Florida Senate - 2019 SB 1570
By Senator Hooper
16-01145-19 20191570__
1 A bill to be entitled
2 An act relating to information technology
3 reorganization; transferring all powers, duties,
4 functions, records, offices, personnel, associated
5 administrative support positions, property, pending
6 issues and existing contracts, administrative
7 authority, certain administrative rules, trust funds,
8 and unexpended balances of appropriations,
9 allocations, and other funds of the Agency for State
10 Technology to the Department of Management Services by
11 a type two transfer; providing for the continuation of
12 certain contracts and interagency agreements; amending
13 s. 20.22, F.S.; establishing the Division of State
14 Technology within the Department of Management
15 Services to supersede the Technology Program;
16 establishing the position of state chief information
17 officer and providing qualifications thereof; amending
18 s. 20.255, F.S.; removing the expiration for
19 provisions designating the Department of Environmental
20 Protection as the lead agency for geospatial data;
21 authorizing the department to adopt rules for
22 specified purposes; repealing s. 20.61, F.S., relating
23 to the Agency for State Technology; amending s.
24 112.061, F.S.; authorizing the Department of
25 Management Services to adopt rules for certain
26 purposes; defining the term “statewide travel
27 management system”; specifying reporting requirements
28 for executive branch agencies and the judicial branch
29 through the statewide travel management system;
30 specifying that travel reports on the system may not
31 reveal confidential or exempt information; amending s.
32 282.003, F.S.; revising a short title; reordering and
33 amending s. 282.0041, F.S.; revising and providing
34 definitions; amending s. 282.0051, F.S.; transferring
35 powers, duties, and functions of the Agency for State
36 Technology to the Department of Management Services
37 and revising such powers, duties, and functions;
38 removing certain project oversight requirements;
39 requiring agency projected costs for data center
40 services to be provided to the Governor and the
41 Legislature on an annual basis; requiring the
42 department to provide certain recommendations;
43 amending s. 282.201, F.S.; transferring the state data
44 center from the Agency for State Technology to the
45 Department of Management Services; requiring the
46 department to appoint a director of the state data
47 center; deleting legislative intent; revising duties
48 of the state data center; requiring the state data
49 center to show preference for cloud-computing
50 solutions in its procurement process; revising the use
51 of the state data center and certain consolidation
52 requirements; removing obsolete language; revising
53 agency limitations; creating s. 282.206, F.S.;
54 providing legislative intent regarding the use of
55 cloud computing; requiring each state agency to adopt
56 formal procedures for cloud-computing options;
57 requiring a state agency to develop, and update
58 annually, a strategic plan for submission to the
59 Governor and the Legislature; specifying requirements
60 for the strategic plan; requiring a state agency
61 customer entity to notify the state data center
62 biannually of changes in anticipated use of state data
63 center services; specifying requirements and
64 limitations as to cloud-computing services for the
65 Department of Law Enforcement; amending s. 282.318,
66 F.S.; requiring the Department of Management Services
67 to appoint a state chief information security officer;
68 revising and specifying requirements for service-level
69 agreements for information technology and information
70 technology resources and services; conforming
71 provisions to changes made by the act; amending ss.
72 17.0315, 20.055, 97.0525, 110.205, 215.322, 215.96,
73 287.057, 282.00515, 287.0591, 365.171, 365.172,
74 365.173, 445.011, 445.045, 668.50, and 943.0415, F.S.;
75 conforming provisions and a cross-reference to changes
76 made by the act; creating the Florida Cybersecurity
77 Task Force; providing for the membership, meeting
78 requirements, and duties of the task force; providing
79 for administrative and staff support; requiring
80 executive branch departments and agencies to cooperate
81 with information requests made by the task force;
82 providing reporting requirements; providing for
83 expiration of the task force; providing an effective
84 date.
85
86 Be It Enacted by the Legislature of the State of Florida:
87
88 Section 1. All powers; duties; functions; records; offices;
89 personnel; associated administrative support positions;
90 property; pending issues and existing contracts; administrative
91 authority; administrative rules in chapter 74, Florida
92 Administrative Code, in effect as of July 1, 2019; trust funds;
93 and unexpended balances of appropriations, allocations, and
94 other funds of the Agency for State Technology are transferred
95 by a type two transfer pursuant to s. 20.06(2), Florida
96 Statutes, to the Department of Management Services.
97 Section 2. Any contract or interagency agreement existing
98 before July 1, 2019, between the Agency for State Technology, or
99 any entity or agent of the agency, and any other agency, entity,
100 or person shall continue as a contract or agreement on the
101 successor department or entity responsible for the program,
102 activity, or function relative to the contract or agreement.
103 Section 3. Paragraph (b) of subsection (2) and subsection
104 (4) of section 20.22, Florida Statutes, are amended to read:
105 20.22 Department of Management Services.—There is created a
106 Department of Management Services.
107 (2) The following divisions and programs within the
108 Department of Management Services are established:
109 (b) Division of State Technology, the director of which is
110 appointed by the secretary of the department and shall serve as
111 the state chief information officer. The state chief information
112 officer must be a proven, effective administrator who must have
113 at least 10 years of executive-level experience in the public or
114 private sector, preferably with experience in the development of
115 information technology strategic planning and the development
116 and implementation of fiscal and substantive information
117 technology policy and standards Technology Program.
118 (4) The Department of Management Services shall provide the
119 Agency for State Technology with financial management oversight.
120 The agency shall provide the department all documents and
121 necessary information, as requested, to meet the requirements of
122 this section. The department’s financial management oversight
123 includes:
124 (a) Developing and implementing cost-recovery mechanisms
125 for the administrative and data center costs of services through
126 agency assessments of applicable customer entities. Such cost
127 recovery mechanisms must comply with applicable state and
128 federal regulations concerning the distribution and use of funds
129 and must ensure that, for each fiscal year, no service or
130 customer entity subsidizes another service or customer entity.
131 (b) Implementing an annual reconciliation process to ensure
132 that each customer entity is paying for the full direct and
133 indirect cost of each service as determined by the customer
134 entity’s use of each service.
135 (c) Providing rebates that may be credited against future
136 billings to customer entities when revenues exceed costs.
137 (d) Requiring each customer entity to transfer sufficient
138 funds into the appropriate data processing appropriation
139 category before implementing a customer entity’s request for a
140 change in the type or level of service provided, if such change
141 results in a net increase to the customer entity’s costs for
142 that fiscal year.
143 (e) By October 1, 2018, providing to each customer entity’s
144 agency head the estimated agency assessment cost by the Agency
145 for State Technology for the following fiscal year. The agency
146 assessment cost of each customer entity includes administrative
147 and data center services costs of the agency.
148 (f) Preparing the legislative budget request for the Agency
149 for State Technology based on the issues requested and approved
150 by the executive director of the Agency for State Technology.
151 Upon the approval of the agency’s executive director, the
152 Department of Management Services shall transmit the agency’s
153 legislative budget request to the Governor and the Legislature
154 pursuant to s. 216.023.
155 (g) Providing a plan for consideration by the Legislative
156 Budget Commission if the Agency for State Technology increases
157 the cost of a service for a reason other than a customer
158 entity’s request made under paragraph (d). Such a plan is
159 required only if the service cost increase results in a net
160 increase to a customer entity.
161 (h) Providing a timely invoicing methodology to recover the
162 cost of services provided to the customer entity pursuant to s.
163 215.422.
164 (i) Providing an annual reconciliation process of prior
165 year expenditures completed on a timely basis and overall budget
166 management pursuant to chapter 216.
167 (j) This subsection expires July 1, 2019.
168 Section 4. Subsection (9) of section 20.255, Florida
169 Statutes, is amended to read:
170 20.255 Department of Environmental Protection.—There is
171 created a Department of Environmental Protection.
172 (9) The department shall act as the lead agency of the
173 executive branch for the development and review of policies,
174 practices, and standards related to geospatial data managed by
175 state agencies and water management districts. The department
176 shall coordinate and promote geospatial data sharing throughout
177 the state government and serve as the primary point of contact
178 for statewide geographic information systems projects, grants,
179 and resources. The department may adopt rules pursuant to ss.
180 120.536(1) and 120.54 to implement this subsection This
181 subsection expires July 1, 2019.
182 Section 5. Section 20.61, Florida Statutes, is repealed.
183 Section 6. Paragraph (c) is added to subsection (9) of
184 section 112.061, Florida Statutes, and subsection (16) is added
185 to that section, to read:
186 112.061 Per diem and travel expenses of public officers,
187 employees, and authorized persons; statewide travel management
188 system.—
189 (9) RULES.—
190 (c) The Department of Management Services may adopt rules
191 to administer the provisions of this section which relate to the
192 statewide travel management system.
