Florida Senate - 2022 CS for CS for SB 1670 By the Committees on Appropriations; and Military and Veterans Affairs, Space, and Domestic Security; and Senator Hutson 576-03523-22 20221670c2 1 A bill to be entitled 2 An act relating to cybersecurity; amending s. 3 282.0041, F.S.; revising a definition and defining the 4 term “ransomware incident”; amending s. 282.318, F.S.; 5 requiring the Department of Management Services, 6 acting through the Florida Digital Service, to develop 7 and publish guidelines and processes for reporting 8 cybersecurity incidents; requiring state agencies to 9 report ransomware incidents and certain cybersecurity 10 incidents to certain entities within specified 11 timeframes; requiring the Cybersecurity Operations 12 Center to provide certain notifications to the 13 Legislature within a specified timeframe; requiring 14 the Cybersecurity Operations Center to quarterly 15 provide certain reports to the Legislature and the 16 Florida Cybersecurity Advisory Council; requiring the 17 department, acting through the Florida Digital 18 Service, to develop and publish guidelines and 19 processes by a specified date for submitting after 20 action reports and annually provide cybersecurity 21 training to certain persons; requiring state agency 22 heads to annually provide cybersecurity awareness 23 training to certain persons; requiring state agencies 24 to report cybersecurity incidents and ransomware 25 incidents in compliance with certain procedures and 26 timeframes; requiring state agency heads to submit 27 certain after-action reports to the Florida Digital 28 Service within a specified timeframe; creating s. 29 282.3185, F.S.; providing a short title; defining the 30 term “local government”; requiring the Florida Digital 31 Service to develop certain cybersecurity training 32 curricula; requiring certain persons to complete 33 certain cybersecurity training within a specified 34 timeframe and annually thereafter; authorizing the 35 Florida Digital Service to provide a certain training 36 in collaboration with certain entities; requiring 37 certain local governments to adopt certain 38 cybersecurity standards by specified dates; requiring 39 local governments to provide a certain notification to 40 the Florida Digital Service and certain entities; 41 providing notification requirements; requiring local 42 governments to report ransomware incidents and certain 43 cybersecurity incidents to certain entities within 44 specified timeframes; requiring the Cybersecurity 45 Operations Center to provide a certain notification to 46 the Legislature within a specified timeframe; 47 authorizing local governments to report certain 48 cybersecurity incidents to certain entities; requiring 49 the Cybersecurity Operations Center to quarterly 50 provide certain reports to the Legislature and the 51 Florida Cybersecurity Advisory Council; requiring 52 local governments to submit after-action reports 53 containing certain information to the Florida Digital 54 Service within a specified timeframe; requiring the 55 Florida Digital Service to establish certain 56 guidelines and processes by a specified date; creating 57 s. 282.3186, F.S.; prohibiting certain entities from 58 paying or otherwise complying with a ransom demand; 59 amending s. 282.319, F.S.; revising the purpose of the 60 Florida Cybersecurity Advisory Council to include 61 advising counties and municipalities on cybersecurity; 62 requiring the council to meet at least quarterly to 63 review certain information and develop and make 64 certain recommendations; requiring the council to 65 annually submit to the Governor and the Legislature a 66 certain ransomware incident report beginning on a 67 specified date; providing requirements for the report; 68 defining the term “state agency”; creating s. 815.062, 69 F.S.; defining the term “governmental entity”; 70 prohibiting certain persons from introducing computer 71 contaminants in order to procure a ransom; prohibiting 72 certain employees or contractors from aiding or 73 abetting another to introduce computer contaminants in 74 order to procure a ransom; providing criminal 75 penalties; requiring a person convicted of certain 76 offenses to pay a certain fine; requiring deposit of 77 certain moneys in the General Revenue Fund; providing 78 a legislative finding and declaration of an important 79 state interest; providing an effective date. 80 81 Be It Enacted by the Legislature of the State of Florida: 82 83 Section 1. Present subsections (28) through (37) of section 84 282.0041, Florida Statutes, are redesignated as subsections (29) 85 through (38), respectively, a new subsection (28) is added to 86 that section, and subsection (19) of that section is amended, to 87 read: 88 282.0041 Definitions.—As used in this chapter, the term: 89 (19) “Incident” means a violation or imminent threat of 90 violation, whether such violation is accidental or deliberate, 91 of information technology resources, security, policies, or 92 practices. An imminent threat of violation refers to a situation 93 in which a
