Florida Senate - 2014 (PROPOSED COMMITTEE BILL) SPB 7024
FOR CONSIDERATION By the Committee on Governmental Oversight and
Accountability
585-00728B-14 20147024__
1 A bill to be entitled
2 An act relating to state technology; repealing s.
3 14.204, F.S., relating to the Agency for Enterprise
4 Information Technology within the Executive Office of
5 the Governor; creating s. 20.61, F.S.; creating the
6 Agency for State Technology within the Department of
7 Management Services; providing for an executive
8 director and other permanent positions; creating a
9 Technology Advisory Council and providing for
10 membership; amending s. 282.0041, F.S.; revising and
11 defining terms used in the Enterprise Information
12 Technology Services Management Act; creating s.
13 282.0051, F.S.; providing the powers, duties, and
14 functions of the Agency for State Technology;
15 authorizing the agency to adopt rules; providing
16 exceptions for certain departments; repealing s.
17 282.0055, F.S., relating to the assignment of
18 information technology resource and service
19 responsibilities; repealing s. 282.0056, F.S.,
20 relating to the development of an annual work plan,
21 the development of implementation plans, and policy
22 recommendations relating to enterprise information
23 technology services; amending s. 282.201, F.S.;
24 providing for a state data center and the duties of
25 the center; deleting duties for the Agency for
26 Enterprise Information Technology; revising the
27 schedule for consolidating agency data centers and
28 deleting obsolete provisions; revising the limitations
29 on state agencies; repealing s. 282.203, F.S.,
30 relating to primary data centers; repealing s.
31 282.204, F.S., relating to the Northwood Shared
32 Resource Center; repealing s. 282.205, F.S., relating
33 to the Southwood Shared Resource Center; amending s.
34 282.318, F.S.; conforming provisions to changes made
35 by the act; revising the duties of the state agencies
36 with respect to information security; repealing s.
37 282.33, F.S., relating to objective standards for data
38 center energy efficiency; repealing s. 282.34, F.S.,
39 relating to statewide e-mail service; amending ss.
40 17.0315, 20.055, 110.205, 215.322, and 215.96, F.S.;
41 conforming provisions to changes made by the act;
42 amending s. 216.023, F.S.; requiring the governance
43 structure of information technology projects to
44 incorporate certain standards; amending s. 287.057,
45 F.S.; requiring the Department of Management Services
46 to consult with the agency with respect to the online
47 procurement of commodities; amending ss. 445.011,
48 445.045, and 668.50, F.S.; conforming provisions to
49 changes made by the act; amending s. 943.0415, F.S.;
50 providing additional duties for the Cybercrime Office
51 in the Department of Law Enforcement relating to cyber
52 security; requiring the office to provide cyber
53 security training to state agency employees; requiring
54 the office to consult with the agency; amending s.
55 1004.649, F.S.; revising provisions relating to the
56 Northwest Regional Data Center; revising the center’s
57 duties and the content of service-level agreements
58 with state agency customers; transferring the
59 components of the Agency for Enterprise Information
60 Technology to the Agency for State Technology;
61 providing that certain rules adopted by the Agency for
62 Enterprise Information Technology are nullified;
63 transferring the Northwood Shared Resource Center and
64 the Southwood Shared Resource Center to the Agency for
65 State Technology; requiring the Agency for State
66 Technology to complete a feasibility study relating to
67 managing state government data; specifying the
68 components of the study; requiring the study to be
69 submitted to the Governor and Legislature by a certain
70 date; creating the State Data Center Task Force;
71 specifying the membership and purpose of the task
72 force; providing for expiration; providing an
73 appropriation; providing effective dates.
74
75 Be It Enacted by the Legislature of the State of Florida:
76
77 Section 1. Section 14.204, Florida Statutes, is repealed.
78 Section 2. Section 20.61, Florida Statutes, is created to
79 read:
80 20.61 Agency for State Technology.—The Agency for State
81 Technology is created within the Department of Management
82 Services.
83 (1) The agency is a separate budget entity and is not
84 subject to control, supervision, or direction by the department,
85 including, but not limited to, purchasing, transactions
86 involving real or personal property, personnel, or budgetary
87 matters.
88 (2) The agency shall be headed by an executive director
89 appointed by the Governor and subject to the confirmation of the
90 Senate. The executive director shall be the State Chief
91 Information Officer.
92 (a) The executive director must be a proven, effective
93 administrator who preferably has executive-level experience in
94 both the public and private sectors.
95 (b) The Governor shall conduct a thorough search to find
96 the most qualified candidate and in conducting such a search,
97 the Governor shall place emphasis on the development and
98 implementation of information technology strategic planning;
99 management of enterprise information technology projects,
100 particularly management of large-scale consolidation projects;
101 and development and implementation of fiscal and substantive
102 information technology policy.
103 (3) The following positions are established within the
104 agency, all of which shall be appointed by the executive
105 director:
106 (a) A Deputy State Chief Information Officer.
107 (b) A Chief Planning Officer and six Strategic Planning
108 Coordinators with one coordinator assigned to each of the
109 following major program areas: health and human services,
110 education, government operations, criminal and civil justice,
111 agriculture and natural resources, and transportation and
112 economic development.
113 (c) A Chief Operations Officer.
114 (d) A Chief Information Security Officer.
115 (e) A Chief Technology Officer.
116 (4) The Technology Advisory Council, consisting of seven
117 members, is established and shall be maintained within the
118 agency pursuant to s. 20.052. Four members, two of whom must be
119 from the private sector, shall be appointed by the Governor; one
120 member shall be appointed by the Cabinet; and one member each
121 shall be appointed by the President of the Senate and the
122 Speaker of the House of Representatives. Upon initial
123 establishment of the council, two of the Governor’s appointments
124 shall be for 2-year terms. Thereafter all appointments shall be
125 for 4-year terms.
126 (a) The council shall consider and make recommendations to
127 the executive director of the agency on such matters as
128 enterprise information technology policies, standards, services,
129 and architecture.
130 (b) The executive director of the agency shall consult with
131 the council with regard to executing the duties and
132 responsibilities of the agency related to statewide information
133 technology strategic planning and policy.
134 (c) The council shall be governed by the code of ethics for
135 public officers and employees as set forth in part III of
136 chapter 112 and each member must file a statement of financial
137 interests pursuant to s. 112.3145.
138 Section 3. Section 282.0041, Florida Statutes, is amended
139 to read:
140 282.0041 Definitions.—As used in this chapter, the term:
141 (1) “Agency” has the same meaning as in s. 216.011(1)(qq),
142 except that for purposes of this chapter, “agency” does not
143 include university boards of trustees or state universities.
144 (2) “Agency for Enterprise Information Technology” means
145 the agency created in s. 14.204.
146 (3) “Agency information technology service” means a service
147 that directly helps an agency fulfill its statutory or
148 constitutional responsibilities and policy objectives and is
149 usually associated with the agency’s primary or core business
150 functions.
151 (4) “Annual budget meeting” means a meeting of the board of
152 trustees of a primary data center to review data center usage to
153 determine the apportionment of board members for the following
154 fiscal year, review rates for each service provided, and
155 determine any other required changes.
156 (1)(5) “Breach” has the same meaning as in s. 817.5681(4).
157 (2)(6) “Business continuity plan” means a collection of
158 procedures and information used to maintain an agency’s critical
159 operations during a period of displacement or interruption of
160 normal operations plan for disaster recovery which provides for
161 the continued functioning of a primary data center during and
162 after a disaster.
163 (3)(7) “Computing facility” means agency space containing
164 fewer than a total of 10 physical or logical servers, any of
165 which supports a strategic or nonstrategic information
166 technology service, as described in budget instructions
167 developed pursuant to s. 216.023, but excluding single, logical
168 server installations that exclusively perform a utility function
169 such as file and print servers.
170 (4)(8) “Customer entity” means an entity that obtains
171 services from a state primary data center.
172 (5)(9) “Data center” means agency space containing 10 or
173 more physical or logical servers any of which supports a
174 strategic or nonstrategic information technology service, as
175 described in budget instructions developed pursuant to s.
176 216.023.
177 (6)(10) “Department” means the Department of Management
178 Services.
179 (7) “Disaster recovery” means the processes, policies,
180 procedures, and infrastructure that relate to preparing for and
181 implementing recovery or continuation of an organization’s vital
182 technology infrastructure after a natural or human–induced
183 disaster.
184 (8)(11) “Enterprise information technology service” means
185 an information technology service that is used in all agencies
186 or a subset of agencies and is established in law to be
187 designed, delivered, and managed at the enterprise level.
188 (12) “E-mail, messaging, and calendaring service” means the
189 enterprise information technology service that enables users to
190 send, receive, file, store, manage, and retrieve electronic
191 messages, attachments, appointments, and addresses. The e-mail,
192 messaging, and calendaring service must include e-mail account
193 management; help desk; technical support and user provisioning
194 services; disaster recovery and backup and restore capabilities;
195 antispam and antivirus capabilities; archiving and e-discovery;
196 and remote access and mobile messaging capabilities.
197 (9) “Event” means an observable occurrence in a system or
198 network.
199 (10) “Incident” means a violation or imminent threat of
200 violation of computer security policies, acceptable use
201 policies, or standard security practices. An imminent threat of
202 violation exists when a state agency has a factual basis for
203 believing that a specific incident is about to occur.
204 (13) “Information-system utility” means a full-service
205 information-processing facility offering hardware, software,
206 operations, integration, networking, and consulting services.
