SB 2518 Second Engrossed
20222518e2
1 A bill to be entitled
2 An act relating to information technology; providing
3 that all functions, records, personnel, contracts,
4 interagency agreements, and assets of the Department
5 of Management Services State Data Center are
6 transferred to the Northwest Regional Data Center;
7 amending s. 282.0041, F.S.; revising the definition of
8 the term “service-level agreement”; amending s.
9 282.0051, F.S.; deleting the operational management
10 and oversight of the state data center from the
11 powers, duties, and functions of the department,
12 acting through Florida Digital Service; requiring the
13 department, acting through the Florida Digital
14 Service, to create a certain indexed data catalog and
15 develop and publish a certain data dictionary by a
16 specified date; amending s. 282.201, F.S.; requiring
17 the department to assist customer entities
18 transitioning from other cloud-computing services to
19 the Northwest Regional Data Center or a cloud
20 computing service procured by the state data center;
21 providing responsibilities to the department relating
22 to the operational management and oversight of the
23 state data center; requiring the department to adopt
24 specified rules; requiring the secretary of the
25 department to contract with the Northwest Regional
26 Data Center to carry out the department’s duties and
27 responsibilities by a specified date; providing
28 contract requirements; requiring the department to
29 provide contract oversight for the data center;
30 requiring the department to approve or deny certain
31 requests within a specified timeframe; providing that
32 no action on an invoice is an approval by default;
33 requiring the data center to submit approved invoices
34 directly to state agency customers; amending s.
35 1004.649, F.S.; designating the Northwest Regional
36 Data Center as the state data center; specifying
37 additional requirements for service-level agreements
38 with state agency customers; specifying required
39 duties of the Northwest Regional Data Center;
40 prohibiting state agencies from engaging in certain
41 activities, unless otherwise authorized; modifying
42 provisions governing the transition of state agency
43 customers to a cloud-based data center; amending s.
44 282.00515, F.S.; conforming a cross-reference;
45 providing an effective date.
46
47 Be It Enacted by the Legislature of the State of Florida:
48
49 Section 1. All functions, records, personnel, contracts,
50 interagency agreements, and assets of the current Department of
51 Management Services State Data Center are transferred to the
52 Northwest Regional Data Center.
53 Section 2. Subsection (30) of section 282.0041, Florida
54 Statutes, is amended to read:
55 282.0041 Definitions.—As used in this chapter, the term:
56 (30) “Service-level agreement” means a written contract
57 between the Department of Management Services or a provider of
58 data center services and a customer entity which specifies the
59 scope of services provided, service level, the duration of the
60 agreement, the responsible parties, and service costs. A
61 service-level agreement is not a rule pursuant to chapter 120.
62 Section 3. Paragraphs (j) and (q) of subsection (1) and
63 paragraphs (a) and (b) of subsection (3) of section 282.0051,
64 Florida Statutes, are amended to read:
65 282.0051 Department of Management Services; Florida Digital
66 Service; powers, duties, and functions.—
67 (1) The Florida Digital Service has been created within the
68 department to propose innovative solutions that securely
69 modernize state government, including technology and information
70 services, to achieve value through digital transformation and
71 interoperability, and to fully support the cloud-first policy as
72 specified in s. 282.206. The department, through the Florida
73 Digital Service, shall have the following powers, duties, and
74 functions:
75 (j) Provide operational management and oversight of the
76 state data center established pursuant to s. 282.201, which
77 includes:
78 1. Implementing industry standards and best practices for
79 the state data center’s facilities, operations, maintenance,
80 planning, and management processes.
81 2. Developing and implementing cost-recovery mechanisms
82 that recover the full direct and indirect cost of services
83 through charges to applicable customer entities. Such cost
84 recovery mechanisms must comply with applicable state and
85 federal regulations concerning distribution and use of funds and
86 must ensure that, for any fiscal year, no service or customer
87 entity subsidizes another service or customer entity. The
88 Florida Digital Service may recommend other payment mechanisms
89 to the Executive Office of the Governor, the President of the
90 Senate, and the Speaker of the House of Representatives. Such
91 mechanism may be implemented only if specifically authorized by
92 the Legislature.
