Florida Senate - 2021 SB 1900
By Senator Boyd
21-01791B-21 20211900__
1 A bill to be entitled
2 An act relating to cybersecurity; amending s. 20.055,
3 F.S.; requiring certain audit plans of an inspector
4 general to include certain information; amending s.
5 282.0041, F.S.; revising and providing definitions;
6 amending ss. 282.0051, 282.201, and 282.206, F.S.;
7 revising provisions to replace references to
8 information technology security with cybersecurity;
9 amending s. 282.318, F.S.; revising provisions to
10 replace references to information technology security
11 and computer security with references to
12 cybersecurity; revising a short title; providing that
13 the Department of Management Services, acting through
14 the Florida Digital Service, is the lead entity for
15 the purpose of certain responsibilities; providing and
16 revising requirements for the department, acting
17 through the Florida Digital Service; providing that
18 certain employees shall be assigned to selected exempt
19 service; providing that the state chief information
20 security officer is responsible for state technology
21 systems and must notify the Governor of certain
22 incidents and threats; revising requirements for state
23 agency heads; requiring the department, through the
24 Florida Digital Service, to track the implementation
25 by state agencies of certain plans; creating 282.319,
26 F.S.; creating the Florida Cybersecurity Advisory
27 Council within the Department of Management Services;
28 providing the purpose of the council; requiring the
29 council to provide certain assistance to the Florida
30 Digital Service; providing for the membership of the
31 council; providing for terms of council members;
32 providing that the Secretary of Management Services,
33 or his or her designee, shall serve as the ex officio
34 executive director of the council; providing that
35 members shall serve without compensation but are
36 entitled to reimbursement for per diem and travel
37 expenses; requiring the council to meet at least
38 quarterly for certain purposes; requiring the council
39 to submit an annual report to the Governor and
40 Legislature; amending s. 943.0415, F.S., conforming
41 provisions to changes made by the act; providing an
42 effective date.
43
44 Be It Enacted by the Legislature of the State of Florida:
45
46 Section 1. Paragraph (i) of subsection (6) of section
47 20.055, Florida Statutes, is amended to read:
48 20.055 Agency inspectors general.—
49 (6) In carrying out the auditing duties and
50 responsibilities of this act, each inspector general shall
51 review and evaluate internal controls necessary to ensure the
52 fiscal accountability of the state agency. The inspector general
53 shall conduct financial, compliance, electronic data processing,
54 and performance audits of the agency and prepare audit reports
55 of his or her findings. The scope and assignment of the audits
56 shall be determined by the inspector general; however, the
57 agency head may at any time request the inspector general to
58 perform an audit of a special program, function, or
59 organizational unit. The performance of the audit shall be under
60 the direction of the inspector general, except that if the
61 inspector general does not possess the qualifications specified
62 in subsection (4), the director of auditing shall perform the
63 functions listed in this subsection.
64 (i) The inspector general shall develop long-term and
65 annual audit plans based on the findings of periodic risk
66 assessments. The plan, where appropriate, should include
67 postaudit samplings of payments and accounts. The plan shall
68 show the individual audits to be conducted during each year and
69 related resources to be devoted to the respective audits. The
70 plan shall include a specific cybersecurity audit plan. The
71 Chief Financial Officer, to assist in fulfilling the
72 responsibilities for examining, auditing, and settling accounts,
73 claims, and demands pursuant to s. 17.03(1), and examining,
74 auditing, adjusting, and settling accounts pursuant to s. 17.04,
75 may use audits performed by the inspectors general and internal
76 auditors. For state agencies under the jurisdiction of the
77 Governor, the audit plans shall be submitted to the Chief
78 Inspector General. The plan shall be submitted to the agency
79 head for approval. A copy of the approved plan shall be
80 submitted to the Auditor General.
81 Section 2. Present subsections (8) through (21) of section
82 282.0041, Florida Statutes, are redesignated as subsections (9)
83 through (22), respectively, present subsection (22) is amended,
84 and a new subsection (8) is added to that section, to read:
85 282.0041 Definitions.—As used in this chapter, the term:
86 (8) “Cybersecurity” means the protection afforded to
87 information technology resources from unauthorized access or
88 criminal use by ensuring the confidentiality, integrity, and
89 availability of data and information.