thestate agency, county, or municipality has a 94 factual basis for believing that a specific incident is about to 95 occur. 96 (28) “Ransomware incident” means a malicious cybersecurity 97 incident in which a person or entity introduces software that 98 gains unauthorized access to or encrypts, modifies, or otherwise 99 renders unavailable a state agency’s, county’s, or 100 municipality’s data and thereafter the person or entity demands 101 a ransom to prevent the publication of the data, restore access 102 to the data, or otherwise remediate the impact of the software. 103 Section 2. Paragraphs (c) and (g) of subsection (3) and 104 paragraphs (i) and (j) of subsection (4) of section 282.318, 105 Florida Statutes, are amended, and paragraph (k) is added to 106 subsection (4) of that section, to read: 107 282.318 Cybersecurity.— 108 (3) The department, acting through the Florida Digital 109 Service, is the lead entity responsible for establishing 110 standards and processes for assessing state agency cybersecurity 111 risks and determining appropriate security measures. Such 112 standards and processes must be consistent with generally 113 accepted technology best practices, including the National 114 Institute for Standards and Technology Cybersecurity Framework, 115 for cybersecurity. The department, acting through the Florida 116 Digital Service, shall adopt rules that mitigate risks; 117 safeguard state agency digital assets, data, information, and 118 information technology resources to ensure availability, 119 confidentiality, and integrity; and support a security 120 governance framework. The department, acting through the Florida 121 Digital Service, shall also: 122 (c) Develop and publish for use by state agencies a 123 cybersecurity governance framework that, at a minimum, includes 124 guidelines and processes for: 125 1. Establishing asset management procedures to ensure that 126 an agency’s information technology resources are identified and 127 managed consistent with their relative importance to the 128 agency’s business objectives. 129 2. Using a standard risk assessment methodology that 130 includes the identification of an agency’s priorities, 131 constraints, risk tolerances, and assumptions necessary to 132 support operational risk decisions. 133 3. Completing comprehensive risk assessments and 134 cybersecurity audits, which may be completed by a private sector 135 vendor, and submitting completed assessments and audits to the 136 department. 137 4. Identifying protection procedures to manage the 138 protection of an agency’s information, data, and information 139 technology resources. 140 5. Establishing procedures for accessing information and 141 data to ensure the confidentiality, integrity, and availability 142 of such information and data. 143 6. Detecting threats through proactive monitoring of 144 events, continuous security monitoring, and defined detection 145 processes. 146 7. Establishing agency cybersecurity incident response 147 teams and describing their responsibilities for responding to 148 cybersecurity incidents, including breaches of personal 149 information containing confidential or exempt data. 150 8. Recovering information and data in response to a 151 cybersecurity incident. The recovery may include recommended 152 improvements to the agency processes, policies, or guidelines. 153 9. Establishing a cybersecurity incident reporting process 154 that includes procedures and tiered reporting timeframesfor 155 notifying the department and the Department of Law Enforcement 156 of cybersecurity incidents. The tiered reporting timeframes157 shall be based upon the level of severity of the cybersecurity158 incidents being reported.159 a. The level of severity of the cybersecurity incident is 160 defined by the National Cyber Incident Response Plan of the 161 United States Department of Homeland Security as follows: 162 (I) Level 5 is an emergency-level incident within the 163 specified jurisdiction that poses an imminent threat to the 164 provision of wide-scale critical infrastructure services; 165 national, state, or local government security; or the lives of 166 the country’s, state’s, or local government’s residents. 167 (II) Level 4 is a severe-level incident that is likely to 168 result in a significant impact in the affected jurisdiction to 169 public health or safety; national, state, or local security; 170 economic security; or civil liberties. 171 (III) Level 3 is a high-level incident that is likely to 172 result in a demonstrable impact in the affected jurisdiction to 173 public health or safety; national, state, or local security; 174 economic security; civil liberties; or public confidence. 175 (IV) Level 2 is a medium-level incident that may impact 176 public health or safety; national, state, or local security; 177 economic security; civil liberties; or public confidence. 178 (V) Level 1 is a low-level incident that is unlikely to 179 impact public health or safety; national, state, or local 180 security; economic security; civil liberties; or public 181 confidence. 182 b. The cybersecurity incident reporting process must 183 specify the information that must be reported by a state agency 184 following a cybersecurity incident or ransomware incident, 185 which, at a minimum, must include the following: 186 (I) A summary of the facts surrounding the cybersecurity 187 incident or ransomware incident. 188 (II) The date on which the state agency most recently 189 backed up its data, the physical location of the backup, if the 190 backup was affected, and if the backup was created using cloud 191 computing. 192 (III) The types of data compromised by the cybersecurity 193 incident or ransomware incident. 