute a new or update
726 an existing memorandum of understanding or service level
727 agreement within 60 days after the specified consolidation date,
728 as required by s. 282.203, in order to specify the services and
729 levels of service it is to receive from the primary data center
730 as a result of the consolidation. If a state agency is unable to
731 execute a memorandum of understanding by that date, the state
732 agency shall submit a report to the Executive Office of the
733 Governor, the Cabinet, the President of the Senate, and the
734 Speaker of the House of Representatives within 5 working days
735 after that date which explains the specific issues preventing
736 execution and describes its plan and schedule for resolving
737 those issues.
738 (b) On the date of each consolidation specified in general
739 law or the General Appropriations Act, each state agency shall
740 retain the least-privileged administrative access rights
741 necessary to perform the duties not assigned to the primary data
742 centers.
743 (4) SCHEDULE FOR CONSOLIDATIONS OF STATE AGENCY DATA
744 CENTERS.—Consolidations of state agency data centers are
745 suspended for the 2012-2013 fiscal year. Consolidations shall
746 resume during the 2013-2014 fiscal year based upon a revised
747 schedule developed by the agency. The revised schedule shall
748 consider the recommendations from the Law Enforcement
749 Consolidation Task Force. State agency data centers and
750 computing facilities shall be consolidated into the agency by
751 June 30, 2018.
752 Section 9. Section 282.203, Florida Statutes, is amended to
753 read:
754 (Substantial rewording of section. See
755 s. 282.203, Florida Statutes, for current text.)
756 282.203 Primary data centers; duties.—
757 (1) Each primary data center shall:
758 (a) Serve participating state agencies as an information
759 system utility.
760 (b) Cooperate with participating state agencies to offer,
761 develop, and support the services and applications.
762 (c) Provide transparent financial statements to
763 participating state agencies.
764 (d) Assume the least-privileged administrative access
765 rights necessary to perform the services provided by the data
766 center for the software and equipment that is consolidated into
767 a primary data center.
768 (2) Each primary data center shall enter into a memorandum
769 of understanding with each participating state agency to provide
770 services. A memorandum of understanding may not have a term
771 exceeding 3 years but may include an option to renew for up to 3
772 years. Failure to execute a memorandum within 60 days after
773 service commencement shall, in the case of a participating state
774 agency, result in the continuation of the terms of the
775 memorandum of understanding from the previous fiscal year,
776 including any amendments that were formally proposed to the
777 state agency by the primary data center within the 3 months
778 before service commencement, and a revised cost-of-service
779 estimate. If a participating state agency fails to execute a
780 memorandum of understanding within 60 days after service
781 commencement, the data center may cease providing services.
782 Section 10. Section 282.204, Florida Statutes, is repealed.
783 Section 11. Section 282.205, Florida Statutes, is repealed.
784 Section 12. Section 282.33, Florida Statutes, is repealed.
785 Section 13. Section 282.34, Florida Statutes, is amended to
786 read:
787 282.34 Statewide e-mail service.—A statewide e-mail service
788 that includes the delivery and support of e-mail, messaging, and
789 calendaring capabilities is established as an enterprise
790 information technology service as defined in s. 282.0041. The
791 service shall be provisioned designed to meet the needs of all
792 executive branch agencies and may also be used by other public
793 sector nonstate agency entities. The primary goals of the
794 service are to provide a reliable collaborative communication
795 service to state agencies; minimize the state investment
796 required to establish, operate, and support the statewide
797 service; reduce the cost of current e-mail operations and the
798 number of duplicative e-mail systems; and eliminate the need for
799 each state agency to maintain its own e-mail staff.
800 (1) Except as specified in subsection (2), all state
801 agencies shall receive their primary email services exclusively
802 through the Agency for State Technology. The Southwood Shared
803 Resource Center, a primary data center, shall be the provider of
804 the statewide e-mail service for all state agencies. The center
805 shall centrally host, manage, operate, and support the service,
806 or outsource the hosting, management, operational, or support
807 components of the service in order to achieve the primary goals
808 identified in this section.
809 (2) The Department of Legal Affairs shall work with the
810 agency to develop a plan to migrate to the enterprise email
811 service. The plan shall identify the time frame for migration,
812 the associated costs, and the risks. The plan shall be presented
813 to the Governor and Cabinet by December 1, 2014. The Agency for
814 Enterprise Information Technology, in cooperation and
815 consultation with all state agencies, shall prepare and submit
816 for approval by the Legislative Budget Commission at a meeting
817 scheduled before June 30, 2011, a proposed plan for the
818 migration of all state agencies to the statewide e-mail service.
