Florida Senate - 2022 CONFERENCE COMMITTEE AMENDMENT
Bill No. SB 2518, 1st Eng.
375046
LEGISLATIVE ACTION
Senate: Floor: AD/CR, 03/14/2022 12:18 PM
House: Floor: AD, 03/14/2022 12:49 PM
The Conference Committee on SB 2518, 1st Eng. recommended the
following:
1 Senate Conference Committee Amendment (with title
2 amendment)
3
4 Delete everything after the enacting clause
5 and insert:
6 Section 1. All functions, records, personnel, contracts,
7 interagency agreements, and assets of the current Department of
8 Management Services State Data Center are transferred to the
9 Northwest Regional Data Center.
10 Section 2. Subsection (30) of section 282.0041, Florida
11 Statutes, is amended to read:
12 282.0041 Definitions.—As used in this chapter, the term:
13 (30) “Service-level agreement” means a written contract
14 between the Department of Management Services or a provider of
15 data center services and a customer entity which specifies the
16 scope of services provided, service level, the duration of the
17 agreement, the responsible parties, and service costs. A
18 service-level agreement is not a rule pursuant to chapter 120.
19 Section 3. Paragraphs (j) and (q) of subsection (1) and
20 paragraphs (a) and (b) of subsection (3) of section 282.0051,
21 Florida Statutes, are amended to read:
22 282.0051 Department of Management Services; Florida Digital
23 Service; powers, duties, and functions.—
24 (1) The Florida Digital Service has been created within the
25 department to propose innovative solutions that securely
26 modernize state government, including technology and information
27 services, to achieve value through digital transformation and
28 interoperability, and to fully support the cloud-first policy as
29 specified in s. 282.206. The department, through the Florida
30 Digital Service, shall have the following powers, duties, and
31 functions:
32 (j) Provide operational management and oversight of the
33 state data center established pursuant to s. 282.201, which
34 includes:
35 1. Implementing industry standards and best practices for
36 the state data center’s facilities, operations, maintenance,
37 planning, and management processes.
38 2. Developing and implementing cost-recovery mechanisms
39 that recover the full direct and indirect cost of services
40 through charges to applicable customer entities. Such cost
41 recovery mechanisms must comply with applicable state and
42 federal regulations concerning distribution and use of funds and
43 must ensure that, for any fiscal year, no service or customer
44 entity subsidizes another service or customer entity. The
45 Florida Digital Service may recommend other payment mechanisms
46 to the Executive Office of the Governor, the President of the
47 Senate, and the Speaker of the House of Representatives. Such
48 mechanism may be implemented only if specifically authorized by
49 the Legislature.
50 3. Developing and implementing appropriate operating
51 guidelines and procedures necessary for the state data center to
52 perform its duties pursuant to s. 282.201. The guidelines and
53 procedures must comply with applicable state and federal laws,
54 regulations, and policies and conform to generally accepted
55 governmental accounting and auditing standards. The guidelines
56 and procedures must include, but need not be limited to:
57 a. Implementing a consolidated administrative support
58 structure responsible for providing financial management,
59 procurement, transactions involving real or personal property,
60 human resources, and operational support.
61 b. Implementing an annual reconciliation process to ensure
62 that each customer entity is paying for the full direct and
63 indirect cost of each service as determined by the customer
64 entity’s use of each service.
65 c. Providing rebates that may be credited against future
66 billings to customer entities when revenues exceed costs.
67 d. Requiring customer entities to validate that sufficient
68 funds exist in the appropriate data processing appropriation
69 category or will be transferred into the appropriate data
70 processing appropriation category before implementation of a
71 customer entity’s request for a change in the type or level of
72 service provided, if such change results in a net increase to
73 the customer entity’s cost for that fiscal year.
74 e. By November 15 of each year, providing to the Office of
75 Policy and Budget in the Executive Office of the Governor and to
76 the chairs of the legislative appropriations committees the
77 projected costs of providing data center services for the
78 following fiscal year.
