Florida Senate - 2016 SB 7050
By the Committee on Governmental Oversight and Accountability
585-02231-16 20167050__
1 A bill to be entitled
2 An act relating to information technology security;
3 amending s. 20.61, F.S.; revising the membership of
4 the Technology Advisory Council to include a
5 cybersecurity expert; requiring the council, in
6 coordination with the Florida Center for
7 Cybersecurity, to identify and recommend STEM training
8 opportunities; amending s. 282.318, F.S.; revising
9 duties of the Agency for State Technology; providing
10 for administration of a third-party risk assessment;
11 providing for the establishment of computer security
12 incident response teams within state agencies;
13 establishing procedures for reporting information
14 technology security incidents; providing for
15 continuously updated agency incident response plans;
16 providing for information technology security and
17 cybersecurity awareness training; providing for the
18 establishment of a collaborative STEM program for
19 cybersecurity workforce development; establishing
20 computer security incident response team
21 responsibilities; requiring each state agency head to
22 conduct a third-party administered risk assessment;
23 establishing notification procedures and reporting
24 timelines for an information technology security
25 incident or breach; amending s. 1001.03, F.S.;
26 revising entities directed to adopt a unified state
27 plan for K-20 STEM education to include the Technology
28 Advisory Council; amending s. 1004.444, F.S.;
29 requiring the Florida Center for Cybersecurity to
30 coordinate with the Technology Advisory Council;
31 providing appropriations; providing an effective date.
32
33 Be It Enacted by the Legislature of the State of Florida:
34
35 Section 1. Subsection (3) of section 20.61, Florida
36 Statutes, is amended to read:
37 20.61 Agency for State Technology.—The Agency for State
38 Technology is created within the Department of Management
39 Services. The agency is a separate budget program and is not
40 subject to control, supervision, or direction by the Department
41 of Management Services, including, but not limited to,
42 purchasing, transactions involving real or personal property,
43 personnel, or budgetary matters.
44 (3) The Technology Advisory Council, consisting of seven
45 members, is established within the Agency for State Technology
46 and shall be maintained pursuant to s. 20.052. Four members of
47 the council shall be appointed by the Governor, two of whom must
48 be from the private sector and one of whom must be a
49 cybersecurity expert. The President of the Senate and the
50 Speaker of the House of Representatives shall each appoint one
51 member of the council. The Attorney General, the Commissioner of
52 Agriculture and Consumer Services, and the Chief Financial
53 Officer shall jointly appoint one member by agreement of a
54 majority of these officers. Upon initial establishment of the
55 council, two of the Governor’s appointments shall be for 2-year
56 terms. Thereafter, all appointments shall be for 4-year terms.
57 (a) The council shall consider and make recommendations to
58 the executive director on such matters as enterprise information
59 technology policies, standards, services, and architecture. The
60 council may also identify and recommend opportunities for the
61 establishment of public-private partnerships when considering
62 technology infrastructure and services in order to accelerate
63 project delivery and provide a source of new or increased
64 project funding.
65 (b) The executive director shall consult with the council
66 with regard to executing the duties and responsibilities of the
67 agency related to statewide information technology strategic
68 planning and policy.
69 (c) The council shall coordinate with the Florida Center
70 for Cybersecurity to identify and recommend opportunities for
71 establishing cutting-edge educational and training programs in
72 science, technology, engineering, and mathematics (STEM) for
73 students, consistent with the unified state plan adopted
74 pursuant to s. 1001.03(17); increasing the cybersecurity
75 workforce in the state; and preparing cybersecurity
76 professionals to possess a wide range of expertise.
77 (d)(c) The council shall be governed by the Code of Ethics
78 for Public Officers and Employees as set forth in part III of
79 chapter 112, and each member must file a statement of financial
80 interests pursuant to s. 112.3145.