819 The plan for migration must include:
820 (a) A cost-benefit analysis that compares the total
821 recurring and nonrecurring operating costs of the current agency
822 e-mail systems, including monthly mailbox costs, staffing,
823 licensing and maintenance costs, hardware, and other related e-
824 mail product and service costs to the costs associated with the
825 proposed statewide e-mail service. The analysis must also
826 include:
827 1. A comparison of the estimated total 7-year life-cycle
828 cost of the current agency e-mail systems versus the feasibility
829 of funding the migration and operation of the statewide e-mail
830 service.
831 2. An estimate of recurring costs associated with the
832 energy consumption of current agency e-mail equipment, and the
833 basis for the estimate.
834 3. An identification of the overall cost savings resulting
835 from state agencies migrating to the statewide e-mail service
836 and decommissioning their agency e-mail systems.
837 (b) A proposed migration date for all state agencies to be
838 migrated to the statewide e-mail service. The Agency for
839 Enterprise Information Technology shall work with the Executive
840 Office of the Governor to develop the schedule for migrating all
841 state agencies to the statewide e-mail service except for the
842 Department of Legal Affairs. The Department of Legal Affairs
843 shall provide to the Agency for Enterprise Information
844 Technology by June 1, 2011, a proposed migration date based upon
845 its decision to participate in the statewide e-mail service and
846 the identification of any issues that require resolution in
847 order to migrate to the statewide e-mail service.
848 (c) A budget amendment, submitted pursuant to chapter 216,
849 for adjustments to each agency’s approved operating budget
850 necessary to transfer sufficient budget resources into the
851 appropriate data processing category to support its statewide e-
852 mail service costs.
853 (d) A budget amendment, submitted pursuant to chapter 216,
854 for adjustments to the Southwood Shared Resource Center approved
855 operating budget to include adjustments in the number of
856 authorized positions, salary budget and associated rate,
857 necessary to implement the statewide e-mail service.
858 (3) Contingent upon approval by the Legislative Budget
859 Commission, the Southwood Shared Resource Center may contract
860 for the provision of a statewide e-mail service. Executive
861 branch agencies must be completely migrated to the statewide e-
862 mail service based upon the migration date included in the
863 proposed plan approved by the Legislative Budget Commission.
864 (4) Notwithstanding chapter 216, general revenue funds may
865 be increased or decreased for each agency provided the net
866 change to general revenue in total for all agencies is zero or
867 less.
868 (5) Subsequent to the approval of the consolidated budget
869 amendment to reflect budget adjustments necessary to migrate to
870 the statewide e-mail service, an agency may make adjustments
871 subject to s. 216.177, notwithstanding provisions in chapter 216
872 which may require such adjustments to be approved by the
873 Legislative Budget Commission.
874 (6) No agency may initiate a new e-mail service or execute
875 a new e-mail contract or amend a current e-mail contract, other
876 than with the Southwood Shared Resource Center, for nonessential
877 products or services unless the Legislative Budget Commission
878 denies approval for the Southwood Shared Resource Center to
879 enter into a contract for the statewide e-mail service.
880 (7) The Agency for Enterprise Information Technology shall
881 work with the Southwood Shared Resource Center to develop an
882 implementation plan that identifies and describes the detailed
883 processes and timelines for an agency’s migration to the
884 statewide e-mail service based on the migration date approved by
885 the Legislative Budget Commission. The agency may establish and
886 coordinate workgroups consisting of agency e-mail management,
887 information technology, budget, and administrative staff to
888 assist the agency in the development of the plan.
889 (8) Each executive branch agency shall provide all
890 information necessary to develop the implementation plan,
891 including, but not limited to, required mailbox features and the
892 number of mailboxes that will require migration services. Each
893 agency must also identify any known business, operational, or
894 technical plans, limitations, or constraints that should be
895 considered when developing the plan.
896 Section 14. Section 282.702, Florida Statutes, is amended
897 to read:
898 282.702 Powers and duties.—The Department of Management
899 Services shall have the following powers, duties, and functions:
900 (1) To publish electronically the portfolio of services
901 available from the department, including pricing information;
902 the policies and procedures governing usage of available
903 services; and a forecast of the department’s priorities for each
904 telecommunications service.
905 (2) To adopt technical standards by rule for the state
906 telecommunications network which ensure the interconnection and
907 operational security of computer networks, telecommunications,
908 and information systems of agencies.
909 (3) To enter into agreements related to information
910 technology and telecommunications services with state agencies
911 and political subdivisions of the state.
912 (4) To purchase from or contract with information
913 technology providers for information technology, including
914 private line services.
