Florida Senate - 2022 SB 2518
By the Committee on Appropriations
576-02891-22 20222518__
1 A bill to be entitled
2 An act relating to information technology; providing
3 for a type two transfer of the specified functions and
4 components of the Florida Digital Service to the
5 Executive Office of the Governor; providing for the
6 continuation of certain contracts and interagency
7 agreements; providing that all functions, records,
8 personnel, contracts, interagency agreements, and
9 equipment of the Department of Management Services
10 State Data Center are consolidated in the Northwest
11 Regional Data Center; transferring remaining funds
12 from the Working Capital Trust Fund to the Northwest
13 Regional Data Center for specified purposes; creating
14 s. 14.2017, F.S.; creating the Enterprise Florida
15 First Technology Center within the Executive Office of
16 the Governor; providing for the management of the
17 center by a director; prescribing qualifications of
18 the director and state chief data officer; providing
19 that the center is a separate budget entity;
20 prescribing duties of the center and the director;
21 amending s. 20.22, F.S.; removing the Florida Digital
22 Service from the divisions, programs, and services
23 within the Department of Management Services, to
24 conform to changes made by the act; amending s.
25 282.0041, F.S.; revising the definition of the term
26 “service-level agreement”; amending s. 282.0051, F.S.;
27 creating the Enterprise Florida First Technology
28 Center within the Executive Office of the Governor;
29 deleting references to the Florida Digital Service to
30 conform to changes made by the act; requiring the
31 center to consult with the Department of Management
32 Services to establish an information technology policy
33 for specified procurement activities; requiring the
34 Enterprise Florida First Technology Center to adopt
35 rules; conforming provisions to changes made by the
36 act; repealing s. 282.201, F.S., relating to the state
37 data center; amending s. 282.318, F.S.; designating
38 the Enterprise Florida First Technology Center as the
39 lead entity in state agency cybersecurity matters;
40 requiring the center to adopt certain rules; requiring
41 the center to designate an employee as the state chief
42 information security officer; conforming provisions to
43 changes made by the act; amending s. 282.319, F.S.;
44 housing the Florida Cybersecurity Advisory Council
45 within the Executive Office of the Governor, rather
46 than the Department of Management Services, to conform
47 to changes made by the act; providing that the
48 director of the Office of Policy and Budget, rather
49 than the Secretary of Management Services, is the
50 executive director of advisory council; conforming
51 provisions to changes made by the act; amending s.
52 287.0591, F.S.; requiring the Enterprise Florida First
53 Technology Center to participate in certain
54 solicitations for information technology commodities
55 and services; requiring the Department of Management
56 Services to consult with the Enterprise Florida First
57 Technology Center in prequalifying entities to provide
58 information technology services to the state; amending
59 s. 1004.649, F.S.; designating the Northwest Regional
60 Data Center as the state data center; specifying
61 required duties of the Northwest Regional Data Center;
62 specifying additional requirements for service-level
63 agreements with state agency customers; exempting
64 certain entities from using the data center;
65 prohibiting state agencies from engaging in certain
66 activities, unless otherwise authorized; modifying
67 provisions governing the transition of state agency
68 customers to a cloud-based data center; amending ss.
69 282.00515, 443.1113, and 943.0415, F.S.; conforming a
70 cross reference and provisions to changes made by the
71 act; providing an effective date.
72
73 Be It Enacted by the Legislature of the State of Florida:
74
75 Section 1. All powers; duties; functions; records; offices;
76 personnel; associated administrative support positions;
77 property; pending issues and existing contracts; administrative
78 authority; administrative rules in chapter 74, Florida
79 Administrative Code, in effect as of July 1, 2022; and
80 unexpended balances of appropriations and allocations from the
81 General Revenue Fund of the Department of Management Services
82 Florida Digital Service, with the exception of the State Data
83 Center, are transferred by a type two transfer pursuant to s.
84 20.06(2), Florida Statutes, to the Executive Office of the
85 Governor.
86 Section 2. Any contract or interagency agreement existing
87 before July 1, 2022, between the Department of Management
88 Services Florida Digital Service, or any entity or agent of the
89 agency, and any other agency, entity, or person shall continue
90 as a contract or agreement of the successor department or entity
91 responsible for the program, activity, or function relative to
92 the contract or agreement.
93 Section 3. All functions, records, personnel, contracts,
94 interagency agreements, and equipment in the current Department
95 of Management Services State Data Center are consolidated in the
96 Northwest Regional Data Center. The unexpended balance of funds
97 remaining in the Working Capital Trust Fund on June 30, 2022, is
98 transferred to the Northwest Regional Data Center to be used to
99 satisfy customer refunds or excess assessments for fiscal year
100 2021-2022.
101 Section 4. Section 14.2017, Florida Statutes, is created to
102 read:
103 14.2017 Enterprise Florida First Technology Center.—
104 (1) The Enterprise Florida First Technology Center is
105 established within the Executive Office of the Governor, headed
106 for all purposes by a director who holds the title of state
107 chief information officer. The Enterprise Florida First
108 Technology Center shall be a separate budget entity and shall
109 prepare and submit a budget request in accordance with chapter
110 216. The center shall be responsible for all professional,
111 technical, and administrative support functions necessary to
112 carry out its responsibilities under chapter 282. The director
113 of the center shall be appointed by and serves at the pleasure
114 of the Governor and must be a proven, effective administrator
115 who has at least 10 years of executive-level experience in the
116 public or private sector, preferably with experience in the
117 development of information technology strategic planning and the
118 development and implementation of fiscal and substantive
119 information technology policy and standards.