207 (11)(14) “Information technology” means equipment,
208 hardware, software, firmware, programs, systems, networks,
209 infrastructure, media, and related material used to
210 automatically, electronically, and wirelessly collect, receive,
211 access, transmit, display, store, record, retrieve, analyze,
212 evaluate, process, classify, manipulate, manage, assimilate,
213 control, communicate, exchange, convert, converge, interface,
214 switch, or disseminate information of any kind or form.
215 (12)(15) “Information technology policy” means a specific
216 course or method of action selected from among alternatives that
217 guide and determine present and future decisions statements that
218 describe clear choices for how information technology will
219 deliver effective and efficient government services to residents
220 and improve state agency operations. A policy may relate to
221 investments, business applications, architecture, or
222 infrastructure. A policy describes its rationale, implications
223 of compliance or noncompliance, the timeline for implementation,
224 metrics for determining compliance, and the accountable
225 structure responsible for its implementation.
226 (13) “Information technology resources” has the same
227 meaning as in s. 119.011.
228 (14)(16) “Performance metrics” means the measures of an
229 organization’s activities and performance.
230 (15)(17) “Primary data center” means a data center that is
231 a recipient entity for consolidation of state agency nonprimary
232 data centers and computing facilities and that is established by
233 law.
234 (16)(18) “Project” means an endeavor that has a defined
235 start and end point; is undertaken to create or modify a unique
236 product, service, or result; and has specific objectives that,
237 when attained, signify completion.
238 (17) “Project oversight” means an independent review and
239 analysis of an information technology project in order to
240 provide information on the project’s scope, completion
241 timeframes, and budget and should identify and quantify any
242 issues or risks affecting the successful and timely completion
243 of the project.
244 (18)(19) “Risk assessment analysis” means the process of
245 identifying security risks, determining their magnitude, and
246 identifying areas needing safeguards.
247 (19)(20) “Service level” means the key performance
248 indicators (KPI) of an organization or service which must be
249 regularly performed, monitored, and achieved.
250 (20)(21) “Service-level agreement” means a written contract
251 between a data center and a customer entity which specifies the
252 scope of services provided, service level, the duration of the
253 agreement, the responsible parties, and service costs. A
254 service-level agreement is not a rule pursuant to chapter 120.
255 (21) “Stakeholder” means an individual, group,
256 organization, or state agency involved in or affected by a
257 course of action.
258 (22) “Standards” means required practices, controls,
259 components, or configurations established by an authority.
260 (23) “State agency” has the same meaning as in s. 216.011,
261 but does not include university boards of trustees or state
262 universities.
263 (24) “State data center” means an enterprise information
264 technology service provider that is the recipient entity for the
265 consolidation of state agency data centers and computing
266 facilities and that establishes, implements, operates, monitors,
267 reviews, maintains, and physically or virtually improves
268 information technology services designated by the Agency for
269 State Technology in compliance with the operating guidelines and
270 procedures set forth by the agency pursuant to s. 282.0051(11).
271 (25)(23) “SUNCOM Network” means the state enterprise
272 telecommunications system that provides all methods of
273 electronic or optical telecommunications beyond a single
274 building or contiguous building complex and used by entities
275 authorized as network users under this part.
276 (26)(24) “Telecommunications” means the science and
277 technology of communication at a distance, including electronic
278 systems used in the transmission or reception of information.
279 (27)(25) “Threat” means any circumstance or event that has
280 the potential to adversely affect a state agency’s operation or
281 assets through an information system by means of unauthorized
282 access, destruction, disclosure, modification of information, or
283 denial of service may cause harm to the integrity, availability,
284 or confidentiality of information technology resources.
285 (28) “Variance” means a calculated value that illustrates a
286 positive or negative deviation from a projection measured
287 against documented estimations within a project plan.
288 (26) “Total cost” means all costs associated with
289 information technology projects or initiatives, including, but
290 not limited to, value of hardware, software, service,
291 maintenance, incremental personnel, and facilities. Total cost
292 of a loan or gift of information technology resources to an
293 agency includes the fair market value of the resources.
294 (27) “Usage” means the billing amount charged by the
295 primary data center, less any pass-through charges, to the
296 customer entity.
297 (28) “Usage rate” means a customer entity’s usage or
298 billing amount as a percentage of total usage.
299 Section 4. Section 282.0051, Florida Statutes, is created
300 to read:
301 282.0051 Agency for State Technology; powers, duties, and
302 functions.—
303 (1) The Agency for State Technology has the following
304 powers, duties, and functions:
305 (a) Developing and publishing information technology policy
306 for the management of the state’s information technology
307 resources.
308 (b) Establishing and publishing information technology
309 architecture standards to achieve the most efficient use of the
310 state’s information technology resources and to ensure
311 compatibility and alignment with the needs of state agencies.
312 The agency shall assist state agencies in complying with such
313 standards.
314 (c) By June 30, 2015, establishing project management and
315 project oversight standards that state agencies must comply with
316 while implementing information technology projects. The Agency
317 for State Technology shall provide training opportunities to
318 state agencies to assist in the adoption of the project
319 management and oversight standards. To support data-driven
320 decisionmaking, such standards must include, but are not limited
321 to:
322 1. Performance measurements and metrics that objectively
323 reflect the status of an information technology project based on
324 the defined and documented project scope, cost, and schedule.
325 2. Methodologies for calculating acceptable variance ranges
326 in the projected versus actual scope, schedule, or cost of an
327 information technology project.
328 3. Reporting requirements that provide project visibility
329 to all identified stakeholders, including instances in which an
330 information technology project exceeds the acceptable variance
331 ranges as defined and documented in the project plan.
332 4. The content, format, and frequency of project updates.
333 (d) Beginning January 1, 2015, performing project oversight
334 on all information technology projects that have total project
335 costs of $10 million or more and that are funded in the General
336 Appropriations Act or under state law. The agency shall report
337 at least quarterly to the Executive Office of the Governor, the
338 President of the Senate, and the Speaker of the House of
339 Representatives on any information technology project the agency
340 identifies as being a high-risk project that may exceed the
341 acceptable variance ranges as defined and documented in the
342 project plan. The report must include an assessment of the risk
343 levels, including fiscal risks, associated with proceeding to
344 the next stage of the project and a recommendation for requiring
345 corrective action, which includes suspending or terminating the
346 project.
347 (e) By October 15, 2015, and biennially thereafter,
348 identifying opportunities for standardizing and consolidating
349 information technology services that support business functions
350 and operations, including administrative functions such as
351 purchasing, accounting and reporting, cash management, and
352 personnel, which are common across state agencies, and providing
353 recommendations for such standardization and consolidation to
354 the Executive Office of the Governor, the President of the
355 Senate, and the Speaker of the House of Representatives.
356 (f) In collaboration with the department, establishing best
357 practices for the procurement of information technology products
358 in order to reduce costs, increase productivity, or improve
359 services. Such practices must include a provision that requires
360 the agency to review all information technology purchases made
361 by state agencies which have a total cost of $250,000 or more,
362 unless a purchase is specifically mandated by the Legislature,
363 for compliance with the standards established pursuant to this
364 section.
365 (g) Advising and collaborating with the department in
366 conducting procurement negotiations for information technology
367 products that will be used by multiple state agencies, and
368 collaborating with the department in information technology
369 resource acquisition planning.
370 (h) Establishing standards for information technology
371 reports and updates for use by state agencies which include, but
372 are not limited to, operational work plans, project spending
373 plans, and project status reports.
374 (i) Upon request, assisting state agencies in the
375 development of their information technology-related legislative
376 budget requests.
377 (j) Conducting annual assessments of state agencies to
378 determine their compliance with information technology standards
379 and guidelines developed and published by the Agency for State
380 Technology and provide results of the assessments to the
381 Executive Office of the Governor, the President of the Senate,
382 and the Speaker of the House of Representatives.
383 (k) Providing operational management and oversight of the
384 state data center established pursuant to s. 282.201, which
385 includes:
386 1. Implementing industry standards and best practices for
387 the state data center’s facilities, operations, maintenance,
388 planning, and management processes.
389 2. Developing and implementing cost-recovery mechanisms
390 that recover the full cost of services, including direct and
391 indirect costs, through charges to applicable customer entities.
392 Such mechanisms must comply with applicable state and federal
393 requirements relating to the distribution and use of such funds
394 and must ensure that for any fiscal year a service or customer
395 entity is not subsidizing another service or customer entity.
396 3. Establishing operating guidelines and procedures
397 necessary for the state data center to perform its duties
398 pursuant to s. 282.201 which comply with applicable state and
399 federal laws, rules, and policies and are in accordance with
400 generally accepted governmental accounting and auditing
401 standards. Such guidelines and procedures must include, but need
402 not be limited to:
403 a. Implementing a consolidated administrative support
404 structure that is responsible for the provision of financial
405 management, procurement, transactions involving real or personal
406 property, human resources, and operational support.
407 b. Implementing an annual reconciliation process to ensure
408 that each customer entity is paying for the full direct and
409 indirect cost of each service as determined by the customer
410 entity’s use of each service.
411 c. Providing rebates, which may be credited against future
412 billings, to customer entities when revenues exceed costs.
413 d. Requiring a customer entity to validate that sufficient
414 funds are in or will be transferred into the appropriate data
415 processing appropriation category before implementing a customer
416 entity’s request for a change in the type or level of service if
417 such change results in a net increase to the customer entity’s
418 costs for that fiscal year.
419 e. Providing to each customer entity’s agency head by
420 September 1 of each year the projected costs to provide data
421 center services for the following fiscal year.