915 (5) To apply for, receive, and hold authorizations,
916 patents, copyrights, trademarks, service marks, licenses, and
917 allocations or channels and frequencies to carry out the
918 purposes of this part.
919 (6) To purchase, lease, or otherwise acquire and to hold,
920 sell, transfer, license, or otherwise dispose of real, personal,
921 and intellectual property, including, but not limited to,
922 patents, trademarks, copyrights, and service marks.
923 (7) To cooperate with any federal, state, or local
924 emergency management agency in providing for emergency
925 telecommunications services.
926 (8) To control and approve the purchase, lease, or
927 acquisition and the use of telecommunications services,
928 software, circuits, and equipment provided as part of any other
929 total telecommunications system to be used by the state or its
930 agencies.
931 (9) To adopt rules pursuant to ss. 120.536(1) and 120.54
932 relating to telecommunications and to administer the provisions
933 of this part.
934 (10) To apply for and accept federal funds for the purposes
935 of this part as well as gifts and donations from individuals,
936 foundations, and private organizations.
937 (11) To monitor issues relating to telecommunications
938 facilities and services before the Florida Public Service
939 Commission and the Federal Communications Commission and, if
940 necessary, prepare position papers, prepare testimony, appear as
941 a witness, and retain witnesses on behalf of state agencies in
942 proceedings before the commissions.
943 (12) Unless delegated to the state agencies by the
944 department, to manage and control, but not intercept or
945 interpret, telecommunications within the SUNCOM Network by:
946 (a) Establishing technical standards to physically
947 interface with the SUNCOM Network.
948 (b) Specifying how telecommunications are transmitted
949 within the SUNCOM Network.
950 (c) Controlling the routing of telecommunications within
951 the SUNCOM Network.
952 (d) Establishing standards, policies, and procedures for
953 access to and the security of the SUNCOM Network.
954 (e) Ensuring orderly and reliable telecommunications
955 services in accordance with the service level agreements
956 executed with state agencies.
957 (13) To plan, design, and conduct experiments for
958 telecommunications services, equipment, and technologies, and to
959 implement enhancements in the state telecommunications network
960 if in the public interest and cost-effective. Funding for such
961 experiments must be derived from SUNCOM Network service revenues
962 and may not exceed 2 percent of the annual budget for the SUNCOM
963 Network for any fiscal year or as provided in the General
964 Appropriations Act. New services offered as a result of this
965 subsection may not affect existing rates for facilities or
966 services.
967 (14) To enter into contracts or agreements, with or without
968 competitive bidding or procurement, to make available, on a
969 fair, reasonable, and nondiscriminatory basis, property and
970 other structures under departmental control for the placement of
971 new facilities by any wireless provider of mobile service as
972 defined in 47 U.S.C. s. 153(27) or s. 332(d) and any
973 telecommunications company as defined in s. 364.02 if it is
974 practical and feasible to make such property or other structures
975 available. The department may, without adopting a rule, charge a
976 just, reasonable, and nondiscriminatory fee for the placement of
977 the facilities, payable annually, based on the fair market value
978 of space used by comparable telecommunications facilities in the
979 state. The department and a wireless provider or
980 telecommunications company may negotiate the reduction or
981 elimination of a fee in consideration of services provided to
982 the department by the wireless provider or telecommunications
983 company. All such fees collected by the department shall be
984 deposited directly into the Law Enforcement Radio Operating
985 Trust Fund, and may be used by the department to construct,
986 maintain, or support the system.
987 (15) Establish policies that ensure that the department’s
988 cost-recovery methodologies, billings, receivables,
989 expenditures, budgeting, and accounting data are captured and
990 reported timely, consistently, accurately, and transparently and
991 are in compliance with all applicable federal and state laws and
992 rules. The department shall annually submit to the Governor, the
993 President of the Senate, and the Speaker of the House of
994 Representatives a report that describes each service and its
995 cost, the billing methodology for recovering the cost of the
996 service, and, if applicable, the identity of those services that
997 are subsidized.
998 (16) Develop a plan for statewide voice-over-Internet
999 protocol services. The plan shall include cost estimates and the
1000 estimated return on investment. The plan shall be submitted to
1001 the Governor, the Cabinet, the President of the Senate, and the
1002 Speaker of the House of Representatives by June 30, 2013.
1003 (17) The department shall produce a feasibility analysis by
1004 January 1, 2013, of the options for procuring end-to-end network
1005 services, including services provided by the statewide area
1006 network, metropolitan area networks, and local area networks,
1007 which may be provided by each state agency. The scope of this
1008 service does not include wiring or file and print server
1009 infrastructure. The feasibility analysis must determine the
1010 technical and economic feasibility of using existing resources
1011 and infrastructure that are owned or used by state entities in
1012 the provision or receipt of network services in order to reduce
1013 the cost of network services for the state. At a minimum, the
1014 feasibility analysis must include:
1015 (a) A definition and assessment of the current portfolio of
1016 services, the network services that are provided by each state
1017 agency, and a forecast of anticipated changes in network service
1018 needs which considers specific state agency business needs and
1019 the implementation of enterprise services established under this
1020 chapter.
