Florida Senate - 2022 COMMITTEE AMENDMENT Bill No. SB 1670 Ì397432*Î397432 LEGISLATIVE ACTION Senate . House . . . . . ————————————————————————————————————————————————————————————————— ————————————————————————————————————————————————————————————————— The Committee on Military and Veterans Affairs, Space, and Domestic Security (Hutson) recommended the following: 1 Senate Amendment (with title amendment) 2 3 Delete everything after the enacting clause 4 and insert: 5 Section 1. Paragraph (g) of subsection (3) and paragraph 6 (i) of subsection (4) of section 282.318, Florida Statutes, are 7 amended to read: 8 282.318 Cybersecurity.— 9 (3) The department, acting through the Florida Digital 10 Service, is the lead entity responsible for establishing 11 standards and processes for assessing state agency cybersecurity 12 risks and determining appropriate security measures. Such 13 standards and processes must be consistent with generally 14 accepted technology best practices, including the National 15 Institute for Standards and Technology Cybersecurity Framework, 16 for cybersecurity. The department, acting through the Florida 17 Digital Service, shall adopt rules that mitigate risks; 18 safeguard state agency digital assets, data, information, and 19 information technology resources to ensure availability, 20 confidentiality, and integrity; and support a security 21 governance framework. The department, acting through the Florida 22 Digital Service, shall also: 23 (g) Annually provide cybersecurity training to all state 24 agency technology professionals and employees with access to 25 highly sensitive information which
thatdevelops, assesses, and 26 documents competencies by role and skill level. The training may 27 be provided in collaboration with the Cybercrime Office of the 28 Department of Law Enforcement, a private sector entity, or an 29 institution of the State University System. 30 (4) Each state agency head shall, at a minimum: 31 (i) Provide cybersecurity awareness training to all state 32 agency employees within in the first30 days after commencing 33 employment, and annually thereafter, concerning cybersecurity 34 risks and the responsibility of employees to comply with 35 policies, standards, guidelines, and operating procedures 36 adopted by the state agency to reduce those risks. The training 37 may be provided in collaboration with the Cybercrime Office of 38 the Department of Law Enforcement, a private sector entity, or 39 an institution of the State University System. 40 Section 2. Section 282.3185, Florida Statutes, is created 41 to read: 42 282.3185 Local government cybersecurity.— 43 (1) As used in this section, the term “local government” 44 means any county or municipality. 45 (2) The Florida Digital Service: 46 (a) Shall develop a basic cybersecurity practices training 47 curriculum for local government employees. All local government 48 employees with access to the local government’s network must 49 complete the basic cybersecurity training within 30 days after 50 commencing employment and annually thereafter. 51 (b) Shall develop an advanced cybersecurity training 52 curriculum for local governments which is consistent with the 53 cybersecurity training required under s. 282.318(3)(g). All 54 local government technology professionals and employees with 55 access to highly sensitive information must complete the 56 advanced cybersecurity training within 30 days after commencing 57 employment and annually thereafter. 58 (c) May provide the cybersecurity training required by this 59 subsection in collaboration with the Cybercrime Office of the 60 Department of Law Enforcement, a private sector entity, or an 61 institution of the State University System. 62 Section 3. The Legislature finds and declares that this act 63 fulfills an important state interest. 64 Section 4. This act shall take effect July 1, 2022. 65 66 ================= T I T L E A M E N D M E N T ================ 67 And the title is amended as follows: 68 Delete everything before the enacting clause 69 and insert: 70 A bill to be entitled 71 An act relating to cybersecurity; amending s. 282.318, 72 F.S.; requiring the Department of Management Services, 73 acting through the Florida Digital Service, to provide 74 annual cybersecurity training to certain persons; 75 requiring state agency heads to annually provide 76 cybersecurity awareness training to certain persons; 77 creating s. 282.3185, F.S.; defining the term “local 78 government”; requiring the Florida Digital Service to 79 develop certain cybersecurity training curricula; 80 requiring certain persons to complete certain training 81 within a specified period and annually thereafter; 82 authorizing the Florida Digital Service to provide 83 certain training in collaboration with certain 84 entities; providing a declaration of important state 85 interest; providing an effective date.