81 Section 2. Section 282.318, Florida Statutes, is amended to
82 read:
83 282.318 Security of data and information technology.—
84 (1) This section may be cited as the “Information
85 Technology Security Act.”
86 (2) As used in this section, the term “state agency” has
87 the same meaning as provided in s. 282.0041, except that the
88 term includes the Department of Legal Affairs, the Department of
89 Agriculture and Consumer Services, and the Department of
90 Financial Services.
91 (3) The Agency for State Technology is responsible for
92 establishing standards and processes consistent with generally
93 accepted best practices for information technology security and
94 cybersecurity and adopting rules that safeguard an agency’s
95 data, information, and information technology resources to
96 ensure availability, confidentiality, and integrity and to
97 mitigate risks. The agency shall also:
98 (a) Develop, and annually update by February 1, a statewide
99 information technology security strategic plan that includes
100 security goals and objectives for the strategic issues of
101 information technology security policy, risk management,
102 training, incident management, and disaster recovery planning.
103 (b) Develop and publish for use by state agencies an
104 information technology security framework that, at a minimum,
105 includes guidelines and processes for:
106 1. Establishing asset management procedures to ensure that
107 an agency’s information technology resources are identified and
108 managed consistent with their relative importance to the
109 agency’s business objectives.
110 2. Using a standard risk assessment methodology that
111 includes the identification of an agency’s priorities,
112 constraints, risk tolerances, and assumptions necessary to
113 support operational risk decisions.
114 3. Completing comprehensive risk assessments and
115 information technology security audits and submitting completed
116 assessments and audits to the Agency for State Technology.
117 4. Completing risk assessments administered by a third
118 party and submitting completed assessments to the Agency for
119 State Technology.
120 5.4. Identifying protection procedures to manage the
121 protection of an agency’s information, data, and information
122 technology resources.
123 6.5. Establishing procedures for accessing information and
124 data to ensure the confidentiality, integrity, and availability
125 of such information and data.
126 7.6. Detecting threats through proactive monitoring of
127 events, continuous security monitoring, and defined detection
128 processes.
129 8.7. Establishing a computer security incident response
130 team to respond to suspected Responding to information
131 technology security incidents, including breaches of personal
132 information containing confidential or exempt data. An agency’s
133 computer security incident response team must convene as soon as
134 practicable upon notice of a suspected security incident and
135 shall determine the appropriate response.
136 9.8. Recovering information and data in response to an
137 information technology security incident. The recovery may
138 include recommended improvements to the agency processes,
139 policies, or guidelines.
140 10. Establishing an information technology security
141 incident reporting process, which must include a procedure for
142 notification of the Agency for State Technology and the
143 Cybercrime Office of the Department of Law Enforcement. The
144 notification procedure must provide for tiered reporting
145 timeframes, with incidents of critical impact reported
146 immediately upon discovery, incidents of high impact reported
147 within 4 hours of discovery, and incidents of low impact
148 reported within 5 business days of discovery.
149 11. Incorporating lessons learned through detection and
150 response activities into agency incident response plans to
151 continuously improve organizational response activities.
152 12.9. Developing agency strategic and operational
153 information technology security plans required pursuant to this
154 section.
155 13.10. Establishing the managerial, operational, and
156 technical safeguards for protecting state government data and
157 information technology resources that align with the state
158 agency risk management strategy and that protect the
159 confidentiality, integrity, and availability of information and
160 data.
161 14. Providing all agency employees with information
162 technology security and cybersecurity awareness education and
163 training within 30 days after commencing employment.
164 (c) Assist state agencies in complying with this section.
165 (d) In collaboration with the Cybercrime Office of the
166 Department of Law Enforcement, provide training that must
167 include training on cybersecurity threats, trends, and best
168 practices for state agency information security managers and
169 computer security incident response team members at least
170 annually.
171 (e) Annually review the strategic and operational
172 information technology security plans of executive branch
173 agencies.
174 (f) Develop and establish a cutting-edge internship or
175 work-study program in science, technology, engineering, and
176 mathematics (STEM), which will produce a more skilled
177 cybersecurity workforce in the state. The program must be a
178 collaborative effort involving negotiations between the Agency
179 for State Technology, relevant Agency for State Technology
180 partners, and the Florida Center for Cybersecurity.
181 (4) Each state agency head shall, at a minimum:
182 (a) Designate an information security manager to administer
183 the information technology security program of the state agency.