79 f. Providing a plan for consideration by the Legislative
80 Budget Commission if the cost of a service is increased for a
81 reason other than a customer entity’s request made pursuant to
82 sub-subparagraph d. Such a plan is required only if the service
83 cost increase results in a net increase to a customer entity for
84 that fiscal year.
85 g. Standardizing and consolidating procurement and
86 contracting practices.
87 4. In collaboration with the Department of Law Enforcement,
88 developing and implementing a process for detecting, reporting,
89 and responding to cybersecurity incidents, breaches, and
90 threats.
91 5. Adopting rules relating to the operation of the state
92 data center, including, but not limited to, budgeting and
93 accounting procedures, cost-recovery methodologies, and
94 operating procedures.
95 (p)1.(q)1. Establish an information technology policy for
96 all information technology-related state contracts, including
97 state term contracts for information technology commodities,
98 consultant services, and staff augmentation services. The
99 information technology policy must include:
100 a. Identification of the information technology product and
101 service categories to be included in state term contracts.
102 b. Requirements to be included in solicitations for state
103 term contracts.
104 c. Evaluation criteria for the award of information
105 technology-related state term contracts.
106 d. The term of each information technology-related state
107 term contract.
108 e. The maximum number of vendors authorized on each state
109 term contract.
110 f. At a minimum, a requirement that any contract for
111 information technology commodities or services meet the National
112 Institute of Standards and Technology Cybersecurity Framework.
113 g. For an information technology project wherein project
114 oversight is required pursuant to paragraph (d) or paragraph (m)
115 (n), a requirement that independent verification and validation
116 be employed throughout the project life cycle with the primary
117 objective of independent verification and validation being to
118 provide an objective assessment of products and processes
119 throughout the project life cycle. An entity providing
120 independent verification and validation may not have technical,
121 managerial, or financial interest in the project and may not
122 have responsibility for, or participate in, any other aspect of
123 the project.
124 2. Evaluate vendor responses for information technology
125 related state term contract solicitations and invitations to
126 negotiate.
127 3. Answer vendor questions on information technology
128 related state term contract solicitations.
129 4. Ensure that the information technology policy
130 established pursuant to subparagraph 1. is included in all
131 solicitations and contracts that are administratively executed
132 by the department.
133 (3) The department, acting through the Florida Digital
134 Service and from funds appropriated to the Florida Digital
135 Service, shall:
136 (a) Create, not later than December 1, 2022 October 1,
137 2021, and maintain a comprehensive indexed data catalog in
138 collaboration with the enterprise that lists the data elements
139 housed within the enterprise and the legacy system or
140 application in which these data elements are located. The data
141 catalog must, at a minimum, specifically identify all data that
142 is restricted from public disclosure based on federal or state
143 laws and regulations and require that all such information be
144 protected in accordance with s. 282.318.
145 (b) Develop and publish, not later than December 1, 2022
146 October 1, 2021, in collaboration with the enterprise, a data
147 dictionary for each agency that reflects the nomenclature in the
148 comprehensive indexed data catalog.
149 Section 4. Section 282.201, Florida Statutes, is amended to
150 read:
151 282.201 State data center.—The state data center is
152 established within the department. The provision of data center
153 services must comply with applicable state and federal laws,
154 regulations, and policies, including all applicable security,
155 privacy, and auditing requirements. The department shall appoint
156 a director of the state data center, preferably an individual
157 who has experience in leading data center facilities and has
158 expertise in cloud-computing management.
159 (1) STATE DATA CENTER DUTIES.—The state data center shall:
160 (a) Offer, develop, and support the services and
161 applications defined in service-level agreements executed with
162 its customer entities.
163 (b) Maintain performance of the state data center by
164 ensuring proper data backup, data backup recovery, disaster
165 recovery, and appropriate security, power, cooling, fire
166 suppression, and capacity.
167 (c) Develop and implement business continuity and disaster
168 recovery plans, and annually conduct a live exercise of each
169 plan.