193 (16) STATEWIDE TRAVEL MANAGEMENT SYSTEM.—
194 (a) For purposes of this subsection, “statewide travel
195 management system” means the system developed by the Department
196 of Management Services to:
197 1. Collect and store information relating to public officer
198 or employee travel information;
199 2. Standardize and automate agency travel management;
200 3. Allow for travel planning and approval, expense
201 reporting, and reimbursement; and
202 4. Allow travel information queries.
203 (b) Each executive branch state government agency and the
204 judicial branch must report on the statewide travel management
205 system all public officer and employee travel information,
206 including, but not limited to, name and position title; purpose
207 of travel; dates and location of travel; mode of travel;
208 confirmation from the head of the agency or designee
209 authorization, if required; and total travel cost. Each
210 executive branch state government agency and the judicial branch
211 must use the statewide travel management system for purposes of
212 travel authorization and reimbursement.
213 (c) Travel reports made available on the statewide travel
214 management system may not reveal information made confidential
215 or exempt by law.
216 Section 7. Section 282.003, Florida Statutes, is amended to
217 read:
218 282.003 Short title.—This part may be cited as the
219 “Enterprise Information Technology Services Management Act.”
220 Section 8. Effective July 1, 2019, and upon the expiration
221 of the amendment to that section made by chapter 2018-10, Laws
222 of Florida, section 282.0041, Florida Statutes, is reordered and
223 amended to read:
224 282.0041 Definitions.—As used in this chapter, the term:
225 (1) “Agency assessment” means the amount each customer
226 entity must pay annually for services from the Department of
227 Management Services and includes administrative and data center
228 services costs.
229 (2)(1) “Agency data center” means agency space containing
230 10 or more physical or logical servers.
231 (3)(2) “Breach” has the same meaning as provided in s.
232 501.171 means a confirmed event that compromises the
233 confidentiality, integrity, or availability of information or
234 data.
235 (4)(3) “Business continuity plan” means a collection of
236 procedures and information designed to keep an agency’s critical
237 operations running during a period of displacement or
238 interruption of normal operations.
239 (5) “Cloud computing” has the same meaning as provided in
240 Special Publication 800-145 issued by the National Institute of
241 Standards and Technology.
242 (6)(4) “Computing facility” or “agency computing facility”
243 means agency space containing fewer than a total of 10 physical
244 or logical servers, but excluding single, logical-server
245 installations that exclusively perform a utility function such
246 as file and print servers.
247 (7)(5) “Customer entity” means an entity that obtains
248 services from the Department of Management Services state data
249 center.
250 (8) “Data” means a subset of structured information in a
251 format that allows such information to be electronically
252 retrieved and transmitted.
253 (9)(6) “Department” means the Department of Management
254 Services.
255 (10)(7) “Disaster recovery” means the process, policies,
256 procedures, and infrastructure related to preparing for and
257 implementing recovery or continuation of an agency’s vital
258 technology infrastructure after a natural or human-induced
259 disaster.
260 (11)(8) “Enterprise information technology service” means
261 an information technology service that is used in all agencies
262 or a subset of agencies and is established in law to be
263 designed, delivered, and managed at the enterprise level.
264 (12)(9) “Event” means an observable occurrence in a system
265 or network.
266 (13)(10) “Incident” means a violation or imminent threat of
267 violation, whether such violation is accidental or deliberate,
268 of information technology resources, security policies,
269 acceptable use policies, or standard security practices. An
270 imminent threat of violation refers to a situation in which the
271 state agency has a factual basis for believing that a specific
272 incident is about to occur.
273 (14)(11) “Information technology” means equipment,
274 hardware, software, firmware, programs, systems, networks,
275 infrastructure, media, and related material used to
276 automatically, electronically, and wirelessly collect, receive,
277 access, transmit, display, store, record, retrieve, analyze,
278 evaluate, process, classify, manipulate, manage, assimilate,
279 control, communicate, exchange, convert, converge, interface,
280 switch, or disseminate information of any kind or form.
281 (15)(12) “Information technology policy” means a definite
282 course or method of action selected from among one or more
283 alternatives that guide and determine present and future
284 decisions.
285 (16)(13) “Information technology resources” has the same
286 meaning as provided in s. 119.011.
287 (17)(14) “Information technology security” means the
288 protection afforded to an automated information system in order
289 to attain the applicable objectives of preserving the integrity,
290 availability, and confidentiality of data, information, and
291 information technology resources.
292 (18) “Open data” means data collected or created by a state
293 agency and structured in a way that enables the data to be fully
294 discoverable and usable by the public. The term does not include
295 data that are restricted from public distribution based on
296 federal or state privacy, confidentiality, and security laws and
297 regulations or data for which a state agency is statutorily
298 authorized to assess a fee for its distribution.
299 (19)(15) “Performance metrics” means the measures of an
300 organization’s activities and performance.
301 (20)(16) “Project” means an endeavor that has a defined
302 start and end point; is undertaken to create or modify a unique
303 product, service, or result; and has specific objectives that,
304 when attained, signify completion.
305 (21)(17) “Project oversight” means an independent review
306 and analysis of an information technology project that provides
307 information on the project’s scope, completion timeframes, and
308 budget and that identifies and quantifies issues or risks
309 affecting the successful and timely completion of the project.
310 (22)(18) “Risk assessment” means the process of identifying
311 security risks, determining their magnitude, and identifying
312 areas needing safeguards.
313 (23)(19) “Service level” means the key performance
314 indicators (KPI) of an organization or service which must be
315 regularly performed, monitored, and achieved.
316 (24)(20) “Service-level agreement” means a written contract
317 between the Department of Management Services state data center
318 and a customer entity which specifies the scope of services
319 provided, service level, the duration of the agreement, the
320 responsible parties, and service costs. A service-level
321 agreement is not a rule pursuant to chapter 120.
322 (25)(21) “Stakeholder” means a person, group, organization,
323 or state agency involved in or affected by a course of action.
324 (26)(22) “Standards” means required practices, controls,
325 components, or configurations established by an authority.
326 (27)(23) “State agency” means any official, officer,
327 commission, board, authority, council, committee, or department
328 of the executive branch of state government; the Justice
329 Administrative Commission; and the Public Service Commission.
330 The term does not include university boards of trustees or state
331 universities. As used in part I of this chapter, except as
332 otherwise specifically provided, the term does not include the
333 Department of Legal Affairs, the Department of Agriculture and
334 Consumer Services, or the Department of Financial Services.
335 (28)(24) “SUNCOM Network” means the state enterprise
336 telecommunications system that provides all methods of
337 electronic or optical telecommunications beyond a single
338 building or contiguous building complex and used by entities
339 authorized as network users under this part.
340 (29)(25) “Telecommunications” means the science and
341 technology of communication at a distance, including electronic
342 systems used in the transmission or reception of information.
343 (30)(26) “Threat” means any circumstance or event that has
344 the potential to adversely impact a state agency’s operations or
345 assets through an information system via unauthorized access,
346 destruction, disclosure, or modification of information or
347 denial of service.
348 (31)(27) “Variance” means a calculated value that
349 illustrates how far positive or negative a projection has
350 deviated when measured against documented estimates within a
351 project plan.
352 Section 9. Effective July 1, 2019, and upon the expiration
353 of the amendment to that section made by chapter 2018-10, Laws
354 of Florida, section 282.0051, Florida Statutes, is amended to
355 read:
356 282.0051 Department of Management Services Agency for State
357 Technology; powers, duties, and functions.—The department Agency
358 for State Technology shall have the following powers, duties,
359 and functions:
360 (1) Develop and publish information technology policy for
361 the management of the state’s information technology resources.
362 (2) Establish and publish information technology
363 architecture standards to provide for the most efficient use of
364 the state’s information technology resources and to ensure
365 compatibility and alignment with the needs of state agencies.
366 The department agency shall assist state agencies in complying
367 with the standards.
368 (3) By June 30, 2015, Establish project management and
369 oversight standards with which state agencies must comply when
370 implementing information technology projects. The department
371 agency shall provide training opportunities to state agencies to
372 assist in the adoption of the project management and oversight
373 standards. To support data-driven decisionmaking, the standards
374 must include, but are not limited to:
375 (a) Performance measurements and metrics that objectively
376 reflect the status of an information technology project based on
377 a defined and documented project scope, cost, and schedule.
378 (b) Methodologies for calculating acceptable variances in
379 the projected versus actual scope, schedule, or cost of an
380 information technology project.
381 (c) Reporting requirements, including requirements designed
382 to alert all defined stakeholders that an information technology
383 project has exceeded acceptable variances defined and documented
384 in a project plan.
385 (d) Content, format, and frequency of project updates.