194 (IV) The estimated fiscal impact of the cybersecurity 195 incident or ransomware incident. 196 (V) In the case of a ransomware incident, the details of 197 the ransom demanded. 198 c.(I) A state agency shall report all ransomware incidents 199 and any cybersecurity incident determined by the state agency to 200 be of severity level 3, 4, or 5 to the Cybersecurity Operations 201 Center and the Cybercrime Office of the Department of Law 202 Enforcement as soon as possible but no later than 48 hours after 203 discovery of the cybersecurity incident and no later than 12 204 hours after discovery of the ransomware incident. The report 205 must contain the information required in sub-subparagraph b. 206 (II) The Cybersecurity Operations Center shall notify the 207 President of the Senate and the Speaker of the House of 208 Representatives of any severity level 3, 4, or 5 incident as 209 soon as possible but no later than 12 hours after receiving a 210 state agency’s incident report. The notification must include a 211 high-level description of the incident and the likely effects. 212 d. A state agency shall report a cybersecurity incident 213 determined by the state agency to be of severity level 1 or 2 to 214 the Cybersecurity Operations Center and the Cybercrime Office of 215 the Department of Law Enforcement as soon as possible. The 216 report must contain the information required in sub-subparagraph 217 b. 218 e. The Cybersecurity Operations Center shall provide a 219 consolidated incident report on a quarterly basis to the 220 President of the Senate, the Speaker of the House of 221 Representatives, and the Florida Cybersecurity Advisory Council. 222 The report provided to the Florida Cybersecurity Advisory 223 Council may not contain the name of any agency, network 224 information, or system identifying information but must contain 225 sufficient relevant information to allow the Florida 226 Cybersecurity Advisory Council to fulfill its responsibilities 227 as required in s. 282.319(9). 228 10. Incorporating information obtained through detection 229 and response activities into the agency’s cybersecurity incident 230 response plans. 231 11. Developing agency strategic and operational 232 cybersecurity plans required pursuant to this section. 233 12. Establishing the managerial, operational, and technical 234 safeguards for protecting state government data and information 235 technology resources that align with the state agency risk 236 management strategy and that protect the confidentiality, 237 integrity, and availability of information and data. 238 13. Establishing procedures for procuring information 239 technology commodities and services that require the commodity 240 or service to meet the National Institute of Standards and 241 Technology Cybersecurity Framework. 242 14. Submitting after-action reports following a 243 cybersecurity incident or ransomware incident. Such guidelines 244 and processes for submitting after-action reports must be 245 developed and published by December 1, 2022. 246 (g) Annually provide cybersecurity training to all state 247 agency technology professionals and employees with access to 248 highly sensitive information which thatdevelops, assesses, and 249 documents competencies by role and skill level. The 250 cybersecurity training curriculum must include training on the 251 identification of each cybersecurity incident severity level 252 referenced in sub-subparagraph (c)9.a. The training may be 253 provided in collaboration with the Cybercrime Office of the 254 Department of Law Enforcement, a private sector entity, or an 255 institution of the State University System. 256 (4) Each state agency head shall, at a minimum: 257 (i) Provide cybersecurity awareness training to all state 258 agency employees within in the first30 days after commencing 259 employment, and annually thereafter, concerning cybersecurity 260 risks and the responsibility of employees to comply with 261 policies, standards, guidelines, and operating procedures 262 adopted by the state agency to reduce those risks. The training 263 may be provided in collaboration with the Cybercrime Office of 264 the Department of Law Enforcement, a private sector entity, or 265 an institution of the State University System. 266 (j) Develop a process for detecting, reporting, and 267 responding to threats, breaches, or cybersecurity incidents 268 which is consistent with the security rules, guidelines, and 269 processes established by the department through the Florida 270 Digital Service. 271 1. All cybersecurity incidents and ransomware incidents 272 breachesmust be reported by state agencies. Such reports to the273 Florida Digital Service within the department and the Cybercrime274 Office of the Department of Law Enforcement andmust comply with 275 the notification procedures and reporting timeframes established 276 pursuant to paragraph (3)(c). 277 2. For cybersecurity breaches, state agencies shall provide 278 notice in accordance with s. 501.171. 279 (k) Submit to the Florida Digital Service, within 1 week 280 after the remediation of a cybersecurity incident or ransomware 281 incident, an after-action report that summarizes the incident, 282 the incident’s resolution, and any insights gained as a result 283 of the incident. 284 Section 3. Section 282.3185, Florida Statutes, is created 285 to read: 286 282.3185 Local government cybersecurity.— 287 (1) SHORT TITLE.