184 This designation must be provided annually in writing to the
185 Agency for State Technology by January 1. A state agency’s
186 information security manager, for purposes of these information
187 security duties, shall report directly to the agency head.
188 1. The information security manager shall establish a
189 computer security incident response team to respond to a
190 suspected computer security incident.
191 2. Computer security incident response team members shall
192 convene as soon as practicable upon notice of a suspected
193 security incident.
194 3. Computer security incident response team members shall
195 determine the appropriate response for a suspected computer
196 security incident. An appropriate response includes taking
197 action to prevent expansion or recurrence of an incident,
198 mitigating the effects of an incident, and eradicating an
199 incident. Newly identified risks must be mitigated or documented
200 as an accepted risk by computer security incident response team
201 members.
202 (b) Submit to the Agency for State Technology annually by
203 July 31, the state agency’s strategic and operational
204 information technology security plans developed pursuant to
205 rules and guidelines established by the Agency for State
206 Technology.
207 1. The state agency strategic information technology
208 security plan must cover a 3-year period and, at a minimum,
209 define security goals, intermediate objectives, and projected
210 agency costs for the strategic issues of agency information
211 security policy, risk management, security training, security
212 incident response, and disaster recovery. The plan must be based
213 on the statewide information technology security strategic plan
214 created by the Agency for State Technology and include
215 performance metrics that can be objectively measured to reflect
216 the status of the state agency’s progress in meeting security
217 goals and objectives identified in the agency’s strategic
218 information security plan.
219 2. The state agency operational information technology
220 security plan must include a progress report that objectively
221 measures progress made towards the prior operational information
222 technology security plan and a project plan that includes
223 activities, timelines, and deliverables for security objectives
224 that the state agency will implement during the current fiscal
225 year.
226 (c) Conduct, and update every 3 years, a comprehensive risk
227 assessment to determine the security threats to the data,
228 information, and information technology resources of the agency.
229 The risk assessment must comply with the risk assessment
230 methodology developed by the Agency for State Technology and is
231 confidential and exempt from s. 119.07(1), except that such
232 information shall be available to the Auditor General, the
233 Agency for State Technology, the Cybercrime Office of the
234 Department of Law Enforcement, and, for state agencies under the
235 jurisdiction of the Governor, the Chief Inspector General.
236 (d) Subject to annual legislative appropriation, conduct a
237 risk assessment that must be administered by a third party
238 consistent with the guidelines and processes prescribed by the
239 Agency for State Technology. An initial risk assessment must be
240 completed by July 31, 2017. Additional risk assessments shall be
241 completed periodically consistent with the guidelines and
242 processes prescribed by the Agency for State Technology.
243 (e)(d) Develop, and periodically update, written internal
244 policies and procedures, which include procedures for reporting
245 information technology security incidents and breaches to the
246 Cybercrime Office of the Department of Law Enforcement and the
247 Agency for State Technology. Procedures for reporting
248 information technology security incidents and breaches must
249 include notification procedures and reporting timeframes. Such
250 policies and procedures must be consistent with the rules,
251 guidelines, and processes established by the Agency for State
252 Technology to ensure the security of the data, information, and
253 information technology resources of the agency. The internal
254 policies and procedures that, if disclosed, could facilitate the
255 unauthorized modification, disclosure, or destruction of data or
256 information technology resources are confidential information
257 and exempt from s. 119.07(1), except that such information shall
258 be available to the Auditor General, the Cybercrime Office of
259 the Department of Law Enforcement, the Agency for State
260 Technology, and, for state agencies under the jurisdiction of
261 the Governor, the Chief Inspector General.
262 (f)(e) Implement managerial, operational, and technical
263 safeguards established by the Agency for State Technology to
264 address identified risks to the data, information, and
265 information technology resources of the agency.
266 (g)(f) Ensure that periodic internal audits and evaluations
267 of the agency’s information technology security program for the
268 data, information, and information technology resources of the
269 agency are conducted. The results of such audits and evaluations
270 are confidential information and exempt from s. 119.07(1),
271 except that such information shall be available to the Auditor
272 General, the Cybercrime Office of the Department of Law
273 Enforcement, the Agency for State Technology, and, for agencies
274 under the jurisdiction of the Governor, the Chief Inspector
275 General.
276 (h)(g) Include appropriate information technology security
277 requirements in the written specifications for the solicitation
278 of information technology and information technology resources
279 and services, which are consistent with the rules and guidelines
280 established by the Agency for State Technology in collaboration
281 with the Department of Management Services.