1021 (b) A description of any limitations or enhancements in the
1022 network, including any technical or logistical challenges
1023 relating to the central provisioning of local area network
1024 services currently provided and supported by each state agency.
1025 The analysis must also address changes in usage patterns which
1026 can reasonably be expected due to the consolidation of state
1027 agency data centers or the specific business needs of state
1028 agencies and other service customers.
1029 (c) An analysis and comparison of the risks associated with
1030 the current service delivery models and at least two other
1031 options that leverage the existing resources and infrastructure
1032 identified in this subsection. Options may include multi-vendor
1033 and segmented contracting options. All sourcing options must
1034 produce a service that can be used by schools and other
1035 qualified entities that seek federal grants provided through the
1036 Universal Service Fund Program.
1037 (d) A cost-benefit analysis that estimates all major cost
1038 elements associated with each sourcing option, focusing on the
1039 nonrecurring and recurring life-cycle costs of the proposal in
1040 order to determine the financial feasibility of each sourcing
1041 option. The cost-benefit analysis must include:
1042 1. The total recurring operating costs of the proposed
1043 state network service including estimates of monthly charges,
1044 staffing, billing, licenses and maintenance, hardware, and other
1045 related costs.
1046 2. An estimate of nonrecurring costs associated with
1047 construction, transmission lines, premises and switching
1048 hardware purchase and installation, and required software based
1049 on the proposed solution.
1050 3. An estimate of other critical costs associated with the
1051 current and proposed sourcing options for the state network.
1052 (e) Recommendations for reducing current costs associated
1053 with statewide network services. The department shall consider
1054 the following in developing the recommendations:
1055 1. Leveraging existing resources and expertise.
1056 2. Standardizing service-level agreements to customer
1057 entities in order to maximize capacity and availability.
1058 (f) A detailed timeline for the complete procurement and
1059 transition to a more efficient and cost-effective solution.
1060 Section 15. Paragraph (e) of subsection (2) of section
1061 110.205, Florida Statutes, is amended to read:
1062 110.205 Career service; exemptions.—
1063 (2) EXEMPT POSITIONS.—The exempt positions that are not
1064 covered by this part include the following:
1065 (e) The executive director of Chief Information Officer in
1066 the Agency for State Enterprise Information Technology. Unless
1067 otherwise fixed by law, the Governor and Cabinet Agency for
1068 Enterprise Information Technology shall set the salary and
1069 benefits of this position in accordance with the rules of the
1070 Senior Management Service.
1071 Section 16. Subsections (2) and (9) of section 215.322,
1072 Florida Statutes, are amended to read:
1073 215.322 Acceptance of credit cards, charge cards, debit
1074 cards, or electronic funds transfers by state agencies, units of
1075 local government, and the judicial branch.—
1076 (2) A state agency as defined in s. 216.011, or the
1077 judicial branch, may accept credit cards, charge cards, debit
1078 cards, or electronic funds transfers in payment for goods and
1079 services with the prior approval of the Chief Financial Officer.
1080 If the Internet or other related electronic methods are to be
1081 used as the collection medium, the Agency for State Enterprise
1082 Information Technology shall review and recommend to the Chief
1083 Financial Officer whether to approve the request with regard to
1084 the process or procedure to be used.
1085 (9) For payment programs in which credit cards, charge
1086 cards, or debit cards are accepted by state agencies, the
1087 judicial branch, or units of local government, the Chief
1088 Financial Officer, in consultation with the Agency for State
1089 Enterprise Information Technology, may adopt rules to establish
1090 uniform security safeguards for cardholder data and to ensure
1091 compliance with the Payment Card Industry Data Security
1092 Standards.
1093 Section 17. Subsections (3), (4), (5), and (6) of section
1094 282.318, Florida Statutes, are amended to read:
1095 282.318 Enterprise security of data and information
1096 technology.—
1097 (3) The Agency for State Enterprise Information Technology
1098 is responsible for establishing rules and publishing guidelines
1099 for ensuring an appropriate level of security for all data and
1100 information technology resources for executive branch agencies.