422 f. Providing a plan for consideration by the Legislative
423 Budget Commission if the cost of a service is increased for a
424 reason other than a customer entity’s request pursuant to
425 subparagraph 4. which results in a net increase to the customer
426 entity for that fiscal year.
427 g. Standardizing and consolidating procurement and
428 contracting practices.
429 4. In collaboration with the Department of Law Enforcement,
430 developing and implementing a process for detecting, reporting,
431 and responding to information technology security incidents,
432 breaches, or threats.
433 5. Adopting rules relating to the operation of the state
434 data center, which include, but are not limited to, its
435 budgeting and accounting procedures, cost-recovery
436 methodologies, and operating procedures.
437 6. Consolidating contract practices and coordinating
438 software, hardware, or other technology-related procurements.
439 7. Annually conducting a market analysis to determine if
440 the state’s approach to the provision of data center services is
441 the most effective and efficient manner by which its customer
442 entities can acquire such services based on federal, state, and
443 local government trends, best practices in service provision,
444 and the acquisition of new and emerging technologies. The
445 results of the market analysis should assist the state data
446 center in making any necessary adjustments to its data center
447 service offerings.
448 (l) Recommending other information technology services that
449 should be designed, delivered, and managed as enterprise
450 information technology services. Such recommendations should
451 include the identification of any existing information
452 technology resources associated with such services which would
453 need to be transferred as a result of such services being
454 delivered and managed as enterprise information technology
455 services.
456 (m) Recommending any further agency computing facility or
457 data center consolidations into the state data center
458 established pursuant to s. 282.201. Such recommendations should
459 include the proposed timeline for the consolidation.
460 (n) In consultation with state agencies, proposing
461 methodology and approaches for identifying and collecting both
462 current and planned information technology expenditure data at
463 the state agency level.
464 (o) Adopting rules to administer this section.
465 (2) The Department of Financial Services, the Department of
466 Legal Affairs, and the Department of Agriculture and Consumer
467 Services are not subject to the standards, services, and
468 functions established by the Agency for State Technology under
469 this section. However:
470 (a) Each department may contract separately with the agency
471 to provide and perform any of such services and functions for
472 the department and shall adopt the standards established by the
473 agency pursuant to paragraphs (1)(b), (1)(c), and (1)(h) or
474 adopt alternative standards based on best practices or industry
475 standards.
476 (b) The Department of Financial Services, Department of
477 Legal Affairs and the Department of Agriculture and Consumer
478 Services are subject to the authority of the Agency for State
479 Technology under this section for any technology project whose
480 project scope affects another state agency and which has a total
481 project cost of $50 million or more funded in the General
482 Appropriations Act or under state law. This authority applies to
483 the specific technology project.
484 Section 5. Section 282.0055, Florida Statutes, is repealed.
485 Section 6. Section 282.0056, Florida Statutes, is repealed.
486 Section 7. Section 282.201, Florida Statutes, is amended to
487 read:
488 282.201 State data center system; agency duties and
489 limitations.—The A state data center system that includes all
490 primary data centers, other nonprimary data centers, and
491 computing facilities, and that provides an enterprise
492 information technology service as defined in s. 282.0041, is
493 established as a primary data center within the Agency for State
494 Technology and includes the facilities formerly known as the
495 Northwood Shared Resource Center and the Southwood Shared
496 Resource Center.
497 (1) INTENT.—The Legislature finds that the most efficient
498 and effective means of providing quality utility data processing
499 services to state agencies requires that computing resources be
500 concentrated in quality facilities that provide the proper
501 security, disaster recovery, infrastructure, and staff resources
502 to ensure that the state’s data is maintained reliably and
503 safely, and is recoverable in the event of a disaster.
504 Efficiencies resulting from such consolidation include the
505 increased ability to leverage technological expertise and
506 hardware and software capabilities; increased savings through
507 consolidated purchasing decisions; and the enhanced ability to
508 deploy technology improvements and implement new policies
509 consistently throughout the consolidated organization. Unless
510 otherwise exempt by law, it is the intent of the Legislature
511 that all agency data centers and computing facilities be
512 consolidated into the state a primary data center by 2019.
513 (2) STATE DATA CENTER DUTIES.—The state data center shall:
514 (a) Offer, develop, and support the services and
515 applications as provided in the service-level agreements
516 executed with its customer entities.
517 (b) Maintain the performance of the state data center,
518 which includes ensuring proper data backup, data backup
519 recovery, a disaster recovery plan, appropriate security, power,
520 cooling, fire suppression, and capacity.
521 (c) Develop a business continuity plan and a disaster
522 recovery plan, and conduct a live exercise of these plans at
523 least annually.
524 (d) Enter into a service level agreement with each customer
525 entity to provide the required type and level of service or
526 services. If a customer entity fails to execute an agreement
527 within 60 days after the commencement of a service, the state
528 data center may cease service. A service level agreement may not
529 have a term exceeding 3 years and at a minimum must:
530 1. Identify the parties and their roles, duties, and
531 responsibilities under the agreement.
532 2. State the duration of the contractual term and specify
533 the conditions for renewal.
534 3. Identify the scope of work.
535 4. Identify the products or services to be delivered with
536 sufficient specificity to permit an external financial or
537 performance audit.
538 5. Establish the services to be provided, the business
539 standards that must be met for each service, the cost of each
540 service, and the metrics and processes by which the business
541 standards for each service are to be objectively measured and
542 reported.
543 6. Provide a timely billing methodology for recovering the
544 cost of services provided to the customer entity pursuant to s.
545 215.422.
546 7. Provide a procedure for modifying the service level
547 agreement based on changes in the type, level, and cost of a
548 service.
549 8. Provide that a service level agreement may be terminated
550 by either party for cause only after giving the other party and
551 the Agency for State Technology notice in writing of the cause
552 for termination and an opportunity for the other party to
553 resolve the identified cause within a reasonable period.
554 9. Provide for the mediation of disputes by the Division of
555 Administrative Hearings pursuant to s. 120.573.
556 (e) Be the custodian of resources and equipment that are
557 located, operated, supported, and managed by the state data
558 center for the purposes of chapter 273.
559 (f) Assume administrative access rights to the resources
560 and equipment, such as servers, network components, and other
561 devices that are consolidated into the state data center.
562 1. On the date of each consolidation specified in this
563 section, the General Appropriations Act, or the Laws of Florida,
564 each state agency shall relinquish all administrative rights to
565 such resources and equipment. State agencies required to comply
566 with federal security regulations and policies shall retain
567 administrative access rights sufficient to comply with the
568 management control provisions of those regulations and policies;
569 however, the state data center shall have the appropriate type
570 or level of rights to allow the center to comply with its duties
571 pursuant to this section. The Department of Law Enforcement
572 shall serve as the arbiter of any disputes which may arise
573 regarding the appropriate type and level of administrative
574 access rights relating to the provision of management control in
575 accordance with federal criminal justice information guidelines.
576 2. The state data center shall provide its customer
577 entities with access to applications, servers, network
578 components, and other devices necessary for state agencies to
579 perform business activities and functions, and as defined and
580 documented in the service level agreement.
581 (2) AGENCY FOR ENTERPRISE INFORMATION TECHNOLOGY DUTIES.
582 The Agency for Enterprise Information Technology shall:
583 (a) Collect and maintain information necessary for
584 developing policies relating to the data center system,
585 including, but not limited to, an inventory of facilities.
586 (b) Annually approve cost-recovery mechanisms and rate
587 structures for primary data centers which recover costs through
588 charges to customer entities.
589 (c) By September 30 of each year, submit to the
590 Legislature, the Executive Office of the Governor, and the
591 primary data centers recommendations to improve the efficiency
592 and cost-effectiveness of computing services provided by state
593 data center system facilities. Such recommendations must
594 include, but need not be limited to:
595 1. Policies for improving the cost-effectiveness and
596 efficiency of the state data center system, which includes the
597 primary data centers being transferred to a shared, virtualized
598 server environment, and the associated cost savings resulting
599 from the implementation of such policies.
600 2. Infrastructure improvements supporting the consolidation
601 of facilities or preempting the need to create additional data
602 centers or computing facilities.
603 3. Uniform disaster recovery standards.
604 4. Standards for primary data centers which provide cost
605 effective services and transparent financial data to user
606 agencies.
607 5. Consolidation of contract practices or coordination of
608 software, hardware, or other technology-related procurements and
609 the associated cost savings.
610 6. Improvements to data center governance structures.
611 (d) By October 1 of each year, provide recommendations to
612 the Governor and Legislature relating to changes to the schedule
613 for the consolidations of state agency data centers as provided
614 in subsection (4).
615 1. The recommendations must be based on the goal of
616 maximizing current and future cost savings by:
617 a. Consolidating purchase decisions.
618 b. Leveraging expertise and other resources to gain
619 economies of scale.
620 c. Implementing state information technology policies more
621 effectively.
622 d. Maintaining or improving the level of service provision
623 to customer entities.
624 2. The agency shall establish workgroups as necessary to
625 ensure participation by affected agencies in the development of
626 recommendations related to consolidations.
627 (e) Develop and establish rules relating to the operation
628 of the state data center system which comply with applicable
629 federal regulations, including 2 C.F.R. part 225 and 45 C.F.R.
630 The rules must address:
631 1. Ensuring that financial information is captured and
632 reported consistently and accurately.
633 2. Identifying standards for hardware, including standards
634 for a shared, virtualized server environment, and operations
635 system software and other operational software, including
636 security and network infrastructure, for the primary data
637 centers; requiring compliance with such standards in order to
638 enable the efficient consolidation of the agency data centers or
639 computing facilities; and providing an exemption process from
640 compliance with such standards, which must be consistent with
641 paragraph (5)(b).