386 (4) Beginning January 1, 2015, Perform project oversight on
387 all state agency information technology projects that have total
388 project costs of $10 million or more and that are funded in the
389 General Appropriations Act or any other law. The department
390 agency shall report at least quarterly to the Executive Office
391 of the Governor, the President of the Senate, and the Speaker of
392 the House of Representatives on any information technology
393 project that the department agency identifies as high-risk due
394 to the project exceeding acceptable variance ranges defined and
395 documented in a project plan. The report must include a risk
396 assessment, including fiscal risks, associated with proceeding
397 to the next stage of the project, and a recommendation for
398 corrective actions required, including suspension or termination
399 of the project.
400 (5) By April 1, 2016, and biennially thereafter, Identify
401 opportunities for standardization and consolidation of
402 information technology services that support business functions
403 and operations, including administrative functions such as
404 purchasing, accounting and reporting, cash management, and
405 personnel, and that are common across state agencies. The
406 department agency shall biennially on April 1 provide
407 recommendations for standardization and consolidation to the
408 Executive Office of the Governor, the President of the Senate,
409 and the Speaker of the House of Representatives. The agency is
410 not precluded from providing recommendations before April 1,
411 2016.
412 (6) In collaboration with the Department of Management
413 Services, Establish best practices for the procurement of
414 information technology products and cloud-computing services in
415 order to reduce costs, increase the quality of data center
416 services productivity, or improve government services. Such
417 practices must include a provision requiring the agency to
418 review all information technology purchases made by state
419 agencies that have a total cost of $250,000 or more, unless a
420 purchase is specifically mandated by the Legislature, for
421 compliance with the standards established pursuant to this
422 section.
423 (7)(a) Participate with the Department of Management
424 Services in evaluating, conducting, and negotiating competitive
425 solicitations for state term contracts for information
426 technology commodities, consultant services, or staff
427 augmentation contractual services pursuant to s. 287.0591.
428 (b) Collaborate with the Department of Management Services
429 in information technology resource acquisition planning.
430 (8) Develop standards for information technology reports
431 and updates, including, but not limited to, operational work
432 plans, project spend plans, and project status reports, for use
433 by state agencies.
434 (8)(9) Upon request, assist state agencies in the
435 development of information technology-related legislative budget
436 requests.
437 (9) (10) Beginning July 1, 2016, and annually thereafter,
438 Conduct annual assessments of state agencies to determine
439 compliance with all information technology standards and
440 guidelines developed and published by the department agency, and
441 beginning December 1, 2016, and annually thereafter, and provide
442 results of the assessments to the Executive Office of the
443 Governor, the President of the Senate, and the Speaker of the
444 House of Representatives.
445 (10)(11) Provide operational management and oversight of
446 the state data center established pursuant to s. 282.201, which
447 includes:
448 (a) Implementing industry standards and best practices for
449 the state data center’s facilities, operations, maintenance,
450 planning, and management processes.
451 (b) Developing and implementing cost-recovery mechanisms
452 that recover the full direct and indirect cost of services
453 through charges to applicable customer entities. Such cost
454 recovery mechanisms must comply with applicable state and
455 federal regulations concerning distribution and use of funds and
456 must ensure that, for any fiscal year, no service or customer
457 entity subsidizes another service or customer entity.
458 (c) Developing and implementing appropriate operating
459 guidelines and procedures necessary for the state data center to
460 perform its duties pursuant to s. 282.201. The guidelines and
461 procedures must comply with applicable state and federal laws,
462 regulations, and policies and conform to generally accepted
463 governmental accounting and auditing standards. The guidelines
464 and procedures must include, but need not be limited to:
465 1. Implementing a consolidated administrative support
466 structure responsible for providing financial management,
467 procurement, transactions involving real or personal property,
468 human resources, and operational support.
469 2. Implementing an annual reconciliation process to ensure
470 that each customer entity is paying for the full direct and
471 indirect cost of each service as determined by the customer
472 entity’s use of each service.
473 3. Providing rebates that may be credited against future
474 billings to customer entities when revenues exceed costs.
475 4. Requiring customer entities to validate that sufficient
476 funds exist in the appropriate data processing appropriation
477 category or will be transferred into the appropriate data
478 processing appropriation category before implementation of a
479 customer entity’s request for a change in the type or level of
480 service provided, if such change results in a net increase to
481 the customer entity’s cost for that fiscal year.
482 5. By November 15 September 1 of each year, providing to
483 the Office of Policy and Budget in the Executive Office of the
484 Governor and to the chairs of the legislative appropriations
485 committees each customer entity’s agency head the projected
486 costs of providing data center services for the following fiscal
487 year.
488 6. Providing a plan for consideration by the Legislative
489 Budget Commission if the cost of a service is increased for a
490 reason other than a customer entity’s request made pursuant to
491 subparagraph 4. Such a plan is required only if the service cost
492 increase results in a net increase to a customer entity for that
493 fiscal year.
494 7. Standardizing and consolidating procurement and
495 contracting practices.
496 (d) In collaboration with the Department of Law
497 Enforcement, developing and implementing a process for
498 detecting, reporting, and responding to information technology
499 security incidents, breaches, and threats.
500 (e) Adopting rules relating to the operation of the state
501 data center, including, but not limited to, budgeting and
502 accounting procedures, cost-recovery methodologies, and
503 operating procedures.
504 (f) Beginning May 1, 2016, and annually thereafter,
505 Conducting an annual a market analysis to determine whether the
506 state’s approach to the provision of data center services is the
507 most effective and cost-efficient efficient manner by which its
508 customer entities can acquire such services, based on federal,
509 state, and local government trends; best practices in service
510 provision; and the acquisition of new and emerging technologies.
511 The results of the market analysis shall assist the state data
512 center in making adjustments to its data center service
513 offerings.
514 (11)(12) Recommend other information technology services
515 that should be designed, delivered, and managed as enterprise
516 information technology services. Recommendations must include
517 the identification of existing information technology resources
518 associated with the services, if existing services must be
519 transferred as a result of being delivered and managed as
520 enterprise information technology services.
521 (13) Recommend additional consolidations of agency
522 computing facilities or data centers into the state data center
523 established pursuant to s. 282.201. Such recommendations shall
524 include a proposed timeline for consolidation.
525 (12)(14) In consultation with state agencies, propose a
526 methodology and approach for identifying and collecting both
527 current and planned information technology expenditure data at
528 the state agency level.
529 (13)(a) (15)(a) Beginning January 1, 2015, and
530 Notwithstanding any other law, provide project oversight on any
531 information technology project of the Department of Financial
532 Services, the Department of Legal Affairs, and the Department of
533 Agriculture and Consumer Services which that has a total project
534 cost of $25 million or more and which that impacts one or more
535 other agencies. Such information technology projects must also
536 comply with the applicable information technology architecture,
537 project management and oversight, and reporting standards
538 established by the department agency.
539 (b) When performing the project oversight function
540 specified in paragraph (a), report at least quarterly to the
541 Executive Office of the Governor, the President of the Senate,
542 and the Speaker of the House of Representatives on any
543 information technology project that the department agency
544 identifies as high-risk due to the project exceeding acceptable
545 variance ranges defined and documented in the project plan. The
546 report shall include a risk assessment, including fiscal risks,
547 associated with proceeding to the next stage of the project and
548 a recommendation for corrective actions required, including
549 suspension or termination of the project.
550 (14)(16) If an information technology project implemented
551 by a state agency must be connected to or otherwise accommodated
552 by an information technology system administered by the
553 Department of Financial Services, the Department of Legal
554 Affairs, or the Department of Agriculture and Consumer Services,
555 consult with these departments regarding the risks and other
556 effects of such projects on their information technology systems
557 and work cooperatively with these departments regarding the
558 connections, interfaces, timing, or accommodations required to
559 implement such projects.
560 (15)(17) If adherence to standards or policies adopted by
561 or established pursuant to this section causes conflict with
562 federal regulations or requirements imposed on a state agency
563 and results in adverse action against the state agency or
564 federal funding, work with the state agency to provide
565 alternative standards, policies, or requirements that do not
566 conflict with the federal regulation or requirement. Beginning
567 July 1, 2015, The department agency shall annually report such
568 alternative standards to the Governor, the President of the
569 Senate, and the Speaker of the House of Representatives.
570 (16)(18) In collaboration with the Department of Management
571 Services:
572 (a) Establish an information technology policy for all
573 information technology-related state contracts, including state
574 term contracts for information technology commodities,
575 consultant services, and staff augmentation services. The
576 information technology policy must include:
577 1. Identification of the information technology product and
578 service categories to be included in state term contracts.
579 2. Requirements to be included in solicitations for state
580 term contracts.
581 3. Evaluation criteria for the award of information
582 technology-related state term contracts.
583 4. The term of each information technology-related state
584 term contract.
