Florida Senate - 2014 SB 928
By the Committee on Governmental Oversight and Accountability
585-01669-14 2014928__
1 A bill to be entitled
2 An act relating to state technology; repealing s.
3 14.204, F.S., relating to the Agency for Enterprise
4 Information Technology within the Executive Office of
5 the Governor; creating s. 20.61, F.S.; creating the
6 Agency for State Technology within the Department of
7 Management Services; providing for an executive
8 director and other permanent positions; creating a
9 Technology Advisory Council and providing for
10 membership; amending s. 282.0041, F.S.; revising and
11 defining terms used in the Enterprise Information
12 Technology Services Management Act; creating s.
13 282.0051, F.S.; providing the powers, duties, and
14 functions of the Agency for State Technology;
15 authorizing the agency to adopt rules; providing
16 exceptions for certain departments; repealing s.
17 282.0055, F.S., relating to the assignment of
18 information technology resource and service
19 responsibilities; repealing s. 282.0056, F.S.,
20 relating to the development of an annual work plan,
21 the development of implementation plans, and policy
22 recommendations relating to enterprise information
23 technology services; amending s. 282.201, F.S.;
24 providing for a state data center and the duties of
25 the center; deleting duties for the Agency for
26 Enterprise Information Technology; revising the
27 schedule for consolidating agency data centers and
28 deleting obsolete provisions; revising the limitations
29 on state agencies; repealing s. 282.203, F.S.,
30 relating to primary data centers; repealing s.
31 282.204, F.S., relating to the Northwood Shared
32 Resource Center; repealing s. 282.205, F.S., relating
33 to the Southwood Shared Resource Center; amending s.
34 282.318, F.S.; conforming provisions to changes made
35 by the act; revising the duties of the state agencies
36 with respect to information technology security;
37 repealing s. 282.33, F.S., relating to objective
38 standards for data center energy efficiency; repealing
39 s. 282.34, F.S., relating to statewide e-mail service;
40 amending ss. 17.0315, 20.055, 110.205, 215.322, and
41 215.96, F.S.; conforming provisions to changes made by
42 the act; amending s. 216.023, F.S.; requiring the
43 governance structure of information technology
44 projects to incorporate certain standards; amending s.
45 287.057, F.S.; requiring the Department of Management
46 Services to consult with the agency with respect to
47 the online procurement of commodities; amending ss.
48 445.011, 445.045, and 668.50, F.S.; conforming
49 provisions to changes made by the act; amending s.
50 943.0415, F.S.; providing additional duties for the
51 Cybercrime Office in the Department of Law Enforcement
52 relating to cyber security; requiring the office to
53 provide cyber security training to state agency
54 employees; requiring the office to consult with the
55 agency; amending s. 1004.649, F.S.; revising
56 provisions relating to the Northwest Regional Data
57 Center; revising the center’s duties and the content
58 of service-level agreements with state agency
59 customers; transferring the components of the Agency
60 for Enterprise Information Technology to the Agency
61 for State Technology; providing that certain rules
62 adopted by the Agency for Enterprise Information
63 Technology are nullified; transferring the Northwood
64 Shared Resource Center and the Southwood Shared
65 Resource Center to the Agency for State Technology;
66 requiring the Agency for State Technology to complete
67 a feasibility study relating to managing state
68 government data; specifying the components of the
69 study; requiring the study to be submitted to the
70 Governor and Legislature by a certain date; creating
71 the State Data Center Task Force; specifying the
72 membership and purpose of the task force; providing
73 for expiration; providing an appropriation; providing
74 effective dates.
75
76 Be It Enacted by the Legislature of the State of Florida:
77
78 Section 1. Section 14.204, Florida Statutes, is repealed.
79 Section 2. Section 20.61, Florida Statutes, is created to
80 read:
81 20.61 Agency for State Technology.—The Agency for State
82 Technology is created within the Department of Management
83 Services.
84 (1) The agency is a separate budget entity and is not
85 subject to control, supervision, or direction by the department,
86 including, but not limited to, purchasing, transactions
87 involving real or personal property, personnel, or budgetary
88 matters.
89 (2) The agency shall be headed by an executive director
90 appointed by the Governor and subject to the confirmation of the
91 Senate. The executive director shall be the State Chief
92 Information Officer.
93 (a) The executive director must be a proven, effective
94 administrator who preferably has executive-level experience in
95 both the public and private sectors.
96 (b) The Governor shall conduct a thorough search to find
97 the most qualified candidate and in conducting such a search,
98 the Governor shall place emphasis on the development and
99 implementation of information technology strategic planning;
100 management of enterprise information technology projects,
101 particularly management of large-scale consolidation projects;
102 and development and implementation of fiscal and substantive
103 information technology policy.
104 (3) The following positions are established within the
105 agency, all of which shall be appointed by the executive
106 director:
107 (a) A Deputy State Chief Information Officer.
108 (b) A Chief Planning Officer and six Strategic Planning
109 Coordinators with one coordinator assigned to each of the
110 following major program areas: health and human services,
111 education, government operations, criminal and civil justice,
112 agriculture and natural resources, and transportation and
113 economic development.
114 (c) A Chief Operations Officer.
115 (d) A Chief Information Security Officer.
116 (e) A Chief Technology Officer.
117 (4) The Technology Advisory Council, consisting of seven
118 members, is established and shall be maintained within the
119 agency pursuant to s. 20.052. Four members, two of whom must be
120 from the private sector, shall be appointed by the Governor; one
121 member shall be appointed by the Cabinet; and one member each
122 shall be appointed by the President of the Senate and the
123 Speaker of the House of Representatives. Upon initial
124 establishment of the council, two of the Governor’s appointments
125 shall be for 2-year terms. Thereafter all appointments shall be
126 for 4-year terms.
127 (a) The council shall consider and make recommendations to
128 the executive director of the agency on such matters as
129 enterprise information technology policies, standards, services,
130 and architecture.
131 (b) The executive director of the agency shall consult with
132 the council with regard to executing the duties and
133 responsibilities of the agency related to statewide information
134 technology strategic planning and policy.
135 (c) The council shall be governed by the code of ethics for
136 public officers and employees as set forth in part III of
137 chapter 112 and each member must file a statement of financial
138 interests pursuant to s. 112.3145.
139 Section 3. Section 282.0041, Florida Statutes, is amended
140 to read:
141 282.0041 Definitions.—As used in this chapter, the term:
142 (1) “Agency” has the same meaning as in s. 216.011(1)(qq),
143 except that for purposes of this chapter, “agency” does not
144 include university boards of trustees or state universities.
145 (2) “Agency for Enterprise Information Technology” means
146 the agency created in s. 14.204.
147 (3) “Agency information technology service” means a service
148 that directly helps an agency fulfill its statutory or
149 constitutional responsibilities and policy objectives and is
150 usually associated with the agency’s primary or core business
151 functions.
152 (4) “Annual budget meeting” means a meeting of the board of
153 trustees of a primary data center to review data center usage to
154 determine the apportionment of board members for the following
155 fiscal year, review rates for each service provided, and
156 determine any other required changes.
157 (1)(5) “Breach” has the same meaning as in s. 817.5681(4).
158 (2)(6) “Business continuity plan” means a collection of
159 procedures and information used to maintain an agency’s critical
160 operations during a period of displacement or interruption of
161 normal operations plan for disaster recovery which provides for
162 the continued functioning of a primary data center during and
163 after a disaster.
164 (3)(7) “Computing facility” means agency space containing
165 fewer than a total of 10 physical or logical servers, any of
166 which supports a strategic or nonstrategic information
167 technology service, as described in budget instructions
168 developed pursuant to s. 216.023, but excluding single, logical
169 server installations that exclusively perform a utility function
170 such as file and print servers.
171 (4)(8) “Customer entity” means an entity that obtains
172 services from a state primary data center.
173 (5)(9) “Data center” means agency space containing 10 or
174 more physical or logical servers any of which supports a
175 strategic or nonstrategic information technology service, as
176 described in budget instructions developed pursuant to s.
177 216.023.
178 (6)(10) “Department” means the Department of Management
179 Services.
180 (7) “Disaster recovery” means the processes, policies,
181 procedures, and infrastructure that relate to preparing for and
182 implementing recovery or continuation of an organization’s vital
183 technology infrastructure after a natural or human–induced
184 disaster.
185 (8)(11) “Enterprise information technology service” means
186 an information technology service that is used in all agencies
187 or a subset of agencies and is established in law to be
188 designed, delivered, and managed at the enterprise level.
189 (12) “E-mail, messaging, and calendaring service” means the
190 enterprise information technology service that enables users to
191 send, receive, file, store, manage, and retrieve electronic
192 messages, attachments, appointments, and addresses. The e-mail,
193 messaging, and calendaring service must include e-mail account
194 management; help desk; technical support and user provisioning
195 services; disaster recovery and backup and restore capabilities;
196 antispam and antivirus capabilities; archiving and e-discovery;
197 and remote access and mobile messaging capabilities.
198 (9) “Event” means an observable occurrence in a system or
199 network.
200 (10) “Incident” means a violation or imminent threat of
201 violation of computer security policies, acceptable use
202 policies, or standard security practices. An imminent threat of
203 violation exists when a state agency has a factual basis for
204 believing that a specific incident is about to occur.
205 (13) “Information-system utility” means a full-service
206 information-processing facility offering hardware, software,
207 operations, integration, networking, and consulting services.
208 (11)(14) “Information technology” means equipment,
209 hardware, software, firmware, programs, systems, networks,
210 infrastructure, media, and related material used to
211 automatically, electronically, and wirelessly collect, receive,
212 access, transmit, display, store, record, retrieve, analyze,
213 evaluate, process, classify, manipulate, manage, assimilate,
214 control, communicate, exchange, convert, converge, interface,
215 switch, or disseminate information of any kind or form.