642 3. Requiring annual full cost recovery on an equitable
643 rational basis. The cost-recovery methodology must ensure that
644 no service is subsidizing another service and may include
645 adjusting the subsequent year’s rates as a means to recover
646 deficits or refund surpluses from a prior year.
647 4. Requiring that any special assessment imposed to fund
648 expansion is based on a methodology that apportions the
649 assessment according to the proportional benefit to each
650 customer entity.
651 5. Requiring that rebates be given when revenues have
652 exceeded costs, that rebates be applied to offset charges to
653 those customer entities that have subsidized the costs of other
654 customer entities, and that such rebates may be in the form of
655 credits against future billings.
656 6. Requiring that all service-level agreements have a
657 contract term of up to 3 years, but may include an option to
658 renew for up to 3 additional years contingent on approval by the
659 board, and require at least a 180-day notice of termination.
660 (3) STATE AGENCY DUTIES.—
661 (a) For the purpose of completing the work activities
662 described in subsections (1) and (2), Each state agency shall
663 provide to the Agency for State Enterprise Information
664 Technology all requested information relating to its data
665 centers and computing facilities and any other information
666 relevant to the effective agency’s ability to effectively
667 transition of a state agency data center or computing facility
668 its computer services into the state a primary data center. The
669 agency shall also participate as required in workgroups relating
670 to specific consolidation planning and implementation tasks as
671 assigned by the Agency for Enterprise Information Technology and
672 determined necessary to accomplish consolidation goals.
673 (b) Each state agency customer of the state a primary data
674 center shall notify the state data center, by May 31 and
675 November 30 of each year, of any significant changes in
676 anticipated use utilization of data center services pursuant to
677 requirements established by the state boards of trustees of each
678 primary data center.
679 (4) SCHEDULE FOR CONSOLIDATIONS OF AGENCY DATA CENTERS.—
680 (a) Consolidations of agency data centers and computing
681 facilities shall be made by the date and to the specified state
682 primary data center facility as provided in this section and in
683 accordance with budget adjustments contained in the General
684 Appropriations Act.
685 (b) By December 31, 2011, the following shall be
686 consolidated into the Northwest Regional Data Center:
687 1. The Department of Education’s Knott Data Center in the
688 Turlington Building.
689 2. The Department of Education’s Division of Vocational
690 Rehabilitation.
691 3. The Department of Education’s Division of Blind
692 Services, except for the division’s disaster recovery site in
693 Daytona Beach.
694 4. The FCAT Explorer.
695 (c) During the 2011-2012 fiscal year, the following shall
696 be consolidated into the Southwood Shared Resource Center:
697 1. By September 30, 2011, the Department of Corrections.
698 2. By March 31, 2012, the Department of Transportation’s
699 Burns Building.
700 3. By March 31, 2012, the Department of Transportation’s
701 Survey & Mapping Office.
702 (d) By July 1, 2012, the Department of Highway Safety and
703 Motor Vehicles’ Office of Commercial Vehicle Enforcement shall
704 be consolidated into the Northwood Shared Resource Center.
705 (e) By September 30, 2012, the Department of Revenue’s
706 Carlton Building and Imaging Center locations shall be
707 consolidated into the Northwest Regional Data Center.
708 (f) During the 2012-2013 fiscal year, the following shall
709 be consolidated into the Northwood Shared Resource Center:
710 1. By July 1, 2012, the Agency for Health Care
711 Administration.
712 2. By August 31, 2012, the Department of Highway Safety and
713 Motor Vehicles.
714 3. By December 31, 2012, the Department of Environmental
715 Protection’s Palmetto Commons.
716 4. By December 31, 2012, the Department of Health’s Test
717 and Development Lab and all remaining data center resources
718 located at the Capital Circle Office Complex.
719 (g) During the 2013-2014 fiscal year, the following shall
720 be consolidated into the Southwood Shared Resource Center:
721 1. By October 31, 2013, the Department of Economic
722 Opportunity.
723 2. By December 31, 2013, the Executive Office of the
724 Governor, to include the Division of Emergency Management except
725 for the Emergency Operation Center’s management system in
726 Tallahassee and the Camp Blanding Emergency Operations Center in
727 Starke.
728 3. By March 31, 2014, the Department of Elderly Affairs.
729 (h) By October 30, 2013, the Fish and Wildlife Conservation
730 Commission, except for the commission’s Fish and Wildlife
731 Research Institute in St. Petersburg, shall be consolidated into
732 the Northwood Shared Resource Center.
733 (i) During the 2014-2015 fiscal year, the following
734 agencies shall work with the Agency for Enterprise Information
735 Technology to begin preliminary planning for consolidation into
736 a primary data center:
737 1. The Department of Health’s Jacksonville Lab Data Center.
738 2. The Department of Transportation’s district offices,
739 toll offices, and the District Materials Office.
740 3. The Department of Military Affairs’ Camp Blanding Joint
741 Training Center in Starke.
742 4. The Camp Blanding Emergency Operations Center in Starke.
743 5. The Department of Education’s Division of Blind Services
744 disaster recovery site in Daytona Beach.
745 6. The Department of Education’s disaster recovery site at
746 Santa Fe College.
747 7. The Fish and Wildlife Conservation Commission’s Fish and
748 Wildlife Research Institute in St. Petersburg.
749 8. The Department of Children and Family Services’ Suncoast
750 Data Center in Tampa.
751 9. The Department of Children and Family Services’ Florida
752 State Hospital in Chattahoochee.
753 (j) During the 2015-2016 fiscal year, all computing
754 resources remaining within an agency data center or computing
755 facility, to include the Department of Financial Services’
756 Hartman, Larson, and Fletcher Buildings data centers, shall be
757 transferred to a primary data center for consolidation unless
758 otherwise required to remain in the agency for specified
759 financial, technical, or business reasons that must be justified
760 in writing and approved by the Agency for Enterprise Information
761 Technology. Such data centers, computing facilities, and
762 resources must be identified by the Agency for Enterprise
763 Information Technology by October 1, 2014.
764 (b)(k) The Department of Law Enforcement, the Department of
765 the Lottery’s Gaming System, Systems Design and Development in
766 the Office of Policy and Budget, the regional traffic management
767 centers and the Office of Toll Operations of the Department of
768 Transportation, and the State Board of Administration, state
769 attorneys, public defenders, criminal conflict and civil
770 regional counsel, capital collateral regional counsel, the
771 Florida Clerks of Court Operations Corporation, and the Florida
772 Housing Finance Corporation are exempt from data center
773 consolidation under this section.
774 (c)(l) A state Any agency that is consolidating its agency
775 data center or computing facility centers into the state a
776 primary data center must execute a new or update an existing
777 service-level agreement within 60 days after the commencement of
778 service specified consolidation date, as required by s.
779 282.201(2) s. 282.203, in order to specify the services and
780 levels of service it is to receive from the state primary data
781 center as a result of the consolidation. If the state an agency
782 and the state primary data center are unable to execute a
783 service-level agreement by that date, the agency and the primary
784 data center shall submit a report to the Executive Office of the
785 Governor and to the chairs of the legislative appropriations
786 committees within 5 working days after that date which explains
787 the specific issues preventing execution and describing the plan
788 and schedule for resolving those issues.
789 (m) Beginning September 1, 2011, and every 6 months
790 thereafter until data center consolidations are complete, the
791 Agency for Enterprise Information Technology shall provide a
792 status report on the implementation of the consolidations that
793 must be completed during the fiscal year. The report shall be
794 submitted to the Executive Office of the Governor and the chairs
795 of the legislative appropriations committees. The report must,
796 at a minimum, describe:
797 1. Whether the consolidation is on schedule, including
798 progress on achieving the milestones necessary for successful
799 and timely consolidation of scheduled agency data centers and
800 computing facilities.
801 2. The risks that may affect the progress or outcome of the
802 consolidation and how these risks are being addressed,
803 mitigated, or managed.
804 (d)(n) Each state agency scheduled identified in this
805 subsection for consolidation into the state a primary data
806 center shall submit a transition plan to the Agency for State
807 Technology appropriate primary data center by July 1 of the
808 fiscal year before the fiscal year in which the scheduled
809 consolidation will occur. Transition plans shall be developed in
810 consultation with the state appropriate primary data center
811 centers and the Agency for Enterprise Information Technology,
812 and must include:
813 1. An inventory of the state agency data center’s resources
814 being consolidated, including all hardware and its associated
815 life cycle replacement schedule, software, staff, contracted
816 services, and facility resources performing data center
817 management and operations, security, backup and recovery,
818 disaster recovery, system administration, database
819 administration, system programming, job control, production
820 control, print, storage, technical support, help desk, and
821 managed services, but excluding application development, and the
822 state agency’s costs supporting these resources.
823 2. A list of contracts in effect, including, but not
824 limited to, contracts for hardware, software, and maintenance,
825 which identifies the expiration date, the contract parties, and
826 the cost of each contract.
827 3. A detailed description of the level of services needed
828 to meet the technical and operational requirements of the
829 platforms being consolidated.
830 4. A description of resources for computing services
831 proposed to remain in the department.
832 4.5. A timetable with significant milestones for the
833 completion of the consolidation.
834 (o) Each primary data center shall develop a transition
835 plan for absorbing the transfer of agency data center resources
836 based upon the timetables for transition as provided in this
837 subsection. The plan shall be submitted to the Agency for
838 Enterprise Information Technology, the Executive Office of the
839 Governor, and the chairs of the legislative appropriations
840 committees by September 1 of the fiscal year before the fiscal
841 year in which the scheduled consolidations will occur. Each plan
842 must include:
843 1. The projected cost to provide data center services for
844 each agency scheduled for consolidation.