282 (i)(h) Provide information technology security and
283 cybersecurity awareness training to all state agency employees
284 in the first 30 days after commencing employment concerning
285 information technology security risks and the responsibility of
286 employees to comply with policies, standards, guidelines, and
287 operating procedures adopted by the state agency to attain an
288 appropriate level of cyber literacy and reduce those risks. The
289 training may be provided in collaboration with the Cybercrime
290 Office of the Department of Law Enforcement. Agencies shall
291 ensure that privileged users, third-party stakeholders, senior
292 executives, and physical and information security personnel
293 understand their roles and responsibilities.
294 (j) In collaboration with the Cybercrime Office of the
295 Department of Law Enforcement, provide training on cybersecurity
296 threats, trends, and best practices to computer security
297 incident response team members at least annually.
298 (k)(i) Develop a process for detecting, reporting, and
299 responding to threats, breaches, or information technology
300 security incidents that are consistent with the security rules,
301 guidelines, and processes established by the Agency for State
302 Technology.
303 1. All information technology security incidents and
304 breaches must be reported to the Agency for State Technology.
305 Procedures for reporting information technology security
306 incidents and breaches must include notification procedures.
307 2. For information technology security breaches, state
308 agencies shall provide notice in accordance with s. 501.171.
309 (l) Improve organizational response activities by
310 incorporating lessons learned from current and previous
311 detection and response activities into response plans.
312 (5) The Agency for State Technology shall adopt rules
313 relating to information technology security and to administer
314 this section.
315 Section 3. Subsection (17) of section 1001.03, Florida
316 Statutes, is amended to read:
317 1001.03 Specific powers of State Board of Education.—
318 (17) UNIFIED STATE PLAN FOR SCIENCE, TECHNOLOGY,
319 ENGINEERING, AND MATHEMATICS (STEM).—The State Board of
320 Education, in consultation with the Board of Governors, the
321 Technology Advisory Council, and the Department of Economic
322 Opportunity, shall adopt a unified state plan to improve K-20
323 STEM education and prepare students for high-skill, high-wage,
324 and high-demand employment in STEM and STEM-related fields.
325 Section 4. Section 1004.444, Florida Statutes, is amended
326 to read:
327 1004.444 Florida Center for Cybersecurity.—
328 (1) The Florida Center for Cybersecurity is established
329 within the University of South Florida.
330 (2) The goals of the center are to:
331 (a) Position Florida as the national leader in
332 cybersecurity and its related workforce through education,
333 research, and community engagement. The center shall coordinate
334 with the Technology Advisory Council in pursuit of this goal.
335 (b) Assist in the creation of jobs in the state’s
336 cybersecurity industry and enhance the existing cybersecurity
337 workforce. The center shall coordinate with the Technology
338 Advisory Council in pursuit of this goal.
339 (c) Act as a cooperative facilitator for state business and
340 higher education communities to share cybersecurity knowledge,
341 resources, and training. The center shall coordinate with the
342 Technology Advisory Council in pursuit of this goal.
343 (d) Seek out partnerships with major military installations
344 to assist, when possible, in homeland cybersecurity defense
345 initiatives.
346 (e) Attract cybersecurity companies to the state with an
347 emphasis on defense, finance, health care, transportation, and
348 utility sectors.
349 Section 5. For the 2016-2017 fiscal year, the sums of
350 $650,000 in nonrecurring funds and $50,000 in recurring funds
351 are appropriated from the General Revenue Fund to the Agency for
352 State Technology to conduct training exercises in coordination
353 with the Florida National Guard.
354 Section 6. For the 2016-2017 fiscal year, the sum of $12
355 million is appropriated from the General Revenue Fund to the
356 Agency for State Technology for the purpose of implementing this
357 act.
358 Section 7. This act shall take effect July 1, 2016.