120 (2) The state chief information officer shall designate a
121 state chief data officer. The chief data officer must be a
122 proven and effective administrator who must have significant and
123 substantive experience in data management, data governance,
124 interoperability, and security.
125 (3) The state chief information officer shall facilitate
126 meetings with all state agency chief information officers for
127 the purpose of communication regarding standards, rules,
128 projects, and significant events related to information
129 technology. These meetings must be held at least quarterly.
130 Section 5. Paragraph (b) of subsection (2) of section
131 20.22, Florida Statutes, is amended to read:
132 20.22 Department of Management Services.—There is created a
133 Department of Management Services.
134 (2) The following divisions, programs, and services within
135 the Department of Management Services are established:
136 (b) The Florida Digital Service.
137 Section 6. Subsection (30) of section 282.0041, Florida
138 Statutes, is amended to read:
139 282.0041 Definitions.—As used in this chapter, the term:
140 (30) “Service-level agreement” means a written contract
141 between the Department of Management Services or a provider of
142 data center services and a customer entity which specifies the
143 scope of services provided, service level, the duration of the
144 agreement, the responsible parties, and service costs. A
145 service-level agreement is not a rule pursuant to chapter 120.
146 Section 7. Section 282.0051, Florida Statutes, is amended
147 to read:
148 282.0051 Executive Office of the Governor Department of
149 Management Services; Enterprise Florida First Technology Center
150 Florida Digital Service; powers, duties, and functions.—
151 (1) The Enterprise Florida First Technology Center Florida
152 Digital Service has been created within the Executive Office of
153 the Governor department to propose innovative solutions that
154 securely modernize state government, including technology and
155 information services, to achieve value through digital
156 transformation and interoperability, and to fully support the
157 cloud-first policy as specified in s. 282.206. The Executive
158 Office of the Governor department, through the Enterprise
159 Florida First Technology Center Florida Digital Service, shall
160 have the following powers, duties, and functions:
161 (a) Develop and publish information technology policy for
162 the management of the state’s information technology resources.
163 (b) Develop an enterprise architecture that:
164 1. Acknowledges the unique needs of the entities within the
165 enterprise in the development and publication of standards and
166 terminologies to facilitate digital interoperability;
167 2. Supports the cloud-first policy as specified in s.
168 282.206; and
169 3. Addresses how information technology infrastructure may
170 be modernized to achieve cloud-first objectives.
171 (c) Establish project management and oversight standards
172 with which state agencies must comply when implementing
173 information technology projects. The center department, acting
174 through the Florida Digital Service, shall provide training
175 opportunities to state agencies to assist in the adoption of the
176 project management and oversight standards. To support data
177 driven decisionmaking, the standards must include, but are not
178 limited to:
179 1. Performance measurements and metrics that objectively
180 reflect the status of an information technology project based on
181 a defined and documented project scope, cost, and schedule.
182 2. Methodologies for calculating acceptable variances in
183 the projected versus actual scope, schedule, or cost of an
184 information technology project.
185 3. Reporting requirements, including requirements designed
186 to alert all defined stakeholders that an information technology
187 project has exceeded acceptable variances defined and documented
188 in a project plan.
189 4. Content, format, and frequency of project updates.
190 5. Technical standards to ensure an information technology
191 project complies with the enterprise architecture.
192 (d) Perform project oversight on all state agency
193 information technology projects that have total project costs of
194 $10 million or more and that are funded in the General
195 Appropriations Act or any other law. The center department,
196 acting through the Florida Digital Service, shall report at
197 least quarterly to the Executive Office of the Governor, the
198 President of the Senate, and the Speaker of the House of
199 Representatives on any information technology project that the
200 center department identifies as high-risk due to the project
201 exceeding acceptable variance ranges defined and documented in a
202 project plan. The report must include a risk assessment,
203 including fiscal risks, associated with proceeding to the next
204 stage of the project, and a recommendation for corrective
205 actions required, including suspension or termination of the
206 project.
207 (e) Identify opportunities for standardization and
208 consolidation of information technology services that support
209 interoperability and the cloud-first policy, as specified in s.
210 282.206, and business functions and operations, including
211 administrative functions such as purchasing, accounting and
212 reporting, cash management, and personnel, and that are common
213 across state agencies. The center department, acting through the
214 Florida Digital Service, shall biennially on January 1 of each
215 even-numbered year provide recommendations for standardization
216 and consolidation to the Executive Office of the Governor, the
217 President of the Senate, and the Speaker of the House of
218 Representatives.
219 (f) Establish best practices for the procurement of
220 information technology products and cloud-computing services in
221 order to reduce costs, increase the quality of data center
222 services, or improve government services.
223 (g) Develop standards for information technology reports
224 and updates, including, but not limited to, operational work
225 plans, project spend plans, and project status reports, for use
226 by state agencies.
227 (h) Upon request, assist state agencies in the development
228 of information technology-related legislative budget requests.
229 (i) Conduct annual assessments of state agencies to
230 determine compliance with all information technology standards
231 and guidelines developed and published by the center department
232 and provide results of the assessments to the Executive Office
233 of the Governor, the President of the Senate, and the Speaker of
234 the House of Representatives.
235 (j) Provide operational management and oversight of the
236 state data center established pursuant to s. 282.201, which
237 includes:
238 1. Implementing industry standards and best practices for
239 the state data center’s facilities, operations, maintenance,
240 planning, and management processes.
241 2. Developing and implementing cost-recovery mechanisms
242 that recover the full direct and indirect cost of services
243 through charges to applicable customer entities. Such cost
244 recovery mechanisms must comply with applicable state and
245 federal regulations concerning distribution and use of funds and
246 must ensure that, for any fiscal year, no service or customer
247 entity subsidizes another service or customer entity. The
248 Florida Digital Service may recommend other payment mechanisms
249 to the Executive Office of the Governor, the President of the
250 Senate, and the Speaker of the House of Representatives. Such
251 mechanism may be implemented only if specifically authorized by
252 the Legislature.