845 2. A staffing plan that identifies the projected staffing
846 needs and requirements based on the estimated workload
847 identified in the agency transition plan.
848 3. The fiscal year adjustments to budget categories in
849 order to absorb the transfer of agency data center resources
850 pursuant to the legislative budget request instructions provided
851 in s. 216.023.
852 4. An analysis of the cost effects resulting from the
853 planned consolidations on existing agency customers.
854 5. A description of any issues that must be resolved in
855 order to accomplish as efficiently and effectively as possible
856 all consolidations required during the fiscal year.
857 (e)(p) Each state agency scheduled identified in this
858 subsection for consolidation into the state a primary data
859 center shall submit with its respective legislative budget
860 request the specific recurring and nonrecurring budget
861 adjustments of resources by appropriation category into the
862 appropriate data processing category pursuant to the legislative
863 budget request instructions in s. 216.023.
864 (5) AGENCY LIMITATIONS.—
865 (a) Unless exempt from state data center consolidation
866 pursuant to this section, authorized by the Legislature, or as
867 provided in paragraph paragraphs (b) and (c), a state agency may
868 not:
869 1. Create a new computing facility or data center, or
870 expand the capability to support additional computer equipment
871 in an existing state agency computing facility or nonprimary
872 data center;
873 2. Spend funds before the state agency’s scheduled
874 consolidation into the state a primary data center to purchase
875 or modify hardware or operations software that does not comply
876 with hardware and software standards established by the Agency
877 for State Enterprise Information Technology pursuant to
878 paragraph (2)(e) for the efficient consolidation of the agency
879 data centers or computing facilities;
880 3. Transfer existing computer services to any data center
881 other than the state a primary data center;
882 4. Terminate services with the state a primary data center
883 or transfer services between primary data centers without giving
884 written notice of intent to terminate or transfer services 180
885 days before such termination or transfer; or
886 5. Initiate a new computer service except with the state a
887 primary data center.
888 (b) Exceptions to the limitations in subparagraphs (a)1.,
889 2., 3., and 5. may be granted by the Agency for State Enterprise
890 Information Technology if there is insufficient capacity in the
891 state a primary data center to absorb the workload associated
892 with agency computing services, if expenditures are compatible
893 with the scheduled consolidation and the standards established
894 pursuant to s. 282.0051 paragraph (2)(e), or if the equipment or
895 resources are needed to meet a critical agency business need
896 that cannot be satisfied by from surplus equipment or resources
897 of the state primary data center until the agency data center is
898 consolidated. The Agency for State Technology shall develop and
899 publish the guidelines and required documentation that a state
900 agency must comply with when requesting an exception. The
901 agency’s decision regarding the exception request is not subject
902 to chapter 120.
903 1. A request for an exception must be submitted in writing
904 to the Agency for Enterprise Information Technology. The agency
905 must accept, accept with conditions, or deny the request within
906 60 days after receipt of the written request. The agency’s
907 decision is not subject to chapter 120.
908 2. At a minimum, the agency may not approve a request
909 unless it includes:
910 a. Documentation approved by the primary data center’s
911 board of trustees which confirms that the center cannot meet the
912 capacity requirements of the agency requesting the exception
913 within the current fiscal year.
914 b. A description of the capacity requirements of the agency
915 requesting the exception.
916 c. Documentation from the agency demonstrating why it is
917 critical to the agency’s mission that the expansion or transfer
918 must be completed within the fiscal year rather than when
919 capacity is established at a primary data center.
920 (c) Exceptions to subparagraph (a)4. may be granted by the
921 board of trustees of the primary data center if the termination
922 or transfer of services can be absorbed within the current cost
923 allocation plan.
924 (d) Upon the termination of or transfer of agency computing
925 services from the primary data center, the primary data center
926 shall require information sufficient to determine compliance
927 with this section. If a primary data center determines that an
928 agency is in violation of this section, it shall report the
929 violation to the Agency for Enterprise Information Technology.
930 (6) RULES.—The Agency for Enterprise Information Technology
931 may adopt rules to administer this part relating to the state
932 data center system including the primary data centers.
933 Section 8. Section 282.203, Florida Statutes, is repealed.
934 Section 9. Section 282.204, Florida Statutes, is repealed.
935 Section 10. Section 282.205, Florida Statutes, is repealed.
936 Section 11. Section 282.318, Florida Statutes, is amended
937 to read:
938 282.318 Enterprise security of data and information
939 technology.—
940 (1) This section may be cited as the “Enterprise Security
941 of Data and Information Technology Act.”
942 (2) Information technology security is established as an
943 enterprise information technology service as defined in s.
944 282.0041.
945 (2)(3) The Agency for State Enterprise Information
946 Technology is responsible for establishing standards,
947 guidelines, and processes by rule which are consistent with
948 generally accepted best practices for information security and
949 which ensure rules and publishing guidelines for ensuring an
950 appropriate level of security for all data and information
951 technology resources for executive branch agencies. The agency
952 shall also perform the following duties and responsibilities:
953 (a) By June 30, 2015, develop, and annually update a
954 statewide by February 1, an enterprise information security
955 strategic plan that includes security goals and objectives for
956 the strategic issues of information security policy, risk
957 management, training, incident management, and survivability
958 planning.
959 (b) Develop and publish an information security framework
960 for use by state agencies which, at a minimum, includes
961 guidelines and processes enterprise security rules and published
962 guidelines for:
963 1. Developing and using a risk assessment methodology that
964 will apply to state agencies to identify the priorities,
965 constraints, risk tolerance, and assumptions.
966 2.1. Completing comprehensive risk assessments analyses and
967 information security audits. Such assessments and audits shall
968 be conducted by state agencies and reviewed by the Agency for
969 State Technology conducted by state agencies.
970 3. Identifying protection procedures to manage the
971 protection of a state agency’s information, data, and
972 information technology resources.
973 4. Detecting threats through proactive monitoring of
974 events, continuous security monitoring, and specified detection
975 processes.
976 5.2. Responding to suspected or confirmed information
977 technology security incidents, including suspected or confirmed
978 breaches of personal information containing confidential or
979 exempt data.
980 6.3. Developing state agency strategic and operational
981 information security plans required under this section,
982 including strategic security plans and security program plans.
983 7.4. Recovering The recovery of information technology and
984 data in response to a security incident following a disaster.
985 The recovery may include recommended improvements to the
986 processes, policies, or guidelines.
987 8.5. Establishing The managerial, operational, and
988 technical safeguards for protecting state government data and
989 information technology resources which align with state agency
990 risk management strategies for protecting the confidentiality,
991 integrity, and availability of information technology and data.
992 9. Establishing procedures for accessing information
993 technology resources and data in order to limit authorized
994 users, processes, or devices to authorized activities and
995 transactions.
996 10. Establishing asset management procedures to ensure that
997 information technology resources are identified and consistently
998 managed with their relative importance to business objectives.
999 (c) Assist state agencies in complying with the provisions
1000 of this section.
1001 (d) Pursue appropriate funding for the purpose of enhancing
1002 domestic security.
1003 (d)(e) In collaboration with the Cybercrime Office in the
1004 Department of Law Enforcement, provide training for state agency
1005 information security managers.
1006 (e)(f) Annually review the strategic and operational
1007 information security plans of state executive branch agencies.
1008 (3)(4) To assist the Agency for Enterprise Information
1009 Technology in carrying out its responsibilities, Each state
1010 agency head shall, at a minimum:
1011 (a) Designate an information security manager who, for the
1012 purposes of his or her information technology security duties,
1013 shall report to the agency head and shall to administer the
1014 information technology security program of the agency for its
1015 data and information technology resources. This designation must
1016 be provided annually in writing to the Agency for State
1017 Enterprise Information Technology by January 1.
1018 (b) Submit annually to the Agency for State Enterprise
1019 Information Technology annually by July 31, the state agency’s
1020 strategic and operational information security plans developed
1021 pursuant to the rules and guidelines established by the Agency
1022 for State Enterprise Information Technology.
1023 1. The state agency strategic information security plan
1024 must cover a 3-year period and, at a minimum, define security
1025 goals, intermediate objectives, and projected agency costs for
1026 the strategic issues of agency information security policy, risk
1027 management, security training, security incident response, and
1028 survivability. The plan must be based on the statewide
1029 enterprise strategic information security strategic plan created
1030 by the Agency for State Enterprise Information Technology and
1031 include performance metrics that can be objectively measured in
1032 order to gauge the state agency’s progress in meeting the
1033 security goals and objectives identified in the strategic
1034 information security plan. Additional issues may be included.
1035 2. The state agency operational information security plan
1036 must include a progress report that objectively measures
1037 progress made toward for the prior operational information
1038 security plan and a project plan that includes activities,
1039 timelines, and deliverables for security objectives that,
1040 subject to current resources, the state agency will implement
1041 during the current fiscal year. The cost of implementing the
1042 portions of the plan which cannot be funded from current
1043 resources must be identified in the plan.