585 5. The maximum number of vendors authorized on each state
586 term contract.
587 (b) Evaluate vendor responses for information technology
588 related state term contract solicitations and invitations to
589 negotiate.
590 (c) Answer vendor questions on information technology
591 related state term contract solicitations.
592 (d) Ensure that the information technology policy
593 established pursuant to paragraph (a) is included in all
594 solicitations and contracts that which are administratively
595 executed by the department.
596 (17) Recommend potential methods for standardizing data
597 across state agencies which will promote interoperability and
598 reduce the collection of duplicative data.
599 (18) Recommend open data technical standards and
600 terminologies for use by state agencies.
601 (19) Adopt rules to administer this section.
602 Section 10. Effective July 1, 2019, and upon the expiration
603 of the amendment to that section made by chapter 2018-10, Laws
604 of Florida, section 282.201, Florida Statutes, is amended to
605 read:
606 282.201 State data center.—The state data center is
607 established within the department Agency for State Technology
608 and shall provide data center services that are hosted on
609 premises or externally through a third-party provider as an
610 enterprise information technology service. The provision of data
611 center services must comply with applicable state and federal
612 laws, regulations, and policies, including all applicable
613 security, privacy, and auditing requirements. The department
614 shall appoint a director of the state data center, preferably an
615 individual who has experience in leading data center facilities
616 and has expertise in cloud-computing management.
617 (1) INTENT.—The Legislature finds that the most efficient
618 and effective means of providing quality utility data processing
619 services to state agencies requires that computing resources be
620 concentrated in quality facilities that provide the proper
621 security, disaster recovery, infrastructure, and staff resources
622 to ensure that the state’s data is maintained reliably and
623 safely, and is recoverable in the event of a disaster. Unless
624 otherwise exempt by law, it is the intent of the Legislature
625 that all agency data centers and computing facilities shall be
626 consolidated into the state data center.
627 (1)(2) STATE DATA CENTER DUTIES.—The state data center
628 shall:
629 (a) Offer, develop, and support the services and
630 applications defined in service-level agreements executed with
631 its customer entities.
632 (b) Maintain performance of the state data center by
633 ensuring proper data backup, data backup recovery, disaster
634 recovery, and appropriate security, power, cooling, fire
635 suppression, and capacity.
636 (c) Develop and implement a business continuity plan and a
637 disaster recovery plans plan, and beginning July 1, 2015, and
638 annually thereafter, conduct a live exercise of each plan.
639 (d) Enter into a service-level agreement with each customer
640 entity to provide the required type and level of service or
641 services. If a customer entity fails to execute an agreement
642 within 60 days after commencement of a service, the state data
643 center may cease service. A service-level agreement may not have
644 a term exceeding 3 years and at a minimum must:
645 1. Identify the parties and their roles, duties, and
646 responsibilities under the agreement.
647 2. State the duration of the contract term and specify the
648 conditions for renewal.
649 3. Identify the scope of work.
650 4. Identify the products or services to be delivered with
651 sufficient specificity to permit an external financial or
652 performance audit.
653 5. Establish the services to be provided, the business
654 standards that must be met for each service, the cost of each
655 service by agency application, and the metrics and processes by
656 which the business standards for each service are to be
657 objectively measured and reported.
658 6. Provide a timely billing methodology to recover the
659 costs of services provided to the customer entity pursuant to s.
660 215.422.
661 7. Provide a procedure for modifying the service-level
662 agreement based on changes in the type, level, and cost of a
663 service.
664 8. Include a right-to-audit clause to ensure that the
665 parties to the agreement have access to records for audit
666 purposes during the term of the service-level agreement.
667 9. Provide that a service-level agreement may be terminated
668 by either party for cause only after giving the other party and
669 the department Agency for State Technology notice in writing of
670 the cause for termination and an opportunity for the other party
671 to resolve the identified cause within a reasonable period.
672 10. Provide for mediation of disputes by the Division of
673 Administrative Hearings pursuant to s. 120.573.
674 (e) For purposes of chapter 273, be the custodian of
675 resources and equipment located in and operated, supported, and
676 managed by the state data center.
677 (f) Assume administrative access rights to resources and
678 equipment, including servers, network components, and other
679 devices, consolidated into the state data center.
680 1. Upon the date of each consolidation specified in this
681 section, the General Appropriations Act, or any other law, a
682 state agency shall relinquish administrative rights to
683 consolidated resources and equipment. State agencies required to
684 comply with federal and state criminal justice information
685 security rules and policies shall retain administrative access
686 rights sufficient to comply with the management control
687 provisions of those rules and policies; however, the state data
688 center shall have the appropriate type or level of rights to
689 allow the center to comply with its duties pursuant to this
690 section. The Department of Law Enforcement shall serve as the
691 arbiter of disputes pertaining to the appropriate type and level
692 of administrative access rights pertaining to the provision of
693 management control in accordance with the federal criminal
694 justice information guidelines.
695 2. The state data center shall provide customer entities
696 with access to applications, servers, network components, and
697 other devices necessary for entities to perform business
698 activities and functions, and as defined and documented in a
699 service-level agreement.
700 (g) In its procurement process, show preference for cloud
701 computing solutions that minimize or do not require the
702 purchasing, financing, or leasing of state data center
703 infrastructure, and that meet the needs of customer agencies,
704 that reduce costs, and that meet or exceed the applicable state
705 and federal laws, regulations, and standards for information
706 technology security.
707 (h) Assist customer entities in transitioning from state
708 data center services to third-party cloud-computing services
709 procured by a customer entity.
710 (3) STATE AGENCY DUTIES.—
711 (a) Each state agency shall provide to the Agency for State
712 Technology all requested information relating to its data
713 centers and computing facilities and any other information
714 relevant to the effective transition of an agency data center or
715 computing facility into the state data center.
716 (b) Each state agency customer of the state data center
717 shall notify the state data center, by May 31 and November 30 of
718 each year, of any significant changes in anticipated utilization
719 of state data center services pursuant to requirements
720 established by the state data center.
721 (2)(4) USE OF THE STATE DATA CENTER SCHEDULE FOR
722 CONSOLIDATIONS OF AGENCY DATA CENTERS.—
723 (a) Consolidations of agency data centers and computing
724 facilities into the state data center shall be made by the dates
725 specified in this section and in accordance with budget
726 adjustments contained in the General Appropriations Act.
727 (b) During the 2013-2014 fiscal year, the following state
728 agencies shall be consolidated by the specified date:
729 1. By October 31, 2013, the Department of Economic
730 Opportunity.
731 2. By December 31, 2013, the Executive Office of the
732 Governor, to include the Division of Emergency Management except
733 for the Emergency Operation Center’s management system in
734 Tallahassee and the Camp Blanding Emergency Operations Center in
735 Starke.
736 3. By March 31, 2014, the Department of Elderly Affairs.
737 4. By October 30, 2013, the Fish and Wildlife Conservation
738 Commission, except for the commission’s Fish and Wildlife
739 Research Institute in St. Petersburg.
740 (c) The following are exempt from the use of the state data
741 center consolidation under this section: the Department of Law
742 Enforcement, the Department of the Lottery’s Gaming System,
743 Systems Design and Development in the Office of Policy and
744 Budget, the regional traffic management centers as described in
745 s. 335.14(2) and the Office of Toll Operations of the Department
746 of Transportation, the State Board of Administration, state
747 attorneys, public defenders, criminal conflict and civil
748 regional counsel, capital collateral regional counsel, and the
749 Florida Housing Finance Corporation.
750 (d) A state agency that is consolidating its agency data
751 center or computing facility into the state data center must
752 execute a new or update an existing service-level agreement
753 within 60 days after the commencement of the service. If a state
754 agency and the state data center are unable to execute a
755 service-level agreement by that date, the agency shall submit a
756 report to the Executive Office of the Governor within 5 working
757 days after that date which explains the specific issues
758 preventing execution and describing the plan and schedule for
759 resolving those issues.
760 (e) Each state agency scheduled for consolidation into the
761 state data center shall submit a transition plan to the Agency
762 for State Technology by July 1 of the fiscal year before the
763 fiscal year in which the scheduled consolidation will occur.
764 Transition plans shall be developed in consultation with the
765 state data center and must include:
766 1. An inventory of the agency data center’s resources being
767 consolidated, including all hardware and its associated life
768 cycle replacement schedule, software, staff, contracted
769 services, and facility resources performing data center
770 management and operations, security, backup and recovery,
771 disaster recovery, system administration, database
772 administration, system programming, job control, production
773 control, print, storage, technical support, help desk, and
774 managed services, but excluding application development, and the
775 agency’s costs supporting these resources.