216 (12)(15) “Information technology policy” means a specific
217 course or method of action selected from among alternatives that
218 guide and determine present and future decisions statements that
219 describe clear choices for how information technology will
220 deliver effective and efficient government services to residents
221 and improve state agency operations. A policy may relate to
222 investments, business applications, architecture, or
223 infrastructure. A policy describes its rationale, implications
224 of compliance or noncompliance, the timeline for implementation,
225 metrics for determining compliance, and the accountable
226 structure responsible for its implementation.
227 (13) “Information technology resources” has the same
228 meaning as in s. 119.011.
229 (14) “Information technology security” means the protection
230 afforded to an automated information system in order to attain
231 the applicable objectives of preserving the integrity,
232 availability, and confidentiality of data, information, and
233 information technology resources.
234 (15)(16) “Performance metrics” means the measures of an
235 organization’s activities and performance.
236 (16)(17) “Primary data center” means a data center that is
237 a recipient entity for consolidation of state agency nonprimary
238 data centers and computing facilities and that is established by
239 law.
240 (17)(18) “Project” means an endeavor that has a defined
241 start and end point; is undertaken to create or modify a unique
242 product, service, or result; and has specific objectives that,
243 when attained, signify completion.
244 (18) “Project oversight” means an independent review and
245 analysis of an information technology project in order to
246 provide information on the project’s scope, completion
247 timeframes, and budget and should identify and quantify any
248 issues or risks affecting the successful and timely completion
249 of the project.
250 (19) “Risk assessment analysis” means the process of
251 identifying security risks, determining their magnitude, and
252 identifying areas needing safeguards.
253 (20) “Service level” means the key performance indicators
254 (KPI) of an organization or service which must be regularly
255 performed, monitored, and achieved.
256 (21) “Service-level agreement” means a written contract
257 between a data center and a customer entity which specifies the
258 scope of services provided, service level, the duration of the
259 agreement, the responsible parties, and service costs. A
260 service-level agreement is not a rule pursuant to chapter 120.
261 (22) “Stakeholder” means an individual, group,
262 organization, or state agency involved in or affected by a
263 course of action.
264 (23)(22) “Standards” means required practices, controls,
265 components, or configurations established by an authority.
266 (24) “State Agency” means any official, officer,
267 commission, board, authority, council, committee, or department
268 of the executive branch of state government, and the Justice
269 Administration Commission and the Public Service Commission. For
270 the purpose of this chapter, “agency” does not include
271 university boards of trustees or state universities.
272 (25) “State data center” means an enterprise information
273 technology service provider that is the recipient entity for the
274 consolidation of state agency data centers and computing
275 facilities and that establishes, implements, operates, monitors,
276 reviews, maintains, and physically or virtually improves
277 information technology services designated by the Agency for
278 State Technology in compliance with the operating guidelines and
279 procedures set forth by the agency pursuant to s. 282.0051(11).
280 (26)(23) “SUNCOM Network” means the state enterprise
281 telecommunications system that provides all methods of
282 electronic or optical telecommunications beyond a single
283 building or contiguous building complex and used by entities
284 authorized as network users under this part.
285 (27)(24) “Telecommunications” means the science and
286 technology of communication at a distance, including electronic
287 systems used in the transmission or reception of information.
288 (28)(25) “Threat” means any circumstance or event that has
289 the potential to adversely affect a state agency’s operation or
290 assets through an information system by means of unauthorized
291 access, destruction, disclosure, modification of information, or
292 denial of service may cause harm to the integrity, availability,
293 or confidentiality of information technology resources.
294 (29) “Variance” means a calculated value that illustrates a
295 positive or negative deviation from a projection measured
296 against documented estimations within a project plan.
297 (26) “Total cost” means all costs associated with
298 information technology projects or initiatives, including, but
299 not limited to, value of hardware, software, service,
300 maintenance, incremental personnel, and facilities. Total cost
301 of a loan or gift of information technology resources to an
302 agency includes the fair market value of the resources.
303 (27) “Usage” means the billing amount charged by the
304 primary data center, less any pass-through charges, to the
305 customer entity.
306 (28) “Usage rate” means a customer entity’s usage or
307 billing amount as a percentage of total usage.
308 Section 4. Section 282.0051, Florida Statutes, is created
309 to read:
310 282.0051 Agency for State Technology; powers, duties, and
311 functions.—
312 (1) The Agency for State Technology has the following
313 powers, duties, and functions:
314 (a) Developing and publishing information technology policy
315 for the management of the state’s information technology
316 resources.
317 (b) Establishing and publishing information technology
318 architecture standards to achieve the most efficient use of the
319 state’s information technology resources and to ensure
320 compatibility and alignment with the needs of state agencies.
321 The agency shall assist state agencies in complying with such
322 standards.
323 (c) By June 30, 2015, establishing project management and
324 project oversight standards that state agencies must comply with
325 while implementing information technology projects. The Agency
326 for State Technology shall provide training opportunities to
327 state agencies to assist in the adoption of the project
328 management and oversight standards. To support data-driven
329 decisionmaking, such standards must include, but are not limited
330 to:
331 1. Performance measurements and metrics that objectively
332 reflect the status of an information technology project based on
333 the defined and documented project scope, cost, and schedule.
334 2. Methodologies for calculating acceptable variance ranges
335 in the projected versus actual scope, schedule, or cost of an
336 information technology project.
337 3. Reporting requirements that provide project visibility
338 to all identified stakeholders, including instances in which an
339 information technology project exceeds the acceptable variance
340 ranges as defined and documented in the project plan.
341 4. The content, format, and frequency of project updates.
342 (d) Beginning January 1, 2015, performing project oversight
343 on all information technology projects that have total project
344 costs of $10 million or more and that are funded in the General
345 Appropriations Act or under state law. The agency shall report
346 at least quarterly to the Executive Office of the Governor, the
347 President of the Senate, and the Speaker of the House of
348 Representatives on any information technology project the agency
349 identifies as being a high-risk project that may exceed the
350 acceptable variance ranges as defined and documented in the
351 project plan. The report must include an assessment of the risk
352 levels, including fiscal risks, associated with proceeding to
353 the next stage of the project and a recommendation for requiring
354 corrective action, which includes suspending or terminating the
355 project.
356 (e) By October 15, 2015, and biennially thereafter,
357 identifying opportunities for standardizing and consolidating
358 information technology services that support business functions
359 and operations, including administrative functions such as
360 purchasing, accounting and reporting, cash management, and
361 personnel, which are common across state agencies, and providing
362 recommendations for such standardization and consolidation to
363 the Executive Office of the Governor, the President of the
364 Senate, and the Speaker of the House of Representatives.
365 (f) In collaboration with the department, establishing best
366 practices for the procurement of information technology products
367 and services in order to reduce costs, increase productivity, or
368 improve services. Such practices must include a provision that
369 requires the agency to review all information technology
370 purchases made by state agencies which have a total cost of
371 $250,000 or more, unless a purchase is specifically mandated by
372 the Legislature, for compliance with the standards established
373 pursuant to this section.
374 (g) Advising and collaborating with the department in
375 conducting procurement negotiations for information technology
376 products and services that will be used by multiple state
377 agencies, and collaborating with the department in information
378 technology resource acquisition planning.
379 (h) Encouraging state agencies, when considering technology
380 infrastructure priorities, to actively seek out and identify
381 opportunities that potentially fit into the public-private
382 partnership model, and develop sustainable partnerships between
383 private entities and units of government in order to accelerate
384 project delivery and provide a source of new or increased
385 funding for other infrastructure needs.
386 (i) Establishing standards for information technology
387 reports and updates for use by state agencies which include, but
388 are not limited to, operational work plans, project spending
389 plans, and project status reports.
390 (j) Upon request, assisting state agencies in the
391 development of their information technology-related legislative
392 budget requests.
393 (k) Conducting annual assessments of state agencies to
394 determine their compliance with information technology standards
395 and guidelines developed and published by the Agency for State
396 Technology and provide results of the assessments to the
397 Executive Office of the Governor, the President of the Senate,
398 and the Speaker of the House of Representatives.
399 (l) Providing operational management and oversight of the
400 state data center established pursuant to s. 282.201, which
401 includes:
402 1. Implementing industry standards and best practices for
403 the state data center’s facilities, operations, maintenance,
404 planning, and management processes.
405 2. Developing and implementing cost-recovery mechanisms
406 that recover the full cost of services, including direct and
407 indirect costs, through charges to applicable customer entities.
408 Such mechanisms must comply with applicable state and federal
409 requirements relating to the distribution and use of such funds
410 and must ensure that for any fiscal year a service or customer
411 entity is not subsidizing another service or customer entity.
412 3. Establishing operating guidelines and procedures
413 necessary for the state data center to perform its duties
414 pursuant to s. 282.201 which comply with applicable state and
415 federal laws, rules, and policies and are in accordance with
416 generally accepted governmental accounting and auditing
417 standards. Such guidelines and procedures must include, but need
418 not be limited to:
419 a. Implementing a consolidated administrative support
420 structure that is responsible for the provision of financial
421 management, procurement, transactions involving real or personal
422 property, human resources, and operational support.
423 b. Implementing an annual reconciliation process to ensure
424 that each customer entity is paying for the full direct and
425 indirect cost of each service as determined by the customer
426 entity’s use of each service.
427 c. Providing rebates, which may be credited against future
428 billings, to customer entities when revenues exceed costs.
429 d. Requiring a customer entity to validate that sufficient
430 funds are in or will be transferred into the appropriate data
431 processing appropriation category before implementing a customer
432 entity’s request for a change in the type or level of service if
433 such change results in a net increase to the customer entity’s
434 costs for that fiscal year.
435 e. Providing to each customer entity’s agency head by
436 September 1 of each year the projected costs to provide data
437 center services for the following fiscal year.