93 3. Developing and implementing appropriate operating
94 guidelines and procedures necessary for the state data center to
95 perform its duties pursuant to s. 282.201. The guidelines and
96 procedures must comply with applicable state and federal laws,
97 regulations, and policies and conform to generally accepted
98 governmental accounting and auditing standards. The guidelines
99 and procedures must include, but need not be limited to:
100 a. Implementing a consolidated administrative support
101 structure responsible for providing financial management,
102 procurement, transactions involving real or personal property,
103 human resources, and operational support.
104 b. Implementing an annual reconciliation process to ensure
105 that each customer entity is paying for the full direct and
106 indirect cost of each service as determined by the customer
107 entity’s use of each service.
108 c. Providing rebates that may be credited against future
109 billings to customer entities when revenues exceed costs.
110 d. Requiring customer entities to validate that sufficient
111 funds exist in the appropriate data processing appropriation
112 category or will be transferred into the appropriate data
113 processing appropriation category before implementation of a
114 customer entity’s request for a change in the type or level of
115 service provided, if such change results in a net increase to
116 the customer entity’s cost for that fiscal year.
117 e. By November 15 of each year, providing to the Office of
118 Policy and Budget in the Executive Office of the Governor and to
119 the chairs of the legislative appropriations committees the
120 projected costs of providing data center services for the
121 following fiscal year.
122 f. Providing a plan for consideration by the Legislative
123 Budget Commission if the cost of a service is increased for a
124 reason other than a customer entity’s request made pursuant to
125 sub-subparagraph d. Such a plan is required only if the service
126 cost increase results in a net increase to a customer entity for
127 that fiscal year.
128 g. Standardizing and consolidating procurement and
129 contracting practices.
130 4. In collaboration with the Department of Law Enforcement,
131 developing and implementing a process for detecting, reporting,
132 and responding to cybersecurity incidents, breaches, and
133 threats.
134 5. Adopting rules relating to the operation of the state
135 data center, including, but not limited to, budgeting and
136 accounting procedures, cost-recovery methodologies, and
137 operating procedures.
138 (p)1.(q)1. Establish an information technology policy for
139 all information technology-related state contracts, including
140 state term contracts for information technology commodities,
141 consultant services, and staff augmentation services. The
142 information technology policy must include:
143 a. Identification of the information technology product and
144 service categories to be included in state term contracts.
145 b. Requirements to be included in solicitations for state
146 term contracts.
147 c. Evaluation criteria for the award of information
148 technology-related state term contracts.
149 d. The term of each information technology-related state
150 term contract.
151 e. The maximum number of vendors authorized on each state
152 term contract.
153 f. At a minimum, a requirement that any contract for
154 information technology commodities or services meet the National
155 Institute of Standards and Technology Cybersecurity Framework.
156 g. For an information technology project wherein project
157 oversight is required pursuant to paragraph (d) or paragraph (m)
158 (n), a requirement that independent verification and validation
159 be employed throughout the project life cycle with the primary
160 objective of independent verification and validation being to
161 provide an objective assessment of products and processes
162 throughout the project life cycle. An entity providing
163 independent verification and validation may not have technical,
164 managerial, or financial interest in the project and may not
165 have responsibility for, or participate in, any other aspect of
166 the project.
167 2. Evaluate vendor responses for information technology
168 related state term contract solicitations and invitations to
169 negotiate.
170 3. Answer vendor questions on information technology
171 related state term contract solicitations.
172 4. Ensure that the information technology policy
173 established pursuant to subparagraph 1. is included in all
174 solicitations and contracts that are administratively executed
175 by the department.
