Florida Senate - 2022 CS for SB 1670 By the Committee on Military and Veterans Affairs, Space, and Domestic Security; and Senator Hutson 583-02823-22 20221670c1 1 A bill to be entitled 2 An act relating to cybersecurity; amending s. 282.318, 3 F.S.; requiring the Department of Management Services, 4 acting through the Florida Digital Service, to provide 5 annual cybersecurity training to certain persons; 6 requiring state agency heads to annually provide 7 cybersecurity awareness training to certain persons; 8 creating s. 282.3185, F.S.; defining the term “local 9 government”; requiring the Florida Digital Service to 10 develop certain cybersecurity training curricula; 11 requiring certain persons to complete certain training 12 within a specified period and annually thereafter; 13 authorizing the Florida Digital Service to provide 14 certain training in collaboration with certain 15 entities; providing a declaration of important state 16 interest; providing an effective date. 17 18 Be It Enacted by the Legislature of the State of Florida: 19 20 Section 1. Paragraph (g) of subsection (3) and paragraph 21 (i) of subsection (4) of section 282.318, Florida Statutes, are 22 amended to read: 23 282.318 Cybersecurity.— 24 (3) The department, acting through the Florida Digital 25 Service, is the lead entity responsible for establishing 26 standards and processes for assessing state agency cybersecurity 27 risks and determining appropriate security measures. Such 28 standards and processes must be consistent with generally 29 accepted technology best practices, including the National 30 Institute for Standards and Technology Cybersecurity Framework, 31 for cybersecurity. The department, acting through the Florida 32 Digital Service, shall adopt rules that mitigate risks; 33 safeguard state agency digital assets, data, information, and 34 information technology resources to ensure availability, 35 confidentiality, and integrity; and support a security 36 governance framework. The department, acting through the Florida 37 Digital Service, shall also: 38 (g) Annually provide cybersecurity training to all state 39 agency technology professionals and employees with access to 40 highly sensitive information which
thatdevelops, assesses, and 41 documents competencies by role and skill level. The training may 42 be provided in collaboration with the Cybercrime Office of the 43 Department of Law Enforcement, a private sector entity, or an 44 institution of the State University System. 45 (4) Each state agency head shall, at a minimum: 46 (i) Provide cybersecurity awareness training to all state 47 agency employees within in the first30 days after commencing 48 employment, and annually thereafter, concerning cybersecurity 49 risks and the responsibility of employees to comply with 50 policies, standards, guidelines, and operating procedures 51 adopted by the state agency to reduce those risks. The training 52 may be provided in collaboration with the Cybercrime Office of 53 the Department of Law Enforcement, a private sector entity, or 54 an institution of the State University System. 55 Section 2. Section 282.3185, Florida Statutes, is created 56 to read: 57 282.3185 Local government cybersecurity.— 58 (1) As used in this section, the term “local government” 59 means any county or municipality. 60 (2) The Florida Digital Service: 61 (a) Shall develop a basic cybersecurity practices training 62 curriculum for local government employees. All local government 63 employees with access to the local government’s network must 64 complete the basic cybersecurity training within 30 days after 65 commencing employment and annually thereafter. 66 (b) Shall develop an advanced cybersecurity training 67 curriculum for local governments which is consistent with the 68 cybersecurity training required under s. 282.318(3)(g). All 69 local government technology professionals and employees with 70 access to highly sensitive information must complete the 71 advanced cybersecurity training within 30 days after commencing 72 employment and annually thereafter. 73 (c) May provide the cybersecurity training required by this 74 subsection in collaboration with the Cybercrime Office of the 75 Department of Law Enforcement, a private sector entity, or an 76 institution of the State University System. 77 Section 3. The Legislature finds and declares that this act 78 fulfills an important state interest. 79 Section 4. This act shall take effect July 1, 2022.