253 3. Developing and implementing appropriate operating
254 guidelines and procedures necessary for the state data center to
255 perform its duties pursuant to s. 282.201. The guidelines and
256 procedures must comply with applicable state and federal laws,
257 regulations, and policies and conform to generally accepted
258 governmental accounting and auditing standards. The guidelines
259 and procedures must include, but need not be limited to:
260 a. Implementing a consolidated administrative support
261 structure responsible for providing financial management,
262 procurement, transactions involving real or personal property,
263 human resources, and operational support.
264 b. Implementing an annual reconciliation process to ensure
265 that each customer entity is paying for the full direct and
266 indirect cost of each service as determined by the customer
267 entity’s use of each service.
268 c. Providing rebates that may be credited against future
269 billings to customer entities when revenues exceed costs.
270 d. Requiring customer entities to validate that sufficient
271 funds exist in the appropriate data processing appropriation
272 category or will be transferred into the appropriate data
273 processing appropriation category before implementation of a
274 customer entity’s request for a change in the type or level of
275 service provided, if such change results in a net increase to
276 the customer entity’s cost for that fiscal year.
277 e. By November 15 of each year, providing to the Office of
278 Policy and Budget in the Executive Office of the Governor and to
279 the chairs of the legislative appropriations committees the
280 projected costs of providing data center services for the
281 following fiscal year.
282 f. Providing a plan for consideration by the Legislative
283 Budget Commission if the cost of a service is increased for a
284 reason other than a customer entity’s request made pursuant to
285 sub-subparagraph d. Such a plan is required only if the service
286 cost increase results in a net increase to a customer entity for
287 that fiscal year.
288 g. Standardizing and consolidating procurement and
289 contracting practices.
290 4. Collaborate In collaboration with the Department of Law
291 Enforcement, to develop and implement developing and
292 implementing a process for detecting, reporting, and responding
293 to cybersecurity incidents, breaches, and threats.
294 5. Adopting rules relating to the operation of the state
295 data center, including, but not limited to, budgeting and
296 accounting procedures, cost-recovery methodologies, and
297 operating procedures.
298 (k) Conduct a market analysis not less frequently than
299 every 3 years beginning in 2021 to determine whether the
300 information technology resources within the enterprise are
301 utilized in the most cost-effective and cost-efficient manner,
302 while recognizing that the replacement of certain legacy
303 information technology systems within the enterprise may be cost
304 prohibitive or cost inefficient due to the remaining useful life
305 of those resources; whether the enterprise is complying with the
306 cloud-first policy specified in s. 282.206; and whether the
307 enterprise is utilizing best practices with respect to
308 information technology, information services, and the
309 acquisition of emerging technologies and information services.
310 Each market analysis shall be used to prepare a strategic plan
311 for continued and future information technology and information
312 services for the enterprise, including, but not limited to,
313 proposed acquisition of new services or technologies and
314 approaches to the implementation of any new services or
315 technologies. Copies of each market analysis and accompanying
316 strategic plan must be submitted to the Executive Office of the
317 Governor, the President of the Senate, and the Speaker of the
318 House of Representatives not later than December 31 of each year
319 that a market analysis is conducted.
320 (l) Recommend other information technology services that
321 should be designed, delivered, and managed as enterprise
322 information technology services. Recommendations must include
323 the identification of existing information technology resources
324 associated with the services, if existing services must be
325 transferred as a result of being delivered and managed as
326 enterprise information technology services.
327 (m) In consultation with state agencies, propose a
328 methodology and approach for identifying and collecting both
329 current and planned information technology expenditure data at
330 the state agency level.
331 (n)1. Notwithstanding any other law, provide project
332 oversight on any information technology project of the
333 Department of Financial Services, the Department of Legal
334 Affairs, and the Department of Agriculture and Consumer Services
335 which has a total project cost of $20 million or more. Such
336 information technology projects must also comply with the
337 applicable information technology architecture, project
338 management and oversight, and reporting standards established by
339 the center department, acting through the Florida Digital
340 Service.
341 2. When performing the project oversight function specified
342 in subparagraph 1., report at least quarterly to the Executive
343 Office of the Governor, the President of the Senate, and the
344 Speaker of the House of Representatives on any information
345 technology project that the center department, acting through
346 the Florida Digital Service, identifies as high-risk due to the
347 project exceeding acceptable variance ranges defined and
348 documented in the project plan. The report must shall include a
349 risk assessment, including fiscal risks, associated with
350 proceeding to the next stage of the project and a recommendation
351 for corrective actions required, including suspension or
352 termination of the project.
353 (o) If an information technology project implemented by a
354 state agency must be connected to or otherwise accommodated by
355 an information technology system administered by the Department
356 of Financial Services, the Department of Legal Affairs, or the
357 Department of Agriculture and Consumer Services, consult with
358 these departments regarding the risks and other effects of such
359 projects on their information technology systems and work
360 cooperatively with these departments regarding the connections,
361 interfaces, timing, or accommodations required to implement such
362 projects.