1044 (c) Conduct, and update every 3 years, a comprehensive risk
1045 assessment analysis to determine the security threats to the
1046 data, information, and information technology resources of the
1047 state agency. The risk assessment must comply with the risk
1048 assessment methodology developed by the Agency for State
1049 Technology. The risk assessment analysis information is
1050 confidential and exempt from the provisions of s. 119.07(1),
1051 except that such information shall be available to the Auditor
1052 General, and the Agency for State Enterprise Information
1053 Technology, and the Cybercrime Office in the Department of Law
1054 Enforcement for performing postauditing duties.
1055 (d) Develop, and periodically update, written internal
1056 policies and procedures, which include procedures for reporting
1057 information technology security incidents and breaches to the
1058 Cybercrime Office in the Department of Law Enforcement and
1059 notifying the Agency for State Enterprise Information Technology
1060 when a suspected or confirmed breach, or an information security
1061 incident, occurs. Such policies and procedures must be
1062 consistent with the rules, and guidelines, and processes
1063 established by the Agency for State Enterprise Information
1064 Technology to ensure the security of the data, information, and
1065 information technology resources of the state agency. The
1066 internal policies and procedures that, if disclosed, could
1067 facilitate the unauthorized modification, disclosure, or
1068 destruction of data or information technology resources are
1069 confidential information and exempt from s. 119.07(1), except
1070 that such information shall be available to the Auditor General,
1071 the Cybercrime Office in the Department of Law Enforcement, and
1072 the Agency for State Enterprise Information Technology for
1073 performing postauditing duties.
1074 (e) Implement the managerial, operational, and technical
1075 appropriate cost-effective safeguards established by the Agency
1076 for State Technology to address identified risks to the data,
1077 information, and information technology resources of the agency.
1078 (f) Ensure that periodic internal audits and evaluations of
1079 the agency’s security program for the data, information, and
1080 information technology resources of the agency are conducted.
1081 The results of such audits and evaluations are confidential
1082 information and exempt from s. 119.07(1), except that such
1083 information shall be available to the Auditor General, the
1084 Cybercrime Office in the Department of Law Enforcement, and the
1085 Agency for State Enterprise Information Technology for
1086 performing postauditing duties.
1087 (g) Include appropriate security requirements in the
1088 written specifications for the solicitation of information
1089 technology and information technology resources and services,
1090 which are consistent with the rules and guidelines established
1091 by the Agency for State Enterprise Information Technology in
1092 collaboration with the department.
1093 (h) Require that state agency employees complete the
1094 security awareness training offered by the Agency for State
1095 Technology in collaboration with the Cybercrime Office in the
1096 Department of Law Enforcement. Coordinate with state agencies to
1097 provide agency-specific security training aligned with the
1098 agency operational information security plan. Provide security
1099 awareness training to employees and users of the agency’s
1100 communication and information resources concerning information
1101 security risks and the responsibility of employees and users to
1102 comply with policies, standards, guidelines, and operating
1103 procedures adopted by the agency to reduce those risks.
1104 (i) Develop processes a process for detecting, reporting,
1105 and responding to information suspected or confirmed security
1106 threats or breaches or security incidents which are, including
1107 suspected or confirmed breaches consistent with the security
1108 rules, and guidelines, and processes established by the Agency
1109 for State Enterprise Information Technology.
1110 1. All Suspected or confirmed information technology
1111 security incidents and breaches must be immediately reported to
1112 the Cybercrime Office in the Department of Law Enforcement and
1113 the Agency for State Enterprise Information Technology.
1114 2. For information technology security incidents involving
1115 breaches, agencies shall provide notice in accordance with s.
1116 817.5681 and to the Agency for Enterprise Information Technology
1117 in accordance with this subsection.
1118 (5) Each state agency shall include appropriate security
1119 requirements in the specifications for the solicitation of
1120 contracts for procuring information technology or information
1121 technology resources or services which are consistent with the
1122 rules and guidelines established by the Agency for Enterprise
1123 Information Technology.
1124 (4)(6) The Agency for State Enterprise Information
1125 Technology may adopt rules relating to information security and
1126 to administer the provisions of this section.
1127 Section 12. Section 282.33, Florida Statutes, is repealed.
1128 Section 13. Effective upon this act becoming a law, section
1129 282.34, Florida Statutes, is repealed.
1130 Section 14. Subsections (1) and (2) of section 17.0315,
1131 Florida Statutes, are amended to read:
1132 17.0315 Financial and cash management system; task force.—
1133 (1) The Chief Financial Officer, as the constitutional
1134 officer responsible for settling and approving accounts against
1135 the state and keeping all state funds pursuant to s. 4, Art. IV
1136 of the State Constitution, is shall be the head of and shall
1137 appoint members to a task force established to develop a
1138 strategic business plan for a successor financial and cash
1139 management system. The task force shall include the executive
1140 director of the Agency for State Enterprise Information
1141 Technology and the director of the Office of Policy and Budget
1142 in the Executive Office of the Governor. Any member of the task
1143 force may appoint a designee.
1144 (2) The strategic business plan for a successor financial
1145 and cash management system must:
1146 (a) Permit proper disbursement and auditing controls
1147 consistent with the respective constitutional duties of the
1148 Chief Financial Officer and the Legislature;
1149 (b) Promote transparency in the accounting of public funds;
1150 (c) Provide timely and accurate recording of financial
1151 transactions by agencies and their professional staffs;
1152 (d) Support executive reporting and data analysis
1153 requirements;
1154 (e) Be capable of interfacing with other systems providing
1155 human resource services, procuring goods and services, and
1156 providing other enterprise functions;
1157 (f) Be capable of interfacing with the existing legislative
1158 appropriations, planning, and budgeting systems;
1159 (g) Be coordinated with the information technology strategy
1160 development efforts of the Agency for State Enterprise
1161 Information Technology;
1162 (h) Be coordinated with the revenue estimating conference
1163 process as supported by the Office of Economic and Demographic
1164 Research; and
1165 (i) Address other such issues as the Chief Financial
1166 Officer identifies.
1167 Section 15. Subsection (1) of section 20.055, Florida
1168 Statutes, is reordered and amended to read:
1169 20.055 Agency inspectors general.—
1170 (1) As used in For the purposes of this section, the term:
1171 (d)(a) “State agency” means each department created
1172 pursuant to this chapter, and also includes the Executive Office
1173 of the Governor, the Department of Military Affairs, the Fish
1174 and Wildlife Conservation Commission, the Office of Insurance
1175 Regulation of the Financial Services Commission, the Office of
1176 Financial Regulation of the Financial Services Commission, the
1177 Public Service Commission, the Board of Governors of the State
1178 University System, the Florida Housing Finance Corporation, the
1179 Agency for State Technology, and the state courts system.
1180 (a)(b) “Agency head” means the Governor, a Cabinet officer,
1181 a secretary as defined in s. 20.03(5), or an executive director
1182 as those terms are defined in s. 20.03, 20.03(6). It also
1183 includes the chair of the Public Service Commission, the
1184 Director of the Office of Insurance Regulation of the Financial
1185 Services Commission, the Director of the Office of Financial
1186 Regulation of the Financial Services Commission, the board of
1187 directors of the Florida Housing Finance Corporation, and the
1188 Chief Justice of the State Supreme Court.
1189 (c) “Individuals substantially affected” means natural
1190 persons who have established a real and sufficiently immediate
1191 injury in fact due to the findings, conclusions, or
1192 recommendations of a final report of a state agency inspector
1193 general, who are the subject of the audit or investigation, and
1194 who do not have or are not currently afforded an existing right
1195 to an independent review process. The term does not apply to
1196 employees of the state, including career service, probationary,
1197 other personal service, Selected Exempt Service, and Senior
1198 Management Service employees;, are not covered by this
1199 definition. This definition also does not cover former employees
1200 of the state if the final report of the state agency inspector
1201 general relates to matters arising during a former employee’s
1202 term of state employment; or. This definition does not apply to
1203 persons who are the subject of audits or investigations
1204 conducted pursuant to ss. 112.3187-112.31895 or s. 409.913 or
1205 which are otherwise confidential and exempt under s. 119.07.
1206 (b)(d) “Entities contracting with the state” means for
1207 profit and not-for-profit organizations or businesses that have
1208 having a legal existence, such as corporations or partnerships,
1209 as opposed to natural persons, which have entered into a
1210 relationship with a state agency as defined in paragraph (a) to
1211 provide for consideration certain goods or services to the state
1212 agency or on behalf of the state agency. The relationship may be
1213 evidenced by payment by warrant or purchasing card, contract,
1214 purchase order, provider agreement, or other such mutually
1215 agreed upon relationship. The term This definition does not
1216 apply to entities that which are the subject of audits or
1217 investigations conducted pursuant to ss. 112.3187-112.31895 or
1218 s. 409.913 or which are otherwise confidential and exempt under
1219 s. 119.07.
1220 Section 16. Paragraph (e) of subsection (2) of section
1221 110.205, Florida Statutes, is amended to read:
1222 110.205 Career service; exemptions.—
1223 (2) EXEMPT POSITIONS.—The exempt positions that are not
1224 covered by this part include the following:
1225 (e) The Chief Information Officer in the Agency for State
1226 Enterprise Information Technology. Unless otherwise fixed by
1227 law, the Agency for State Enterprise Information Technology
1228 shall set the salary and benefits of this position in accordance
1229 with the rules of the Senior Management Service.
1230 Section 17. Subsections (2) and (9) of section 215.322,
1231 Florida Statutes, are amended to read:
1232 215.322 Acceptance of credit cards, charge cards, debit
1233 cards, or electronic funds transfers by state agencies, units of
1234 local government, and the judicial branch.—
1235 (2) A state agency as defined in s. 216.011, or the
1236 judicial branch, may accept credit cards, charge cards, debit
1237 cards, or electronic funds transfers in payment for goods and
1238 services with the prior approval of the Chief Financial Officer.