438 f. Providing a plan for consideration by the Legislative
439 Budget Commission if the cost of a service is increased for a
440 reason other than a customer entity’s request pursuant to
441 subparagraph 4. which results in a net increase to the customer
442 entity for that fiscal year.
443 g. Standardizing and consolidating procurement and
444 contracting practices.
445 4. In collaboration with the Department of Law Enforcement,
446 developing and implementing a process for detecting, reporting,
447 and responding to information technology security incidents,
448 breaches, or threats.
449 5. Adopting rules relating to the operation of the state
450 data center, which include, but are not limited to, its
451 budgeting and accounting procedures, cost-recovery
452 methodologies, and operating procedures.
453 6. Consolidating contract practices and coordinating
454 software, hardware, or other technology-related procurements.
455 7. Annually conducting a market analysis to determine if
456 the state’s approach to the provision of data center services is
457 the most effective and efficient manner by which its customer
458 entities can acquire such services based on federal, state, and
459 local government trends, best practices in service provision,
460 and the acquisition of new and emerging technologies. The
461 results of the market analysis should assist the state data
462 center in making any necessary adjustments to its data center
463 service offerings.
464 (m) Recommending other information technology services that
465 should be designed, delivered, and managed as enterprise
466 information technology services. Such recommendations should
467 include the identification of any existing information
468 technology resources associated with such services which would
469 need to be transferred as a result of such services being
470 delivered and managed as enterprise information technology
471 services.
472 (n) Recommending any further agency computing facility or
473 data center consolidations into the state data center
474 established pursuant to s. 282.201. Such recommendations should
475 include the proposed timeline for the consolidation.
476 (o) In consultation with state agencies, proposing
477 methodology and approaches for identifying and collecting both
478 current and planned information technology expenditure data at
479 the state agency level.
480 (p) Adopting rules to administer this section.
481 (2) Except as provided in subsection (3), the Department of
482 Financial Services, the Department of Legal Affairs, the
483 Department of Agriculture and Consumer Services are not subject
484 to the powers, duties and functions of the Agency for State
485 Technology established under this section. Each of those
486 departments shall adopt the standards established in paragraphs
487 (1)(b), (1)(c), and (1)(i) or adopt alternative standards based
488 on best practices or industry standards and may contract
489 separately with the Agency for State Technology to provide and
490 perform any of the services and functions for those departments.
491 (3)(a) An information technology project administered or
492 implemented by the Department of Financial Services, the
493 Department of Legal Affairs, or the Department of Agriculture
494 and Consumer Services is subject to the powers, duties, and
495 functions of the Agency for State Technology if such project is
496 expected to have a total project cost of $50 million or more,
497 and the project directly affects another state agency or another
498 information technology project that is subject to the powers,
499 duties, and functions of the Agency for State Technology.
500 (b) If an information technology project administered by a
501 state agency subject to the powers, duties, and functions of the
502 Agency for State Technology must be connected to or otherwise
503 accommodated by an information technology system administered by
504 the Department of Financial Services, the Department of Legal
505 Affairs or the Department of Agriculture and Consumer Services,
506 the Agency for State Technology shall consult with those
507 departments regarding the risks and other effects of such
508 projects on those departments’ information technology systems
509 and shall work cooperatively with those departments regarding
510 the connections, interfaces, timing, or accommodation required
511 to implement such projects.
512 Section 5. Section 282.0055, Florida Statutes, is repealed.
513 Section 6. Section 282.0056, Florida Statutes, is repealed.
514 Section 7. Section 282.201, Florida Statutes, is amended to
515 read:
516 282.201 State data center system; agency duties and
517 limitations.—The A state data center system that includes all
518 primary data centers, other nonprimary data centers, and
519 computing facilities, and that provides an enterprise
520 information technology service as defined in s. 282.0041, is
521 established as a primary data center within the Agency for State
522 Technology and includes the facilities formerly known as the
523 Northwood Shared Resource Center and the Southwood Shared
524 Resource Center.
525 (1) INTENT.—The Legislature finds that the most efficient
526 and effective means of providing quality utility data processing
527 services to state agencies requires that computing resources be
528 concentrated in quality facilities that provide the proper
529 security, disaster recovery, infrastructure, and staff resources
530 to ensure that the state’s data is maintained reliably and
531 safely, and is recoverable in the event of a disaster.
532 Efficiencies resulting from such consolidation include the
533 increased ability to leverage technological expertise and
534 hardware and software capabilities; increased savings through
535 consolidated purchasing decisions; and the enhanced ability to
536 deploy technology improvements and implement new policies
537 consistently throughout the consolidated organization. Unless
538 otherwise exempt by law, it is the intent of the Legislature
539 that all agency data centers and computing facilities be
540 consolidated into the state a primary data center by 2019.
541 (2) STATE DATA CENTER DUTIES.—The state data center shall:
542 (a) Offer, develop, and support the services and
543 applications as provided in the service-level agreements
544 executed with its customer entities.
545 (b) Maintain the performance of the state data center,
546 which includes ensuring proper data backup, data backup
547 recovery, a disaster recovery plan, appropriate security, power,
548 cooling, fire suppression, and capacity.
549 (c) Develop a business continuity plan and a disaster
550 recovery plan, and conduct a live exercise of these plans at
551 least annually.
552 (d) Enter into a service level agreement with each customer
553 entity to provide the required type and level of service or
554 services. If a customer entity fails to execute an agreement
555 within 60 days after the commencement of a service, the state
556 data center may cease service. A service level agreement may not
557 have a term exceeding 3 years and at a minimum must:
558 1. Identify the parties and their roles, duties, and
559 responsibilities under the agreement.
560 2. State the duration of the contractual term and specify
561 the conditions for renewal.
562 3. Identify the scope of work.
563 4. Identify the products or services to be delivered with
564 sufficient specificity to permit an external financial or
565 performance audit.
566 5. Establish the services to be provided, the business
567 standards that must be met for each service, the cost of each
568 service, and the metrics and processes by which the business
569 standards for each service are to be objectively measured and
570 reported.
571 6. Provide a timely billing methodology for recovering the
572 cost of services provided to the customer entity pursuant to s.
573 215.422.
574 7. Provide a procedure for modifying the service level
575 agreement based on changes in the type, level, and cost of a
576 service.
577 8. Include a right-to-audit clause to ensure that the
578 parties to the agreement have access to records for audit
579 purposes during the term of the service level agreement.
580 9. Provide that a service level agreement may be terminated
581 by either party for cause only after giving the other party and
582 the Agency for State Technology notice in writing of the cause
583 for termination and an opportunity for the other party to
584 resolve the identified cause within a reasonable period.
585 10. Provide for the mediation of disputes by the Division
586 of Administrative Hearings pursuant to s. 120.573.
587 (e) Be the custodian of resources and equipment that are
588 located, operated, supported, and managed by the state data
589 center for the purposes of chapter 273.
590 (f) Assume administrative access rights to the resources
591 and equipment, such as servers, network components, and other
592 devices that are consolidated into the state data center.
593 1. On the date of each consolidation specified in this
594 section, the General Appropriations Act, or the Laws of Florida,
595 each state agency shall relinquish all administrative rights to
596 such resources and equipment. State agencies required to comply
597 with federal security regulations and policies shall retain
598 administrative access rights sufficient to comply with the
599 management control provisions of those regulations and policies;
600 however, the state data center shall have the appropriate type
601 or level of rights to allow the center to comply with its duties
602 pursuant to this section. The Department of Law Enforcement
603 shall serve as the arbiter of any disputes which may arise
604 regarding the appropriate type and level of administrative
605 access rights relating to the provision of management control in
606 accordance with federal criminal justice information guidelines.
607 2. The state data center shall provide its customer
608 entities with access to applications, servers, network
609 components, and other devices necessary for state agencies to
610 perform business activities and functions, and as defined and
611 documented in the service level agreement.
612 (2) AGENCY FOR ENTERPRISE INFORMATION TECHNOLOGY DUTIES.
613 The Agency for Enterprise Information Technology shall:
614 (a) Collect and maintain information necessary for
615 developing policies relating to the data center system,
616 including, but not limited to, an inventory of facilities.
617 (b) Annually approve cost-recovery mechanisms and rate
618 structures for primary data centers which recover costs through
619 charges to customer entities.
620 (c) By September 30 of each year, submit to the
621 Legislature, the Executive Office of the Governor, and the
622 primary data centers recommendations to improve the efficiency
623 and cost-effectiveness of computing services provided by state
624 data center system facilities. Such recommendations must
625 include, but need not be limited to:
626 1. Policies for improving the cost-effectiveness and
627 efficiency of the state data center system, which includes the
628 primary data centers being transferred to a shared, virtualized
629 server environment, and the associated cost savings resulting
630 from the implementation of such policies.
631 2. Infrastructure improvements supporting the consolidation
632 of facilities or preempting the need to create additional data
633 centers or computing facilities.
634 3. Uniform disaster recovery standards.
635 4. Standards for primary data centers which provide cost
636 effective services and transparent financial data to user
637 agencies.
638 5. Consolidation of contract practices or coordination of
639 software, hardware, or other technology-related procurements and
640 the associated cost savings.
641 6. Improvements to data center governance structures.
642 (d) By October 1 of each year, provide recommendations to
643 the Governor and Legislature relating to changes to the schedule
644 for the consolidations of state agency data centers as provided
645 in subsection (4).
646 1. The recommendations must be based on the goal of
647 maximizing current and future cost savings by:
648 a. Consolidating purchase decisions.
649 b. Leveraging expertise and other resources to gain
650 economies of scale.
651 c. Implementing state information technology policies more
652 effectively.
653 d. Maintaining or improving the level of service provision
654 to customer entities.
655 2. The agency shall establish workgroups as necessary to
656 ensure participation by affected agencies in the development of
657 recommendations related to consolidations.