1101 The agency shall also perform the following duties and
1102 responsibilities:
1103 (a) Develop, and annually update by February 1, an
1104 enterprise information security strategic plan that includes
1105 security goals and objectives for the strategic issues of
1106 information security policy, risk management, training, incident
1107 management, and survivability planning.
1108 (b) Develop enterprise security rules and published
1109 guidelines for:
1110 1. Comprehensive risk analyses and information security
1111 audits conducted by state agencies.
1112 2. Responding to suspected or confirmed information
1113 security incidents, including suspected or confirmed breaches of
1114 personal information or exempt data.
1115 3. Agency security plans, including strategic security
1116 plans and security program plans.
1117 4. The recovery of information technology and data
1118 following a disaster.
1119 5. The managerial, operational, and technical safeguards
1120 for protecting state government data and information technology
1121 resources.
1122 (c) Assist agencies in complying with the provisions of
1123 this section.
1124 (d) Pursue appropriate funding for the purpose of enhancing
1125 domestic security.
1126 (e) Provide training for agency information security
1127 managers.
1128 (f) Annually review the strategic and operational
1129 information security plans of executive branch agencies.
1130 (4) To assist the Agency for State Enterprise Information
1131 Technology in carrying out its responsibilities, each state
1132 agency head shall, at a minimum:
1133 (a) Designate an information security manager to administer
1134 the security program of the state agency for its data and
1135 information technology resources. This designation must be
1136 provided annually in writing to the Agency for State Enterprise
1137 Information Technology by January 1.
1138 (b) Annually submit to the Agency for State Enterprise
1139 Information Technology annually by July 31, the state agency’s
1140 comprehensive strategic and operational information security
1141 plans developed pursuant to the rules and guidelines established
1142 by the Agency for State Enterprise Information Technology.
1143 1. The state agency comprehensive strategic information
1144 security plan must cover a 3-year period and define security
1145 goals, intermediate objectives, and projected agency costs for
1146 the strategic issues of agency information security policy, risk
1147 management, security training, security incident response, and
1148 survivability. The plan must be based on the enterprise
1149 strategic information security plan created by the Agency for
1150 State Enterprise Information Technology. Additional issues may
1151 be included.
1152 2. The state agency operational information security plan
1153 must include a progress report for the prior operational
1154 information security plan and a project plan that includes
1155 activities, timelines, and deliverables for security objectives
1156 that, subject to current resources, the state agency will
1157 implement during the current fiscal year. The cost of
1158 implementing the portions of the plan which cannot be funded
1159 from current resources must be identified in the plan.
1160 (c) Conduct, and update every 3 years, a comprehensive risk
1161 analysis to determine the security threats to the data,
1162 information, and information technology resources of the state
1163 agency. The risk analysis information is confidential and exempt
1164 from the provisions of s. 119.07(1), except that such
1165 information shall be available to the Auditor General and the
1166 Agency for State Enterprise Information Technology for
1167 performing postauditing duties.
1168 (d) Develop, and periodically update, written internal
1169 policies and procedures that, which include procedures for
1170 notifying the Agency for State Enterprise Information Technology
1171 when a suspected or confirmed breach, or an information security
1172 incident, occurs. Such policies and procedures must be
1173 consistent with the rules and guidelines established by the
1174 Agency for State Enterprise Information Technology to ensure the
1175 security of the data, information, and information technology
1176 resources of the state agency. The internal policies and
1177 procedures that, if disclosed, could facilitate the unauthorized
1178 modification, disclosure, or destruction of data or information
1179 technology resources are confidential information and exempt
1180 from s. 119.07(1), except that such information shall be
1181 available to the Auditor General and the Agency for State
1182 Enterprise Information Technology for performing postauditing
1183 duties.
1184 (e) Implement appropriate cost-effective safeguards to
1185 address identified risks to the data, information, and
1186 information technology resources of the state agency.
1187 (f) Ensure that periodic internal audits and evaluations of
1188 the state agency’s security program for the data, information,
1189 and information technology resources of the state agency are
1190 conducted. The results of such audits and evaluations are
1191 confidential information and exempt from s. 119.07(1), except
1192 that such information shall be available to the Auditor General
1193 and the Agency for State Enterprise Information Technology for
1194 performing postauditing duties.
1195 (g) Include appropriate security requirements in the
1196 written specifications for the solicitation of information
1197 technology and information technology resources and services,
1198 which are consistent with the rules and guidelines established
1199 by the Agency for State Enterprise Information Technology.