90 (22) “Information technology security” means the protection
91 afforded to an automated information system in order to attain
92 the applicable objectives of preserving the integrity,
93 availability, and confidentiality of data, information, and
94 information technology resources.
95 Section 3. Paragraph (j) of subsection (1) of section
96 282.0051, Florida Statutes, is amended to read:
97 282.0051 Department of Management Services; Florida Digital
98 Service; powers, duties, and functions.—
99 (1) The Florida Digital Service has been created within the
100 department to propose innovative solutions that securely
101 modernize state government, including technology and information
102 services, to achieve value through digital transformation and
103 interoperability, and to fully support the cloud-first policy as
104 specified in s. 282.206. The department, through the Florida
105 Digital Service, shall have the following powers, duties, and
106 functions:
107 (j) Provide operational management and oversight of the
108 state data center established pursuant to s. 282.201, which
109 includes:
110 1. Implementing industry standards and best practices for
111 the state data center’s facilities, operations, maintenance,
112 planning, and management processes.
113 2. Developing and implementing cost-recovery mechanisms
114 that recover the full direct and indirect cost of services
115 through charges to applicable customer entities. Such cost
116 recovery mechanisms must comply with applicable state and
117 federal regulations concerning distribution and use of funds and
118 must ensure that, for any fiscal year, no service or customer
119 entity subsidizes another service or customer entity. The
120 Florida Digital Service may recommend other payment mechanisms
121 to the Executive Office of the Governor, the President of the
122 Senate, and the Speaker of the House of Representatives. Such
123 mechanism may be implemented only if specifically authorized by
124 the Legislature.
125 3. Developing and implementing appropriate operating
126 guidelines and procedures necessary for the state data center to
127 perform its duties pursuant to s. 282.201. The guidelines and
128 procedures must comply with applicable state and federal laws,
129 regulations, and policies and conform to generally accepted
130 governmental accounting and auditing standards. The guidelines
131 and procedures must include, but need not be limited to:
132 a. Implementing a consolidated administrative support
133 structure responsible for providing financial management,
134 procurement, transactions involving real or personal property,
135 human resources, and operational support.
136 b. Implementing an annual reconciliation process to ensure
137 that each customer entity is paying for the full direct and
138 indirect cost of each service as determined by the customer
139 entity’s use of each service.
140 c. Providing rebates that may be credited against future
141 billings to customer entities when revenues exceed costs.
142 d. Requiring customer entities to validate that sufficient
143 funds exist in the appropriate data processing appropriation
144 category or will be transferred into the appropriate data
145 processing appropriation category before implementation of a
146 customer entity’s request for a change in the type or level of
147 service provided, if such change results in a net increase to
148 the customer entity’s cost for that fiscal year.
149 e. By November 15 of each year, providing to the Office of
150 Policy and Budget in the Executive Office of the Governor and to
151 the chairs of the legislative appropriations committees the
152 projected costs of providing data center services for the
153 following fiscal year.
154 f. Providing a plan for consideration by the Legislative
155 Budget Commission if the cost of a service is increased for a
156 reason other than a customer entity’s request made pursuant to
157 sub-subparagraph d. Such a plan is required only if the service
158 cost increase results in a net increase to a customer entity for
159 that fiscal year.
160 g. Standardizing and consolidating procurement and
161 contracting practices.
162 4. In collaboration with the Department of Law Enforcement,
163 developing and implementing a process for detecting, reporting,
164 and responding to cybersecurity information technology security
165 incidents, breaches, and threats.
166 5. Adopting rules relating to the operation of the state
167 data center, including, but not limited to, budgeting and
168 accounting procedures, cost-recovery methodologies, and
169 operating procedures.
170 Section 4. Paragraph (g) of subsection (1) of section
171 282.201, Florida Statutes, is amended to read:
172 282.201 State data center.—The state data center is
173 established within the department. The provision of data center
174 services must comply with applicable state and federal laws,
175 regulations, and policies, including all applicable security,
176 privacy, and auditing requirements. The department shall appoint
177 a director of the state data center, preferably an individual
178 who has experience in leading data center facilities and has
179 expertise in cloud-computing management.