776 2. A list of contracts in effect, including, but not
777 limited to, contracts for hardware, software, and maintenance,
778 which identifies the expiration date, the contract parties, and
779 the cost of each contract.
780 3. A detailed description of the level of services needed
781 to meet the technical and operational requirements of the
782 platforms being consolidated.
783 4. A timetable with significant milestones for the
784 completion of the consolidation.
785 (f) Each state agency scheduled for consolidation into the
786 state data center shall submit with its respective legislative
787 budget request the specific recurring and nonrecurring budget
788 adjustments of resources by appropriation category into the
789 appropriate data processing category pursuant to the legislative
790 budget request instructions in s. 216.023.
791 (3)(5) AGENCY LIMITATIONS.—
792 (a) Unless exempt from the use of the state data center
793 consolidation pursuant to this section or authorized by the
794 Legislature or as provided in paragraph (b), a state agency may
795 not:
796 (a)1. Create a new agency computing facility or data
797 center, or expand the capability to support additional computer
798 equipment in an existing agency computing facility or data
799 center; or
800 2. Spend funds before the state agency’s scheduled
801 consolidation into the state data center to purchase or modify
802 hardware or operations software that does not comply with
803 standards established by the Agency for State Technology
804 pursuant to s. 282.0051;
805 3. Transfer existing computer services to any data center
806 other than the state data center;
807 (b)4. Terminate services with the state data center without
808 giving written notice of intent to terminate services 180 days
809 before such termination; or
810 5. Initiate a new computer service except with the state
811 data center.
812 (b) Exceptions to the limitations in subparagraphs (a)1.,
813 2., 3., and 5. may be granted by the Agency for State Technology
814 if there is insufficient capacity in the state data center to
815 absorb the workload associated with agency computing services,
816 if expenditures are compatible with the standards established
817 pursuant to s. 282.0051, or if the equipment or resources are
818 needed to meet a critical agency business need that cannot be
819 satisfied by the state data center. The Agency for State
820 Technology shall establish requirements that a state agency must
821 follow when submitting and documenting a request for an
822 exception. The Agency for State Technology shall also publish
823 guidelines for its consideration of exception requests. However,
824 the decision of the Agency for State Technology regarding an
825 exception request is not subject to chapter 120.
826 Section 11. Section 282.206, Florida Statutes, is created
827 to read:
828 282.206 Cloud-first policy in state agencies.—
829 (1) The Legislature finds that the most efficient and
830 effective means of providing quality data processing services is
831 through the use of cloud computing. It is the intent of the
832 Legislature that each state agency adopt a cloud-first policy
833 that first considers cloud-computing solutions in its technology
834 sourcing strategy for technology initiatives or upgrades
835 whenever possible and feasible.
836 (2) In its procurement process, each state agency shall
837 show a preference for cloud-computing solutions that either
838 minimize or do not require the use of state data center
839 infrastructure when cloud-computing solutions meet the needs of
840 the agency, reduce costs, and meet or exceed the applicable
841 state and federal laws, regulations, and standards for
842 information technology security.
843 (3) Each state agency shall adopt formal procedures for the
844 evaluation of cloud-computing options for existing applications,
845 technology initiatives, or upgrades.
846 (4) Each state agency shall develop a strategic plan to be
847 updated annually to address its inventory of applications
848 located at the state data center. Each agency shall submit the
849 plan by October 15 of each year to the Office of Policy and
850 Budget in the Executive Office of the Governor and the chairs of
851 the legislative appropriations committees. For each application,
852 the plan must identify and document the readiness, appropriate
853 strategy, and high-level timeline for transition to a cloud
854 computing service based on the application’s quality, cost, and
855 resource requirements. This information must be used to assist
856 the state data center in making adjustments to its service
857 offerings.
858 (5) Each state agency customer of the state data center
859 shall notify the state data center by May 31 and November 30
860 annually of any significant changes in its anticipated
861 utilization of state data center services pursuant to
862 requirements established by the state data center.
863 (6) Unless authorized by the Legislature, the Department of
864 Law Enforcement, as the state’s lead Criminal Justice
865 Information Services Systems Agency, may not impose more
866 stringent protection measures than outlined in the federal
867 Criminal Justice Information Services Security Policy relating
868 to the use of cloud-computing services.
869 Section 12. Section 282.318, Florida Statutes, is amended
870 to read:
871 282.318 Security of data and information technology.—
872 (1) This section may be cited as the “Information
873 Technology Security Act.”
874 (2) As used in this section, the term “state agency” has
875 the same meaning as provided in s. 282.0041, except that the
876 term includes the Department of Legal Affairs, the Department of
877 Agriculture and Consumer Services, and the Department of
878 Financial Services.
879 (3) The department Agency for State Technology is
880 responsible for establishing standards and processes consistent
881 with generally accepted best practices for information
882 technology security, to include cybersecurity, and adopting
883 rules that safeguard an agency’s data, information, and
884 information technology resources to ensure availability,
885 confidentiality, and integrity and to mitigate risks. The
886 department agency shall also:
887 (a) Designate a state chief information security officer
888 who must have experience and expertise in security and risk
889 management for communications and information technology
890 resources.
891 (b)(a) Develop, and annually update by February 1, a
892 statewide information technology security strategic plan that
893 includes security goals and objectives for the strategic issues
894 of information technology security policy, risk management,
895 training, incident management, and disaster recovery planning.
896 (c)(b) Develop and publish for use by state agencies an
897 information technology security framework that, at a minimum,
898 includes guidelines and processes for:
899 1. Establishing asset management procedures to ensure that
900 an agency’s information technology resources are identified and
901 managed consistent with their relative importance to the
902 agency’s business objectives.
903 2. Using a standard risk assessment methodology that
904 includes the identification of an agency’s priorities,
905 constraints, risk tolerances, and assumptions necessary to
906 support operational risk decisions.
907 3. Completing comprehensive risk assessments and
908 information technology security audits, which may be completed
909 by a private sector vendor, and submitting completed assessments
910 and audits to the department Agency for State Technology.
911 4. Identifying protection procedures to manage the
912 protection of an agency’s information, data, and information
913 technology resources.
914 5. Establishing procedures for accessing information and
915 data to ensure the confidentiality, integrity, and availability
916 of such information and data.
917 6. Detecting threats through proactive monitoring of
918 events, continuous security monitoring, and defined detection
919 processes.
920 7. Establishing agency computer security incident response
921 teams and describing their responsibilities for responding to
922 information technology security incidents, including breaches of
923 personal information containing confidential or exempt data.
924 8. Recovering information and data in response to an
925 information technology security incident. The recovery may
926 include recommended improvements to the agency processes,
927 policies, or guidelines.
928 9. Establishing an information technology security incident
929 reporting process that includes procedures and tiered reporting
930 timeframes for notifying the department Agency for State
931 Technology and the Department of Law Enforcement of information
932 technology security incidents. The tiered reporting timeframes
933 shall be based upon the level of severity of the information
934 technology security incidents being reported.
935 10. Incorporating information obtained through detection
936 and response activities into the agency’s information technology
937 security incident response plans.
938 11. Developing agency strategic and operational information
939 technology security plans required pursuant to this section.
940 12. Establishing the managerial, operational, and technical
941 safeguards for protecting state government data and information
942 technology resources that align with the state agency risk
943 management strategy and that protect the confidentiality,
944 integrity, and availability of information and data.
945 (d)(c) Assist state agencies in complying with this
946 section.
947 (e)(d) In collaboration with the Cybercrime Office of the
948 Department of Law Enforcement, annually provide training for
949 state agency information security managers and computer security
950 incident response team members that contains training on
951 information technology security, including cybersecurity,
952 threats, trends, and best practices.
953 (f)(e) Annually review the strategic and operational
954 information technology security plans of executive branch
955 agencies.
956 (4) Each state agency head shall, at a minimum:
957 (a) Designate an information security manager to administer
958 the information technology security program of the state agency.
959 This designation must be provided annually in writing to the
960 department Agency for State Technology by January 1. A state
961 agency’s information security manager, for purposes of these
962 information security duties, shall report directly to the agency
963 head.
964 (b) In consultation with the department Agency for State
965 Technology and the Cybercrime Office of the Department of Law
966 Enforcement, establish an agency computer security incident
967 response team to respond to an information technology security
968 incident. The agency computer security incident response team
969 shall convene upon notification of an information technology
970 security incident and must comply with all applicable guidelines
971 and processes established pursuant to paragraph (3)(c) paragraph
972 (3)(b).