363 (p) If adherence to standards or policies adopted by or
364 established pursuant to this section causes conflict with
365 federal regulations or requirements imposed on an entity within
366 the enterprise and results in adverse action against an entity
367 or federal funding, work with the entity to provide alternative
368 standards, policies, or requirements that do not conflict with
369 the federal regulation or requirement. The center department,
370 acting through the Florida Digital Service, shall annually
371 report such alternative standards to the Executive Office of the
372 Governor, the President of the Senate, and the Speaker of the
373 House of Representatives.
374 (q)1. Establish, in consultation with the department, an
375 information technology policy for all information technology
376 related state contracts, including state term contracts for
377 information technology commodities, consultant services, and
378 staff augmentation services. The information technology policy
379 must include:
380 a. Identification of the information technology product and
381 service categories to be included in state term contracts.
382 b. Requirements to be included in solicitations for state
383 term contracts.
384 c. Evaluation criteria for the award of information
385 technology-related state term contracts.
386 d. The term of each information technology-related state
387 term contract.
388 e. The maximum number of vendors authorized on each state
389 term contract.
390 f. At a minimum, a requirement that any contract for
391 information technology commodities or services meet the National
392 Institute of Standards and Technology Cybersecurity Framework.
393 g. For an information technology project wherein project
394 oversight is required pursuant to paragraph (d) or paragraph
395 (n), a requirement that independent verification and validation
396 be employed throughout the project life cycle with the primary
397 objective of independent verification and validation being to
398 provide an objective assessment of products and processes
399 throughout the project life cycle. An entity providing
400 independent verification and validation may not have technical,
401 managerial, or financial interest in the project and may not
402 have responsibility for, or participate in, any other aspect of
403 the project.
404 2. Evaluate vendor responses for information technology
405 related state term contract solicitations and invitations to
406 negotiate.
407 3. Answer vendor questions on information technology
408 related state term contract solicitations.
409 4. Ensure that the information technology policy
410 established pursuant to subparagraph 1. is included in all
411 solicitations and contracts that are administratively executed
412 by the department.
413 (r) Recommend potential methods for standardizing data
414 across state agencies which will promote interoperability and
415 reduce the collection of duplicative data.
416 (s) Recommend open data technical standards and
417 terminologies for use by the enterprise.
418 (t) Ensure that enterprise information technology solutions
419 are capable of utilizing an electronic credential and comply
420 with the enterprise architecture standards.
421 (2)(a) The Secretary of Management Services shall designate
422 a state chief information officer, who shall administer the
423 Florida Digital Service. The state chief information officer,
424 prior to appointment, must have at least 5 years of experience
425 in the development of information system strategic planning and
426 development or information technology policy, and, preferably,
427 have leadership-level experience in the design, development, and
428 deployment of interoperable software and data solutions.
429 (b) The state chief information officer, in consultation
430 with the Secretary of Management Services, shall designate a
431 state chief data officer. The chief data officer must be a
432 proven and effective administrator who must have significant and
433 substantive experience in data management, data governance,
434 interoperability, and security.
435 (3) The Enterprise Florida First Technology Center
436 department, acting through the Florida Digital Service and from
437 funds appropriated to the center Florida Digital Service, shall:
438 (a) Create, not later than December 1, 2022 October 1,
439 2021, and maintain a comprehensive indexed data catalog in
440 collaboration with the enterprise that lists the data elements
441 housed within the enterprise and the legacy system or
442 application in which these data elements are located. The data
443 catalog must, at a minimum, specifically identify all data that
444 is restricted from public disclosure based on federal or state
445 laws and regulations and require that all such information be
446 protected in accordance with s. 282.318.
447 (b) Develop and publish, not later than December 1, 2022
448 October 1, 2021, in collaboration with the enterprise, a data
449 dictionary for each agency that reflects the nomenclature in the
450 comprehensive indexed data catalog.
451 (c) Adopt, by rule, standards that support the creation and
452 deployment of an application programming interface to facilitate
453 integration throughout the enterprise.
454 (d) Adopt, by rule, standards necessary to facilitate a
455 secure ecosystem of data interoperability that is compliant with
456 the enterprise architecture.
457 (e) Adopt, by rule, standards that facilitate the
458 deployment of applications or solutions to the existing
459 enterprise system in a controlled and phased approach.
460 (f) After submission of documented use cases developed in
461 conjunction with the affected agencies, assist the affected
462 agencies with the deployment, contingent upon a specific
463 appropriation therefor, of new interoperable applications and
464 solutions:
465 1. For the Department of Health, the Agency for Health Care
466 Administration, the Agency for Persons with Disabilities, the
467 Department of Education, the Department of Elderly Affairs, and
468 the Department of Children and Families.
469 2. To support military members, veterans, and their
470 families.
471 (3)(4) For information technology projects that have a
472 total project cost of $10 million or more:
473 (a) State agencies must provide the Enterprise Florida
474 First Technology Center Florida Digital Service with written
475 notice of any planned procurement of an information technology
476 project.
477 (b) The center Florida Digital Service must participate in
478 the development of specifications and recommend modifications to
479 any planned procurement of an information technology project by
480 state agencies so that the procurement complies with the
481 enterprise architecture.
482 (c) The center Florida Digital Service must participate in
483 post-award contract monitoring.
484 (4)(5) The Enterprise Florida First Technology Center
485 department, acting through the Florida Digital Service, may not
486 retrieve or disclose any data without a shared-data agreement in
487 place between the center department and the enterprise entity
488 that has primary custodial responsibility of, or data-sharing
489 responsibility for, that data.
490 (5)(6) The Enterprise Florida First Technology Center
491 department, acting through the Florida Digital Service, shall
492 adopt rules to administer this section.
