Florida Senate - 2017 SB 174
By Senator Artiles
40-00297-17 2017174__
1 A bill to be entitled
2 An act relating to the Enterprise Information
3 Technology Services Management Act; amending s.
4 282.0041, F.S.; revising definitions; amending s.
5 282.0051, F.S.; revising certain powers, duties, and
6 functions of the Agency for State Technology in
7 collaboration with the Department of Management
8 Services; amending s. 282.201, F.S.; authorizing
9 certain service-level agreements entered into by the
10 state data center to be extended for a specified
11 duration; requiring the state data center to submit a
12 specified report to the Executive Office of the
13 Governor under certain circumstances; deleting a
14 requirement within a service-level agreement to
15 provide a certain termination notice to the Agency for
16 State Technology; requiring the state data center to
17 plan, design, and conduct certain testing if cost
18 effective; deleting obsolete provisions relating to
19 the schedule for consolidations of agency data
20 centers; conforming provisions to changes made by the
21 act; reenacting s. 943.0415(2) and (3), F.S., relating
22 to the Cybercrime Office within the Department of Law
23 Enforcement, to incorporate the amendment made to s.
24 282.0041, F.S., in references thereto; providing an
25 effective date.
26
27 Be It Enacted by the Legislature of the State of Florida:
28
29 Section 1. Subsections (2) and (10) of section 282.0041,
30 Florida Statutes, are amended to read:
31 282.0041 Definitions.—As used in this chapter, the term:
32 (2) “Breach” has the same meaning as defined in s. 501.171
33 means a confirmed event that compromises the confidentiality,
34 integrity, or availability of information or data.
35 (10) “Incident” means a violation or imminent threat of
36 violation, whether such violation is accidental or deliberate,
37 of information technology resources, security policies,
38 acceptable use policies, or standard security practices. An
39 imminent threat of violation refers to a situation in which the
40 state agency has a factual basis for believing that a specific
41 incident is about to occur.
42 Section 2. Subsection (18) of section 282.0051, Florida
43 Statutes, is amended to read:
44 282.0051 Agency for State Technology; powers, duties, and
45 functions.—The Agency for State Technology shall have the
46 following powers, duties, and functions:
47 (18) In collaboration with the Department of Management
48 Services:
49 (a) Establish an information technology policy for all
50 information technology-related state contracts, including state
51 term contracts for information technology commodities,
52 consultant services, and staff augmentation services. The
53 information technology policy must include:
54 1. Identification of the information technology product and
55 service categories to be included in state term contracts.
56 2. Requirements to be included in solicitations for state
57 term contracts.
58 3. Evaluation criteria for the award of information
59 technology-related state term contracts.
60 4. The term of each information technology-related state
61 term contract.
62 5. The maximum number of vendors authorized on each state
63 term contract.
64 (b) Evaluate vendor responses for information technology
65 related state term contract solicitations and invitations to
66 negotiate.
67 (c) Answer vendor questions on information technology
68 related state term contract solicitations.
69 (d) Ensure that all information technology-related
70 solicitations by the department are procured and state contracts
71 are managed in accordance with the information technology policy
72 established under pursuant to paragraph (a) is included in all
73 solicitations and contracts which are administratively executed
74 by the department.
75 Section 3. Paragraph (d) of subsection (2) of section
76 282.201, Florida Statutes, is amended, paragraph (g) is added to
77 that subsection, and subsection (4) of that section is amended,
78 to read:
79 282.201 State data center.—The state data center is
80 established within the Agency for State Technology and shall
81 provide data center services that are hosted on premises or
82 externally through a third-party provider as an enterprise
83 information technology service. The provision of services must
84 comply with applicable state and federal laws, regulations, and
85 policies, including all applicable security, privacy, and
86 auditing requirements.
87 (2) STATE DATA CENTER DUTIES.–The state data center shall:
88 (d) Enter into a service-level agreement with each customer
89 entity to provide the required type and level of service or
90 services. If a customer entity fails to execute an agreement
91 within 60 days after commencement of a service, the state data
92 center may cease service. A service-level agreement may not have
93 an original a term exceeding 3 years, but the service-level
94 agreement may be extended for up to 6 months. If the state data
95 center and an existing customer entity either execute an
96 extension or fail to execute a new service-level agreement
97 before the expiration of an existing service-level agreement,
98 the state data center must submit a report to the Executive
99 Office of the Governor within 5 days after the date of the
100 executed extension or 15 days before the scheduled expiration
101 date of the service-level agreement, as applicable, to explain
102 the specific issues preventing execution of a new service-level
103 agreement and to describe the plan and schedule for resolving
104 those issues. A service-level agreement, and at a minimum, must:
105 1. Identify the parties and their roles, duties, and
106 responsibilities under the agreement.
107 2. State the duration of the contract term and specify the
108 conditions for renewal.
109 3. Identify the scope of work.
110 4. Identify the products or services to be delivered with
111 sufficient specificity to permit an external financial or
112 performance audit.