176 (3) The department, acting through the Florida Digital
177 Service and from funds appropriated to the Florida Digital
178 Service, shall:
179 (a) Create, not later than December 1, 2022 October 1,
180 2021, and maintain a comprehensive indexed data catalog in
181 collaboration with the enterprise that lists the data elements
182 housed within the enterprise and the legacy system or
183 application in which these data elements are located. The data
184 catalog must, at a minimum, specifically identify all data that
185 is restricted from public disclosure based on federal or state
186 laws and regulations and require that all such information be
187 protected in accordance with s. 282.318.
188 (b) Develop and publish, not later than December 1, 2022
189 October 1, 2021, in collaboration with the enterprise, a data
190 dictionary for each agency that reflects the nomenclature in the
191 comprehensive indexed data catalog.
192 Section 4. Section 282.201, Florida Statutes, is amended to
193 read:
194 282.201 State data center.—The state data center is
195 established within the department. The provision of data center
196 services must comply with applicable state and federal laws,
197 regulations, and policies, including all applicable security,
198 privacy, and auditing requirements. The department shall appoint
199 a director of the state data center, preferably an individual
200 who has experience in leading data center facilities and has
201 expertise in cloud-computing management.
202 (1) STATE DATA CENTER DUTIES.—The state data center shall:
203 (a) Offer, develop, and support the services and
204 applications defined in service-level agreements executed with
205 its customer entities.
206 (b) Maintain performance of the state data center by
207 ensuring proper data backup, data backup recovery, disaster
208 recovery, and appropriate security, power, cooling, fire
209 suppression, and capacity.
210 (c) Develop and implement business continuity and disaster
211 recovery plans, and annually conduct a live exercise of each
212 plan.
213 (d) Enter into a service-level agreement with each customer
214 entity to provide the required type and level of service or
215 services. If a customer entity fails to execute an agreement
216 within 60 days after commencement of a service, the state data
217 center may cease service. A service-level agreement may not have
218 a term exceeding 3 years and at a minimum must:
219 1. Identify the parties and their roles, duties, and
220 responsibilities under the agreement.
221 2. State the duration of the contract term and specify the
222 conditions for renewal.
223 3. Identify the scope of work.
224 4. Identify the products or services to be delivered with
225 sufficient specificity to permit an external financial or
226 performance audit.
227 5. Establish the services to be provided, the business
228 standards that must be met for each service, the cost of each
229 service by agency application, and the metrics and processes by
230 which the business standards for each service are to be
231 objectively measured and reported.
232 6. Provide a timely billing methodology to recover the
233 costs of services provided to the customer entity pursuant to s.
234 215.422.
235 7. Provide a procedure for modifying the service-level
236 agreement based on changes in the type, level, and cost of a
237 service.
238 8. Include a right-to-audit clause to ensure that the
239 parties to the agreement have access to records for audit
240 purposes during the term of the service-level agreement.
241 9. Provide that a service-level agreement may be terminated
242 by either party for cause only after giving the other party and
243 the department notice in writing of the cause for termination
244 and an opportunity for the other party to resolve the identified
245 cause within a reasonable period.
246 10. Provide for mediation of disputes by the Division of
247 Administrative Hearings pursuant to s. 120.573.
248 (e) For purposes of chapter 273, be the custodian of
249 resources and equipment located in and operated, supported, and
250 managed by the state data center.
251 (f) Assume administrative access rights to resources and
252 equipment, including servers, network components, and other
253 devices, consolidated into the state data center.
254 1. Upon consolidation, a state agency shall relinquish
255 administrative rights to consolidated resources and equipment.
256 State agencies required to comply with federal and state
257 criminal justice information security rules and policies shall
258 retain administrative access rights sufficient to comply with
259 the management control provisions of those rules and policies;
260 however, the state data center shall have the appropriate type
261 or level of rights to allow the center to comply with its duties
262 pursuant to this section. The Department of Law Enforcement
263 shall serve as the arbiter of disputes pertaining to the
264 appropriate type and level of administrative access rights
265 pertaining to the provision of management control in accordance
266 with the federal criminal justice information guidelines.