493 Section 8. Section 282.201, Florida Statutes, is repealed.
494 Section 9. Subsections (3), (4), (8), and (11) of section
495 282.318, Florida Statutes, are amended to read:
496 282.318 Cybersecurity.—
497 (3) The Enterprise Florida First Technology Center
498 department, acting through the Florida Digital Service, is the
499 lead entity responsible for establishing standards and processes
500 for assessing state agency cybersecurity risks and determining
501 appropriate security measures. Such standards and processes must
502 be consistent with generally accepted technology best practices,
503 including the National Institute for Standards and Technology
504 Cybersecurity Framework, for cybersecurity. The Enterprise
505 Florida First Technology Center department, acting through the
506 Florida Digital Service, shall adopt rules that mitigate risks;
507 safeguard state agency digital assets, data, information, and
508 information technology resources to ensure availability,
509 confidentiality, and integrity; and support a security
510 governance framework. The center department, acting through the
511 Florida Digital Service, shall also:
512 (a) Designate an employee of the center Florida Digital
513 Service as the state chief information security officer. The
514 state chief information security officer must have experience
515 and expertise in security and risk management for communications
516 and information technology resources. The state chief
517 information security officer is responsible for the development,
518 operation, and oversight of cybersecurity for state technology
519 systems. The state chief information security officer shall be
520 notified of all confirmed or suspected incidents or threats of
521 state agency information technology resources and must report
522 such incidents or threats to the state chief information officer
523 and the Governor.
524 (b) Develop, and annually update by February 1, a statewide
525 cybersecurity strategic plan that includes security goals and
526 objectives for cybersecurity, including the identification and
527 mitigation of risk, proactive protections against threats,
528 tactical risk detection, threat reporting, and response and
529 recovery protocols for a cyber incident.
530 (c) Develop and publish for use by state agencies a
531 cybersecurity governance framework that, at a minimum, includes
532 guidelines and processes for:
533 1. Establishing asset management procedures to ensure that
534 an agency’s information technology resources are identified and
535 managed consistent with their relative importance to the
536 agency’s business objectives.
537 2. Using a standard risk assessment methodology that
538 includes the identification of an agency’s priorities,
539 constraints, risk tolerances, and assumptions necessary to
540 support operational risk decisions.
541 3. Completing comprehensive risk assessments and
542 cybersecurity audits, which may be completed by a private sector
543 vendor, and submitting completed assessments and audits to the
544 center department.
545 4. Identifying protection procedures to manage the
546 protection of an agency’s information, data, and information
547 technology resources.
548 5. Establishing procedures for accessing information and
549 data to ensure the confidentiality, integrity, and availability
550 of such information and data.
551 6. Detecting threats through proactive monitoring of
552 events, continuous security monitoring, and defined detection
553 processes.
554 7. Establishing agency cybersecurity incident response
555 teams and describing their responsibilities for responding to
556 cybersecurity incidents, including breaches of personal
557 information containing confidential or exempt data.
558 8. Recovering information and data in response to a
559 cybersecurity incident. The recovery may include recommended
560 improvements to the agency processes, policies, or guidelines.
561 9. Establishing a cybersecurity incident reporting process
562 that includes procedures and tiered reporting timeframes for
563 notifying the center department and the Department of Law
564 Enforcement of cybersecurity incidents. The tiered reporting
565 timeframes shall be based upon the level of severity of the
566 cybersecurity incidents being reported.
567 10. Incorporating information obtained through detection
568 and response activities into the agency’s cybersecurity incident
569 response plans.
570 11. Developing agency strategic and operational
571 cybersecurity plans required pursuant to this section.
572 12. Establishing the managerial, operational, and technical
573 safeguards for protecting state government data and information
574 technology resources that align with the state agency risk
575 management strategy and that protect the confidentiality,
576 integrity, and availability of information and data.
577 13. Establishing procedures for procuring information
578 technology commodities and services that require the commodity
579 or service to meet the National Institute of Standards and
580 Technology Cybersecurity Framework.
581 (d) Assist state agencies in complying with this section.
582 (e) In collaboration with the Cybercrime Office of the
583 Department of Law Enforcement, annually provide training for
584 state agency information security managers and computer security
585 incident response team members that contains training on
586 cybersecurity, including cybersecurity threats, trends, and best
587 practices.
588 (f) Annually review the strategic and operational
589 cybersecurity plans of state agencies.
590 (g) Provide cybersecurity training to all state agency
591 technology professionals that develops, assesses, and documents
592 competencies by role and skill level. The training may be
593 provided in collaboration with the Cybercrime Office of the
594 Department of Law Enforcement, a private sector entity, or an
595 institution of the state university system.
596 (h) Operate and maintain a Cybersecurity Operations Center
597 led by the state chief information security officer, which must
598 be primarily virtual and staffed with tactical detection and
599 incident response personnel. The Cybersecurity Operations Center
600 shall serve as a clearinghouse for threat information and
601 coordinate with the Department of Law Enforcement to support
602 state agencies and their response to any confirmed or suspected
603 cybersecurity incident.
604 (i) Lead an Emergency Support Function, ESF CYBER, under
605 the state comprehensive emergency management plan as described
606 in s. 252.35.
607 (4) Each state agency head shall, at a minimum:
608 (a) Designate an information security manager to administer
609 the cybersecurity program of the state agency. This designation
610 must be provided annually in writing to the Enterprise Florida
611 First Technology Center department by January 1. A state
612 agency’s information security manager, for purposes of these
613 information security duties, shall report directly to the agency
614 head.
615 (b) In consultation with the center department, through the
616 Florida Digital Service, and the Cybercrime Office of the
617 Department of Law Enforcement, establish an agency cybersecurity
618 response team to respond to a cybersecurity incident. The agency
619 cybersecurity response team shall convene upon notification of a
620 cybersecurity incident and must immediately report all confirmed
621 or suspected incidents to the state chief information security
622 officer, or his or her designee, and comply with all applicable
623 guidelines and processes established pursuant to paragraph
624 (3)(c).