1239 If the Internet or other related electronic methods are to be
1240 used as the collection medium, the Agency for State Enterprise
1241 Information Technology shall review and recommend to the Chief
1242 Financial Officer whether to approve the request with regard to
1243 the process or procedure to be used.
1244 (9) For payment programs in which credit cards, charge
1245 cards, or debit cards are accepted by state agencies, the
1246 judicial branch, or units of local government, the Chief
1247 Financial Officer, in consultation with the Agency for State
1248 Enterprise Information Technology, may adopt rules to establish
1249 uniform security safeguards for cardholder data and to ensure
1250 compliance with the Payment Card Industry Data Security
1251 Standards.
1252 Section 18. Subsection (2) of section 215.96, Florida
1253 Statutes, is amended to read:
1254 215.96 Coordinating council and design and coordination
1255 staff.—
1256 (2) The coordinating council shall consist of the Chief
1257 Financial Officer; the Commissioner of Agriculture; the Attorney
1258 General; the secretary of the Department of Management Services;
1259 the executive director of the Agency for State Technology the
1260 Attorney General; and the Director of Planning and Budgeting,
1261 Executive Office of the Governor, or their designees. The Chief
1262 Financial Officer, or his or her designee, shall be chair of the
1263 coordinating council, and the design and coordination staff
1264 shall provide administrative and clerical support to the council
1265 and the board. The design and coordination staff shall maintain
1266 the minutes of each meeting and shall make such minutes
1267 available to any interested person. The Auditor General, the
1268 State Courts Administrator, an executive officer of the Florida
1269 Association of State Agency Administrative Services Directors,
1270 and an executive officer of the Florida Association of State
1271 Budget Officers, or their designees, shall serve without voting
1272 rights as ex officio members of on the coordinating council. The
1273 chair may call meetings of the coordinating council as often as
1274 necessary to transact business; however, the coordinating
1275 council must shall meet at least annually once a year. Action of
1276 the coordinating council shall be by motion, duly made, seconded
1277 and passed by a majority of the coordinating council voting in
1278 the affirmative for approval of items that are to be recommended
1279 for approval to the Financial Management Information Board.
1280 Section 19. Paragraph (a) of subsection (4) of section
1281 216.023, Florida Statutes, is amended to read:
1282 216.023 Legislative budget requests to be furnished to
1283 Legislature by agencies.—
1284 (4)(a) The legislative budget request must contain for each
1285 program must contain:
1286 1. The constitutional or statutory authority for a program,
1287 a brief purpose statement, and approved program components.
1288 2. Information on expenditures for 3 fiscal years (actual
1289 prior-year expenditures, current-year estimated expenditures,
1290 and agency budget requested expenditures for the next fiscal
1291 year) by appropriation category.
1292 3. Details on trust funds and fees.
1293 4. The total number of positions (authorized, fixed, and
1294 requested).
1295 5. An issue narrative describing and justifying changes in
1296 amounts and positions requested for current and proposed
1297 programs for the next fiscal year.
1298 6. Information resource requests.
1299 7. Supporting information, including applicable cost
1300 benefit analyses, business case analyses, performance
1301 contracting procedures, service comparisons, and impacts on
1302 performance standards for any request to outsource or privatize
1303 agency functions. The cost-benefit and business case analyses
1304 must include an assessment of the impact on each affected
1305 activity from those identified in accordance with paragraph (b).
1306 Performance standards must include standards for each affected
1307 activity and be expressed in terms of the associated unit of
1308 activity.
1309 8. An evaluation of any major outsourcing and privatization
1310 initiatives undertaken during the last 5 fiscal years having
1311 aggregate expenditures exceeding $10 million during the term of
1312 the contract. The evaluation must shall include an assessment of
1313 contractor performance, a comparison of anticipated service
1314 levels to actual service levels, and a comparison of estimated
1315 savings to actual savings achieved. Consolidated reports issued
1316 by the Department of Management Services may be used to satisfy
1317 this requirement.
1318 9. Supporting information for any proposed consolidated
1319 financing of deferred-payment commodity contracts including
1320 guaranteed energy performance savings contracts. Supporting
1321 information must also include narrative describing and
1322 justifying the need, baseline for current costs, estimated cost
1323 savings, projected equipment purchases, estimated contract
1324 costs, and return on investment calculation.
1325 10. For projects that exceed $10 million in total cost, the
1326 statutory reference of the existing policy or the proposed
1327 substantive policy that establishes and defines the project’s
1328 governance structure, planned scope, main business objectives
1329 that must be achieved, and estimated completion timeframes. The
1330 governance structure for information technology-related projects
1331 requested by a state agency must incorporate the applicable
1332 project management and oversight standards established under s.
1333 282.0051. Information technology budget requests for the
1334 continuance of existing hardware and software maintenance
1335 agreements, renewal of existing software licensing agreements,
1336 or the replacement of desktop units with new technology that is
1337 similar to the technology currently in use are exempt from this
1338 requirement.
1339 Section 20. Subsection (22) of section 287.057, Florida
1340 Statutes, is amended to read:
1341 287.057 Procurement of commodities or contractual
1342 services.—
1343 (22) The department, in consultation with the Chief
1344 Financial Officer and the Agency for State Technology, shall
1345 maintain a program for the online procurement of commodities and
1346 contractual services. To enable the state to promote open
1347 competition and leverage its buying power, agencies shall
1348 participate in the online procurement program, and eligible
1349 users may participate in the program. Only vendors prequalified
1350 as meeting mandatory requirements and qualifications criteria
1351 may participate in online procurement.
1352 (a) The department, in consultation with the Agency for
1353 State Technology, may contract for equipment and services
1354 necessary to develop and implement online procurement.
1355 (b) The department shall adopt rules to administer the
1356 program for online procurement. The rules must include, but not
1357 be limited to:
1358 1. Determining the requirements and qualification criteria
1359 for prequalifying vendors.
1360 2. Establishing the procedures for conducting online
1361 procurement.
1362 3. Establishing the criteria for eligible commodities and
1363 contractual services.
1364 4. Establishing the procedures for providing access to
1365 online procurement.
1366 5. Determining the criteria warranting any exceptions to
1367 participation in the online procurement program.
1368 (c) The department may impose and shall collect all fees
1369 for the use of the online procurement systems.
1370 1. The fees may be imposed on an individual transaction
1371 basis or as a fixed percentage of the cost savings generated. At
1372 a minimum, the fees must be set in an amount sufficient to cover
1373 the projected costs of the services, including administrative
1374 and project service costs in accordance with the policies of the
1375 department.
1376 2. If the department contracts with a provider for online
1377 procurement, the department, pursuant to appropriation, shall
1378 compensate the provider from the fees after the department has
1379 satisfied all ongoing costs. The provider shall report
1380 transaction data to the department each month so that the
1381 department may determine the amount due and payable to the
1382 department from each vendor.
1383 3. All fees that are due and payable to the state on a
1384 transactional basis or as a fixed percentage of the cost savings
1385 generated are subject to s. 215.31 and must be remitted within
1386 40 days after receipt of payment for which the fees are due. For
1387 fees that are not remitted within 40 days, the vendor shall pay
1388 interest at the rate established under s. 55.03(1) on the unpaid
1389 balance from the expiration of the 40-day period until the fees
1390 are remitted.
1391 4. All fees and surcharges collected under this paragraph
1392 shall be deposited in the Operating Trust Fund as provided by
1393 law.
1394 Section 21. Subsection (4) of section 445.011, Florida
1395 Statutes, is amended to read:
1396 445.011 Workforce information systems.—
1397 (4) Workforce Florida, Inc., shall coordinate development
1398 and implementation of workforce information systems with the
1399 executive director of the Agency for State Enterprise
1400 Information Technology to ensure compatibility with the state’s
1401 information system strategy and enterprise architecture.
1402 Section 22. Subsections (2) and (4) of section 445.045,
1403 Florida Statutes, are amended to read:
1404 445.045 Development of an Internet-based system for
1405 information technology industry promotion and workforce
1406 recruitment.—
1407 (2) Workforce Florida, Inc., shall coordinate with the
1408 Agency for State Enterprise Information Technology and the
1409 Department of Economic Opportunity to ensure links, where
1410 feasible and appropriate, to existing job information websites
1411 maintained by the state and state agencies and to ensure that
1412 information technology positions offered by the state and state
1413 agencies are posted on the information technology website.
1414 (4)(a) Workforce Florida, Inc., shall coordinate
1415 development and maintenance of the website under this section
1416 with the executive director of the Agency for State Enterprise
1417 Information Technology to ensure compatibility with the state’s
1418 information system strategy and enterprise architecture.
1419 (b) Workforce Florida, Inc., may enter into an agreement
1420 with the Agency for State Enterprise Information Technology, the
1421 Department of Economic Opportunity, or any other public agency
1422 with the requisite information technology expertise for the
1423 provision of design, operating, or other technological services
1424 necessary to develop and maintain the website.
1425 (c) Workforce Florida, Inc., may procure services necessary
1426 to implement the provisions of this section, if it employs
1427 competitive processes, including requests for proposals,
1428 competitive negotiation, and other competitive processes that to
1429 ensure that the procurement results in the most cost-effective
1430 investment of state funds.