170 (d) Enter into a service-level agreement with each customer
171 entity to provide the required type and level of service or
172 services. If a customer entity fails to execute an agreement
173 within 60 days after commencement of a service, the state data
174 center may cease service. A service-level agreement may not have
175 a term exceeding 3 years and at a minimum must:
176 1. Identify the parties and their roles, duties, and
177 responsibilities under the agreement.
178 2. State the duration of the contract term and specify the
179 conditions for renewal.
180 3. Identify the scope of work.
181 4. Identify the products or services to be delivered with
182 sufficient specificity to permit an external financial or
183 performance audit.
184 5. Establish the services to be provided, the business
185 standards that must be met for each service, the cost of each
186 service by agency application, and the metrics and processes by
187 which the business standards for each service are to be
188 objectively measured and reported.
189 6. Provide a timely billing methodology to recover the
190 costs of services provided to the customer entity pursuant to s.
191 215.422.
192 7. Provide a procedure for modifying the service-level
193 agreement based on changes in the type, level, and cost of a
194 service.
195 8. Include a right-to-audit clause to ensure that the
196 parties to the agreement have access to records for audit
197 purposes during the term of the service-level agreement.
198 9. Provide that a service-level agreement may be terminated
199 by either party for cause only after giving the other party and
200 the department notice in writing of the cause for termination
201 and an opportunity for the other party to resolve the identified
202 cause within a reasonable period.
203 10. Provide for mediation of disputes by the Division of
204 Administrative Hearings pursuant to s. 120.573.
205 (e) For purposes of chapter 273, be the custodian of
206 resources and equipment located in and operated, supported, and
207 managed by the state data center.
208 (f) Assume administrative access rights to resources and
209 equipment, including servers, network components, and other
210 devices, consolidated into the state data center.
211 1. Upon consolidation, a state agency shall relinquish
212 administrative rights to consolidated resources and equipment.
213 State agencies required to comply with federal and state
214 criminal justice information security rules and policies shall
215 retain administrative access rights sufficient to comply with
216 the management control provisions of those rules and policies;
217 however, the state data center shall have the appropriate type
218 or level of rights to allow the center to comply with its duties
219 pursuant to this section. The Department of Law Enforcement
220 shall serve as the arbiter of disputes pertaining to the
221 appropriate type and level of administrative access rights
222 pertaining to the provision of management control in accordance
223 with the federal criminal justice information guidelines.
224 2. The state data center shall provide customer entities
225 with access to applications, servers, network components, and
226 other devices necessary for entities to perform business
227 activities and functions, and as defined and documented in a
228 service-level agreement.
229 (g) In its procurement process, show preference for cloud
230 computing solutions that minimize or do not require the
231 purchasing, financing, or leasing of state data center
232 infrastructure, and that meet the needs of customer agencies,
233 that reduce costs, and that meet or exceed the applicable state
234 and federal laws, regulations, and standards for cybersecurity.
235 (h) Assist customer entities in transitioning from state
236 data center services to the Northwest Regional Data Center or
237 other third-party cloud-computing services procured by a
238 customer entity or by the Northwest Regional Data Center on
239 behalf of a customer entity.
240 (2) USE OF THE STATE DATA CENTER.—The following are exempt
241 from the use of the state data center: the Department of Law
242 Enforcement, the Department of the Lottery’s Gaming System,
243 Systems Design and Development in the Office of Policy and
244 Budget, the regional traffic management centers as described in
245 s. 335.14(2) and the Office of Toll Operations of the Department
246 of Transportation, the State Board of Administration, state
247 attorneys, public defenders, criminal conflict and civil
248 regional counsel, capital collateral regional counsel, and the
249 Florida Housing Finance Corporation.
250 (3) AGENCY LIMITATIONS.—Unless exempt from the use of the
251 state data center pursuant to this section or authorized by the
252 Legislature, a state agency may not:
253 (a) Create a new agency computing facility or data center,
254 or expand the capability to support additional computer
255 equipment in an existing agency computing facility or data
256 center; or
257 (b) Terminate services with the state data center without
258 giving written notice of intent to terminate services 180 days
259 before such termination.
