Florida Senate - 2016 PROPOSED COMMITTEE SUBSTITUTE
Bill No. SB 7050
Ì591178FÎ591178
576-03424-16
Proposed Committee Substitute by the Committee on Appropriations
(Appropriations Subcommittee on General Government)
1 A bill to be entitled
2 An act relating to information technology security;
3 amending s. 20.61, F.S.; revising the membership of
4 the Technology Advisory Council to include a
5 cybersecurity expert; requiring the council, in
6 coordination with the Florida Center for
7 Cybersecurity, to identify and recommend STEM training
8 opportunities; amending s. 282.318, F.S.; revising
9 duties of the Agency for State Technology; providing
10 for administration of a third-party risk assessment;
11 providing for the establishment of computer security
12 incident response teams within state agencies;
13 establishing procedures for reporting information
14 technology security incidents; providing for
15 continuously updated agency incident response plans;
16 providing for information technology security and
17 cybersecurity awareness training; providing for the
18 establishment of a collaborative STEM program for
19 cybersecurity workforce development; establishing
20 computer security incident response team
21 responsibilities; requiring each state agency head to
22 conduct a third-party administered risk assessment;
23 establishing notification procedures and reporting
24 timelines for an information technology security
25 incident or breach; amending s. 1001.03, F.S.;
26 revising entities directed to adopt a unified state
27 plan for K-20 STEM education to include the Technology
28 Advisory Council; amending s. 1004.444, F.S.;
29 requiring the Florida Center for Cybersecurity to
30 coordinate with the Technology Advisory Council;
31 providing appropriations; providing an effective date.
32
33 Be It Enacted by the Legislature of the State of Florida:
34
35 Section 1. Subsection (3) of section 20.61, Florida
36 Statutes, is amended to read:
37 20.61 Agency for State Technology.—The Agency for State
38 Technology is created within the Department of Management
39 Services. The agency is a separate budget program and is not
40 subject to control, supervision, or direction by the Department
41 of Management Services, including, but not limited to,
42 purchasing, transactions involving real or personal property,
43 personnel, or budgetary matters.
44 (3) The Technology Advisory Council, consisting of seven
45 members, is established within the Agency for State Technology
46 and shall be maintained pursuant to s. 20.052. Four members of
47 the council shall be appointed by the Governor, two of whom must
48 be from the private sector and one of whom must be a
49 cybersecurity expert. The President of the Senate and the
50 Speaker of the House of Representatives shall each appoint one
51 member of the council. The Attorney General, the Commissioner of
52 Agriculture and Consumer Services, and the Chief Financial
53 Officer shall jointly appoint one member by agreement of a
54 majority of these officers. Upon initial establishment of the
55 council, two of the Governor’s appointments shall be for 2-year
56 terms. Thereafter, all appointments shall be for 4-year terms.
57 (a) The council shall consider and make recommendations to
58 the executive director on such matters as enterprise information
59 technology policies, standards, services, and architecture. The
60 council may also identify and recommend opportunities for the
61 establishment of public-private partnerships when considering
62 technology infrastructure and services in order to accelerate
63 project delivery and provide a source of new or increased
64 project funding.
65 (b) The executive director shall consult with the council
66 with regard to executing the duties and responsibilities of the
67 agency related to statewide information technology strategic
68 planning and policy.
69 (c) The council shall coordinate with the Florida Center
70 for Cybersecurity to identify and recommend opportunities for
71 establishing cutting-edge educational and training programs in
72 science, technology, engineering, and mathematics (STEM) for
73 students, consistent with the unified state plan adopted
74 pursuant to s. 1001.03(17); increasing the cybersecurity
75 workforce in the state; and preparing cybersecurity
76 professionals to possess a wide range of expertise.
77 (d)(c) The council shall be governed by the Code of Ethics
78 for Public Officers and Employees as set forth in part III of
79 chapter 112, and each member must file a statement of financial
80 interests pursuant to s. 112.3145.