113 5. Establish the services to be provided, the business
114 standards that must be met for each service, the cost of each
115 service, and the metrics and processes by which the business
116 standards for each service are to be objectively measured and
117 reported.
118 6. Provide a timely billing methodology to recover the cost
119 of services provided to the customer entity pursuant to s.
120 215.422.
121 7. Provide a procedure for modifying the service-level
122 agreement based on changes in the type, level, and cost of a
123 service.
124 8. Include a right-to-audit clause to ensure that the
125 parties to the agreement have access to records for audit
126 purposes during the term of the service-level agreement.
127 9. Provide that a service-level agreement may be terminated
128 by either party for cause only after giving the other party and
129 the Agency for State Technology notice in writing of the cause
130 for termination and an opportunity for the other party to
131 resolve the identified cause within a reasonable period.
132 10. Provide for mediation of disputes by the Division of
133 Administrative Hearings pursuant to s. 120.573.
134 (g) Plan, design, and conduct testing with information
135 technology resources to implement services within the scope of
136 the services provided by the state data center, if cost
137 effective.
138 (4) SCHEDULE FOR CONSOLIDATIONS OF AGENCY DATA CENTERS.—
139 (a) Consolidations of agency data centers and computing
140 facilities into the state data center shall be made by the dates
141 specified in this section and in accordance with budget
142 adjustments contained in the General Appropriations Act.
143 (b) During the 2013-2014 fiscal year, the following state
144 agencies shall be consolidated by the specified date:
145 1. By October 31, 2013, the Department of Economic
146 Opportunity.
147 2. By December 31, 2013, the Executive Office of the
148 Governor, to include the Division of Emergency Management except
149 for the Emergency Operation Center’s management system in
150 Tallahassee and the Camp Blanding Emergency Operations Center in
151 Starke.
152 3. By March 31, 2014, the Department of Elderly Affairs.
153 4. By October 30, 2013, the Fish and Wildlife Conservation
154 Commission, except for the commission’s Fish and Wildlife
155 Research Institute in St. Petersburg.
156 (a)(c) The following agency data centers are exempt from
157 state data center consolidation under this section: the
158 Department of Law Enforcement, the Department of the Lottery’s
159 Gaming System, Systems Design and Development in the Office of
160 Policy and Budget, the regional traffic management centers as
161 described in s. 335.14(2) and the Office of Toll Operations of
162 the Department of Transportation, the State Board of
163 Administration, state attorneys, public defenders, criminal
164 conflict and civil regional counsel, capital collateral regional
165 counsel, and the Florida Housing Finance Corporation.
166 (b)(d) A state agency that is consolidating its agency data
167 center or computing facility into the state data center must
168 execute a new or update an existing service-level agreement
169 within 60 days after the commencement of the service. If a state
170 agency and the state data center are unable to execute a
171 service-level agreement by that date, the agency shall submit a
172 report to the Executive Office of the Governor within 5 working
173 days after that date which explains the specific issues
174 preventing execution and describing the plan and schedule for
175 resolving those issues.
176 (c)(e) Each state agency consolidating scheduled for
177 consolidation into the state data center shall submit a
178 transition plan to the Agency for State Technology by July 1 of
179 the fiscal year before the fiscal year in which the scheduled
180 consolidation will occur. Transition plans shall be developed in
181 consultation with the state data center and must include:
182 1. An inventory of the agency data center’s resources being
183 consolidated, including all hardware and its associated life
184 cycle replacement schedule, software, staff, contracted
185 services, and facility resources performing data center
186 management and operations, security, backup and recovery,
187 disaster recovery, system administration, database
188 administration, system programming, job control, production
189 control, print, storage, technical support, help desk, and
190 managed services, but excluding application development, and the
191 agency’s costs supporting these resources.
192 2. A list of contracts in effect, including, but not
193 limited to, contracts for hardware, software, and maintenance,
194 which identifies the expiration date, the contract parties, and
195 the cost of each contract.
196 3. A detailed description of the level of services needed
197 to meet the technical and operational requirements of the
198 platforms being consolidated.
199 4. A timetable with significant milestones for the
200 completion of the consolidation.
201 (d)(f) Each state agency consolidating scheduled for
202 consolidation into the state data center shall submit with its
203 respective legislative budget request the specific recurring and
204 nonrecurring budget adjustments of resources by appropriation
205 category into the appropriate data processing category pursuant
206 to the legislative budget request instructions in s. 216.023.
207 Section 4. For the purpose of incorporating the amendment
208 made by this act to section 282.0041, Florida Statutes, in
209 references thereto, subsections (2) and (3) of section 943.0415,
210 Florida Statutes, are reenacted to read:
211 943.0415 Cybercrime Office.—There is created within the
212 Department of Law Enforcement the Cybercrime Office. The office
213 may:
214 (2) Monitor state information technology resources and
215 provide analysis on information technology security incidents,
216 threats, and breaches as defined in s. 282.0041.
217 (3) Investigate violations of state law pertaining to
218 information technology security incidents pursuant to s.
219 282.0041 and assist in incident response and recovery.
220 Section 5. This act shall take effect July 1, 2017.