658 (e) Develop and establish rules relating to the operation
659 of the state data center system which comply with applicable
660 federal regulations, including 2 C.F.R. part 225 and 45 C.F.R.
661 The rules must address:
662 1. Ensuring that financial information is captured and
663 reported consistently and accurately.
664 2. Identifying standards for hardware, including standards
665 for a shared, virtualized server environment, and operations
666 system software and other operational software, including
667 security and network infrastructure, for the primary data
668 centers; requiring compliance with such standards in order to
669 enable the efficient consolidation of the agency data centers or
670 computing facilities; and providing an exemption process from
671 compliance with such standards, which must be consistent with
672 paragraph (5)(b).
673 3. Requiring annual full cost recovery on an equitable
674 rational basis. The cost-recovery methodology must ensure that
675 no service is subsidizing another service and may include
676 adjusting the subsequent year’s rates as a means to recover
677 deficits or refund surpluses from a prior year.
678 4. Requiring that any special assessment imposed to fund
679 expansion is based on a methodology that apportions the
680 assessment according to the proportional benefit to each
681 customer entity.
682 5. Requiring that rebates be given when revenues have
683 exceeded costs, that rebates be applied to offset charges to
684 those customer entities that have subsidized the costs of other
685 customer entities, and that such rebates may be in the form of
686 credits against future billings.
687 6. Requiring that all service-level agreements have a
688 contract term of up to 3 years, but may include an option to
689 renew for up to 3 additional years contingent on approval by the
690 board, and require at least a 180-day notice of termination.
691 (3) STATE AGENCY DUTIES.—
692 (a) For the purpose of completing the work activities
693 described in subsections (1) and (2), Each state agency shall
694 provide to the Agency for State Enterprise Information
695 Technology all requested information relating to its data
696 centers and computing facilities and any other information
697 relevant to the effective agency’s ability to effectively
698 transition of a state agency data center or computing facility
699 its computer services into the state a primary data center. The
700 agency shall also participate as required in workgroups relating
701 to specific consolidation planning and implementation tasks as
702 assigned by the Agency for Enterprise Information Technology and
703 determined necessary to accomplish consolidation goals.
704 (b) Each state agency customer of the state a primary data
705 center shall notify the state data center, by May 31 and
706 November 30 of each year, of any significant changes in
707 anticipated use utilization of data center services pursuant to
708 requirements established by the state boards of trustees of each
709 primary data center.
710 (4) SCHEDULE FOR CONSOLIDATIONS OF AGENCY DATA CENTERS.—
711 (a) Consolidations of agency data centers and computing
712 facilities shall be made by the date and to the specified state
713 primary data center facility as provided in this section and in
714 accordance with budget adjustments contained in the General
715 Appropriations Act.
716 (b) By December 31, 2011, the following shall be
717 consolidated into the Northwest Regional Data Center:
718 1. The Department of Education’s Knott Data Center in the
719 Turlington Building.
720 2. The Department of Education’s Division of Vocational
721 Rehabilitation.
722 3. The Department of Education’s Division of Blind
723 Services, except for the division’s disaster recovery site in
724 Daytona Beach.
725 4. The FCAT Explorer.
726 (c) During the 2011-2012 fiscal year, the following shall
727 be consolidated into the Southwood Shared Resource Center:
728 1. By September 30, 2011, the Department of Corrections.
729 2. By March 31, 2012, the Department of Transportation’s
730 Burns Building.
731 3. By March 31, 2012, the Department of Transportation’s
732 Survey & Mapping Office.
733 (d) By July 1, 2012, the Department of Highway Safety and
734 Motor Vehicles’ Office of Commercial Vehicle Enforcement shall
735 be consolidated into the Northwood Shared Resource Center.
736 (e) By September 30, 2012, the Department of Revenue’s
737 Carlton Building and Imaging Center locations shall be
738 consolidated into the Northwest Regional Data Center.
739 (f) During the 2012-2013 fiscal year, the following shall
740 be consolidated into the Northwood Shared Resource Center:
741 1. By July 1, 2012, the Agency for Health Care
742 Administration.
743 2. By August 31, 2012, the Department of Highway Safety and
744 Motor Vehicles.
745 3. By December 31, 2012, the Department of Environmental
746 Protection’s Palmetto Commons.
747 4. By December 31, 2012, the Department of Health’s Test
748 and Development Lab and all remaining data center resources
749 located at the Capital Circle Office Complex.
750 (g) During the 2013-2014 fiscal year, the following shall
751 be consolidated into the Southwood Shared Resource Center:
752 1. By October 31, 2013, the Department of Economic
753 Opportunity.
754 2. By December 31, 2013, the Executive Office of the
755 Governor, to include the Division of Emergency Management except
756 for the Emergency Operation Center’s management system in
757 Tallahassee and the Camp Blanding Emergency Operations Center in
758 Starke.
759 3. By March 31, 2014, the Department of Elderly Affairs.
760 (h) By October 30, 2013, the Fish and Wildlife Conservation
761 Commission, except for the commission’s Fish and Wildlife
762 Research Institute in St. Petersburg, shall be consolidated into
763 the Northwood Shared Resource Center.
764 (i) During the 2014-2015 fiscal year, the following
765 agencies shall work with the Agency for Enterprise Information
766 Technology to begin preliminary planning for consolidation into
767 a primary data center:
768 1. The Department of Health’s Jacksonville Lab Data Center.
769 2. The Department of Transportation’s district offices,
770 toll offices, and the District Materials Office.
771 3. The Department of Military Affairs’ Camp Blanding Joint
772 Training Center in Starke.
773 4. The Camp Blanding Emergency Operations Center in Starke.
774 5. The Department of Education’s Division of Blind Services
775 disaster recovery site in Daytona Beach.
776 6. The Department of Education’s disaster recovery site at
777 Santa Fe College.
778 7. The Fish and Wildlife Conservation Commission’s Fish and
779 Wildlife Research Institute in St. Petersburg.
780 8. The Department of Children and Family Services’ Suncoast
781 Data Center in Tampa.
782 9. The Department of Children and Family Services’ Florida
783 State Hospital in Chattahoochee.
784 (j) During the 2015-2016 fiscal year, all computing
785 resources remaining within an agency data center or computing
786 facility, to include the Department of Financial Services’
787 Hartman, Larson, and Fletcher Buildings data centers, shall be
788 transferred to a primary data center for consolidation unless
789 otherwise required to remain in the agency for specified
790 financial, technical, or business reasons that must be justified
791 in writing and approved by the Agency for Enterprise Information
792 Technology. Such data centers, computing facilities, and
793 resources must be identified by the Agency for Enterprise
794 Information Technology by October 1, 2014.
795 (b)(k) The Department of Financial Services, the Department
796 of Legal Affairs, the Department of Agriculture and Consumer
797 Services, the Department of Law Enforcement, the Department of
798 the Lottery’s Gaming System, Systems Design and Development in
799 the Office of Policy and Budget, the regional traffic management
800 centers and the Office of Toll Operations of the Department of
801 Transportation, and the State Board of Administration, state
802 attorneys, public defenders, criminal conflict and civil
803 regional counsel, capital collateral regional counsel, the
804 Florida Clerks of Court Operations Corporation, and the Florida
805 Housing Finance Corporation are exempt from data center
806 consolidation under this section.
807 (c)(l) A state Any agency that is consolidating its agency
808 data center or computing facility centers into the state a
809 primary data center must execute a new or update an existing
810 service-level agreement within 60 days after the commencement of
811 service specified consolidation date, as required by s.
812 282.201(2) s. 282.203, in order to specify the services and
813 levels of service it is to receive from the state primary data
814 center as a result of the consolidation. If the state an agency
815 and the state primary data center are unable to execute a
816 service-level agreement by that date, the agency and the primary
817 data center shall submit a report to the Executive Office of the
818 Governor and to the chairs of the legislative appropriations
819 committees within 5 working days after that date which explains
820 the specific issues preventing execution and describing the plan
821 and schedule for resolving those issues.
822 (m) Beginning September 1, 2011, and every 6 months
823 thereafter until data center consolidations are complete, the
824 Agency for Enterprise Information Technology shall provide a
825 status report on the implementation of the consolidations that
826 must be completed during the fiscal year. The report shall be
827 submitted to the Executive Office of the Governor and the chairs
828 of the legislative appropriations committees. The report must,
829 at a minimum, describe:
830 1. Whether the consolidation is on schedule, including
831 progress on achieving the milestones necessary for successful
832 and timely consolidation of scheduled agency data centers and
833 computing facilities.
834 2. The risks that may affect the progress or outcome of the
835 consolidation and how these risks are being addressed,
836 mitigated, or managed.
837 (d)(n) Each state agency scheduled identified in this
838 subsection for consolidation into the state a primary data
839 center shall submit a transition plan to the Agency for State
840 Technology appropriate primary data center by July 1 of the
841 fiscal year before the fiscal year in which the scheduled
842 consolidation will occur. Transition plans shall be developed in
843 consultation with the state appropriate primary data center
844 centers and the Agency for Enterprise Information Technology,
845 and must include:
846 1. An inventory of the state agency data center’s resources
847 being consolidated, including all hardware and its associated
848 life cycle replacement schedule, software, staff, contracted
849 services, and facility resources performing data center
850 management and operations, security, backup and recovery,
851 disaster recovery, system administration, database
852 administration, system programming, job control, production
853 control, print, storage, technical support, help desk, and
854 managed services, but excluding application development, and the
855 state agency’s costs supporting these resources.
856 2. A list of contracts in effect, including, but not
857 limited to, contracts for hardware, software, and maintenance,
858 which identifies the expiration date, the contract parties, and
859 the cost of each contract.
860 3. A detailed description of the level of services needed
861 to meet the technical and operational requirements of the
862 platforms being consolidated.