1200 (h) Provide security awareness training to employees and
1201 users of the state agency’s communication and information
1202 resources concerning information security risks and the
1203 responsibility of employees and users to comply with policies,
1204 standards, guidelines, and operating procedures adopted by the
1205 state agency to reduce those risks.
1206 (i) Develop a process for detecting, reporting, and
1207 responding to suspected or confirmed security incidents,
1208 including suspected or confirmed breaches consistent with the
1209 security rules and guidelines established by the Agency for
1210 State Enterprise Information Technology.
1211 1. Suspected or confirmed information security incidents
1212 and breaches must be immediately reported to the Agency for
1213 State Enterprise Information Technology.
1214 2. For incidents involving breaches, agencies shall provide
1215 notice in accordance with s. 817.5681 and to the Agency for
1216 State Enterprise Information Technology in accordance with this
1217 subsection.
1218 (5) Each state agency shall include appropriate security
1219 requirements in the specifications for the solicitation of
1220 contracts for procuring information technology or information
1221 technology resources or services which are consistent with the
1222 rules and guidelines established by the Agency for State
1223 Enterprise Information Technology.
1224 (6) The Agency for State Enterprise Information Technology
1225 may adopt rules relating to information security and to
1226 administer the provisions of this section.
1227 Section 18. Subsection (14) of section 287.012, Florida
1228 Statutes, is amended to read:
1229 287.012 Definitions.—As used in this part, the term:
1230 (14) “Information technology” means, but is not limited to,
1231 equipment, hardware, software, mainframe maintenance, firmware,
1232 programs, systems, networks, infrastructure, media, and related
1233 material used to automatically, electronically, and wirelessly
1234 collect, receive, access, transmit, display, store, record,
1235 retrieve, analyze, evaluate, process, classify, manipulate,
1236 manage, assimilate, control, communicate, exchange, convert,
1237 converge, interface, switch, or disseminate information of any
1238 kind or form has the meaning ascribed in s. 282.0041.
1239 Section 19. Subsection (22) of section 287.057, Florida
1240 Statutes, is amended to read:
1241 287.057 Procurement of commodities or contractual
1242 services.—
1243 (22) The department, in consultation with the Agency for
1244 State Enterprise Information Technology and the Chief Financial
1245 Officer Comptroller, shall develop a program for online
1246 procurement of commodities and contractual services. To enable
1247 the state to promote open competition and to leverage its buying
1248 power, agencies shall participate in the online procurement
1249 program, and eligible users may participate in the program. Only
1250 vendors prequalified as meeting mandatory requirements and
1251 qualifications criteria may participate in online procurement.
1252 (a) The department, in consultation with the agency, may
1253 contract for equipment and services necessary to develop and
1254 implement online procurement.
1255 (b) The department, in consultation with the agency, shall
1256 adopt rules, pursuant to ss. 120.536(1) and 120.54, to
1257 administer the program for online procurement. The rules shall
1258 include, but not be limited to:
1259 1. Determining the requirements and qualification criteria
1260 for prequalifying vendors.
1261 2. Establishing the procedures for conducting online
1262 procurement.
1263 3. Establishing the criteria for eligible commodities and
1264 contractual services.
1265 4. Establishing the procedures for providing access to
1266 online procurement.
1267 5. Determining the criteria warranting any exceptions to
1268 participation in the online procurement program.
1269 (c) The department may impose and shall collect all fees
1270 for the use of the online procurement systems.
1271 1. The fees may be imposed on an individual transaction
1272 basis or as a fixed percentage of the cost savings generated. At
1273 a minimum, the fees must be set in an amount sufficient to cover
1274 the projected costs of the services, including administrative
1275 and project service costs in accordance with the policies of the
1276 department.
1277 2. If the department contracts with a provider for online
1278 procurement, the department, pursuant to appropriation, shall
1279 compensate the provider from the fees after the department has
1280 satisfied all ongoing costs. The provider shall report
1281 transaction data to the department each month so that the
1282 department may determine the amount due and payable to the
1283 department from each vendor.
1284 3. All fees that are due and payable to the state on a
1285 transactional basis or as a fixed percentage of the cost savings
1286 generated are subject to s. 215.31 and must be remitted within
1287 40 days after receipt of payment for which the fees are due. For
1288 fees that are not remitted within 40 days, the vendor shall pay
1289 interest at the rate established under s. 55.03(1) on the unpaid
1290 balance from the expiration of the 40-day period until the fees
1291 are remitted.
1292 4. All fees and surcharges collected under this paragraph
1293 shall be deposited in the Operating Trust Fund as provided by
1294 law.