180 (1) STATE DATA CENTER DUTIES.—The state data center shall:
181 (g) In its procurement process, show preference for cloud
182 computing solutions that minimize or do not require the
183 purchasing, financing, or leasing of state data center
184 infrastructure, and that meet the needs of customer agencies,
185 that reduce costs, and that meet or exceed the applicable state
186 and federal laws, regulations, and standards for cybersecurity
187 information technology security.
188 Section 5. Subsection (2) of section 282.206, Florida
189 Statutes, is amended to read:
190 282.206 Cloud-first policy in state agencies.—
191 (2) In its procurement process, each state agency shall
192 show a preference for cloud-computing solutions that either
193 minimize or do not require the use of state data center
194 infrastructure when cloud-computing solutions meet the needs of
195 the agency, reduce costs, and meet or exceed the applicable
196 state and federal laws, regulations, and standards for
197 cybersecurity information technology security.
198 Section 6. Section 282.318, Florida Statutes, is amended to
199 read:
200 282.318 Cybersecurity Security of data and information
201 technology.—
202 (1) This section may be cited as the “Florida State
203 Cybersecurity Act.” “Information Technology Security Act.”
204 (2) As used in this section, the term “state agency” has
205 the same meaning as provided in s. 282.0041, except that the
206 term includes the Department of Legal Affairs, the Department of
207 Agriculture and Consumer Services, and the Department of
208 Financial Services.
209 (3) The department, acting through the Florida Digital
210 Service, is the lead entity responsible for establishing
211 standards and processes for assessing state agency cybersecurity
212 risks and determining appropriate security measures. Such
213 standards and processes must be consistent with generally
214 accepted technology best practices, including the National
215 Institute for Standards and Technology Cybersecurity Framework,
216 for cybersecurity. This shall include information technology
217 security, to include cybersecurity, and adopting rules that
218 mitigate risk; safeguard the state’s digital assets and agency
219 an agency’s data, information, and information technology
220 resources to ensure availability, confidentiality, and
221 integrity; and support a centralized security governance and to
222 mitigate risks. The department, acting through the Florida
223 Digital Service, shall also:
224 (a) Designate an employee of the Florida Digital Service as
225 the state chief information security officer. The state chief
226 information security officer must have experience and expertise
227 in security and risk management for communications and
228 information technology resources. The employees under the
229 direction of the state chief information security officer shall
230 be assigned to selected exempt service. The state chief
231 information security officer is responsible for the development,
232 operation, and management of cybersecurity for state technology
233 systems. The state chief information security officer must have
234 a direct communication channel to the Governor, or his or her
235 designee, related to risk assessments, threat monitoring,
236 detection, and response activities of suspected or confirmed
237 cyber incidents or threats.
238 (b) Develop, and annually update by February 1, a statewide
239 cybersecurity information technology security strategic plan
240 that includes security goals and objectives for cybersecurity,
241 including the identification and mitigation of risk, proactive
242 protections against threats, tactical risk detection, threat
243 reporting, and response and recovery protocols for a cyber
244 incident the strategic issues of information technology security
245 policy, risk management, training, incident management, and
246 disaster recovery planning.
247 (c) Develop and publish for use by state agencies a
248 centralized cybersecurity governance an information technology
249 security framework that, at a minimum, includes guidelines and
250 processes for:
251 1. Establishing asset management procedures to ensure that
252 an agency’s information technology resources are identified and
253 managed consistent with their relative importance to the
254 agency’s business objectives.
255 2. Using a standard risk assessment methodology that
256 includes the identification of an agency’s priorities,
257 constraints, risk tolerances, and assumptions necessary to
258 support operational risk decisions.
259 3. Completing comprehensive risk assessments and
260 cybersecurity information technology security audits, which may
261 be completed by a private sector vendor, and submitting
262 completed assessments and audits to the department.
263 4. Identifying protection procedures to manage the
264 protection of an agency’s information, data, and information
265 technology resources.
266 5. Establishing procedures for accessing information and
267 data to ensure the confidentiality, integrity, and availability
268 of such information and data.