—This section may be cited as the “Local 288 Government Cybersecurity Act.” 289 (2) DEFINITION.—As used in this section, the term “local 290 government” means any county or municipality. 291 (3) CYBERSECURITY TRAINING.— 292 (a) The Florida Digital Service shall: 293 1. Develop a basic cybersecurity training curriculum for 294 local government employees. All local government employees with 295 access to the local government’s network must complete the basic 296 cybersecurity training within 30 days after commencing 297 employment and annually thereafter. 298 2. Develop an advanced cybersecurity training curriculum 299 for local governments which is consistent with the cybersecurity 300 training required under s. 282.318(3)(g). All local government 301 technology professionals and employees with access to highly 302 sensitive information must complete the advanced cybersecurity 303 training within 30 days after commencing employment and annually 304 thereafter. 305 (b) The Florida Digital Service may provide the 306 cybersecurity training required by this subsection in 307 collaboration with the Cybercrime Office of the Department of 308 Law Enforcement, a private sector entity, or an institution of 309 the State University System. 310 (4) CYBERSECURITY STANDARDS.— 311 (a) Each local government shall adopt cybersecurity 312 standards that safeguard its data, information technology, and 313 information technology resources to ensure availability, 314 confidentiality, and integrity. The cybersecurity standards must 315 be consistent with generally accepted best practices for 316 cybersecurity, including the National Institute of Standards and 317 Technology Cybersecurity Framework. 318 (b) Each county with a population of 75,000 or more must 319 adopt the cybersecurity standards required by this subsection by 320 January 1, 2024. Each county with a population of less than 321 75,000 must adopt the cybersecurity standards required by this 322 subsection by January 1, 2025. 323 (c) Each municipality with a population of 25,000 or more 324 must adopt the cybersecurity standards required by this 325 subsection by January 1, 2024. Each municipality with a 326 population of less than 25,000 must adopt the cybersecurity 327 standards required by this subsection by January 1, 2025. 328 (d) Each local government shall notify the Florida Digital 329 Service of its compliance with this subsection as soon as 330 possible. 331 (5) INCIDENT NOTIFICATION.— 332 (a) A local government shall provide notification of a 333 cybersecurity incident or ransomware incident to the 334 Cybersecurity Operations Center, Cybercrime Office of the 335 Department of Law Enforcement, and sheriff who has jurisdiction 336 over the local government in accordance with paragraph (b). The 337 notification must include, at a minimum, the following 338 information: 339 1. A summary of the facts surrounding the cybersecurity 340 incident or ransomware incident. 341 2. The date on which the local government most recently 342 backed up its data, the physical location of the backup, if the 343 backup was affected, and if the backup was created using cloud 344 computing. 345 3. The types of data compromised by the cybersecurity 346 incident or ransomware incident. 347 4. The estimated fiscal impact of the cybersecurity 348 incident or ransomware incident. 349 5. In the case of a ransomware incident, the details of the 350 ransom demanded. 351 6. A statement requesting or declining assistance from the 352 Cybersecurity Operations Center, the Cybercrime Office of the 353 Department of Law Enforcement, or the sheriff who has 354 jurisdiction over the local government. 355 (b)1. A local government shall report all ransomware 356 incidents and any cybersecurity incident determined by the local 357 government to be of severity level 3, 4, or 5 as provided in s. 358 282.318(3)(c) to the Cybersecurity Operations Center, the 359 Cybercrime Office of the Department of Law Enforcement, and the 360 sheriff who has jurisdiction over the local government as soon 361 as possible but no later than 48 hours after discovery of the 362 cybersecurity incident and no later than 12 hours after 363 discovery of the ransomware incident. The report must contain 364 the information required in paragraph (a). 365 2. The Cybersecurity Operations Center shall notify the 366 President of the Senate and the Speaker of the House of 367 Representatives of any severity level 3, 4, or 5 incident as 368 soon as possible but no later than 12 hours after receiving a 369 local government’s incident report. The notification must 370 include a high-level description of the incident and the likely 371 effects. 372 (c) A local government may report a cybersecurity incident 373 determined by the local government to be of severity level 1 or 374 2 as provided in s. 282.318(3)(c) to the Cybersecurity 375 Operations Center, the Cybercrime Office of the Department of 376 Law Enforcement, and the sheriff who has jurisdiction over the 377 local government. The report shall contain the information 378 required in paragraph (a). 379 (d) The Cybersecurity Operations Center shall provide a 380 consolidated incident report on a quarterly basis to the 381 President of the Senate, the Speaker of the House of 382 Representatives, and the Florida Cybersecurity Advisory Council. 