973 (c) Submit to the department Agency for State Technology
974 annually by July 31, the state agency’s strategic and
975 operational information technology security plans developed
976 pursuant to rules and guidelines established by the department
977 Agency for State Technology.
978 1. The state agency strategic information technology
979 security plan must cover a 3-year period and, at a minimum,
980 define security goals, intermediate objectives, and projected
981 agency costs for the strategic issues of agency information
982 security policy, risk management, security training, security
983 incident response, and disaster recovery. The plan must be based
984 on the statewide information technology security strategic plan
985 created by the department Agency for State Technology and
986 include performance metrics that can be objectively measured to
987 reflect the status of the state agency’s progress in meeting
988 security goals and objectives identified in the agency’s
989 strategic information security plan.
990 2. The state agency operational information technology
991 security plan must include a progress report that objectively
992 measures progress made towards the prior operational information
993 technology security plan and a project plan that includes
994 activities, timelines, and deliverables for security objectives
995 that the state agency will implement during the current fiscal
996 year.
997 (d) Conduct, and update every 3 years, a comprehensive risk
998 assessment, which may be completed by a private sector vendor,
999 to determine the security threats to the data, information, and
1000 information technology resources, including mobile devices and
1001 print environments, of the agency. The risk assessment must
1002 comply with the risk assessment methodology developed by the
1003 department Agency for State Technology and is confidential and
1004 exempt from s. 119.07(1), except that such information shall be
1005 available to the Auditor General, the Division of State
1006 Technology within the department Agency for State Technology,
1007 the Cybercrime Office of the Department of Law Enforcement, and,
1008 for state agencies under the jurisdiction of the Governor, the
1009 Chief Inspector General.
1010 (e) Develop, and periodically update, written internal
1011 policies and procedures, which include procedures for reporting
1012 information technology security incidents and breaches to the
1013 Cybercrime Office of the Department of Law Enforcement and the
1014 Division of State Technology within the department Agency for
1015 State Technology. Such policies and procedures must be
1016 consistent with the rules, guidelines, and processes established
1017 by the department Agency for State Technology to ensure the
1018 security of the data, information, and information technology
1019 resources of the agency. The internal policies and procedures
1020 that, if disclosed, could facilitate the unauthorized
1021 modification, disclosure, or destruction of data or information
1022 technology resources are confidential information and exempt
1023 from s. 119.07(1), except that such information shall be
1024 available to the Auditor General, the Cybercrime Office of the
1025 Department of Law Enforcement, the Division of State Technology
1026 within the department Agency for State Technology, and, for
1027 state agencies under the jurisdiction of the Governor, the Chief
1028 Inspector General.
1029 (f) Implement managerial, operational, and technical
1030 safeguards and risk assessment remediation plans recommended by
1031 the department Agency for State Technology to address identified
1032 risks to the data, information, and information technology
1033 resources of the agency.
1034 (g) Ensure that periodic internal audits and evaluations of
1035 the agency’s information technology security program for the
1036 data, information, and information technology resources of the
1037 agency are conducted. The results of such audits and evaluations
1038 are confidential information and exempt from s. 119.07(1),
1039 except that such information shall be available to the Auditor
1040 General, the Cybercrime Office of the Department of Law
1041 Enforcement, the Division of State Technology within the
1042 department Agency for State Technology, and, for agencies under
1043 the jurisdiction of the Governor, the Chief Inspector General.
1044 (h) Ensure that the Include appropriate information
1045 technology security and cybersecurity requirements in both the
1046 written specifications for the solicitation and service-level
1047 agreement of information technology and information technology
1048 resources and services meet or exceed the applicable state and
1049 federal laws, regulations, and standards for information
1050 technology security and cybersecurity. Service-level agreements
1051 must identify service provider and state agency responsibilities
1052 for privacy and security, protection of government data,
1053 personnel background screening, and security deliverables with
1054 associated frequencies, which are consistent with the rules and
1055 guidelines established by the Agency for State Technology in
1056 collaboration with the Department of Management Services.
1057 (i) Provide information technology security and
1058 cybersecurity awareness training to all state agency employees
1059 in the first 30 days after commencing employment concerning
1060 information technology security risks and the responsibility of
1061 employees to comply with policies, standards, guidelines, and
1062 operating procedures adopted by the state agency to reduce those
1063 risks. The training may be provided in collaboration with the
1064 Cybercrime Office of the Department of Law Enforcement.
1065 (j) Develop a process for detecting, reporting, and
1066 responding to threats, breaches, or information technology
1067 security incidents which is consistent with the security rules,
1068 guidelines, and processes established by the Agency for State
1069 Technology.
1070 1. All information technology security incidents and
1071 breaches must be reported to the Division of State Technology
1072 within the department Agency for State Technology and the
1073 Cybercrime Office of the Department of Law Enforcement and must
1074 comply with the notification procedures and reporting timeframes
1075 established pursuant to paragraph (3)(c) paragraph (3)(b).
1076 2. For information technology security breaches, state
1077 agencies shall provide notice in accordance with s. 501.171.
1078 3. Records held by a state agency which identify detection,
1079 investigation, or response practices for suspected or confirmed
1080 information technology security incidents, including suspected
1081 or confirmed breaches, are confidential and exempt from s.
1082 119.07(1) and s. 24(a), Art. I of the State Constitution, if the
1083 disclosure of such records would facilitate unauthorized access
1084 to or the unauthorized modification, disclosure, or destruction
1085 of:
1086 a. Data or information, whether physical or virtual; or
1087 b. Information technology resources, which includes:
1088 (I) Information relating to the security of the agency’s
1089 technologies, processes, and practices designed to protect
1090 networks, computers, data processing software, and data from
1091 attack, damage, or unauthorized access; or
1092 (II) Security information, whether physical or virtual,
1093 which relates to the agency’s existing or proposed information
1094 technology systems.
1095
1096 Such records shall be available to the Auditor General, the
1097 Division of State Technology within the department Agency for
1098 State Technology, the Cybercrime Office of the Department of Law
1099 Enforcement, and, for state agencies under the jurisdiction of
1100 the Governor, the Chief Inspector General. Such records may be
1101 made available to a local government, another state agency, or a
1102 federal agency for information technology security purposes or
1103 in furtherance of the state agency’s official duties. This
1104 exemption applies to such records held by a state agency before,
1105 on, or after the effective date of this exemption. This
1106 subparagraph is subject to the Open Government Sunset Review Act
1107 in accordance with s. 119.15 and shall stand repealed on October
1108 2, 2021, unless reviewed and saved from repeal through
1109 reenactment by the Legislature.
1110 (5) The portions of risk assessments, evaluations, external
1111 audits, and other reports of a state agency’s information
1112 technology security program for the data, information, and
1113 information technology resources of the state agency which are
1114 held by a state agency are confidential and exempt from s.
1115 119.07(1) and s. 24(a), Art. I of the State Constitution if the
1116 disclosure of such portions of records would facilitate
1117 unauthorized access to or the unauthorized modification,
1118 disclosure, or destruction of:
1119 (a) Data or information, whether physical or virtual; or
1120 (b) Information technology resources, which include:
1121 1. Information relating to the security of the agency’s
1122 technologies, processes, and practices designed to protect
1123 networks, computers, data processing software, and data from
1124 attack, damage, or unauthorized access; or
1125 2. Security information, whether physical or virtual, which
1126 relates to the agency’s existing or proposed information
1127 technology systems.
1128
1129 Such portions of records shall be available to the Auditor
1130 General, the Cybercrime Office of the Department of Law
1131 Enforcement, the Division of State Technology within the
1132 department Agency for State Technology, and, for agencies under
1133 the jurisdiction of the Governor, the Chief Inspector General.
1134 Such portions of records may be made available to a local
1135 government, another state agency, or a federal agency for
1136 information technology security purposes or in furtherance of
1137 the state agency’s official duties. For purposes of this
1138 subsection, “external audit” means an audit that is conducted by
1139 an entity other than the state agency that is the subject of the
1140 audit. This exemption applies to such records held by a state
1141 agency before, on, or after the effective date of this
1142 exemption. This subsection is subject to the Open Government
1143 Sunset Review Act in accordance with s. 119.15 and shall stand
1144 repealed on October 2, 2021, unless reviewed and saved from
1145 repeal through reenactment by the Legislature.
1146 (6) The department Agency for State Technology shall adopt
1147 rules relating to information technology security and to
1148 administer this section.
1149 Section 13. Subsections (1) and (2) of section 17.0315,
1150 Florida Statutes, are amended to read:
1151 17.0315 Financial and cash management system; task force.—
1152 (1) The Chief Financial Officer, as the constitutional
1153 officer responsible for settling and approving accounts against
1154 the state and keeping all state funds pursuant to s. 4, Art. IV
1155 of the State Constitution, is the head of and shall appoint
1156 members to a task force established to develop a strategic
1157 business plan for a successor financial and cash management
1158 system. The task force shall include the state chief information
1159 officer executive director of the Agency for State Technology
1160 and the director of the Office of Policy and Budget in the
1161 Executive Office of the Governor. Any member of the task force
1162 may appoint a designee.