625 (c) Submit to the Executive Office of the Governor
626 department annually by July 31, the state agency’s strategic and
627 operational cybersecurity plans developed pursuant to rules and
628 guidelines established by the center department, through the
629 Florida Digital Service.
630 1. The state agency strategic cybersecurity plan must cover
631 a 3-year period and, at a minimum, define security goals,
632 intermediate objectives, and projected agency costs for the
633 strategic issues of agency information security policy, risk
634 management, security training, security incident response, and
635 disaster recovery. The plan must be based on the statewide
636 cybersecurity strategic plan created by the center department
637 and include performance metrics that can be objectively measured
638 to reflect the status of the state agency’s progress in meeting
639 security goals and objectives identified in the agency’s
640 strategic information security plan.
641 2. The state agency operational cybersecurity plan must
642 include a progress report that objectively measures progress
643 made towards the prior operational cybersecurity plan and a
644 project plan that includes activities, timelines, and
645 deliverables for security objectives that the state agency will
646 implement during the current fiscal year.
647 (d) Conduct, and update every 3 years, a comprehensive risk
648 assessment, which may be completed by a private sector vendor,
649 to determine the security threats to the data, information, and
650 information technology resources, including mobile devices and
651 print environments, of the agency. The risk assessment must
652 comply with the risk assessment methodology developed by the
653 center department and is confidential and exempt from s.
654 119.07(1), except that such information shall be available to
655 the Auditor General, the center Florida Digital Service within
656 the department, the Cybercrime Office of the Department of Law
657 Enforcement, and, for state agencies under the jurisdiction of
658 the Governor, the Chief Inspector General. If a private sector
659 vendor is used to complete a comprehensive risk assessment, it
660 must attest to the validity of the risk assessment findings.
661 (e) Develop, and periodically update, written internal
662 policies and procedures, which include procedures for reporting
663 cybersecurity incidents and breaches to the Cybercrime Office of
664 the Department of Law Enforcement and the center Florida Digital
665 Service within the department. Such policies and procedures must
666 be consistent with the rules, guidelines, and processes
667 established by the center department to ensure the security of
668 the data, information, and information technology resources of
669 the agency. The internal policies and procedures that, if
670 disclosed, could facilitate the unauthorized modification,
671 disclosure, or destruction of data or information technology
672 resources are confidential information and exempt from s.
673 119.07(1), except that such information shall be available to
674 the Auditor General, the Cybercrime Office of the Department of
675 Law Enforcement, the center Florida Digital Service within the
676 department, and, for state agencies under the jurisdiction of
677 the Governor, the Chief Inspector General.
678 (f) Implement managerial, operational, and technical
679 safeguards and risk assessment remediation plans recommended by
680 the center department to address identified risks to the data,
681 information, and information technology resources of the agency.
682 The center department, through the Florida Digital Service,
683 shall track implementation by state agencies upon development of
684 such remediation plans in coordination with agency inspectors
685 general.
686 (g) Ensure that periodic internal audits and evaluations of
687 the agency’s cybersecurity program for the data, information,
688 and information technology resources of the agency are
689 conducted. The results of such audits and evaluations are
690 confidential information and exempt from s. 119.07(1), except
691 that such information shall be available to the Auditor General,
692 the Cybercrime Office of the Department of Law Enforcement, the
693 center Florida Digital Service within the department, and, for
694 agencies under the jurisdiction of the Governor, the Chief
695 Inspector General.
696 (h) Ensure that the cybersecurity requirements in the
697 written specifications for the solicitation, contracts, and
698 service-level agreement of information technology and
699 information technology resources and services meet or exceed the
700 applicable state and federal laws, regulations, and standards
701 for cybersecurity, including the National Institute of Standards
702 and Technology Cybersecurity Framework. Service-level agreements
703 must identify service provider and state agency responsibilities
704 for privacy and security, protection of government data,
705 personnel background screening, and security deliverables with
706 associated frequencies.
707 (i) Provide cybersecurity awareness training to all state
708 agency employees in the first 30 days after commencing
709 employment concerning cybersecurity risks and the responsibility
710 of employees to comply with policies, standards, guidelines, and
711 operating procedures adopted by the state agency to reduce those
712 risks. The training may be provided in collaboration with the
713 Cybercrime Office of the Department of Law Enforcement, a
714 private sector entity, or an institution of the state university
715 system.
716 (j) Develop a process for detecting, reporting, and
717 responding to threats, breaches, or cybersecurity incidents
718 which is consistent with the security rules, guidelines, and
719 processes established by the center department through the
720 Florida Digital Service.
721 1. All cybersecurity incidents and breaches must be
722 reported to the center Florida Digital Service within the
723 department and the Cybercrime Office of the Department of Law
724 Enforcement and must comply with the notification procedures and
725 reporting timeframes established pursuant to paragraph (3)(c).
726 2. For cybersecurity breaches, state agencies shall provide
727 notice in accordance with s. 501.171.
728 (8) The portions of records made confidential and exempt in
729 subsections (5), (6), and (7) shall be available to the Auditor
730 General, the Cybercrime Office of the Department of Law
731 Enforcement, the center Florida Digital Service within the
732 department, and, for agencies under the jurisdiction of the
733 Governor, the Chief Inspector General. Such portions of records
734 may be made available to a local government, another state
735 agency, or a federal agency for cybersecurity purposes or in
736 furtherance of the state agency’s official duties.
737 (11) The Enterprise Florida First Technology Center
738 department shall adopt rules relating to cybersecurity and to
739 administer this section.