267 2. The state data center shall provide customer entities
268 with access to applications, servers, network components, and
269 other devices necessary for entities to perform business
270 activities and functions, and as defined and documented in a
271 service-level agreement.
272 (g) In its procurement process, show preference for cloud
273 computing solutions that minimize or do not require the
274 purchasing, financing, or leasing of state data center
275 infrastructure, and that meet the needs of customer agencies,
276 that reduce costs, and that meet or exceed the applicable state
277 and federal laws, regulations, and standards for cybersecurity.
278 (h) Assist customer entities in transitioning from state
279 data center services to the Northwest Regional Data Center or
280 other third-party cloud-computing services procured by a
281 customer entity or by the Northwest Regional Data Center on
282 behalf of a customer entity.
283 (2) USE OF THE STATE DATA CENTER.—The following are exempt
284 from the use of the state data center: the Department of Law
285 Enforcement, the Department of the Lottery’s Gaming System,
286 Systems Design and Development in the Office of Policy and
287 Budget, the regional traffic management centers as described in
288 s. 335.14(2) and the Office of Toll Operations of the Department
289 of Transportation, the State Board of Administration, state
290 attorneys, public defenders, criminal conflict and civil
291 regional counsel, capital collateral regional counsel, and the
292 Florida Housing Finance Corporation.
293 (3) AGENCY LIMITATIONS.—Unless exempt from the use of the
294 state data center pursuant to this section or authorized by the
295 Legislature, a state agency may not:
296 (a) Create a new agency computing facility or data center,
297 or expand the capability to support additional computer
298 equipment in an existing agency computing facility or data
299 center; or
300 (b) Terminate services with the state data center without
301 giving written notice of intent to terminate services 180 days
302 before such termination.
303 (4) DEPARTMENT RESPONSIBILITIES.—The department shall
304 provide operational management and oversight of the state data
305 center, which includes:
306 (a) Implementing industry standards and best practices for
307 the state data center’s facilities, operations, maintenance,
308 planning, and management processes.
309 (b) Developing and implementing cost-recovery mechanisms
310 that recover the full direct and indirect cost of services
311 through charges to applicable customer entities. Such cost
312 recovery mechanisms must comply with applicable state and
313 federal regulations concerning distribution and use of funds and
314 must ensure that, for any fiscal year, no service or customer
315 entity subsidizes another service or customer entity. The
316 department may recommend other payment mechanisms to the
317 Executive Office of the Governor, the President of the Senate,
318 and the Speaker of the House of Representatives. Such mechanism
319 may be implemented only if specifically authorized by the
320 Legislature.
321 (c) Developing and implementing appropriate operating
322 guidelines and procedures necessary for the state data center to
323 perform its duties pursuant to subsection (1). The guidelines
324 and procedures must comply with applicable state and federal
325 laws, regulations, and policies and conform to generally
326 accepted governmental accounting and auditing standards. The
327 guidelines and procedures must include, but need not be limited
328 to:
329 1. Implementing a consolidated administrative support
330 structure responsible for providing financial management,
331 procurement, transactions involving real or personal property,
332 human resources, and operational support.
333 2. Implementing an annual reconciliation process to ensure
334 that each customer entity is paying for the full direct and
335 indirect cost of each service as determined by the customer
336 entity’s use of each service.
337 3. Providing rebates that may be credited against future
338 billings to customer entities when revenues exceed costs.
339 4. Requiring customer entities to validate that sufficient
340 funds exist before implementation of a customer entity’s request
341 for a change in the type or level of service provided, if such
342 change results in a net increase to the customer entity’s cost
343 for that fiscal year.