863 4. A description of resources for computing services
864 proposed to remain in the department.
865 4.5. A timetable with significant milestones for the
866 completion of the consolidation.
867 (o) Each primary data center shall develop a transition
868 plan for absorbing the transfer of agency data center resources
869 based upon the timetables for transition as provided in this
870 subsection. The plan shall be submitted to the Agency for
871 Enterprise Information Technology, the Executive Office of the
872 Governor, and the chairs of the legislative appropriations
873 committees by September 1 of the fiscal year before the fiscal
874 year in which the scheduled consolidations will occur. Each plan
875 must include:
876 1. The projected cost to provide data center services for
877 each agency scheduled for consolidation.
878 2. A staffing plan that identifies the projected staffing
879 needs and requirements based on the estimated workload
880 identified in the agency transition plan.
881 3. The fiscal year adjustments to budget categories in
882 order to absorb the transfer of agency data center resources
883 pursuant to the legislative budget request instructions provided
884 in s. 216.023.
885 4. An analysis of the cost effects resulting from the
886 planned consolidations on existing agency customers.
887 5. A description of any issues that must be resolved in
888 order to accomplish as efficiently and effectively as possible
889 all consolidations required during the fiscal year.
890 (e)(p) Each state agency scheduled identified in this
891 subsection for consolidation into the state a primary data
892 center shall submit with its respective legislative budget
893 request the specific recurring and nonrecurring budget
894 adjustments of resources by appropriation category into the
895 appropriate data processing category pursuant to the legislative
896 budget request instructions in s. 216.023.
897 (5) AGENCY LIMITATIONS.—
898 (a) Unless exempt from state data center consolidation
899 pursuant to this section, authorized by the Legislature, or as
900 provided in paragraph paragraphs (b) and (c), a state agency may
901 not:
902 1. Create a new computing facility or data center, or
903 expand the capability to support additional computer equipment
904 in an existing state agency computing facility or nonprimary
905 data center;
906 2. Spend funds before the state agency’s scheduled
907 consolidation into the state a primary data center to purchase
908 or modify hardware or operations software that does not comply
909 with hardware and software standards established by the Agency
910 for State Enterprise Information Technology pursuant to
911 paragraph (2)(e) for the efficient consolidation of the agency
912 data centers or computing facilities;
913 3. Transfer existing computer services to any data center
914 other than the state a primary data center;
915 4. Terminate services with the state a primary data center
916 or transfer services between primary data centers without giving
917 written notice of intent to terminate or transfer services 180
918 days before such termination or transfer; or
919 5. Initiate a new computer service except with the state a
920 primary data center.
921 (b) Exceptions to the limitations in subparagraphs (a)1.,
922 2., 3., and 5. may be granted by the Agency for State Enterprise
923 Information Technology if there is insufficient capacity in the
924 state a primary data center to absorb the workload associated
925 with agency computing services, if expenditures are compatible
926 with the scheduled consolidation and the standards established
927 pursuant to s. 282.0051 paragraph (2)(e), or if the equipment or
928 resources are needed to meet a critical agency business need
929 that cannot be satisfied by from surplus equipment or resources
930 of the state primary data center until the agency data center is
931 consolidated. The Agency for State Technology shall develop and
932 publish the guidelines and required documentation that a state
933 agency must comply with when requesting an exception. The
934 agency’s decision regarding the exception request is not subject
935 to chapter 120.
936 1. A request for an exception must be submitted in writing
937 to the Agency for Enterprise Information Technology. The agency
938 must accept, accept with conditions, or deny the request within
939 60 days after receipt of the written request. The agency’s
940 decision is not subject to chapter 120.
941 2. At a minimum, the agency may not approve a request
942 unless it includes:
943 a. Documentation approved by the primary data center’s
944 board of trustees which confirms that the center cannot meet the
945 capacity requirements of the agency requesting the exception
946 within the current fiscal year.
947 b. A description of the capacity requirements of the agency
948 requesting the exception.
949 c. Documentation from the agency demonstrating why it is
950 critical to the agency’s mission that the expansion or transfer
951 must be completed within the fiscal year rather than when
952 capacity is established at a primary data center.
953 (c) Exceptions to subparagraph (a)4. may be granted by the
954 board of trustees of the primary data center if the termination
955 or transfer of services can be absorbed within the current cost
956 allocation plan.
957 (d) Upon the termination of or transfer of agency computing
958 services from the primary data center, the primary data center
959 shall require information sufficient to determine compliance
960 with this section. If a primary data center determines that an
961 agency is in violation of this section, it shall report the
962 violation to the Agency for Enterprise Information Technology.
963 (6) RULES.—The Agency for Enterprise Information Technology
964 may adopt rules to administer this part relating to the state
965 data center system including the primary data centers.
966 Section 8. Section 282.203, Florida Statutes, is repealed.
967 Section 9. Section 282.204, Florida Statutes, is repealed.
968 Section 10. Section 282.205, Florida Statutes, is repealed.
969 Section 11. Section 282.318, Florida Statutes, is amended
970 to read:
971 282.318 Enterprise security of data and information
972 technology.—
973 (1) This section may be cited as the “Enterprise Security
974 of Data and Information Technology Act.”
975 (2) Information technology security is established as an
976 enterprise information technology service as defined in s.
977 282.0041.
978 (2)(3) The Agency for State Enterprise Information
979 Technology is responsible for establishing standards,
980 guidelines, and processes by rule which are consistent with
981 generally accepted best practices for information technology
982 security, and adopting rules that safeguard an agency’s data,
983 information, and information technology resources to ensure its
984 availability, confidentiality, and integrity rules and
985 publishing guidelines for ensuring an appropriate level of
986 security for all data and information technology resources for
987 executive branch agencies. The agency shall also perform the
988 following duties and responsibilities:
989 (a) By June 30, 2015, develop, and annually update a
990 statewide by February 1, an enterprise information technology
991 security strategic plan that includes security goals and
992 objectives for the strategic issues of information technology
993 security policy, risk management, training, incident management,
994 and disaster recovery survivability planning.
995 (b) Develop and publish an information technology security
996 framework for use by state agencies which, at a minimum,
997 includes guidelines and processes enterprise security rules and
998 published guidelines for:
999 1. Developing and using a risk assessment methodology that
1000 will apply to state agencies to identify the priorities,
1001 constraints, risk tolerance, and assumptions.
1002 2.1. Completing comprehensive risk assessments analyses and
1003 information technology security audits. Such assessments and
1004 audits shall be conducted by state agencies and reviewed by the
1005 Agency for State Technology conducted by state agencies.
1006 3. Identifying protection procedures to manage the
1007 protection of a state agency’s information, data, and
1008 information technology resources.
1009 4. Detecting threats through proactive monitoring of
1010 events, continuous security monitoring, and specified detection
1011 processes.
1012 5.2. Responding to suspected or confirmed information
1013 technology security incidents, including suspected or confirmed
1014 breaches of personal information containing confidential or
1015 exempt data.
1016 6.3. Developing state agency strategic and operational
1017 information technology security plans required under this
1018 section, including strategic security plans and security program
1019 plans.
1020 7.4. Recovering The recovery of information technology and
1021 data in response to an information technology security incident
1022 following a disaster. The recovery may include recommended
1023 improvements to the processes, policies, or guidelines.
1024 8.5. Establishing The managerial, operational, and
1025 technical safeguards for protecting state government data and
1026 information technology resources which align with state agency
1027 risk management strategies for protecting the confidentiality,
1028 integrity, and availability of information technology and data.
1029 9. Establishing procedures for accessing information
1030 technology resources and data in order to limit authorized
1031 users, processes, or devices to authorized activities and
1032 transactions to ensure the confidentiality, integrity, and
1033 availability of such information and data.
1034 10. Establishing asset management procedures to ensure that
1035 information technology resources are identified and consistently
1036 managed with their relative importance to business objectives.
1037 (c) Assist state agencies in complying with the provisions
1038 of this section.
1039 (d) Pursue appropriate funding for the purpose of enhancing
1040 domestic security.
1041 (d)(e) In collaboration with the Cybercrime Office in the
1042 Department of Law Enforcement, provide training for state agency
1043 information security managers.
1044 (e)(f) Annually review the strategic and operational
1045 information technology security plans of state executive branch
1046 agencies.
1047 (3)(4) To assist the Agency for Enterprise Information
1048 Technology in carrying out its responsibilities, Each state
1049 agency head shall, at a minimum:
1050 (a) Designate an information security manager who, for the
1051 purposes of his or her information technology security duties,
1052 shall report to the agency head and shall to administer the
1053 information technology security program of the agency for its
1054 data and information technology resources. This designation must
1055 be provided annually in writing to the Agency for State
1056 Enterprise Information Technology by January 1.
1057 (b) Submit annually to the Agency for State Enterprise
1058 Information Technology annually by July 31, the state agency’s
1059 strategic and operational information technology security plans
1060 developed pursuant to the rules and guidelines established by
1061 the Agency for State Enterprise Information Technology.
1062 1. The state agency strategic information technology
1063 security plan must cover a 3-year period and, at a minimum,
1064 define security goals, intermediate objectives, and projected
1065 agency costs for the strategic issues of agency information
1066 security policy, risk management, security training, security
1067 incident response, and disaster recovery survivability. The plan
1068 must be based on the statewide enterprise strategic information
1069 security strategic plan created by the Agency for State
1070 Enterprise Information Technology and include performance
1071 metrics that can be objectively measured in order to gauge the
1072 state agency’s progress in meeting the security goals and
1073 objectives identified in the strategic information technology
1074 security plan. Additional issues may be included.
1075 2. The state agency operational information technology
1076 security plan must include a progress report that objectively
1077 measures progress made toward for the prior operational
1078 information technology security plan and a project plan that
1079 includes activities, timelines, and deliverables for security
1080 objectives that, subject to current resources, the state agency
1081 will implement during the current fiscal year. The cost of
1082 implementing the portions of the plan which cannot be funded
1083 from current resources must be identified in the plan.
