Florida Senate - 2022                             CS for SB 1670
       
       
        
       By the Committee on Military and Veterans Affairs, Space, and
       Domestic Security; and Senator Hutson
       
       
       
       
       583-02823-22                                          20221670c1
    1                        A bill to be entitled                      
    2         An act relating to cybersecurity; amending s. 282.318,
    3         F.S.; requiring the Department of Management Services,
    4         acting through the Florida Digital Service, to provide
    5         annual cybersecurity training to certain persons;
    6         requiring state agency heads to annually provide
    7         cybersecurity awareness training to certain persons;
    8         creating s. 282.3185, F.S.; defining the term “local
    9         government”; requiring the Florida Digital Service to
   10         develop certain cybersecurity training curricula;
   11         requiring certain persons to complete certain training
   12         within a specified period and annually thereafter;
   13         authorizing the Florida Digital Service to provide
   14         certain training in collaboration with certain
   15         entities; providing a declaration of important state
   16         interest; providing an effective date.
   17          
   18  Be It Enacted by the Legislature of the State of Florida:
   19  
   20         Section 1. Paragraph (g) of subsection (3) and paragraph
   21  (i) of subsection (4) of section 282.318, Florida Statutes, are
   22  amended to read:
   23         282.318 Cybersecurity.—
   24         (3) The department, acting through the Florida Digital
   25  Service, is the lead entity responsible for establishing
   26  standards and processes for assessing state agency cybersecurity
   27  risks and determining appropriate security measures. Such
   28  standards and processes must be consistent with generally
   29  accepted technology best practices, including the National
   30  Institute for Standards and Technology Cybersecurity Framework,
   31  for cybersecurity. The department, acting through the Florida
   32  Digital Service, shall adopt rules that mitigate risks;
   33  safeguard state agency digital assets, data, information, and
   34  information technology resources to ensure availability,
   35  confidentiality, and integrity; and support a security
   36  governance framework. The department, acting through the Florida
   37  Digital Service, shall also:
   38         (g) Annually provide cybersecurity training to all state
   39  agency technology professionals and employees with access to
   40  highly sensitive information which that develops, assesses, and
   41  documents competencies by role and skill level. The training may
   42  be provided in collaboration with the Cybercrime Office of the
   43  Department of Law Enforcement, a private sector entity, or an
   44  institution of the State University System.
   45         (4) Each state agency head shall, at a minimum:
   46         (i) Provide cybersecurity awareness training to all state
   47  agency employees within in the first 30 days after commencing
   48  employment, and annually thereafter, concerning cybersecurity
   49  risks and the responsibility of employees to comply with
   50  policies, standards, guidelines, and operating procedures
   51  adopted by the state agency to reduce those risks. The training
   52  may be provided in collaboration with the Cybercrime Office of
   53  the Department of Law Enforcement, a private sector entity, or
   54  an institution of the State University System.
   55         Section 2. Section 282.3185, Florida Statutes, is created
   56  to read:
   57         282.3185 Local government cybersecurity.—
   58         (1) As used in this section, the term “local government”
   59  means any county or municipality.
   60         (2) The Florida Digital Service:
   61         (a) Shall develop a basic cybersecurity practices training
   62  curriculum for local government employees. All local government
   63  employees with access to the local government’s network must
   64  complete the basic cybersecurity training within 30 days after
   65  commencing employment and annually thereafter.
   66         (b) Shall develop an advanced cybersecurity training
   67  curriculum for local governments which is consistent with the
   68  cybersecurity training required under s. 282.318(3)(g). All
   69  local government technology professionals and employees with
   70  access to highly sensitive information must complete the
   71  advanced cybersecurity training within 30 days after commencing
   72  employment and annually thereafter.
   73         (c) May provide the cybersecurity training required by this
   74  subsection in collaboration with the Cybercrime Office of the
   75  Department of Law Enforcement, a private sector entity, or an
   76  institution of the State University System.
   77         Section 3. The Legislature finds and declares that this act
   78  fulfills an important state interest.
   79         Section 4. This act shall take effect July 1, 2022.