260 (4) DEPARTMENT RESPONSIBILITIES.—The department shall
261 provide operational management and oversight of the state data
262 center, which includes:
263 (a) Implementing industry standards and best practices for
264 the state data center’s facilities, operations, maintenance,
265 planning, and management processes.
266 (b) Developing and implementing cost-recovery mechanisms
267 that recover the full direct and indirect cost of services
268 through charges to applicable customer entities. Such cost
269 recovery mechanisms must comply with applicable state and
270 federal regulations concerning distribution and use of funds and
271 must ensure that, for any fiscal year, no service or customer
272 entity subsidizes another service or customer entity. The
273 department may recommend other payment mechanisms to the
274 Executive Office of the Governor, the President of the Senate,
275 and the Speaker of the House of Representatives. Such mechanism
276 may be implemented only if specifically authorized by the
277 Legislature.
278 (c) Developing and implementing appropriate operating
279 guidelines and procedures necessary for the state data center to
280 perform its duties pursuant to subsection (1). The guidelines
281 and procedures must comply with applicable state and federal
282 laws, regulations, and policies and conform to generally
283 accepted governmental accounting and auditing standards. The
284 guidelines and procedures must include, but need not be limited
285 to:
286 1. Implementing a consolidated administrative support
287 structure responsible for providing financial management,
288 procurement, transactions involving real or personal property,
289 human resources, and operational support.
290 2. Implementing an annual reconciliation process to ensure
291 that each customer entity is paying for the full direct and
292 indirect cost of each service as determined by the customer
293 entity’s use of each service.
294 3. Providing rebates that may be credited against future
295 billings to customer entities when revenues exceed costs.
296 4. Requiring customer entities to validate that sufficient
297 funds exist before implementation of a customer entity’s request
298 for a change in the type or level of service provided, if such
299 change results in a net increase to the customer entity’s cost
300 for that fiscal year.
301 5. By November 15 of each year, providing to the Office of
302 Policy and Budget in the Executive Office of the Governor and to
303 the chairs of the legislative appropriations committees the
304 projected costs of providing data center services for the
305 following fiscal year.
306 6. Providing a plan for consideration by the Legislative
307 Budget Commission if the cost of a service is increased for a
308 reason other than a customer entity’s request made pursuant to
309 subparagraph 4. Such a plan is required only if the service cost
310 increase results in a net increase to a customer entity for that
311 fiscal year.
312 7. Standardizing and consolidating procurement and
313 contracting practices.
314 (d) In collaboration with the Department of Law Enforcement
315 and the Florida Digital Service, developing and implementing a
316 process for detecting, reporting, and responding to
317 cybersecurity incidents, breaches, and threats.
318 (e) Adopting rules relating to the operation of the state
319 data center, including, but not limited to, budgeting and
320 accounting procedures, cost-recovery methodologies, and
321 operating procedures.
322 (5) NORTHWEST REGIONAL DATA CENTER CONTRACT.—In order for
323 the department to carry out its duties and responsibilities
324 relating to the state data center, the secretary of the
325 department shall contract by July 1, 2022, with the Northwest
326 Regional Data Center pursuant to s. 287.057(11). The contract
327 shall provide that the Northwest Regional Data Center will
328 manage the operations of the state data center and provide data
329 center services to state agencies.
330 (a) The department shall provide contract oversight,
331 including, but not limited to, reviewing invoices provided by
332 the Northwest Regional Data Center for services provided to
333 state agency customers.
334 (b) The department shall approve or request updates to
335 invoices within 10 business days after receipt. If the
336 department does not respond to the Northwest Regional Data
337 Center, the invoice will be approved by default. The Northwest
338 Regional Data Center must submit approved invoices directly to
339 state agency customers.