1431 Section 23. Paragraph (b) of subsection (18) of section
1432 668.50, Florida Statutes, is amended to read:
1433 668.50 Uniform Electronic Transaction Act.—
1434 (18) ACCEPTANCE AND DISTRIBUTION OF ELECTRONIC RECORDS BY
1435 GOVERNMENTAL AGENCIES.—
1436 (b) To the extent that a governmental agency uses
1437 electronic records and electronic signatures under paragraph
1438 (a), the Agency for State Enterprise Information Technology, in
1439 consultation with the governmental agency, giving due
1440 consideration to security, may specify:
1441 1. The manner and format in which the electronic records
1442 must be created, generated, sent, communicated, received, and
1443 stored and the systems established for those purposes.
1444 2. If electronic records must be signed by electronic
1445 means, the type of electronic signature required, the manner and
1446 format in which the electronic signature must be affixed to the
1447 electronic record, and the identity of, or criteria that must be
1448 met by, any third party used by a person filing a document to
1449 facilitate the process.
1450 3. Control processes and procedures as appropriate to
1451 ensure adequate preservation, disposition, integrity, security,
1452 confidentiality, and auditability of electronic records.
1453 4. Any other required attributes for electronic records
1454 which are specified for corresponding nonelectronic records or
1455 reasonably necessary under the circumstances.
1456 Section 24. Section 943.0415, Florida Statutes, is amended
1457 to read:
1458 943.0415 Cybercrime Office.—The Cybercrime Office There is
1459 created within the Department of Law Enforcement the Cybercrime
1460 Office. The office may:
1461 (1) Investigate violations of state law pertaining to the
1462 sexual exploitation of children which are facilitated by or
1463 connected to the use of any device capable of storing electronic
1464 data.
1465 (2) Monitor information technology resources and provide
1466 analysis on information technology security incidents, threats,
1467 or breaches as those terms are defined in s. 282.0041.
1468 (3) Investigate violations of state law pertaining to
1469 information technology security incidents, threats, or breaches
1470 pursuant to s. 282.0041 and assist in incident response and
1471 recovery.
1472 (4) Provide security awareness training and information to
1473 state agency employees concerning cyber security, online sexual
1474 exploitation of children, security risks, and the responsibility
1475 of employees to comply with policies, standards, guidelines, and
1476 operating procedures adopted by the Agency for State Technology.
1477 (5) Consult with the Agency for State Technology in the
1478 adoption of rules relating to the information technology
1479 security provisions of s. 282.318.
1480 Section 25. Section 1004.649, Florida Statutes, is amended
1481 to read:
1482 1004.649 Northwest Regional Data Center.—
1483 (1) For the purpose of providing data center services to
1484 serving its state agency customers, the Northwest Regional Data
1485 Center at Florida State University is designated as a primary
1486 data center and shall:
1487 (a) Operate under a governance structure that represents
1488 its customers proportionally.
1489 (b) Maintain an appropriate cost-allocation methodology
1490 that accurately bills state agency customers based solely on the
1491 actual direct and indirect costs of the services provided to
1492 state agency customers, and ensures that for any fiscal year a
1493 state agency customer is not subsidizing a prohibits the
1494 subsidization of nonstate agency customer or another state
1495 agency customer customers’ costs by state agency customers. Such
1496 cost-allocation methodology must comply with applicable state
1497 and federal requirements concerning the distribution and use of
1498 state and federal funds.
1499 (c) Enter into a service-level agreement with each state
1500 agency customer to provide services as defined and approved by
1501 the governing board of the center. At a minimum, such service
1502 level agreements must:
1503 1. Identify the parties and their roles, duties, and
1504 responsibilities under the agreement;
1505 2. State the duration of the agreement term and specify the
1506 conditions for renewal;
1507 3. Identify the scope of work;
1508 4. Establish the services to be provided, the business
1509 standards that must be met for each service, the cost of each
1510 service, and the process by which the business standards for
1511 each service are to be objectively measured and reported;
1512 5. Provide a timely billing methodology for recovering the
1513 cost of services provided pursuant to s. 215.422; and
1514 6. Provide a procedure for modifying the service-level
1515 agreement to address any changes in projected costs of service;
1516 7. Prohibit the transfer of computing services between the
1517 Northwest Regional Data Center and the state data center
1518 established under s. 282.201 without at least 180 days’ notice
1519 of service cancellation;
1520 8. Identify the products or services to be delivered with
1521 sufficient specificity to permit an external financial or
1522 performance audit; and
1523 9. Provide that the service-level agreement may be
1524 terminated by either party for cause only after giving the other
1525 party notice in writing of the cause for termination and an
1526 opportunity for the other party to resolve the identified cause
1527 within a reasonable period.
1528 (d) Provide to the Board of Governors the total annual
1529 budget by major expenditure category, including, but not limited
1530 to, salaries, expenses, operating capital outlay, contracted
1531 services, or other personnel services by July 30 each fiscal
1532 year.
1533 (e) Provide to each state agency customer its projected
1534 annual cost for providing the agreed-upon data center services
1535 by September 1 each fiscal year.
1536 (f) Provide a plan for consideration by the Legislative
1537 Budget Commission if the governing body of the center approves
1538 the use of a billing rate schedule after the start of the fiscal
1539 year that increases any state agency customer’s costs for that
1540 fiscal year.
1541 (2) The Northwest Regional Data Center’s designation as a
1542 primary data center for purposes of serving its state agency
1543 customers may be terminated if:
1544 (a) The center requests such termination to the Board of
1545 Governors, the Senate President, and the Speaker of the House of
1546 Representatives; or
1547 (b) The center fails to comply with the provisions of this
1548 section.
1549 (3) If such designation is terminated, the center shall
1550 have 1 year to provide for the transition of its state agency
1551 customers to the state data center system established under s.
1552 282.201 Southwood Shared Resource Center or the Northwood Shared
1553 Resource Center.
1554 Section 26. The Agency for Enterprise Information
1555 Technology in the Executive Office of the Governor is
1556 transferred by a type two transfer, pursuant to s. 20.06,
1557 Florida Statutes, to the Agency for State Technology established
1558 pursuant to s. 20.61, Florida Statutes, except that the only
1559 rules that are transferred are chapters 71A-1 and 71A-2, Florida
1560 Administrative Code. All other rules adopted by the Agency for
1561 Enterprise Information Technology are nullified and of no
1562 further force or effect.
1563 Section 27. The Northwood Shared Resource Center in the
1564 Department of Management Services is transferred by a type two
1565 transfer, pursuant to s. 20.06, Florida Statutes, to the Agency
1566 for State Technology established pursuant to s. 20.61, Florida
1567 Statutes.
1568 Section 28. The Southwood Shared Resource Center in the
1569 Department of Management Services is transferred by a type two
1570 transfer, pursuant to s. 20.06, Florida Statutes, to the Agency
1571 for State Technology established pursuant to s. 20.61, Florida
1572 Statutes.
1573 Section 29. The Agency for State Technology shall:
1574 (1) Complete a feasibility study that analyzes, evaluates,
1575 and provides recommendations for managing state government data
1576 in a manner that promotes its interoperability and openness and,
1577 if legally permissible and not cost prohibitive, ensures that
1578 such data is available to the public in ways that make the data
1579 easy to find and use, and complies with chapter 119, Florida
1580 Statutes. At a minimum, the feasibility study must include the
1581 following components:
1582 (a) A clear description of which state government data
1583 should be public information. The guiding principle for this
1584 component is a presumption of openness to the extent permitted
1585 by law but subject to valid restrictions relating to privacy,
1586 confidentiality, and security, and other fiscal and legal
1587 restrictions.
1588 (b) Recommended standards for making the format and
1589 accessibility of public information uniform and ensuring that
1590 such data is published in a nonproprietary, searchable,
1591 sortable, platform-independent, and machine-readable format. The
1592 agency should include the projected cost to state agencies of
1593 implementing and maintaining such standards.
1594 (c) A project plan for implementing a single Internet
1595 website that contains public information or links to public
1596 information. The plan should include a timeline and benchmarks
1597 for making public information available online and identify any
1598 costs associated with the development and ongoing maintenance of
1599 such a website.
1600 (d) A recommended governance structure and review and
1601 compliance process to ensure accountability on the part of those
1602 who create, maintain, manage, or store public information or
1603 post it on the single Internet website. The agency should
1604 include any associated costs to implement and maintain the
1605 recommended governance structure and the review and compliance
1606 process.
1607 (2) Submit the completed feasibility study to the Executive
1608 Office of the Governor, the President of the Senate, and the
1609 Speaker of the House of Representatives by June 1, 2015.
1610 Section 30. The State Data Center Task Force is created.
1611 The task force shall be comprised of those individuals who were
1612 members of the boards of trustees of the Northwood and Southwood
1613 Shared Resource Centers as of June 30, 2014. The purpose of the
1614 task force is to provide assistance in the transition of the
1615 Northwood and Southwood Shared Resource Centers into the state
1616 data center established under s. 282.201, Florida Statutes. The
1617 task force shall identify any operational or fiscal issues
1618 affecting the transition and provide recommendations to the
1619 Agency for State Technology for the resolution of such issues.
1620 The task force may not make decisions regarding the state data
1621 center or the facilities formerly known as the Northwood and
1622 Southwood Shared Resource Centers and shall expire on or before
1623 June 30, 2015.
1624 Section 31. For the 2014-2015 fiscal year, the sum of
1625 $2,134,892 in nonrecurring general revenue funds, $2,865,108 in
1626 recurring general revenue funds, and 25 full-time equivalent
1627 positions and associated salary rate of 2,010,951 are
1628 appropriated to the Agency for State Technology for the purpose
1629 of implementing and administering this act.
1630 Section 32. Except as otherwise expressly provided in this
1631 act and except for this section, which shall take effect upon
1632 this act becoming a law, this act shall take effect July 1,
1633 2014.