269 6. Detecting threats through proactive monitoring of
270 events, continuous security monitoring, and defined detection
271 processes.
272 7. Establishing agency cybersecurity computer security
273 incident response teams and describing their responsibilities
274 for responding to cybersecurity information technology security
275 incidents, including breaches of personal information containing
276 confidential or exempt data.
277 8. Recovering information and data in response to a
278 cybersecurity an information technology security incident. The
279 recovery may include recommended improvements to the agency
280 processes, policies, or guidelines.
281 9. Establishing a cybersecurity an information technology
282 security incident reporting process that includes procedures and
283 tiered reporting timeframes for notifying the department and the
284 Department of Law Enforcement of cybersecurity information
285 technology security incidents. The tiered reporting timeframes
286 shall be based upon the level of severity of the cybersecurity
287 information technology security incidents being reported.
288 10. Incorporating information obtained through detection
289 and response activities into the agency’s cybersecurity
290 information technology security incident response plans.
291 11. Developing agency strategic and operational
292 cybersecurity information technology security plans required
293 pursuant to this section.
294 12. Establishing the managerial, operational, and technical
295 safeguards for protecting state government data and information
296 technology resources that align with the state agency risk
297 management strategy and that protect the confidentiality,
298 integrity, and availability of information and data.
299 (d) Assist state agencies in complying with this section.
300 (e) In collaboration with the Cybercrime Office of the
301 Department of Law Enforcement, annually provide training for
302 state agency information security managers and computer security
303 incident response team members that contains training on
304 cybersecurity information technology security, including
305 cybersecurity, threats, trends, and best practices.
306 (f) Annually review the strategic and operational
307 cybersecurity information technology security plans of executive
308 branch agencies.
309 (g) Provide training to all state agency technology
310 professionals which develops, assesses, and documents
311 competencies by role and skill level. The training may be
312 provided in collaboration with the Cybercrime Office of the
313 Department of Law Enforcement, a private sector entity, or a
314 state university.
315 (h) Operate and maintain a Cybersecurity Operations Center
316 led by the state chief information security officer, which must
317 be primarily virtual and staffed with tactical detection and
318 incident response personnel. The Cybersecurity Operations Center
319 shall serve as a clearinghouse for threat information and will
320 coordinate with the Department of Law Enforcement to support
321 state agencies and their response to any confirmed or suspected
322 cybersecurity incident.
323 (i) Lead an emergency support function at the State
324 Emergency Operations Center.
325 (j) In consultation with the Department of Law Enforcement,
326 have the authority to intervene in any confirmed or suspected
327 cybersecurity incident of a state agency.
328 (4) Each state agency head shall, at a minimum:
329 (a) Designate an information security manager to administer
330 the cybersecurity information technology security program of the
331 state agency. This designation must be provided annually in
332 writing to the department by January 1. A state agency’s
333 cybersecurity information security manager, for purposes of
334 these information security duties, shall report directly to the
335 agency head. The agency information security manager shall, at a
336 minimum, provide an asset management report detailing the
337 agency’s information technology resources to the state chief
338 information officer and chief information security officer
339 annually.
340 (b) In consultation with the department, through the
341 Florida Digital Service, and the Cybercrime Office of the
342 Department of Law Enforcement, establish an agency cybersecurity
343 computer security incident response team to respond to a
344 cybersecurity an information technology security incident. The
345 agency cybersecurity computer security incident response team
346 shall convene upon notification of a cybersecurity an
347 information technology security incident and must immediately
348 report all confirmed or suspected incidents to the state chief
349 information security officer, or his or her designee, and comply
350 with all applicable guidelines and processes established
351 pursuant to paragraph (3)(c).
352 (c) Submit to the department annually by July 31, the state
353 agency’s strategic and operational cybersecurity information
354 technology security plans developed pursuant to rules and
355 guidelines established by the department through the Florida
356 Digital Service.
357 1. The state agency strategic cybersecurity information
358 technology security plan must cover a 3-year period and, at a
359 minimum, define security goals, intermediate objectives, and
360 projected agency costs for the strategic issues of agency
361 information security policy, risk management, security training,
362 security incident response, and disaster recovery. The plan must
363 be based on the statewide cybersecurity information technology
364 security strategic plan created by the department and include
365 performance metrics that can be objectively measured to reflect
366 the status of the state agency’s progress in meeting security
367 goals and objectives identified in the agency’s strategic
368 information security plan.