1163 (2) The strategic business plan for a successor financial
1164 and cash management system must:
1165 (a) Permit proper disbursement and auditing controls
1166 consistent with the respective constitutional duties of the
1167 Chief Financial Officer and the Legislature;
1168 (b) Promote transparency in the accounting of public funds;
1169 (c) Provide timely and accurate recording of financial
1170 transactions by agencies and their professional staffs;
1171 (d) Support executive reporting and data analysis
1172 requirements;
1173 (e) Be capable of interfacing with other systems providing
1174 human resource services, procuring goods and services, and
1175 providing other enterprise functions;
1176 (f) Be capable of interfacing with the existing legislative
1177 appropriations, planning, and budgeting systems;
1178 (g) Be coordinated with the information technology strategy
1179 development efforts of the Department of Management Services
1180 Agency for State Technology;
1181 (h) Be coordinated with the revenue estimating conference
1182 process as supported by the Office of Economic and Demographic
1183 Research; and
1184 (i) Address other such issues as the Chief Financial
1185 Officer identifies.
1186 Section 14. Paragraph (d) of subsection (1) of section
1187 20.055, Florida Statutes, is amended to read:
1188 20.055 Agency inspectors general.—
1189 (1) As used in this section, the term:
1190 (d) “State agency” means each department created pursuant
1191 to this chapter and the Executive Office of the Governor, the
1192 Department of Military Affairs, the Fish and Wildlife
1193 Conservation Commission, the Office of Insurance Regulation of
1194 the Financial Services Commission, the Office of Financial
1195 Regulation of the Financial Services Commission, the Public
1196 Service Commission, the Board of Governors of the State
1197 University System, the Florida Housing Finance Corporation, the
1198 Agency for State Technology, the Office of Early Learning, and
1199 the state courts system.
1200 Section 15. Paragraph (b) of subsection (3) of section
1201 97.0525, Florida Statutes, is amended to read:
1202 97.0525 Online voter registration.—
1203 (3)
1204 (b) The division shall conduct a comprehensive risk
1205 assessment of the online voter registration system before making
1206 the system publicly available and every 2 years thereafter. The
1207 comprehensive risk assessment must comply with the risk
1208 assessment methodology developed by the Department of Management
1209 Services Agency for State Technology for identifying security
1210 risks, determining the magnitude of such risks, and identifying
1211 areas that require safeguards.
1212 Section 16. Paragraph (e) of subsection (2) of section
1213 110.205, Florida Statutes, is amended to read:
1214 110.205 Career service; exemptions.—
1215 (2) EXEMPT POSITIONS.—The exempt positions that are not
1216 covered by this part include the following:
1217 (e) The state chief information officer executive director
1218 of the Agency for State Technology. Unless otherwise fixed by
1219 law, the Department of Management Services Agency for State
1220 Technology shall set the salary and benefits of this position in
1221 accordance with the rules of the Senior Management Service.
1222 Section 17. Subsections (2) and (9) of section 215.322,
1223 Florida Statutes, are amended to read:
1224 215.322 Acceptance of credit cards, charge cards, debit
1225 cards, or electronic funds transfers by state agencies, units of
1226 local government, and the judicial branch.—
1227 (2) A state agency as defined in s. 216.011, or the
1228 judicial branch, may accept credit cards, charge cards, debit
1229 cards, or electronic funds transfers in payment for goods and
1230 services with the prior approval of the Chief Financial Officer.
1231 If the Internet or other related electronic methods are to be
1232 used as the collection medium, the state chief information
1233 officer Agency for State Technology shall review and recommend
1234 to the Chief Financial Officer whether to approve the request
1235 with regard to the process or procedure to be used.
1236 (9) For payment programs in which credit cards, charge
1237 cards, or debit cards are accepted by state agencies, the
1238 judicial branch, or units of local government, the Chief
1239 Financial Officer, in consultation with the state chief
1240 information officer Agency for State Technology, may adopt rules
1241 to establish uniform security safeguards for cardholder data and
1242 to ensure compliance with the Payment Card Industry Data
1243 Security Standards.
1244 Section 18. Subsection (2) of section 215.96, Florida
1245 Statutes, is amended to read:
1246 215.96 Coordinating council and design and coordination
1247 staff.—
1248 (2) The coordinating council shall consist of the Chief
1249 Financial Officer; the Commissioner of Agriculture; the Attorney
1250 General; the Secretary of Management Services; the state chief
1251 information officer executive director of the Agency for State
1252 Technology; and the Director of Planning and Budgeting,
1253 Executive Office of the Governor, or their designees. The Chief
1254 Financial Officer, or his or her designee, shall be chair of the
1255 council, and the design and coordination staff shall provide
1256 administrative and clerical support to the council and the
1257 board. The design and coordination staff shall maintain the
1258 minutes of each meeting and make such minutes available to any
1259 interested person. The Auditor General, the State Courts
1260 Administrator, an executive officer of the Florida Association
1261 of State Agency Administrative Services Directors, and an
1262 executive officer of the Florida Association of State Budget
1263 Officers, or their designees, shall serve without voting rights
1264 as ex officio members of the council. The chair may call
1265 meetings of the council as often as necessary to transact
1266 business; however, the council shall meet at least once a year.
1267 Action of the council shall be by motion, duly made, seconded
1268 and passed by a majority of the council voting in the
1269 affirmative for approval of items that are to be recommended for
1270 approval to the Financial Management Information Board.
1271 Section 19. Subsection (22) of section 287.057, Florida
1272 Statutes, is amended to read:
1273 287.057 Procurement of commodities or contractual
1274 services.—
1275 (22) The department, in consultation with the Chief
1276 Financial Officer and the state chief information officer Agency
1277 for State Technology, shall maintain a program for online
1278 procurement of commodities and contractual services. To enable
1279 the state to promote open competition and leverage its buying
1280 power, agencies shall participate in the online procurement
1281 program, and eligible users may participate in the program. Only
1282 vendors prequalified as meeting mandatory requirements and
1283 qualifications criteria may participate in online procurement.
1284 (a) The department, in consultation with the Agency for
1285 State Technology and in compliance with the standards of the
1286 agency, may contract for equipment and services necessary to
1287 develop and implement online procurement.
1288 (b) The department shall adopt rules to administer the
1289 program for online procurement. The rules must include, but not
1290 be limited to:
1291 1. Determining the requirements and qualification criteria
1292 for prequalifying vendors.
1293 2. Establishing the procedures for conducting online
1294 procurement.
1295 3. Establishing the criteria for eligible commodities and
1296 contractual services.
1297 4. Establishing the procedures for providing access to
1298 online procurement.
1299 5. Determining the criteria warranting any exceptions to
1300 participation in the online procurement program.
1301 (c) The department may impose and shall collect all fees
1302 for the use of the online procurement systems.
1303 1. The fees may be imposed on an individual transaction
1304 basis or as a fixed percentage of the cost savings generated. At
1305 a minimum, the fees must be set in an amount sufficient to cover
1306 the projected costs of the services, including administrative
1307 and project service costs in accordance with the policies of the
1308 department.
1309 2. If the department contracts with a provider for online
1310 procurement, the department, pursuant to appropriation, shall
1311 compensate the provider from the fees after the department has
1312 satisfied all ongoing costs. The provider shall report
1313 transaction data to the department each month so that the
1314 department may determine the amount due and payable to the
1315 department from each vendor.
1316 3. All fees that are due and payable to the state on a
1317 transactional basis or as a fixed percentage of the cost savings
1318 generated are subject to s. 215.31 and must be remitted within
1319 40 days after receipt of payment for which the fees are due. For
1320 fees that are not remitted within 40 days, the vendor shall pay
1321 interest at the rate established under s. 55.03(1) on the unpaid
1322 balance from the expiration of the 40-day period until the fees
1323 are remitted.
1324 4. All fees and surcharges collected under this paragraph
1325 shall be deposited in the Operating Trust Fund as provided by
1326 law.
1327 Section 20. Section 282.00515, Florida Statutes, is amended
1328 to read:
1329 282.00515 Duties of Cabinet agencies.—The Department of
1330 Legal Affairs, the Department of Financial Services, and the
1331 Department of Agriculture and Consumer Services shall adopt the
1332 standards established in s. 282.0051(2), (3), and (7) s.