340 Section 5. Section 1004.649, Florida Statutes, is amended
341 to read:
342 1004.649 Northwest Regional Data Center.—
343 (1) For the purpose of providing data center services to
344 its state agency customers, the Northwest Regional Data Center
345 is designated as a state data center for all state agencies and
346 shall:
347 (a) Operate under a governance structure that represents
348 its customers proportionally.
349 (b) Maintain an appropriate cost-allocation methodology
350 that accurately bills state agency customers based solely on the
351 actual direct and indirect costs of the services provided to
352 state agency customers, and ensures that for any fiscal year,
353 state agency customers are not subsidizing other customers of
354 the data center. Such cost-allocation methodology must comply
355 with applicable state and federal regulations concerning the
356 distribution and use of state and federal funds.
357 (c) Enter into a service-level agreement with each state
358 agency customer to provide services as defined and approved by
359 the governing board of the center. At a minimum, such service
360 level agreements must:
361 1. Identify the parties and their roles, duties, and
362 responsibilities under the agreement;
363 2. State the duration of the agreement term, which may not
364 exceed 3 years, and specify the conditions for up to two
365 optional 1-year renewals of the agreement before execution of a
366 new agreement renewal;
367 3. Identify the scope of work;
368 4. Establish the services to be provided, the business
369 standards that must be met for each service, the cost of each
370 service, and the process by which the business standards for
371 each service are to be objectively measured and reported;
372 5. Provide a timely billing methodology for recovering the
373 cost of services provided pursuant to s. 215.422;
374 6. Provide a procedure for modifying the service-level
375 agreement to address any changes in projected costs of service;
376 7. Include a right-to-audit clause to ensure that the
377 parties to the agreement have access to records for audit
378 purposes during the term of the service-level agreement Prohibit
379 the transfer of computing services between the Northwest
380 Regional Data Center and the state data center established
381 pursuant to s. 282.201 without at least 180 days’ written
382 notification of service cancellation;
383 8. Identify the products or services to be delivered with
384 sufficient specificity to permit an external financial or
385 performance audit; and
386 9. Provide that the service-level agreement may be
387 terminated by either party for cause only after giving the other
388 party notice in writing of the cause for termination and an
389 opportunity for the other party to resolve the identified cause
390 within a reasonable period; and
391 10. Provide state agency customer entities with access to
392 applications, servers, network components, and other devices
393 necessary for entities to perform business activities and
394 functions and as defined and documented in a service-level
395 agreement.
396 (d) In its procurement process, show preference for cloud
397 computing solutions that minimize or do not require the
398 purchasing or financing of state data center infrastructure,
399 that meet the needs of state agency customer entities, that
400 reduce costs, and that meet or exceed the applicable state and
401 federal laws, regulations, and standards for cybersecurity.
402 (e) Assist state agency customer entities in transitioning
403 from state data center services to other third-party cloud
404 computing services procured by a customer entity or by the
405 Northwest Regional Data Center on behalf of the customer entity.
406 (f) Provide to the Board of Governors the total annual
407 budget by major expenditure category, including, but not limited
408 to, salaries, expenses, operating capital outlay, contracted
409 services, or other personnel services by July 30 each fiscal
410 year.
411 (g)(e) Provide to each state agency customer its projected
412 annual cost for providing the agreed-upon data center services
413 by September 1 each fiscal year.
414 (h)(f) Provide a plan for consideration by the Legislative
415 Budget Commission if the governing body of the center approves
416 the use of a billing rate schedule after the start of the fiscal
417 year that increases any state agency customer’s costs for that
418 fiscal year.
419 (i) Provide data center services that comply with
420 applicable state and federal laws, regulations, and policies,
421 including all applicable security, privacy, and auditing
422 requirements.
423 (j) Maintain performance of the data center facilities by
424 ensuring proper data backup, data backup recovery, disaster
425 recovery, and appropriate security, power, cooling, fire
426 suppression, and capacity.
427 (k) Prepare and submit state agency customer invoices to
428 the Department of Management Services for approval. Upon
429 approval or by default pursuant to s. 282.201(5), submit
430 invoices to state agency customers.