1295 Section 20. Subsection (4) of section 445.011, Florida
1296 Statutes, is amended to read:
1297 445.011 Workforce information systems.—
1298 (4) Workforce Florida, Inc., shall coordinate development
1299 and implementation of workforce information systems with the
1300 executive director of the Agency for State Enterprise
1301 Information Technology to ensure compatibility with the state’s
1302 information system strategy and enterprise architecture.
1303 Section 21. Subsection (2) and paragraphs (a) and (b) of
1304 subsection (4) of section 445.045, Florida Statutes, are amended
1305 to read:
1306 445.045 Development of an Internet-based system for
1307 information technology industry promotion and workforce
1308 recruitment.—
1309 (2) Workforce Florida, Inc., shall coordinate with the
1310 Agency for State Enterprise Information Technology and the
1311 Department of Economic Opportunity to ensure links, where
1312 feasible and appropriate, to existing job information websites
1313 maintained by the state and state agencies and to ensure that
1314 information technology positions offered by the state and state
1315 agencies are posted on the information technology website.
1316 (4)(a) Workforce Florida, Inc., shall coordinate
1317 development and maintenance of the website under this section
1318 with the executive director of the Agency for State Enterprise
1319 Information Technology to ensure compatibility with the state’s
1320 information system strategy and enterprise architecture.
1321 (b) Workforce Florida, Inc., may enter into an agreement
1322 with the Agency for State Enterprise Information Technology, the
1323 Department of Economic Opportunity, or any other public agency
1324 with the requisite information technology expertise for the
1325 provision of design, operating, or other technological services
1326 necessary to develop and maintain the website.
1327 Section 22. Paragraph (b) of subsection (18) of section
1328 668.50, Florida Statutes, is amended to read:
1329 668.50 Uniform Electronic Transaction Act.—
1330 (18) ACCEPTANCE AND DISTRIBUTION OF ELECTRONIC RECORDS BY
1331 GOVERNMENTAL AGENCIES.—
1332 (b) To the extent that a governmental agency uses
1333 electronic records and electronic signatures under paragraph
1334 (a), the Agency for State Enterprise Information Technology, in
1335 consultation with the governmental agency, giving due
1336 consideration to security, may specify:
1337 1. The manner and format in which the electronic records
1338 must be created, generated, sent, communicated, received, and
1339 stored and the systems established for those purposes.
1340 2. If electronic records must be signed by electronic
1341 means, the type of electronic signature required, the manner and
1342 format in which the electronic signature must be affixed to the
1343 electronic record, and the identity of, or criteria that must be
1344 met by, any third party used by a person filing a document to
1345 facilitate the process.
1346 3. Control processes and procedures as appropriate to
1347 ensure adequate preservation, disposition, integrity, security,
1348 confidentiality, and auditability of electronic records.
1349 4. Any other required attributes for electronic records
1350 which are specified for corresponding nonelectronic records or
1351 reasonably necessary under the circumstances.
1352 Section 23. This act shall take effect July 1, 2012.
1353
1354
1355 ================= T I T L E  A M E N D M E N T ================
1356 And the title is amended as follows:
1357 Delete everything before the enacting clause
1358 and insert:
1359 A bill to be entitled
1360 An act relating to state technology; abolishing the
1361 Agency for Enterprise Information Technology;
1362 transferring the personnel, functions, and funds of
1363 the Agency for Enterprise Information Technology to
1364 the Agency for State Technology; transferring
1365 specified personnel, functions, and funds relating to
1366 technology programs from the Department of Management
1367 Services to the Agency for State Technology;
1368 transferring the Northwood Shared Resource Center and
1369 the Southwood Shared Resource Center to the agency;
1370 repealing s. 14.204, F.S., relating to the Agency for
1371 Enterprise Information Technology; creating s. 20.70,
1372 F.S.; creating the Agency for State Technology;
1373 providing for an executive director who shall be the
1374 state’s Chief Information Officer; providing for
1375 organization of the agency; providing duties and
1376 responsibilities of the agency and of the executive
1377 director; requiring certain status reports to the
1378 Governor, the Cabinet, and the Legislature;
1379 authorizing the agency to adopt rules; reordering and
1380 amending s. 282.0041, F.S.; revising and providing
1381 definitions of terms as used in the Enterprise
1382 Information Technology Services Management Act;
1383 amending s. 282.0055, F.S.; revising provisions for
1384 assignment of information technology services;
1385 directing the agency to create a road map for
1386 enterprise information technology service
1387 consolidation and a comprehensive transition plan;