344 5. By November 15 of each year, providing to the Office of
345 Policy and Budget in the Executive Office of the Governor and to
346 the chairs of the legislative appropriations committees the
347 projected costs of providing data center services for the
348 following fiscal year.
349 6. Providing a plan for consideration by the Legislative
350 Budget Commission if the cost of a service is increased for a
351 reason other than a customer entity’s request made pursuant to
352 subparagraph 4. Such a plan is required only if the service cost
353 increase results in a net increase to a customer entity for that
354 fiscal year.
355 7. Standardizing and consolidating procurement and
356 contracting practices.
357 (d) In collaboration with the Department of Law Enforcement
358 and the Florida Digital Service, developing and implementing a
359 process for detecting, reporting, and responding to
360 cybersecurity incidents, breaches, and threats.
361 (e) Adopting rules relating to the operation of the state
362 data center, including, but not limited to, budgeting and
363 accounting procedures, cost-recovery methodologies, and
364 operating procedures.
365 (5) NORTHWEST REGIONAL DATA CENTER CONTRACT.—In order for
366 the department to carry out its duties and responsibilities
367 relating to the state data center, the secretary of the
368 department shall contract by July 1, 2022, with the Northwest
369 Regional Data Center pursuant to s. 287.057(11). The contract
370 shall provide that the Northwest Regional Data Center will
371 manage the operations of the state data center and provide data
372 center services to state agencies.
373 (a) The department shall provide contract oversight,
374 including, but not limited to, reviewing invoices provided by
375 the Northwest Regional Data Center for services provided to
376 state agency customers.
377 (b) The department shall approve or request updates to
378 invoices within 10 business days after receipt. If the
379 department does not respond to the Northwest Regional Data
380 Center, the invoice will be approved by default. The Northwest
381 Regional Data Center must submit approved invoices directly to
382 state agency customers.
383 Section 5. Section 1004.649, Florida Statutes, is amended
384 to read:
385 1004.649 Northwest Regional Data Center.—
386 (1) For the purpose of providing data center services to
387 its state agency customers, the Northwest Regional Data Center
388 is designated as a state data center for all state agencies and
389 shall:
390 (a) Operate under a governance structure that represents
391 its customers proportionally.
392 (b) Maintain an appropriate cost-allocation methodology
393 that accurately bills state agency customers based solely on the
394 actual direct and indirect costs of the services provided to
395 state agency customers, and ensures that for any fiscal year,
396 state agency customers are not subsidizing other customers of
397 the data center. Such cost-allocation methodology must comply
398 with applicable state and federal regulations concerning the
399 distribution and use of state and federal funds.
400 (c) Enter into a service-level agreement with each state
401 agency customer to provide services as defined and approved by
402 the governing board of the center. At a minimum, such service
403 level agreements must:
404 1. Identify the parties and their roles, duties, and
405 responsibilities under the agreement;
406 2. State the duration of the agreement term, which may not
407 exceed 3 years, and specify the conditions for up to two
408 optional 1-year renewals of the agreement before execution of a
409 new agreement renewal;
410 3. Identify the scope of work;
411 4. Establish the services to be provided, the business
412 standards that must be met for each service, the cost of each
413 service, and the process by which the business standards for
414 each service are to be objectively measured and reported;
415 5. Provide a timely billing methodology for recovering the
416 cost of services provided pursuant to s. 215.422;
417 6. Provide a procedure for modifying the service-level
418 agreement to address any changes in projected costs of service;
419 7. Include a right-to-audit clause to ensure that the
420 parties to the agreement have access to records for audit
421 purposes during the term of the service-level agreement Prohibit
422 the transfer of computing services between the Northwest
423 Regional Data Center and the state data center established
424 pursuant to s. 282.201 without at least 180 days’ written
425 notification of service cancellation;
426 8. Identify the products or services to be delivered with
427 sufficient specificity to permit an external financial or
428 performance audit; and
429 9. Provide that the service-level agreement may be
430 terminated by either party for cause only after giving the other
431 party notice in writing of the cause for termination and an
432 opportunity for the other party to resolve the identified cause
433 within a reasonable period; and
434 10. Provide state agency customer entities with access to
435 applications, servers, network components, and other devices
436 necessary for entities to perform business activities and
437 functions and as defined and documented in a service-level
438 agreement.