1084 (c) Conduct, and update every 3 years, a comprehensive risk
1085 assessment analysis to determine the security threats to the
1086 data, information, and information technology resources of the
1087 state agency. The risk assessment must comply with the risk
1088 assessment methodology developed by the Agency for State
1089 Technology. The risk assessment analysis information is
1090 confidential and exempt from the provisions of s. 119.07(1),
1091 except that such information shall be available to the Auditor
1092 General, and the Agency for State Enterprise Information
1093 Technology, and the Cybercrime Office in the Department of Law
1094 Enforcement for performing postauditing duties.
1095 (d) Develop, and periodically update, written internal
1096 policies and procedures, which include procedures for reporting
1097 information technology security incidents and breaches to the
1098 Cybercrime Office in the Department of Law Enforcement and
1099 notifying the Agency for State Enterprise Information
1100 Technology, and for those agencies under the jurisdiction of the
1101 Governor, to the Chief Inspector General when a suspected or
1102 confirmed breach, or an information security incident, occurs.
1103 Such policies and procedures must be consistent with the rules,
1104 and guidelines, and processes established by the Agency for
1105 State Enterprise Information Technology to ensure the security
1106 of the data, information, and information technology resources
1107 of the state agency. The internal policies and procedures that,
1108 if disclosed, could facilitate the unauthorized modification,
1109 disclosure, or destruction of data or information technology
1110 resources are confidential information and exempt from s.
1111 119.07(1), except that such information shall be available to
1112 the Auditor General, the Cybercrime Office in the Department of
1113 Law Enforcement, and the Agency for State Enterprise Information
1114 Technology, and for those agencies under the jurisdiction of the
1115 Governor, to the Chief Inspector General for performing
1116 postauditing duties.
1117 (e) Implement the managerial, operational, and technical
1118 appropriate cost-effective safeguards established by the Agency
1119 for State Technology to address identified risks to the data,
1120 information, and information technology resources of the agency.
1121 (f) Ensure that periodic internal audits and evaluations of
1122 the agency’s information technology security program for the
1123 data, information, and information technology resources of the
1124 agency are conducted. The results of such audits and evaluations
1125 are confidential information and exempt from s. 119.07(1),
1126 except that such information shall be available to the Auditor
1127 General, the Cybercrime Office in the Department of Law
1128 Enforcement, and the Agency for State Enterprise Information
1129 Technology for performing postauditing duties.
1130 (g) Include appropriate information technology security
1131 requirements in the written specifications for the solicitation
1132 of information technology and information technology resources
1133 and services, which are consistent with the rules and guidelines
1134 established by the Agency for State Enterprise Information
1135 Technology in collaboration with the department.
1136 (h) Require that state agency employees complete the
1137 security awareness training offered by the Agency for State
1138 Technology in collaboration with the Cybercrime Office in the
1139 Department of Law Enforcement. Coordinate with state agencies to
1140 provide agency-specific security training aligned with the
1141 agency operational information technology security plan. Provide
1142 security awareness training to employees and users of the
1143 agency’s communication and information resources concerning
1144 information security risks and the responsibility of employees
1145 and users to comply with policies, standards, guidelines, and
1146 operating procedures adopted by the agency to reduce those
1147 risks.
1148 (i) Develop processes a process for detecting, reporting,
1149 and responding to information technology suspected or confirmed
1150 security threats or breaches or information technology security
1151 incidents which are, including suspected or confirmed breaches
1152 consistent with the security rules, and guidelines, and
1153 processes established by the Agency for State Enterprise
1154 Information Technology.
1155 1. All Suspected or confirmed information technology
1156 security incidents and breaches must be immediately reported to
1157 the Cybercrime Office in the Department of Law Enforcement and
1158 the Agency for State Enterprise Information Technology.
1159 2. For information technology security incidents involving
1160 breaches, agencies shall provide notice in accordance with s.
1161 817.5681 and to the Agency for Enterprise Information Technology
1162 in accordance with this subsection.
1163 (5) Each state agency shall include appropriate security
1164 requirements in the specifications for the solicitation of
1165 contracts for procuring information technology or information
1166 technology resources or services which are consistent with the
1167 rules and guidelines established by the Agency for Enterprise
1168 Information Technology.
1169 (4)(6) The Agency for State Enterprise Information
1170 Technology may adopt rules relating to information technology
1171 security and to administer the provisions of this section.
1172 Section 12. Section 282.33, Florida Statutes, is repealed.
1173 Section 13. Effective upon this act becoming a law, section
1174 282.34, Florida Statutes, is repealed.
1175 Section 14. Subsections (1) and (2) of section 17.0315,
1176 Florida Statutes, are amended to read:
1177 17.0315 Financial and cash management system; task force.—
1178 (1) The Chief Financial Officer, as the constitutional
1179 officer responsible for settling and approving accounts against
1180 the state and keeping all state funds pursuant to s. 4, Art. IV
1181 of the State Constitution, is shall be the head of and shall
1182 appoint members to a task force established to develop a
1183 strategic business plan for a successor financial and cash
1184 management system. The task force shall include the executive
1185 director of the Agency for State Enterprise Information
1186 Technology and the director of the Office of Policy and Budget
1187 in the Executive Office of the Governor. Any member of the task
1188 force may appoint a designee.
1189 (2) The strategic business plan for a successor financial
1190 and cash management system must:
1191 (a) Permit proper disbursement and auditing controls
1192 consistent with the respective constitutional duties of the
1193 Chief Financial Officer and the Legislature;
1194 (b) Promote transparency in the accounting of public funds;
1195 (c) Provide timely and accurate recording of financial
1196 transactions by agencies and their professional staffs;
1197 (d) Support executive reporting and data analysis
1198 requirements;
1199 (e) Be capable of interfacing with other systems providing
1200 human resource services, procuring goods and services, and
1201 providing other enterprise functions;
1202 (f) Be capable of interfacing with the existing legislative
1203 appropriations, planning, and budgeting systems;
1204 (g) Be coordinated with the information technology strategy
1205 development efforts of the Agency for State Enterprise
1206 Information Technology;
1207 (h) Be coordinated with the revenue estimating conference
1208 process as supported by the Office of Economic and Demographic
1209 Research; and
1210 (i) Address other such issues as the Chief Financial
1211 Officer identifies.
1212 Section 15. Subsection (1) of section 20.055, Florida
1213 Statutes, is reordered and amended to read:
1214 20.055 Agency inspectors general.—
1215 (1) As used in For the purposes of this section, the term:
1216 (d)(a) “State agency” means each department created
1217 pursuant to this chapter, and also includes the Executive Office
1218 of the Governor, the Department of Military Affairs, the Fish
1219 and Wildlife Conservation Commission, the Office of Insurance
1220 Regulation of the Financial Services Commission, the Office of
1221 Financial Regulation of the Financial Services Commission, the
1222 Public Service Commission, the Board of Governors of the State
1223 University System, the Florida Housing Finance Corporation, the
1224 Agency for State Technology, and the state courts system.
1225 (a)(b) “Agency head” means the Governor, a Cabinet officer,
1226 a secretary as defined in s. 20.03(5), or an executive director
1227 as those terms are defined in s. 20.03, 20.03(6). It also
1228 includes the chair of the Public Service Commission, the
1229 Director of the Office of Insurance Regulation of the Financial
1230 Services Commission, the Director of the Office of Financial
1231 Regulation of the Financial Services Commission, the board of
1232 directors of the Florida Housing Finance Corporation, and the
1233 Chief Justice of the State Supreme Court.
1234 (c) “Individuals substantially affected” means natural
1235 persons who have established a real and sufficiently immediate
1236 injury in fact due to the findings, conclusions, or
1237 recommendations of a final report of a state agency inspector
1238 general, who are the subject of the audit or investigation, and
1239 who do not have or are not currently afforded an existing right
1240 to an independent review process. The term does not apply to
1241 employees of the state, including career service, probationary,
1242 other personal service, Selected Exempt Service, and Senior
1243 Management Service employees;, are not covered by this
1244 definition. This definition also does not cover former employees
1245 of the state if the final report of the state agency inspector
1246 general relates to matters arising during a former employee’s
1247 term of state employment; or. This definition does not apply to
1248 persons who are the subject of audits or investigations
1249 conducted pursuant to ss. 112.3187-112.31895 or s. 409.913 or
1250 which are otherwise confidential and exempt under s. 119.07.
1251 (b)(d) “Entities contracting with the state” means for
1252 profit and not-for-profit organizations or businesses that have
1253 having a legal existence, such as corporations or partnerships,
1254 as opposed to natural persons, which have entered into a
1255 relationship with a state agency as defined in paragraph (a) to
1256 provide for consideration certain goods or services to the state
1257 agency or on behalf of the state agency. The relationship may be
1258 evidenced by payment by warrant or purchasing card, contract,
1259 purchase order, provider agreement, or other such mutually
1260 agreed upon relationship. The term This definition does not
1261 apply to entities that which are the subject of audits or
1262 investigations conducted pursuant to ss. 112.3187-112.31895 or
1263 s. 409.913 or which are otherwise confidential and exempt under
1264 s. 119.07.
1265 Section 16. Paragraph (e) of subsection (2) of section
1266 110.205, Florida Statutes, is amended to read:
1267 110.205 Career service; exemptions.—
1268 (2) EXEMPT POSITIONS.—The exempt positions that are not
1269 covered by this part include the following:
1270 (e) The Chief Information Officer in the Agency for State
1271 Enterprise Information Technology. Unless otherwise fixed by
1272 law, the Agency for State Enterprise Information Technology
1273 shall set the salary and benefits of this position in accordance
1274 with the rules of the Senior Management Service.