740 Section 10. Subsections (1), (3), (6), and (9) of section
741 282.319, Florida Statutes, are amended to read:
742 282.319 Florida Cybersecurity Advisory Council.—
743 (1) The Florida Cybersecurity Advisory Council, an advisory
744 council as defined in s. 20.03(7), is housed created within the
745 Executive Office of the Governor department. Except as otherwise
746 provided in this section, the advisory council shall operate in
747 a manner consistent with s. 20.052.
748 (3) The council shall assist the Enterprise Florida First
749 Technology Center Florida Digital Service in implementing best
750 cybersecurity practices, taking into consideration the final
751 recommendations of the Florida Cybersecurity Task Force created
752 under chapter 2019-118, Laws of Florida.
753 (6) The director of the Office of Policy and Budget
754 Secretary of Management Services, or his or her designee, shall
755 serve as the ex officio, nonvoting executive director of the
756 council.
757 (9) The council shall meet at least quarterly to:
758 (a) Review existing state agency cybersecurity policies.
759 (b) Assess ongoing risks to state agency information
760 technology.
761 (c) Recommend a reporting and information sharing system to
762 notify state agencies of new risks.
763 (d) Recommend data breach simulation exercises.
764 (e) Assist the Enterprise Florida First Technology Center
765 Florida Digital Service in developing cybersecurity best
766 practice recommendations for state agencies which that include
767 recommendations regarding:
768 1. Continuous risk monitoring.
769 2. Password management.
770 3. Protecting data in legacy and new systems.
771 (f) Examine inconsistencies between state and federal law
772 regarding cybersecurity.
773 Section 11. Subsections (4) and (6) of section 287.0591,
774 Florida Statutes, are amended to read:
775 287.0591 Information technology; vendor disqualification.—
776 (4) If the department issues a competitive solicitation for
777 information technology commodities, consultant services, or
778 staff augmentation contractual services, the Enterprise Florida
779 First Technology Center Florida Digital Service within the
780 Executive Office of the Governor must department shall
781 participate in such solicitations.
782 (6) Beginning October 1, 2021, and each October 1
783 thereafter, the department, in consultation with the Enterprise
784 Florida First Technology Center, shall prequalify firms and
785 individuals to provide information technology staff augmentation
786 contractual services on state term contract. In order to
787 prequalify a firm or individual for participation on the state
788 term contract, the department must consider, at a minimum, the
789 capability, experience, and past performance record of the firm
790 or individual. A firm or individual removed from the source of
791 supply pursuant to s. 287.042(1)(b) or placed on a disqualified
792 vendor list pursuant to s. 287.133 or s. 287.134 is immediately
793 disqualified from state term contract eligibility. Once a firm
794 or individual has been prequalified to provide information
795 technology staff augmentation contractual services on state term
796 contract, the firm or individual may respond to requests for
797 quotes from an agency to provide such services.
798 Section 12. Section 1004.649, Florida Statutes, is amended
799 to read:
800 1004.649 Northwest Regional Data Center.—
801 (1) The Northwest Regional Data Center is designated as the
802 state data center and preferred cloud services provider for all
803 state agencies. The Northwest Regional Data Center can provide
804 data center services to state agencies from multiple facilities
805 as funded in the General Appropriations Act.
806 (2) For the purpose of providing data center services to
807 its state agency customers, the Northwest Regional Data Center
808 shall:
809 (a) Operate under a governance structure that represents
810 its customers proportionally.
811 (b) Maintain an appropriate cost-allocation methodology
812 that accurately bills state agency customers based solely on the
813 actual direct and indirect costs of the services provided to
814 state agency customers, and ensures that for any fiscal year,
815 state agency customers are not subsidizing other customers of
816 the data center. Such cost-allocation methodology must comply
817 with applicable state and federal regulations concerning the
818 distribution and use of state and federal funds.
819 (c) Enter into a service-level agreement with each state
820 agency customer to provide services as defined and approved by
821 the governing board of the center. At a minimum, such service
822 level agreements must:
823 1. Identify the parties and their roles, duties, and
824 responsibilities under the agreement;
825 2. State the duration of the agreement term, which may not
826 exceed 3 years, and specify the conditions for up to two
827 optional 1-year renewals of the agreement before execution of a
828 new agreement renewal;
829 3. Identify the scope of work;
830 4. Establish the services to be provided, the business
831 standards that must be met for each service, the cost of each
832 service, and the process by which the business standards for
833 each service are to be objectively measured and reported;
834 5. Provide a timely billing methodology for recovering the
835 cost of services provided pursuant to s. 215.422;
836 6. Provide a procedure for modifying the service-level
837 agreement to address any changes in projected costs of service;
838 7. Include a right-to-audit clause to ensure that the
839 parties to the agreement have access to records for audit
840 purposes during the term of the service-level agreement Prohibit
841 the transfer of computing services between the Northwest
842 Regional Data Center and the state data center established
843 pursuant to s. 282.201 without at least 180 days’ written
844 notification of service cancellation;
845 8. Identify the products or services to be delivered with
846 sufficient specificity to permit an external financial or
847 performance audit; and
848 9. Provide that the service-level agreement may be
849 terminated by either party for cause only after giving the other
850 party notice in writing of the cause for termination and an
851 opportunity for the other party to resolve the identified cause
852 within a reasonable period; and
853 10. Provide state agency customer entities with access to
854 application, servers, network components, and other devices
855 necessary for entities to perform business activities and
856 functions and as defined and documented in a service-level
857 agreement.
858 (d) In its procurement process, show preference for cloud
859 based computing solutions that minimize or do not require the
860 purchasing, financing, or leasing of state data center
861 infrastructure, that meet the needs of state agency customer
862 entities that reduce costs, and that meet or exceed the
863 applicable state and federal laws, regulations, and standards
864 for cybersecurity.