81 Section 2. Section 282.318, Florida Statutes, is amended to
82 read:
83 282.318 Security of data and information technology.—
84 (1) This section may be cited as the “Information
85 Technology Security Act.”
86 (2) As used in this section, the term “state agency” has
87 the same meaning as provided in s. 282.0041, except that the
88 term includes the Department of Legal Affairs, the Department of
89 Agriculture and Consumer Services, and the Department of
90 Financial Services.
91 (3) The Agency for State Technology is responsible for
92 establishing standards and processes consistent with generally
93 accepted best practices for information technology security and
94 cybersecurity and adopting rules that safeguard an agency’s
95 data, information, and information technology resources to
96 ensure availability, confidentiality, and integrity and to
97 mitigate risks. The agency shall also:
98 (a) Develop, and annually update by February 1, a statewide
99 information technology security strategic plan that includes
100 security goals and objectives for the strategic issues of
101 information technology security policy, risk management,
102 training, incident management, and disaster recovery planning.
103 (b) Develop and publish for use by state agencies an
104 information technology security framework that, at a minimum,
105 includes guidelines and processes for:
106 1. Establishing asset management procedures to ensure that
107 an agency’s information technology resources are identified and
108 managed consistent with their relative importance to the
109 agency’s business objectives.
110 2. Using a standard risk assessment methodology that
111 includes the identification of an agency’s priorities,
112 constraints, risk tolerances, and assumptions necessary to
113 support operational risk decisions.
114 3. Completing comprehensive risk assessments and
115 information technology security audits and submitting completed
116 assessments and audits to the Agency for State Technology.
117 4. Completing risk assessments administered by a third
118 party and submitting completed assessments to the Agency for
119 State Technology.
120 5.4. Identifying protection procedures to manage the
121 protection of an agency’s information, data, and information
122 technology resources.
123 6.5. Establishing procedures for accessing information and
124 data to ensure the confidentiality, integrity, and availability
125 of such information and data.
126 7.6. Detecting threats through proactive monitoring of
127 events, continuous security monitoring, and defined detection
128 processes.
129 8.7. Establishing a computer security incident response
130 team to respond to suspected Responding to information
131 technology security incidents, including breaches of personal
132 information containing confidential or exempt data. An agency’s
133 computer security incident response team must convene as soon as
134 practicable upon notice of a suspected security incident and
135 shall determine the appropriate response.
136 9.8. Recovering information and data in response to an
137 information technology security incident. The recovery may
138 include recommended improvements to the agency processes,
139 policies, or guidelines.
140 10. Establishing an information technology security
141 incident reporting process, which must include a procedure for
142 notification of the Agency for State Technology and the
143 Cybercrime Office of the Department of Law Enforcement. The
144 notification procedure must provide for tiered reporting
145 timeframes, with incidents of critical impact reported
146 immediately upon discovery, incidents of high impact reported
147 within 4 hours of discovery, and incidents of low impact
148 reported within 5 business days of discovery.
149 11. Incorporating lessons learned through detection and
150 response activities into agency incident response plans to
151 continuously improve organizational response activities.
152 12.9. Developing agency strategic and operational
153 information technology security plans required pursuant to this
154 section.
155 13.10. Establishing the managerial, operational, and
156 technical safeguards for protecting state government data and
157 information technology resources that align with the state
158 agency risk management strategy and that protect the
159 confidentiality, integrity, and availability of information and
160 data.
161 14. Providing all agency employees with information
162 technology security and cybersecurity awareness education and
163 training within 30 days after commencing employment.
164 (c) Assist state agencies in complying with this section.
165 (d) In collaboration with the Cybercrime Office of the
166 Department of Law Enforcement, provide training that must
167 include training on cybersecurity threats, trends, and best
168 practices for state agency information security managers and
169 computer security incident response team members at least
170 annually.
171 (e) Annually review the strategic and operational
172 information technology security plans of executive branch
173 agencies.
174 (f) Develop and establish a cutting-edge internship or
175 work-study program in science, technology, engineering, and
176 mathematics (STEM), which will produce a more skilled
177 cybersecurity workforce in the state. The program must be a
178 collaborative effort involving negotiations between the Agency
179 for State Technology, relevant Agency for State Technology
180 partners, and the Florida Center for Cybersecurity.
181 (4) Each state agency head shall, at a minimum:
182 (a) Designate an information security manager to administer
183 the information technology security program of the state agency.