369 2. The state agency operational cybersecurity information
370 technology security plan must include a progress report that
371 objectively measures progress made towards the prior operational
372 cybersecurity information technology security plan and a project
373 plan that includes activities, timelines, and deliverables for
374 security objectives that the state agency will implement during
375 the current fiscal year.
376 (d) Conduct, and update every 3 years, a comprehensive risk
377 assessment annually, which may be completed by a private sector
378 vendor, to determine the security threats to the data,
379 information, and information technology resources, including
380 mobile devices and print environments, of the agency. The risk
381 assessment must comply with the risk assessment methodology
382 developed by the department and is confidential and exempt from
383 s. 119.07(1), except that such information shall be available to
384 the Auditor General, the Florida Digital Service within the
385 department, the Cybercrime Office of the Department of Law
386 Enforcement, and, for state agencies under the jurisdiction of
387 the Governor, the Chief Inspector General. If a private sector
388 vendor is used to complete this requirement, it must attest to
389 the validity of the risk assessment findings.
390 (e) Develop, and periodically update, written internal
391 policies and procedures, which include procedures for reporting
392 cybersecurity information technology security incidents and
393 breaches to the Cybercrime Office of the Department of Law
394 Enforcement and the Florida Digital Service within the
395 department. Such policies and procedures must be consistent with
396 the rules, guidelines, and processes established by the
397 department to ensure the security of the data, information, and
398 information technology resources of the agency. The internal
399 policies and procedures that, if disclosed, could facilitate the
400 unauthorized modification, disclosure, or destruction of data or
401 information technology resources are confidential information
402 and exempt from s. 119.07(1), except that such information shall
403 be available to the Auditor General, the Cybercrime Office of
404 the Department of Law Enforcement, the Florida Digital Service
405 within the department, and, for state agencies under the
406 jurisdiction of the Governor, the Chief Inspector General.
407 (f) Implement managerial, operational, and technical
408 safeguards and risk assessment remediation plans recommended by
409 the department to address identified risks to the data,
410 information, and information technology resources of the agency.
411 The department, through the Florida Digital Service, shall track
412 implementation by state agencies upon development of such
413 remediation plans in coordination with agency inspectors
414 general.
415 (g) Ensure that periodic internal audits and evaluations of
416 the agency’s cybersecurity information technology security
417 program for the data, information, and information technology
418 resources of the agency are conducted. The results of such
419 audits and evaluations are confidential information and exempt
420 from s. 119.07(1), except that such information shall be
421 available to the Auditor General, the Cybercrime Office of the
422 Department of Law Enforcement, the Florida Digital Service
423 within the department, and, for agencies under the jurisdiction
424 of the Governor, the Chief Inspector General.
425 (h) Ensure that the information technology security and
426 cybersecurity requirements in both the written specifications
427 for the solicitation, contracts, and service-level agreement of
428 information technology and information technology resources and
429 services meet or exceed the applicable state and federal laws,
430 regulations, and standards for information technology security
431 and cybersecurity. Service-level agreements must identify
432 service provider and state agency responsibilities for privacy
433 and security, protection of government data, personnel
434 background screening, and security deliverables with associated
435 frequencies.
436 (i) Provide information technology security and
437 cybersecurity awareness training, as approved by the Florida
438 Digital Service, to all state agency employees in the first 30
439 days after commencing employment concerning cybersecurity
440 information technology security risks and the responsibility of
441 employees to comply with policies, standards, guidelines, and
442 operating procedures adopted by the state agency to reduce those
443 risks. The training may be provided in collaboration with the
444 Cybercrime Office of the Department of Law Enforcement, a
445 private sector entity, or a state university.
446 (j) Develop a process for detecting, reporting, and
447 responding to threats, breaches, or cybersecurity information
448 technology security incidents which is consistent with the
449 security rules, guidelines, and processes established by the
450 department.