1275 Section 17. Subsections (2) and (9) of section 215.322,
1276 Florida Statutes, are amended to read:
1277 215.322 Acceptance of credit cards, charge cards, debit
1278 cards, or electronic funds transfers by state agencies, units of
1279 local government, and the judicial branch.—
1280 (2) A state agency as defined in s. 216.011, or the
1281 judicial branch, may accept credit cards, charge cards, debit
1282 cards, or electronic funds transfers in payment for goods and
1283 services with the prior approval of the Chief Financial Officer.
1284 If the Internet or other related electronic methods are to be
1285 used as the collection medium, the Agency for State Enterprise
1286 Information Technology shall review and recommend to the Chief
1287 Financial Officer whether to approve the request with regard to
1288 the process or procedure to be used.
1289 (9) For payment programs in which credit cards, charge
1290 cards, or debit cards are accepted by state agencies, the
1291 judicial branch, or units of local government, the Chief
1292 Financial Officer, in consultation with the Agency for State
1293 Enterprise Information Technology, may adopt rules to establish
1294 uniform security safeguards for cardholder data and to ensure
1295 compliance with the Payment Card Industry Data Security
1296 Standards.
1297 Section 18. Subsection (2) of section 215.96, Florida
1298 Statutes, is amended to read:
1299 215.96 Coordinating council and design and coordination
1300 staff.—
1301 (2) The coordinating council shall consist of the Chief
1302 Financial Officer; the Commissioner of Agriculture; the Attorney
1303 General; the secretary of the Department of Management Services;
1304 the executive director of the Agency for State Technology the
1305 Attorney General; and the Director of Planning and Budgeting,
1306 Executive Office of the Governor, or their designees. The Chief
1307 Financial Officer, or his or her designee, shall be chair of the
1308 coordinating council, and the design and coordination staff
1309 shall provide administrative and clerical support to the council
1310 and the board. The design and coordination staff shall maintain
1311 the minutes of each meeting and shall make such minutes
1312 available to any interested person. The Auditor General, the
1313 State Courts Administrator, an executive officer of the Florida
1314 Association of State Agency Administrative Services Directors,
1315 and an executive officer of the Florida Association of State
1316 Budget Officers, or their designees, shall serve without voting
1317 rights as ex officio members of on the coordinating council. The
1318 chair may call meetings of the coordinating council as often as
1319 necessary to transact business; however, the coordinating
1320 council must shall meet at least annually once a year. Action of
1321 the coordinating council shall be by motion, duly made, seconded
1322 and passed by a majority of the coordinating council voting in
1323 the affirmative for approval of items that are to be recommended
1324 for approval to the Financial Management Information Board.
1325 Section 19. Paragraph (a) of subsection (4) of section
1326 216.023, Florida Statutes, is amended to read:
1327 216.023 Legislative budget requests to be furnished to
1328 Legislature by agencies.—
1329 (4)(a) The legislative budget request must contain for each
1330 program must contain:
1331 1. The constitutional or statutory authority for a program,
1332 a brief purpose statement, and approved program components.
1333 2. Information on expenditures for 3 fiscal years (actual
1334 prior-year expenditures, current-year estimated expenditures,
1335 and agency budget requested expenditures for the next fiscal
1336 year) by appropriation category.
1337 3. Details on trust funds and fees.
1338 4. The total number of positions (authorized, fixed, and
1339 requested).
1340 5. An issue narrative describing and justifying changes in
1341 amounts and positions requested for current and proposed
1342 programs for the next fiscal year.
1343 6. Information resource requests.
1344 7. Supporting information, including applicable cost
1345 benefit analyses, business case analyses, performance
1346 contracting procedures, service comparisons, and impacts on
1347 performance standards for any request to outsource or privatize
1348 agency functions. The cost-benefit and business case analyses
1349 must include an assessment of the impact on each affected
1350 activity from those identified in accordance with paragraph (b).
1351 Performance standards must include standards for each affected
1352 activity and be expressed in terms of the associated unit of
1353 activity.
1354 8. An evaluation of any major outsourcing and privatization
1355 initiatives undertaken during the last 5 fiscal years having
1356 aggregate expenditures exceeding $10 million during the term of
1357 the contract. The evaluation must shall include an assessment of
1358 contractor performance, a comparison of anticipated service
1359 levels to actual service levels, and a comparison of estimated
1360 savings to actual savings achieved. Consolidated reports issued
1361 by the Department of Management Services may be used to satisfy
1362 this requirement.
1363 9. Supporting information for any proposed consolidated
1364 financing of deferred-payment commodity contracts including
1365 guaranteed energy performance savings contracts. Supporting
1366 information must also include narrative describing and
1367 justifying the need, baseline for current costs, estimated cost
1368 savings, projected equipment purchases, estimated contract
1369 costs, and return on investment calculation.
1370 10. For projects that exceed $10 million in total cost, the
1371 statutory reference of the existing policy or the proposed
1372 substantive policy that establishes and defines the project’s
1373 governance structure, planned scope, main business objectives
1374 that must be achieved, and estimated completion timeframes. The
1375 governance structure for information technology-related projects
1376 requested by a state agency must incorporate the applicable
1377 project management and oversight standards established under s.
1378 282.0051. Information technology budget requests for the
1379 continuance of existing hardware and software maintenance
1380 agreements, renewal of existing software licensing agreements,
1381 or the replacement of desktop units with new technology that is
1382 similar to the technology currently in use are exempt from this
1383 requirement.
1384 Section 20. Subsection (22) of section 287.057, Florida
1385 Statutes, is amended to read:
1386 287.057 Procurement of commodities or contractual
1387 services.—
1388 (22) The department, in consultation with the Chief
1389 Financial Officer and the Agency for State Technology, shall
1390 maintain a program for the online procurement of commodities and
1391 contractual services. To enable the state to promote open
1392 competition and leverage its buying power, agencies shall
1393 participate in the online procurement program, and eligible
1394 users may participate in the program. Only vendors prequalified
1395 as meeting mandatory requirements and qualifications criteria
1396 may participate in online procurement.
1397 (a) The department, in consultation with the Agency for
1398 State Technology, may contract for equipment and services
1399 necessary to develop and implement online procurement.
1400 (b) The department shall adopt rules to administer the
1401 program for online procurement. The rules must include, but not
1402 be limited to:
1403 1. Determining the requirements and qualification criteria
1404 for prequalifying vendors.
1405 2. Establishing the procedures for conducting online
1406 procurement.
1407 3. Establishing the criteria for eligible commodities and
1408 contractual services.
1409 4. Establishing the procedures for providing access to
1410 online procurement.
1411 5. Determining the criteria warranting any exceptions to
1412 participation in the online procurement program.
1413 (c) The department may impose and shall collect all fees
1414 for the use of the online procurement systems.
1415 1. The fees may be imposed on an individual transaction
1416 basis or as a fixed percentage of the cost savings generated. At
1417 a minimum, the fees must be set in an amount sufficient to cover
1418 the projected costs of the services, including administrative
1419 and project service costs in accordance with the policies of the
1420 department.
1421 2. If the department contracts with a provider for online
1422 procurement, the department, pursuant to appropriation, shall
1423 compensate the provider from the fees after the department has
1424 satisfied all ongoing costs. The provider shall report
1425 transaction data to the department each month so that the
1426 department may determine the amount due and payable to the
1427 department from each vendor.
1428 3. All fees that are due and payable to the state on a
1429 transactional basis or as a fixed percentage of the cost savings
1430 generated are subject to s. 215.31 and must be remitted within
1431 40 days after receipt of payment for which the fees are due. For
1432 fees that are not remitted within 40 days, the vendor shall pay
1433 interest at the rate established under s. 55.03(1) on the unpaid
1434 balance from the expiration of the 40-day period until the fees
1435 are remitted.
1436 4. All fees and surcharges collected under this paragraph
1437 shall be deposited in the Operating Trust Fund as provided by
1438 law.
1439 Section 21. Subsection (4) of section 445.011, Florida
1440 Statutes, is amended to read:
1441 445.011 Workforce information systems.—
1442 (4) Workforce Florida, Inc., shall coordinate development
1443 and implementation of workforce information systems with the
1444 executive director of the Agency for State Enterprise
1445 Information Technology to ensure compatibility with the state’s
1446 information system strategy and enterprise architecture.
1447 Section 22. Subsections (2) and (4) of section 445.045,
1448 Florida Statutes, are amended to read:
1449 445.045 Development of an Internet-based system for
1450 information technology industry promotion and workforce
1451 recruitment.—
1452 (2) Workforce Florida, Inc., shall coordinate with the
1453 Agency for State Enterprise Information Technology and the
1454 Department of Economic Opportunity to ensure links, where
1455 feasible and appropriate, to existing job information websites
1456 maintained by the state and state agencies and to ensure that
1457 information technology positions offered by the state and state
1458 agencies are posted on the information technology website.
1459 (4)(a) Workforce Florida, Inc., shall coordinate
1460 development and maintenance of the website under this section
1461 with the executive director of the Agency for State Enterprise
1462 Information Technology to ensure compatibility with the state’s
1463 information system strategy and enterprise architecture.
1464 (b) Workforce Florida, Inc., may enter into an agreement
1465 with the Agency for State Enterprise Information Technology, the
1466 Department of Economic Opportunity, or any other public agency
1467 with the requisite information technology expertise for the
1468 provision of design, operating, or other technological services
1469 necessary to develop and maintain the website.
1470 (c) Workforce Florida, Inc., may procure services necessary
1471 to implement the provisions of this section, if it employs
1472 competitive processes, including requests for proposals,
1473 competitive negotiation, and other competitive processes that to
1474 ensure that the procurement results in the most cost-effective
1475 investment of state funds.