184 This designation must be provided annually in writing to the
185 Agency for State Technology by January 1. A state agency’s
186 information security manager, for purposes of these information
187 security duties, shall report directly to the agency head.
188 1. The information security manager shall establish a
189 computer security incident response team to respond to a
190 suspected computer security incident.
191 2. Computer security incident response team members shall
192 convene as soon as practicable upon notice of a suspected
193 security incident.
194 3. Computer security incident response team members shall
195 determine the appropriate response for a suspected computer
196 security incident. An appropriate response includes taking
197 action to prevent expansion or recurrence of an incident,
198 mitigating the effects of an incident, and eradicating an
199 incident. Newly identified risks must be mitigated or documented
200 as an accepted risk by computer security incident response team
201 members.
202 (b) Submit to the Agency for State Technology annually by
203 July 31, the state agency’s strategic and operational
204 information technology security plans developed pursuant to
205 rules and guidelines established by the Agency for State
206 Technology.
207 1. The state agency strategic information technology
208 security plan must cover a 3-year period and, at a minimum,
209 define security goals, intermediate objectives, and projected
210 agency costs for the strategic issues of agency information
211 security policy, risk management, security training, security
212 incident response, and disaster recovery. The plan must be based
213 on the statewide information technology security strategic plan
214 created by the Agency for State Technology and include
215 performance metrics that can be objectively measured to reflect
216 the status of the state agency’s progress in meeting security
217 goals and objectives identified in the agency’s strategic
218 information security plan.
219 2. The state agency operational information technology
220 security plan must include a progress report that objectively
221 measures progress made towards the prior operational information
222 technology security plan and a project plan that includes
223 activities, timelines, and deliverables for security objectives
224 that the state agency will implement during the current fiscal
225 year.
226 (c) Conduct, and update every 3 years, a comprehensive risk
227 assessment to determine the security threats to the data,
228 information, and information technology resources, including
229 mobile devices and print environments, of the agency. The risk
230 assessment must comply with the risk assessment methodology
231 developed by the Agency for State Technology and is confidential
232 and exempt from s. 119.07(1), except that such information shall
233 be available to the Auditor General, the Agency for State
234 Technology, the Cybercrime Office of the Department of Law
235 Enforcement, and, for state agencies under the jurisdiction of
236 the Governor, the Chief Inspector General.
237 (d) Subject to annual legislative appropriation, conduct a
238 risk assessment that must be administered by a third party
239 consistent with the guidelines and processes prescribed by the
240 Agency for State Technology. An initial risk assessment must be
241 completed by July 31, 2017. Additional risk assessments shall be
242 completed periodically consistent with the guidelines and
243 processes prescribed by the Agency for State Technology.
244 (e)(d) Develop, and periodically update, written internal
245 policies and procedures, which include procedures for reporting
246 information technology security incidents and breaches to the
247 Cybercrime Office of the Department of Law Enforcement and the
248 Agency for State Technology. Procedures for reporting
249 information technology security incidents and breaches must
250 include notification procedures and reporting timeframes. Such
251 policies and procedures must be consistent with the rules,
252 guidelines, and processes established by the Agency for State
253 Technology to ensure the security of the data, information, and
254 information technology resources of the agency. The internal
255 policies and procedures that, if disclosed, could facilitate the
256 unauthorized modification, disclosure, or destruction of data or
257 information technology resources are confidential information
258 and exempt from s. 119.07(1), except that such information shall
259 be available to the Auditor General, the Cybercrime Office of
260 the Department of Law Enforcement, the Agency for State
261 Technology, and, for state agencies under the jurisdiction of
262 the Governor, the Chief Inspector General.
263 (f)(e) Implement managerial, operational, and technical
264 safeguards established by the Agency for State Technology to
265 address identified risks to the data, information, and
266 information technology resources of the agency.