451 1. All cybersecurity information technology security
452 incidents and breaches must be reported to the Florida Digital
453 Service within the department and the Cybercrime Office of the
454 Department of Law Enforcement and must comply with the
455 notification procedures and reporting timeframes established
456 pursuant to paragraph (3)(c).
457 2. For cybersecurity information technology security
458 breaches, state agencies shall provide notice in accordance with
459 s. 501.171.
460 (5) Portions of records held by a state agency which
461 contain network schematics, hardware and software
462 configurations, or encryption, or which identify detection,
463 investigation, or response practices for suspected or confirmed
464 cybersecurity information technology security incidents,
465 including suspected or confirmed breaches, are confidential and
466 exempt from s. 119.07(1) and s. 24(a), Art. I of the State
467 Constitution, if the disclosure of such records would facilitate
468 unauthorized access to or the unauthorized modification,
469 disclosure, or destruction of:
470 (a) Data or information, whether physical or virtual; or
471 (b) Information technology resources, which includes:
472 1. Information relating to the security of the agency’s
473 technologies, processes, and practices designed to protect
474 networks, computers, data processing software, and data from
475 attack, damage, or unauthorized access; or
476 2. Security information, whether physical or virtual, which
477 relates to the agency’s existing or proposed information
478 technology systems.
479 (6) The portions of risk assessments, evaluations, external
480 audits, and other reports of a state agency’s cybersecurity
481 information technology security program for the data,
482 information, and information technology resources of the state
483 agency which are held by a state agency are confidential and
484 exempt from s. 119.07(1) and s. 24(a), Art. I of the State
485 Constitution if the disclosure of such portions of records would
486 facilitate unauthorized access to or the unauthorized
487 modification, disclosure, or destruction of:
488 (a) Data or information, whether physical or virtual; or
489 (b) Information technology resources, which include:
490 1. Information relating to the security of the agency’s
491 technologies, processes, and practices designed to protect
492 networks, computers, data processing software, and data from
493 attack, damage, or unauthorized access; or
494 2. Security information, whether physical or virtual, which
495 relates to the agency’s existing or proposed information
496 technology systems.
497
498 For purposes of this subsection, “external audit” means an audit
499 that is conducted by an entity other than the state agency that
500 is the subject of the audit.
501 (7) Those portions of a public meeting as specified in s.
502 286.011 which would reveal records which are confidential and
503 exempt under subsection (5) or subsection (6) are exempt from s.
504 286.011 and s. 24(b), Art. I of the State Constitution. No
505 exempt portion of an exempt meeting may be off the record. All
506 exempt portions of such meeting shall be recorded and
507 transcribed. Such recordings and transcripts are confidential
508 and exempt from disclosure under s. 119.07(1) and s. 24(a), Art.
509 I of the State Constitution unless a court of competent
510 jurisdiction, after an in camera review, determines that the
511 meeting was not restricted to the discussion of data and
512 information made confidential and exempt by this section. In the
513 event of such a judicial determination, only that portion of the
514 recording and transcript which reveals nonexempt data and
515 information may be disclosed to a third party.
516 (8) The portions of records made confidential and exempt in
517 subsections (5), (6), and (7) shall be available to the Auditor
518 General, the Cybercrime Office of the Department of Law
519 Enforcement, the Florida Digital Service within the department,
520 and, for agencies under the jurisdiction of the Governor, the
521 Chief Inspector General. Such portions of records may be made
522 available to a local government, another state agency, or a
523 federal agency for cybersecurity information technology security
524 purposes or in furtherance of the state agency’s official
525 duties.
526 (9) The exemptions contained in subsections (5), (6), and
527 (7) apply to records held by a state agency before, on, or after
528 the effective date of this exemption.
529 (10) Subsections (5), (6), and (7) are subject to the Open
530 Government Sunset Review Act in accordance with s. 119.15 and
531 shall stand repealed on October 2, 2025, unless reviewed and
532 saved from repeal through reenactment by the Legislature.
533 (11) The department shall adopt rules relating to
534 cybersecurity information technology security and to administer
535 this section.