1333 282.0051(2), (3), and (8) or adopt alternative standards based
1334 on best practices and industry standards, and may contract with
1335 the department Agency for State Technology to provide or perform
1336 any of the services and functions described in s. 282.0051 for
1337 the Department of Legal Affairs, the Department of Financial
1338 Services, or the Department of Agriculture and Consumer
1339 Services.
1340 Section 21. Subsections (3) and (4) of section 287.0591,
1341 Florida Statutes, are amended to read:
1342 287.0591 Information technology.—
1343 (3) The department may execute a state term contract for
1344 information technology commodities, consultant services, or
1345 staff augmentation contractual services that exceeds the 48
1346 month requirement if the Secretary of Management Services and
1347 the state chief information officer executive director of the
1348 Agency for State Technology certify to the Executive Office of
1349 the Governor that a longer contract term is in the best interest
1350 of the state.
1351 (4) If the department issues a competitive solicitation for
1352 information technology commodities, consultant services, or
1353 staff augmentation contractual services, the Division of State
1354 Technology within the department Agency for State Technology
1355 shall participate in such solicitations.
1356 Section 22. Paragraph (a) of subsection (3) of section
1357 365.171, Florida Statutes, is amended to read:
1358 365.171 Emergency communications number E911 state plan.—
1359 (3) DEFINITIONS.—As used in this section, the term:
1360 (a) “Office” means the Division of State Technology Program
1361 within the Department of Management Services, as designated by
1362 the secretary of the department.
1363 Section 23. Paragraph (s) of subsection (3) of section
1364 365.172, Florida Statutes, is amended to read:
1365 365.172 Emergency communications number “E911.”—
1366 (3) DEFINITIONS.—Only as used in this section and ss.
1367 365.171, 365.173, and 365.174, the term:
1368 (s) “Office” means the Division of State Technology Program
1369 within the Department of Management Services, as designated by
1370 the secretary of the department.
1371 Section 24. Paragraph (a) of subsection (1) of section
1372 365.173, Florida Statutes, is amended to read:
1373 365.173 Communications Number E911 System Fund.—
1374 (1) REVENUES.—
1375 (a) Revenues derived from the fee levied on subscribers
1376 under s. 365.172(8) must be paid by the board into the State
1377 Treasury on or before the 15th day of each month. Such moneys
1378 must be accounted for in a special fund to be designated as the
1379 Emergency Communications Number E911 System Fund, a fund created
1380 in the Division of State Technology Program, or other office as
1381 designated by the Secretary of Management Services.
1382 Section 25. Subsection (4) of section 445.011, Florida
1383 Statutes, is amended to read:
1384 445.011 Workforce information systems.—
1385 (4) CareerSource Florida, Inc., shall coordinate
1386 development and implementation of workforce information systems
1387 with the state chief information officer executive director of
1388 the Agency for State Technology to ensure compatibility with the
1389 state’s information system strategy and enterprise architecture.
1390 Section 26. Subsection (2) and paragraphs (a) and (b) of
1391 subsection (4) of section 445.045, Florida Statutes, are amended
1392 to read:
1393 445.045 Development of an Internet-based system for
1394 information technology industry promotion and workforce
1395 recruitment.—
1396 (2) CareerSource Florida, Inc., shall coordinate with the
1397 Department of Management Services Agency for State Technology
1398 and the Department of Economic Opportunity to ensure links, as
1399 feasible and appropriate, to existing job information websites
1400 maintained by the state and state agencies and to ensure that
1401 information technology positions offered by the state and state
1402 agencies are posted on the information technology website.
1403 (4)(a) CareerSource Florida, Inc., shall coordinate
1404 development and maintenance of the website under this section
1405 with the state chief information officer executive director of
1406 the Agency for State Technology to ensure compatibility with the
1407 state’s information system strategy and enterprise architecture.
1408 (b) CareerSource Florida, Inc., may enter into an agreement
1409 with the Agency for State Technology, the Department of Economic
1410 Opportunity, or any other public agency with the requisite
1411 information technology expertise for the provision of design,
1412 operating, or other technological services necessary to develop
1413 and maintain the website.
1414 Section 27. Paragraph (b) of subsection (18) of section
1415 668.50, Florida Statutes, is amended to read:
1416 668.50 Uniform Electronic Transaction Act.—
1417 (18) ACCEPTANCE AND DISTRIBUTION OF ELECTRONIC RECORDS BY
1418 GOVERNMENTAL AGENCIES.—
1419 (b) To the extent that a governmental agency uses
1420 electronic records and electronic signatures under paragraph
1421 (a), the Department of Management Services Agency for State
1422 Technology, in consultation with the governmental agency, giving
1423 due consideration to security, may specify:
1424 1. The manner and format in which the electronic records
1425 must be created, generated, sent, communicated, received, and
1426 stored and the systems established for those purposes.
1427 2. If electronic records must be signed by electronic
1428 means, the type of electronic signature required, the manner and
1429 format in which the electronic signature must be affixed to the
1430 electronic record, and the identity of, or criteria that must be
1431 met by, any third party used by a person filing a document to
1432 facilitate the process.
1433 3. Control processes and procedures as appropriate to
1434 ensure adequate preservation, disposition, integrity, security,
1435 confidentiality, and auditability of electronic records.
1436 4. Any other required attributes for electronic records
1437 which are specified for corresponding nonelectronic records or
1438 reasonably necessary under the circumstances.
1439 Section 28. Subsections (4) and (5) of section 943.0415,
1440 Florida Statutes, are amended to read:
1441 943.0415 Cybercrime Office.—There is created within the
1442 Department of Law Enforcement the Cybercrime Office. The office
1443 may:
1444 (4) Provide security awareness training and information to
1445 state agency employees concerning cybersecurity, online sexual
1446 exploitation of children, and security risks, and the
1447 responsibility of employees to comply with policies, standards,
1448 guidelines, and operating procedures adopted by the department
1449 Agency for State Technology.
1450 (5) Consult with the Division of State Technology within
1451 the Department of Management Services Agency for State
1452 Technology in the adoption of rules relating to the information
1453 technology security provisions in s. 282.318.
1454 Section 29. Florida Cybersecurity Task Force.—
1455 (1) The Florida Cybersecurity Task Force, a task force as
1456 defined in s. 20.03(8), Florida Statutes, is created adjunct to
1457 the Department of Management Services to review and conduct an
1458 assessment of the state’s cybersecurity infrastructure,
1459 governance, and operations. Except as otherwise provided in this
1460 section, the task force shall operate in a manner consistent
1461 with s. 20.052, Florida Statutes.
1462 (2) The task force consists of the following members:
1463 (a) The Lieutenant Governor, or his or her designee, who
1464 shall serve as chair of the task force.
1465 (b) A representative of the computer crime center of the
1466 Department of Law Enforcement, appointed by the executive
1467 director of the department.
1468 (c) A representative of the fusion center of the Department
1469 of Law Enforcement, appointed by the executive director of the
1470 department.
1471 (d) The state chief information officer.
1472 (e) The state chief information security officer.
1473 (f) A representative of the Division of Emergency
1474 Management within the Executive Office of the Governor,
1475 appointed by the director of the division.
1476 (g) A representative of the Office of the Chief Inspector
1477 General in the Executive Office of the Governor, appointed by
1478 the Chief Inspector General.
1479 (h) An individual appointed by the President of the Senate.
1480 (i) An individual appointed by the Speaker of the House of
1481 Representatives.
1482 (j) Members of the private sector appointed by the
1483 Governor.
1484 (3) The task force shall convene by October 1, 2019, and
1485 shall meet as necessary, but at least quarterly, at the call of
1486 the chair. The Division of State Technology within the
1487 Department of Management Services shall provide staffing and
1488 administrative support to the task force.
1489 (4) The task force shall:
1490 (a) Recommend methods to secure the state’s network systems
1491 and data, including standardized plans and procedures to
1492 identify developing threats and to prevent unauthorized access
1493 and destruction of data.
1494 (b) Identify and recommend remediation, if necessary, of
1495 high-risk cybersecurity issues facing state government.
1496 (c) Recommend a process to regularly assess cybersecurity
1497 infrastructure and activities of executive branch agencies.
1498 (d) Identify gaps in the state’s overall cybersecurity
1499 infrastructure, governance, and current operations. Based on any
1500 findings of gaps or deficiencies, the task force shall make
1501 recommendations for improvement.
1502 (e) Recommend cybersecurity improvements for the state’s
1503 emergency management and disaster response systems.
1504 (f) Recommend cybersecurity improvements of the state data
1505 center.
1506 (g) Review and recommend improvements relating to the
1507 state’s current operational plans for the response,
1508 coordination, and recovery from a cybersecurity attack.
1509 (5) All executive branch departments and agencies shall
1510 cooperate fully with requests for information made by the task
1511 force.
1512 (6) On or before November 1, 2020, the task force shall
1513 submit a final report of its findings and recommendations to the
1514 Governor, the President of the Senate, and the Speaker of the
1515 House of Representatives.
1516 (7) This section expires January 1, 2021.
1517 Section 30. This act shall take effect July 1, 2019.