267 (g)(f) Ensure that periodic internal audits and evaluations
268 of the agency’s information technology security program for the
269 data, information, and information technology resources of the
270 agency are conducted. The results of such audits and evaluations
271 are confidential information and exempt from s. 119.07(1),
272 except that such information shall be available to the Auditor
273 General, the Cybercrime Office of the Department of Law
274 Enforcement, the Agency for State Technology, and, for agencies
275 under the jurisdiction of the Governor, the Chief Inspector
276 General.
277 (h)(g) Include appropriate information technology security
278 requirements in the written specifications for the solicitation
279 of information technology and information technology resources
280 and services, which are consistent with the rules and guidelines
281 established by the Agency for State Technology in collaboration
282 with the Department of Management Services.
283 (i)(h) Provide information technology security and
284 cybersecurity awareness training to all state agency employees
285 in the first 30 days after commencing employment concerning
286 information technology security risks and the responsibility of
287 employees to comply with policies, standards, guidelines, and
288 operating procedures adopted by the state agency to attain an
289 appropriate level of cyber literacy and reduce those risks. The
290 training may be provided in collaboration with the Cybercrime
291 Office of the Department of Law Enforcement. Agencies shall
292 ensure that privileged users, third-party stakeholders, senior
293 executives, and physical and information security personnel
294 understand their roles and responsibilities.
295 (j) In collaboration with the Cybercrime Office of the
296 Department of Law Enforcement, provide training on cybersecurity
297 threats, trends, and best practices to computer security
298 incident response team members at least annually.
299 (k)(i) Develop a process for detecting, reporting, and
300 responding to threats, breaches, or information technology
301 security incidents that are consistent with the security rules,
302 guidelines, and processes established by the Agency for State
303 Technology.
304 1. All information technology security incidents and
305 breaches must be reported to the Agency for State Technology.
306 Procedures for reporting information technology security
307 incidents and breaches must include notification procedures.
308 2. For information technology security breaches, state
309 agencies shall provide notice in accordance with s. 501.171.
310 (l) Improve organizational response activities by
311 incorporating lessons learned from current and previous
312 detection and response activities into response plans.
313 (5) The Agency for State Technology shall adopt rules
314 relating to information technology security and to administer
315 this section.
316 Section 3. Subsection (17) of section 1001.03, Florida
317 Statutes, is amended to read:
318 1001.03 Specific powers of State Board of Education.—
319 (17) UNIFIED STATE PLAN FOR SCIENCE, TECHNOLOGY,
320 ENGINEERING, AND MATHEMATICS (STEM).—The State Board of
321 Education, in consultation with the Board of Governors, the
322 Technology Advisory Council, and the Department of Economic
323 Opportunity, shall adopt a unified state plan to improve K-20
324 STEM education and prepare students for high-skill, high-wage,
325 and high-demand employment in STEM and STEM-related fields.
326 Section 4. Section 1004.444, Florida Statutes, is amended
327 to read:
328 1004.444 Florida Center for Cybersecurity.—
329 (1) The Florida Center for Cybersecurity is established
330 within the University of South Florida.
331 (2) The goals of the center are to:
332 (a) Position Florida as the national leader in
333 cybersecurity and its related workforce through education,
334 research, and community engagement. The center shall coordinate
335 with the Technology Advisory Council in pursuit of this goal.
336 (b) Assist in the creation of jobs in the state’s
337 cybersecurity industry and enhance the existing cybersecurity
338 workforce. The center shall coordinate with the Technology
339 Advisory Council in pursuit of this goal.
340 (c) Act as a cooperative facilitator for state business and
341 higher education communities to share cybersecurity knowledge,
342 resources, and training. The center shall coordinate with the
343 Technology Advisory Council in pursuit of this goal.
344 (d) Seek out partnerships with major military installations
345 to assist, when possible, in homeland cybersecurity defense
346 initiatives.
347 (e) Attract cybersecurity companies to the state with an
348 emphasis on defense, finance, health care, transportation, and
349 utility sectors.
350 Section 5. For the 2016-2017 fiscal year, the sums of
351 $650,000 in nonrecurring funds and $50,000 in recurring funds
352 are appropriated from the General Revenue Fund to the Agency for
353 State Technology to conduct training exercises in coordination
354 with the Florida National Guard.
355 Section 6. For the 2016-2017 fiscal year, the sum of $12
356 million is appropriated from the General Revenue Fund to the
357 Agency for State Technology for the purpose of implementing this
358 act.
359 Section 7. This act shall take effect July 1, 2016.