1388 requiring the transition plan to be submitted to the
1389 Governor and Cabinet and the Legislature by a certain
1390 date; providing duties for state agencies relating to
1391 the transition plan; prohibiting state agencies from
1392 certain technology-related activities; providing for
1393 exceptions; amending s. 282.0056, F.S.; providing for
1394 development by the agency executive director of a
1395 biennial State Information Technology Strategic
1396 Resources Plan for approval by the Governor and the
1397 Cabinet; directing state agencies to submit their own
1398 information technology plans and any requested
1399 information to the agency; revising provisions for
1400 development of work plans and implementation plans;
1401 revising provisions for reporting on achievements;
1402 amending s. 282.201, F.S.; revising provisions for a
1403 state data center system; providing legislative
1404 intent; directing the agency to provide
1405 recommendations to the Governor and Legislature
1406 relating to changes to the schedule for the
1407 consolidations of state agency data centers; providing
1408 duties of a state agency consolidating a data center
1409 into a primary data center; revising the scheduled
1410 consolidation dates for state agency data centers;
1411 amending s. 282.203, F.S.; revising duties of primary
1412 data centers; removing provisions for boards of
1413 trustees to head primary data centers; requiring a
1414 memorandum of understanding between the primary data
1415 center and the participating state agency; limiting
1416 the term of the memorandum; providing for failure to
1417 enter into a memorandum; repealing s. 282.204, F.S.,
1418 relating to Northwood Shared Resource Center;
1419 repealing s. 282.205, F.S., relating to Southwood
1420 Shared Resource Center; creating s. 282.206, F.S.;
1421 establishing the Fletcher Shared Resource Center
1422 within the Department of Financial Services to provide
1423 enterprise information technology services; directing
1424 the center to collaborate with the agency; directing
1425 the center to provide collocation services to the
1426 Department of Legal Affairs, the Department of
1427 Agriculture and Consumer Services, and the Department
1428 of Financial Services; directing the Department of
1429 Financial Services to continue to use the center and
1430 provide service to the Office of Financial Regulation
1431 and the Office of Insurance Regulation and host the
1432 Legislative Appropriations System/Planning and
1433 Budgeting Subsystem; providing for governance of the
1434 center; providing for a steering committee to ensure
1435 adequacy and appropriateness of services; directing
1436 the Department of Legal Affairs and the Department of
1437 Agriculture and Consumer Services to move data center
1438 equipment to the center by certain dates; repealing s.
1439 282.33, F.S., relating to objective standards for data
1440 center energy efficiency; amending s. 282.34, F.S.;
1441 revising provisions for a statewide e-mail service to
1442 meet the needs of executive branch agencies; requiring
1443 state agencies to receive e-mail services through the
1444 agency; authorizing the Department of Agriculture and
1445 Consumer Services, the Department of Financial
1446 Services, the Office of Financial Regulation, and the
1447 Office of Insurance Regulation to receive e-mail
1448 services from the Fletcher Shared Resource Center or
1449 the agency; amending s. 282.702, F.S.; directing the
1450 agency to develop a plan for statewide voice-over
1451 Internet protocol services; requiring certain content
1452 in the plan; requiring the plan to be submitted to the
1453 Governor, the Cabinet, and the Legislature by a
1454 certain date; amending s. 364.0135, F.S.; providing
1455 for the agency’s role in the promotion of broadband
1456 Internet service; providing an additional duty;
1457 amending ss. 20.22, 110.205, 215.22, 215.322, 216.292,
1458 282.318, 282.604, 282.703, 282.704, 282.705, 282.706,
1459 282.707, 282.709, 282.7101, 282.711, 287.012, 287.057,
1460 318.18, 320.0802, 328.72, 365.171, 365.172, 365.173,
1461 365.174, 401.013, 401.015, 401.018, 401.021, 401.024,
1462 401.027, 401.465, 445.011, 445.045, and 668.50, F.S.,
1463 relating to a financial and cash management system
1464 task force, career service exemptions, trust funds,
1465 payment cards and electronic funds transfers, the
1466 Communications Working Capital Trust Fund, the
1467 Enterprise Information Technology Services Management
1468 Act, adoption of rules, the Communication Information
1469 Technology Services Act, procurement of commodities
1470 and contractual services, the Florida Uniform
1471 Disposition of Traffic Infractions Act, surcharge on
1472 vehicle license tax, vessel registration, broadband
1473 Internet service, the emergency communications number
1474 E911, regional emergency medical telecommunications,
1475 the Workforce Innovation Act of 2000, and the Uniform
1476 Electronic Transaction Act; conforming provisions and
1477 cross-references to changes made by the act; revising
1478 and deleting obsolete provisions; providing an
1479 effective date.
1480