536 Section 7. Section 282.319, Florida Statutes, is created to
537 read:
538 282.319 Florida Cybersecurity Advisory Council.—
539 (1) The Florida Cybersecurity Advisory Council, an advisory
540 council as defined in s. 20.03(7), is created within the
541 department. Except as otherwise provided in this section, the
542 advisory council shall operate in a manner consistent with s.
543 20.052.
544 (2) The purpose of the council is to assist the state in
545 protecting the state’s information technology resources from
546 cyber threats and incidents.
547 (3) The council shall assist the Florida Digital Service in
548 implementing best cybersecurity practices, taking into
549 consideration the final recommendations of the Florida
550 Cybersecurity Task Force.
551 (4) The council shall be comprised of the following
552 members:
553 (a) The Lieutenant Governor or his or her designee.
554 (b) The state chief information officer.
555 (c) The state chief information security officer.
556 (d) The director of the Division of Emergency Management or
557 his or her designee.
558 (e) A representative of the computer crime center of the
559 Department of Law Enforcement, appointed by the executive
560 director of the department.
561 (f) A representative of the Florida Fusion Center of the
562 Department of Law Enforcement, appointed by the executive
563 director of the department.
564 (g) The Chief Inspector General.
565 (h) Six members of the private sector with experience in
566 cybersecurity mitigation or response, with two appointed by the
567 Governor, two appointed by the President of the Senate, and two
568 appointed by the Speaker of the House of Representatives.
569 (5) Members shall serve for a term of 4 years; however, for
570 the purpose of providing staggered terms, the initial
571 appointments made by the President of the Senate and the Speaker
572 of the House of Representatives shall be for a term of 2 years.
573 A vacancy shall be filled for the remainder of the unexpired
574 term in the same manner as the initial appointment. All members
575 of the council are eligible for reappointment.
576 (6) The Secretary of Management Services, or his or her
577 designee, shall serve as the ex officio, nonvoting executive
578 director of the council.
579 (7) Members of the council shall serve without compensation
580 but are entitled to receive reimbursement for per diem and
581 travel expenses pursuant to s. 112.061.
582 (8) The council shall meet at least quarterly to:
583 (a) Review existing state agency cybersecurity policies.
584 (b) Assess ongoing risks to state agency information
585 technology.
586 (c) Recommend a method to notify state agencies of new
587 risks.
588 (d) Recommend data breach simulation exercises.
589 (e) Assist the Florida Digital Service in developing
590 cybersecurity best practice recommendations for state agencies
591 which include recommendations regarding:
592 1. Continuous risk monitoring.
593 2. Password management.
594 3. Protecting data in legacy and new systems.
595 (f) Examine inconsistencies between state and federal law
596 regarding cybersecurity.
597 (9) Beginning June 30, 2022, and each June 30 thereafter,
598 the council shall submit a report to the Governor, the President
599 of the Senate, and the Speaker of the House of Representatives
600 outlining any recommendations considered necessary by the
601 council to address cybersecurity.
602 Section 8. Section 943.0415, Florida Statutes, is amended
603 to read:
604 943.0415 Cybercrime Office.—There is created within the
605 Department of Law Enforcement the Cybercrime Office. The office
606 may:
607 (1) Investigate violations of state law pertaining to the
608 sexual exploitation of children which are facilitated by or
609 connected to the use of any device capable of storing electronic
610 data.
611 (2) Monitor state information technology resources and
612 provide analysis on cybersecurity information technology
613 security incidents, threats, and breaches as defined in s.
614 282.0041.
615 (3) Investigate violations of state law pertaining to
616 cybersecurity information technology security incidents pursuant
617 to s. 282.0041 and assist in incident response and recovery.
618 (4) Provide security awareness training and information to
619 state agency employees concerning cybersecurity, online sexual
620 exploitation of children, and security risks, and the
621 responsibility of employees to comply with policies, standards,
622 guidelines, and operating procedures adopted by the department.
623 (5) Consult with the Florida Digital Service within the
624 Department of Management Services in the adoption of rules
625 relating to the cybersecurity information technology security
626 provisions in s. 282.318.
627 Section 9. This act shall take effect July 1, 2021.