383 The report provided to the Florida Cybersecurity Advisory 384 Council may not contain the name of any local government, 385 network information, or system identifying information but must 386 contain sufficient relevant information to allow the Florida 387 Cybersecurity Advisory Council to fulfill its responsibilities 388 as required in s. 282.319(9). 389 (6) AFTER-ACTION REPORT.—A local government must submit to 390 the Florida Digital Service, within 1 week after the remediation 391 of a cybersecurity incident or ransomware incident, an after 392 action report that summarizes the incident, the incident’s 393 resolution, and any insights gained as a result of the incident. 394 By December 1, 2022, the Florida Digital Service shall establish 395 guidelines and processes for submitting an after-action report. 396 Section 4. Section 282.3186, Florida Statutes, is created 397 to read: 398 282.3186 Ransomware incident compliance.—A state agency as 399 defined in s. 282.318(2), a county, or a municipality 400 experiencing a ransomware incident may not pay or otherwise 401 comply with a ransom demand. 402 Section 5. Subsection (2) of section 282.319, Florida 403 Statutes, is amended, paragraphs (g) and (h) are added to 404 subsection (9) of that section, and subsections (12) and (13) 405 are added to that section, to read: 406 282.319 Florida Cybersecurity Advisory Council.— 407 (2) The purpose of the council is to: 408 (a) Assist state agencies in protecting their information 409 technology resources from cybersecurity cyberthreats and 410 incidents. 411 (b) Advise counties and municipalities on cybersecurity, 412 including cybersecurity threats, trends, and best practices. 413 (9) The council shall meet at least quarterly to: 414 (g) Review information relating to cybersecurity incidents 415 and ransomware incidents to determine commonalities and develop 416 best practice recommendations for state agencies, counties, and 417 municipalities. 418 (h) Recommend any additional information that a county or 419 municipality should report to the Florida Digital Service as 420 part of its cybersecurity incident or ransomware incident 421 notification pursuant to s. 282.3185. 422 (12) Beginning December 1, 2022, and each December 1 423 thereafter, the council shall submit to the Governor, the 424 President of the Senate, and the Speaker of the House of 425 Representatives a comprehensive report that includes data, 426 trends, analysis, findings, and recommendations for state and 427 local action regarding ransomware incidents. At a minimum, the 428 report must include: 429 (a) Descriptive statistics including the amount of ransom 430 requested, duration of the ransomware incident, and overall 431 monetary cost to taxpayers of the ransomware incident. 432 (b) A detailed statistical analysis of the circumstances 433 that led to the ransomware incident which does not include the 434 name of the state agency, county, or municipality; network 435 information; or system identifying information. 436 (c) A detailed statistical analysis of the level of 437 cybersecurity employee training and frequency of data backup for 438 the state agency, county, or municipality that reported the 439 ransomware incident. 440 (d) Specific issues identified with current policies, 441 procedures, rules, or statutes and recommendations to address 442 such issues. 443 (e) Any other recommendations to prevent ransomware 444 incidents. 445 (13) For purposes of this section, the term “state agency” 446 has the same meaning as provided in s. 282.318(2). 447 Section 6. Section 815.062, Florida Statutes, is created to 448 read: 449 815.062 Offenses against governmental entities.— 450 (1) As used in this section, the term “governmental entity” 451 means any official, officer, commission, board, authority, 452 council, committee, or department of the executive, judicial, or 453 legislative branch of state government; any state university; or 454 any county or municipality, special district, water management 455 district, or other political subdivision of the state. 456 (2) A person who willfully, knowingly, and without 457 authorization introduces a computer contaminant that gains 458 unauthorized access to, encrypts, modifies, or otherwise renders 459 unavailable data, programs, or supporting documentation residing 460 or existing within a computer, computer system, computer 461 network, or electronic device owned or operated by a 462 governmental entity and demands a ransom to prevent the 463 publication of or restore access to the data, programs, or 464 supporting documentation or to otherwise remediate the impact of 465 the computer contaminant commits a felony of the first degree, 466 punishable as provided in s. 775.082, s. 775.083, or s. 775.084. 467 (3) An employee or contractor of a governmental entity with 468 access to the governmental entity’s network who willfully and 469 knowingly aids or abets another in the commission of a violation 470 of subsection (2) commits a felony of the first degree, 471 punishable as provided in s. 775.082, s. 775.083, or s. 775.084. 472 (4) In addition to any other penalty imposed, a person 473 convicted of a violation of this section must pay a fine equal 474 to twice the amount of the ransom demand. Moneys recovered under 475 this subsection shall be deposited into the General Revenue 476 Fund. 477 Section 7. The Legislature finds and declares that this act 478 fulfills an important state interest. 479 Section 8. This act shall take effect July 1, 2022.