431 (l) As funded in the General Appropriations Act, provide
432 data center services to state agencies from multiple facilities.
433 (2) Unless exempt from the requirement to use the state
434 data center pursuant to s. 282.201(2) or as authorized by the
435 Legislature, a state agency may not do any of the following:
436 (a) Terminate services with the Northwest Regional Data
437 Center without giving written notice of intent to terminate
438 services 180 days before such termination.
439 (b) Procure third-party cloud-computing services without
440 evaluating the cloud-computing services provided by the
441 Northwest Regional Data Center.
442 (c) Exceed 30 days from receipt of approved invoices to
443 remit payment for state data center services provided by the
444 Northwest Regional Data Center.
445 (3)(2) The Northwest Regional Data Center’s authority to
446 provide data center services to its state agency customers may
447 be terminated if:
448 (a) The center requests such termination to the Board of
449 Governors, the Senate President, and the Speaker of the House of
450 Representatives; or
451 (b) The center fails to comply with the provisions of this
452 section.
453 (4)(3) If such authority is terminated, the center has
454 shall have 1 year to provide for the transition of its state
455 agency customers to a qualified alternative cloud-based data
456 center that meets the enterprise architecture standards
457 established by the Florida Digital Service the state data center
458 established pursuant to s. 282.201.
459 Section 6. Subsection (1) of section 282.00515, Florida
460 Statutes, is amended to read:
461 282.00515 Duties of Cabinet agencies.—
462 (1) The Department of Legal Affairs, the Department of
463 Financial Services, and the Department of Agriculture and
464 Consumer Services shall adopt the standards established in s.
465 282.0051(1)(b), (c), and (r) (s) and (3)(e) or adopt alternative
466 standards based on best practices and industry standards that
467 allow for open data interoperability.
468 Section 7. This act shall take effect July 1, 2022.
469
470 ================= TITLE AMENDMENT ================
471 And the title is amended as follows:
472 Delete everything before the enacting clause
473 and insert:
474 A bill to be entitled
475 An act relating to information technology; providing
476 that all functions, records, personnel, contracts,
477 interagency agreements, and assets of the Department
478 of Management Services State Data Center are
479 transferred to the Northwest Regional Data Center;
480 amending s. 282.0041, F.S.; revising the definition of
481 the term “service-level agreement”; amending s.
482 282.0051, F.S.; deleting the operational management
483 and oversight of the state data center from the
484 powers, duties, and functions of the department,
485 acting through Florida Digital Service; requiring the
486 department, acting through the Florida Digital
487 Service, to create a certain indexed data catalog and
488 develop and publish a certain data dictionary by a
489 specified date; amending s. 282.201, F.S.; requiring
490 the department to assist customer entities
491 transitioning from other cloud-computing services to
492 the Northwest Regional Data Center or a cloud
493 computing service procured by the state data center;
494 providing responsibilities to the department relating
495 to the operational management and oversight of the
496 state data center; requiring the department to adopt
497 specified rules; requiring the secretary of the
498 department to contract with the Northwest Regional
499 Data Center to carry out the department’s duties and
500 responsibilities by a specified date; providing
501 contract requirements; requiring the department to
502 provide contract oversight for the data center;
503 requiring the department to approve or deny certain
504 requests within a specified timeframe; providing that
505 no action on an invoice is an approval by default;
506 requiring the data center to submit approved invoices
507 directly to state agency customers; amending s.
508 1004.649, F.S.; designating the Northwest Regional
509 Data Center as the state data center; specifying
510 additional requirements for service-level agreements
511 with state agency customers; specifying required
512 duties of the Northwest Regional Data Center;
513 prohibiting state agencies from engaging in certain
514 activities, unless otherwise authorized; modifying
515 provisions governing the transition of state agency
516 customers to a cloud-based data center; amending s.
517 282.00515, F.S.; conforming a cross-reference;
518 providing an effective date.