439 (d) In its procurement process, show preference for cloud
440 computing solutions that minimize or do not require the
441 purchasing or financing of state data center infrastructure,
442 that meet the needs of state agency customer entities, that
443 reduce costs, and that meet or exceed the applicable state and
444 federal laws, regulations, and standards for cybersecurity.
445 (e) Assist state agency customer entities in transitioning
446 from state data center services to other third-party cloud
447 computing services procured by a customer entity or by the
448 Northwest Regional Data Center on behalf of the customer entity.
449 (f) Provide to the Board of Governors the total annual
450 budget by major expenditure category, including, but not limited
451 to, salaries, expenses, operating capital outlay, contracted
452 services, or other personnel services by July 30 each fiscal
453 year.
454 (g)(e) Provide to each state agency customer its projected
455 annual cost for providing the agreed-upon data center services
456 by September 1 each fiscal year.
457 (h)(f) Provide a plan for consideration by the Legislative
458 Budget Commission if the governing body of the center approves
459 the use of a billing rate schedule after the start of the fiscal
460 year that increases any state agency customer’s costs for that
461 fiscal year.
462 (i) Provide data center services that comply with
463 applicable state and federal laws, regulations, and policies,
464 including all applicable security, privacy, and auditing
465 requirements.
466 (j) Maintain performance of the data center facilities by
467 ensuring proper data backup, data backup recovery, disaster
468 recovery, and appropriate security, power, cooling, fire
469 suppression, and capacity.
470 (k) Prepare and submit state agency customer invoices to
471 the Department of Management Services for approval. Upon
472 approval or by default pursuant to s. 282.201(5), submit
473 invoices to state agency customers.
474 (l) As funded in the General Appropriations Act, provide
475 data center services to state agencies from multiple facilities.
476 (2) Unless exempt from the requirement to use the state
477 data center pursuant to s. 282.201(2) or as authorized by the
478 Legislature, a state agency may not do any of the following:
479 (a) Terminate services with the Northwest Regional Data
480 Center without giving written notice of intent to terminate
481 services 180 days before such termination.
482 (b) Procure third-party cloud-computing services without
483 evaluating the cloud-computing services provided by the
484 Northwest Regional Data Center.
485 (c) Exceed 30 days from receipt of approved invoices to
486 remit payment for state data center services provided by the
487 Northwest Regional Data Center.
488 (3)(2) The Northwest Regional Data Center’s authority to
489 provide data center services to its state agency customers may
490 be terminated if:
491 (a) The center requests such termination to the Board of
492 Governors, the Senate President, and the Speaker of the House of
493 Representatives; or
494 (b) The center fails to comply with the provisions of this
495 section.
496 (4)(3) If such authority is terminated, the center has
497 shall have 1 year to provide for the transition of its state
498 agency customers to a qualified alternative cloud-based data
499 center that meets the enterprise architecture standards
500 established by the Florida Digital Service the state data center
501 established pursuant to s. 282.201.
502 Section 6. Subsection (1) of section 282.00515, Florida
503 Statutes, is amended to read:
504 282.00515 Duties of Cabinet agencies.—
505 (1) The Department of Legal Affairs, the Department of
506 Financial Services, and the Department of Agriculture and
507 Consumer Services shall adopt the standards established in s.
508 282.0051(1)(b), (c), and (r) (s) and (3)(e) or adopt alternative
509 standards based on best practices and industry standards that
510 allow for open data interoperability.
511 Section 7. This act shall take effect July 1, 2022.