865 (e) Assist state agency customer entities in transitioning
866 from state data center services to third-party cloud-based
867 computing services procured by a customer entity or by the
868 Northwest Regional Data Center on behalf of the customer entity.
869 (f) Provide to the Board of Governors the total annual
870 budget by major expenditure category, including, but not limited
871 to, salaries, expenses, operating capital outlay, contracted
872 services, or other personnel services by July 30 each fiscal
873 year.
874 (g)(e) Provide to each state agency customer its projected
875 annual cost for providing the agreed-upon data center services
876 by September 1 each fiscal year.
877 (h)(f) Provide a plan for consideration by the Legislative
878 Budget Commission if the governing body of the center approves
879 the use of a billing rate schedule after the start of the fiscal
880 year that increases any state agency customer’s costs for that
881 fiscal year.
882 (i) Provide data center services that comply with
883 applicable state and federal laws, regulations, and policies,
884 including all applicable security, privacy, and auditing
885 requirements.
886 (j) Maintain performance of the data center facilities by
887 ensuring proper data backup, data backup recovery, disaster
888 recovery, and appropriate security, power, cooling, fire
889 suppression, and capacity.
890 (3) The following entities are exempt from the requirement
891 to use the Northwest Regional Data Center:
892 (a) The Department of Law Enforcement.
893 (b) The Department of the Lottery’s Gaming System.
894 (c) Systems Design and Development in the Office of Policy
895 and Budget.
896 (d) The regional traffic management centers described in s.
897 335.14(2) and the Office of Toll Operations of the Department of
898 Transportation.
899 (e) The State Board of Administration.
900 (f) The offices of the state attorneys, public defenders,
901 criminal conflict and regional counsels, and the capital
902 collateral regional counsel.
903 (g) The Florida Housing Finance Corporation.
904 (4) Unless exempt from the requirement to use the Northwest
905 Regional Data Center pursuant to this section or as authorized
906 by the Legislature, a state agency may not do any of the
907 following:
908 (a) Create a new agency computing facility or data center
909 or expand the capability to support additional computer
910 equipment in an existing agency computing facility or data
911 center.
912 (b) Terminate services with the Northwest Regional Data
913 Center without giving written notice of intent to terminate
914 services 180 days before such termination.
915 (c) Procure third-party cloud-based computing services
916 without evaluating the cloud-based computing services provided
917 by the Northwest Regional Data Center.
918 (5)(2) The Northwest Regional Data Center’s authority to
919 provide data center services to its state agency customers may
920 be terminated if:
921 (a) The center requests such termination to the Board of
922 Governors, the Senate President, and the Speaker of the House of
923 Representatives; or
924 (b) The center fails to comply with the provisions of this
925 section.
926 (6)(3) If such authority is terminated, the center has
927 shall have 1 year to provide for the transition of its state
928 agency customers to a qualified alternative cloud-based data
929 center that meets the enterprise architecture standards
930 established by the Enterprise Florida First Technology Center
931 the state data center established pursuant to s. 282.201.
932 Section 13. Subsections (1) and (4) of section 282.00515,
933 Florida Statutes, are amended to read:
934 282.00515 Duties of Cabinet agencies.—
935 (1) The Department of Legal Affairs, the Department of
936 Financial Services, and the Department of Agriculture and
937 Consumer Services shall adopt the standards established in s.
938 282.0051(1)(b), (c), and (s) and (2)(e) (3)(e) or adopt
939 alternative standards based on best practices and industry
940 standards that allow for open data interoperability.
941 (4)(a) Nothing in this section or in s. 282.0051 requires
942 the Department of Legal Affairs, the Department of Financial
943 Services, or the Department of Agriculture and Consumer Services
944 to integrate with information technology outside its own
945 department or with the Enterprise Florida First Technology
946 Center Florida Digital Service.
947 (b) The center department, acting through the Florida
948 Digital Service, may not retrieve or disclose any data without a
949 shared-data agreement in place between the center department and
950 the Department of Legal Affairs, the Department of Financial
951 Services, or the Department of Agriculture and Consumer
952 Services.
953 Section 14. Subsection (4) of section 443.1113, Florida
954 Statutes, is amended to read:
955 443.1113 Reemployment Assistance Claims and Benefits
956 Information System.—
957 (4)(a) The Department of Economic Opportunity shall perform
958 an annual review of the system and identify enhancements or
959 modernization efforts that improve the delivery of services to
960 claimants and employers and reporting to state and federal
961 entities. These improvements must include, but need not be
962 limited to:
963 1. Infrastructure upgrades through cloud services.
964 2. Software improvements.
965 3. Enhanced data analytics and reporting.
966 4. Increased cybersecurity pursuant to s. 282.318.
967 (b) The department shall seek input on recommended
968 enhancements from, at a minimum, the following entities:
969 1. The Enterprise Florida First Technology Center Florida
970 Digital Service within the Executive Office of the Governor
971 Department of Management Services.
972 2. The General Tax Administration Program Office within the
973 Department of Revenue.
974 3. The Division of Accounting and Auditing within the
975 Department of Financial Services.
976 Section 15. Subsection (5) of section 943.0415, Florida
977 Statutes, is amended to read:
978 943.0415 Cybercrime Office.—There is created within the
979 Department of Law Enforcement the Cybercrime Office. The office
980 may:
981 (5) Consult with the Enterprise Florida First Technology
982 Center Florida Digital Service within the Executive Office of
983 the Governor Department of Management Services in the adoption
984 of rules relating to the information technology security
985 provisions in s. 282.318.
986 Section 16. This act shall take effect July 1, 2022.