1476 Section 23. Paragraph (b) of subsection (18) of section
1477 668.50, Florida Statutes, is amended to read:
1478 668.50 Uniform Electronic Transaction Act.—
1479 (18) ACCEPTANCE AND DISTRIBUTION OF ELECTRONIC RECORDS BY
1480 GOVERNMENTAL AGENCIES.—
1481 (b) To the extent that a governmental agency uses
1482 electronic records and electronic signatures under paragraph
1483 (a), the Agency for State Enterprise Information Technology, in
1484 consultation with the governmental agency, giving due
1485 consideration to security, may specify:
1486 1. The manner and format in which the electronic records
1487 must be created, generated, sent, communicated, received, and
1488 stored and the systems established for those purposes.
1489 2. If electronic records must be signed by electronic
1490 means, the type of electronic signature required, the manner and
1491 format in which the electronic signature must be affixed to the
1492 electronic record, and the identity of, or criteria that must be
1493 met by, any third party used by a person filing a document to
1494 facilitate the process.
1495 3. Control processes and procedures as appropriate to
1496 ensure adequate preservation, disposition, integrity, security,
1497 confidentiality, and auditability of electronic records.
1498 4. Any other required attributes for electronic records
1499 which are specified for corresponding nonelectronic records or
1500 reasonably necessary under the circumstances.
1501 Section 24. Section 943.0415, Florida Statutes, is amended
1502 to read:
1503 943.0415 Cybercrime Office.—The Cybercrime Office There is
1504 created within the Department of Law Enforcement the Cybercrime
1505 Office. The office may:
1506 (1) Investigate violations of state law pertaining to the
1507 sexual exploitation of children which are facilitated by or
1508 connected to the use of any device capable of storing electronic
1509 data.
1510 (2) Monitor information technology resources and provide
1511 analysis on information technology security incidents, threats,
1512 or breaches as those terms are defined in s. 282.0041.
1513 (3) Investigate violations of state law pertaining to
1514 information technology security incidents, threats, or breaches
1515 pursuant to s. 282.0041 and assist in incident response and
1516 recovery.
1517 (4) Provide security awareness training and information to
1518 state agency employees concerning cyber security, online sexual
1519 exploitation of children, security risks, and the responsibility
1520 of employees to comply with policies, standards, guidelines, and
1521 operating procedures adopted by the Agency for State Technology.
1522 (5) Consult with the Agency for State Technology in the
1523 adoption of rules relating to the information technology
1524 security provisions of s. 282.318.
1525 Section 25. Section 1004.649, Florida Statutes, is amended
1526 to read:
1527 1004.649 Northwest Regional Data Center.—
1528 (1) For the purpose of providing data center services to
1529 serving its state agency customers, the Northwest Regional Data
1530 Center at Florida State University is designated as a primary
1531 data center and shall:
1532 (a) Operate under a governance structure that represents
1533 its customers proportionally.
1534 (b) Maintain an appropriate cost-allocation methodology
1535 that accurately bills state agency customers based solely on the
1536 actual direct and indirect costs of the services provided to
1537 state agency customers, and ensures that for any fiscal year a
1538 state agency customer is not subsidizing a prohibits the
1539 subsidization of nonstate agency customer or another state
1540 agency customer customers’ costs by state agency customers. Such
1541 cost-allocation methodology must comply with applicable state
1542 and federal requirements concerning the distribution and use of
1543 state and federal funds.
1544 (c) Enter into a service-level agreement with each state
1545 agency customer to provide services as defined and approved by
1546 the governing board of the center. At a minimum, such service
1547 level agreements must:
1548 1. Identify the parties and their roles, duties, and
1549 responsibilities under the agreement;
1550 2. State the duration of the agreement term and specify the
1551 conditions for renewal;
1552 3. Identify the scope of work;
1553 4. Establish the services to be provided, the business
1554 standards that must be met for each service, the cost of each
1555 service, and the process by which the business standards for
1556 each service are to be objectively measured and reported;
1557 5. Provide a timely billing methodology for recovering the
1558 cost of services provided pursuant to s. 215.422; and
1559 6. Provide a procedure for modifying the service-level
1560 agreement to address any changes in projected costs of service;
1561 7. Prohibit the transfer of computing services between the
1562 Northwest Regional Data Center and the state data center
1563 established under s. 282.201 without at least 180 days’ notice
1564 of service cancellation;
1565 8. Identify the products or services to be delivered with
1566 sufficient specificity to permit an external financial or
1567 performance audit; and
1568 9. Provide that the service-level agreement may be
1569 terminated by either party for cause only after giving the other
1570 party notice in writing of the cause for termination and an
1571 opportunity for the other party to resolve the identified cause
1572 within a reasonable period.
1573 (d) Provide to the Board of Governors the total annual
1574 budget by major expenditure category, including, but not limited
1575 to, salaries, expenses, operating capital outlay, contracted
1576 services, or other personnel services by July 30 each fiscal
1577 year.
1578 (e) Provide to each state agency customer its projected
1579 annual cost for providing the agreed-upon data center services
1580 by September 1 each fiscal year.
1581 (f) Provide a plan for consideration by the Legislative
1582 Budget Commission if the governing body of the center approves
1583 the use of a billing rate schedule after the start of the fiscal
1584 year that increases any state agency customer’s costs for that
1585 fiscal year.
1586 (2) The Northwest Regional Data Center’s designation as a
1587 primary data center for purposes of serving its state agency
1588 customers may be terminated if:
1589 (a) The center requests such termination to the Board of
1590 Governors, the Senate President, and the Speaker of the House of
1591 Representatives; or
1592 (b) The center fails to comply with the provisions of this
1593 section.
1594 (3) If such designation is terminated, the center shall
1595 have 1 year to provide for the transition of its state agency
1596 customers to the state data center system established under s.
1597 282.201 Southwood Shared Resource Center or the Northwood Shared
1598 Resource Center.
1599 Section 26. The Agency for Enterprise Information
1600 Technology in the Executive Office of the Governor is
1601 transferred by a type two transfer, pursuant to s. 20.06,
1602 Florida Statutes, to the Agency for State Technology established
1603 pursuant to s. 20.61, Florida Statutes, except that the only
1604 rules that are transferred are chapters 71A-1 and 71A-2, Florida
1605 Administrative Code. All other rules adopted by the Agency for
1606 Enterprise Information Technology are nullified and of no
1607 further force or effect.
1608 Section 27. The Northwood Shared Resource Center in the
1609 Department of Management Services is transferred by a type two
1610 transfer, pursuant to s. 20.06, Florida Statutes, to the Agency
1611 for State Technology established pursuant to s. 20.61, Florida
1612 Statutes.
1613 Section 28. The Southwood Shared Resource Center in the
1614 Department of Management Services is transferred by a type two
1615 transfer, pursuant to s. 20.06, Florida Statutes, to the Agency
1616 for State Technology established pursuant to s. 20.61, Florida
1617 Statutes.
1618 Section 29. The Agency for State Technology shall:
1619 (1) Complete a feasibility study that analyzes, evaluates,
1620 and provides recommendations for managing state government data
1621 in a manner that promotes its interoperability and openness and,
1622 if legally permissible and not cost prohibitive, ensures that
1623 such data is available to the public in ways that make the data
1624 easy to find and use, and complies with chapter 119, Florida
1625 Statutes. At a minimum, the feasibility study must include the
1626 following components:
1627 (a) A clear description of which state government data
1628 should be public information. The guiding principle for this
1629 component is a presumption of openness to the extent permitted
1630 by law but subject to valid restrictions relating to privacy,
1631 confidentiality, and security, and other fiscal and legal
1632 restrictions.
1633 (b) Recommended standards for making the format and
1634 accessibility of public information uniform and ensuring that
1635 such data is published in a nonproprietary, searchable,
1636 sortable, platform-independent, and machine-readable format. The
1637 agency should include the projected cost to state agencies of
1638 implementing and maintaining such standards.
1639 (c) A project plan for implementing a single Internet
1640 website that contains public information or links to public
1641 information. The plan should include a timeline and benchmarks
1642 for making public information available online and identify any
1643 costs associated with the development and ongoing maintenance of
1644 such a website.
1645 (d) A recommended governance structure and review and
1646 compliance process to ensure accountability on the part of those
1647 who create, maintain, manage, or store public information or
1648 post it on the single Internet website. The agency should
1649 include any associated costs to implement and maintain the
1650 recommended governance structure and the review and compliance
1651 process.
1652 (2) Submit the completed feasibility study to the Executive
1653 Office of the Governor, the President of the Senate, and the
1654 Speaker of the House of Representatives by June 1, 2015.
1655 Section 30. The State Data Center Task Force is created.
1656 The task force shall be comprised of those individuals who were
1657 members of the boards of trustees of the Northwood and Southwood
1658 Shared Resource Centers as of June 30, 2014. The purpose of the
1659 task force is to provide assistance in the transition of the
1660 Northwood and Southwood Shared Resource Centers into the state
1661 data center established under s. 282.201, Florida Statutes. The
1662 task force shall identify any operational or fiscal issues
1663 affecting the transition and provide recommendations to the
1664 Agency for State Technology for the resolution of such issues.
1665 The task force may not make decisions regarding the state data
1666 center or the facilities formerly known as the Northwood and
1667 Southwood Shared Resource Centers and shall expire on or before
1668 June 30, 2015.
1669 Section 31. For the 2014-2015 fiscal year, the sum of
1670 $2,134,892 in nonrecurring general revenue funds, $2,865,108 in
1671 recurring general revenue funds, and 25 full-time equivalent
1672 positions and associated salary rate of 2,010,951 are
1673 appropriated to the Agency for State Technology for the purpose
1674 of implementing and administering this act.
1675 Section 32. Except as otherwise expressly provided in this
1676 act and except for this section, which shall take effect upon
1677 this act becoming a law, this act shall take effect July 1,
1678 2014.