SB 2518                                         Second Engrossed
       
       
       
       
       
       
       
       
       20222518e2
       
    1                        A bill to be entitled                      
    2         An act relating to information technology; providing
    3         that all functions, records, personnel, contracts,
    4         interagency agreements, and assets of the Department
    5         of Management Services State Data Center are
    6         transferred to the Northwest Regional Data Center;
    7         amending s. 282.0041, F.S.; revising the definition of
    8         the term “service-level agreement”; amending s.
    9         282.0051, F.S.; deleting the operational management
   10         and oversight of the state data center from the
   11         powers, duties, and functions of the department,
   12         acting through Florida Digital Service; requiring the
   13         department, acting through the Florida Digital
   14         Service, to create a certain indexed data catalog and
   15         develop and publish a certain data dictionary by a
   16         specified date; amending s. 282.201, F.S.; requiring
   17         the department to assist customer entities
   18         transitioning from other cloud-computing services to
   19         the Northwest Regional Data Center or a cloud
   20         computing service procured by the state data center;
   21         providing responsibilities to the department relating
   22         to the operational management and oversight of the
   23         state data center; requiring the department to adopt
   24         specified rules; requiring the secretary of the
   25         department to contract with the Northwest Regional
   26         Data Center to carry out the department’s duties and
   27         responsibilities by a specified date; providing
   28         contract requirements; requiring the department to
   29         provide contract oversight for the data center;
   30         requiring the department to approve or deny certain
   31         requests within a specified timeframe; providing that
   32         no action on an invoice is an approval by default;
   33         requiring the data center to submit approved invoices
   34         directly to state agency customers; amending s.
   35         1004.649, F.S.; designating the Northwest Regional
   36         Data Center as the state data center; specifying
   37         additional requirements for service-level agreements
   38         with state agency customers; specifying required
   39         duties of the Northwest Regional Data Center;
   40         prohibiting state agencies from engaging in certain
   41         activities, unless otherwise authorized; modifying
   42         provisions governing the transition of state agency
   43         customers to a cloud-based data center; amending s.
   44         282.00515, F.S.; conforming a cross-reference;
   45         providing an effective date.
   46          
   47  Be It Enacted by the Legislature of the State of Florida:
   48  
   49         Section 1. All functions, records, personnel, contracts,
   50  interagency agreements, and assets of the current Department of
   51  Management Services State Data Center are transferred to the
   52  Northwest Regional Data Center.
   53         Section 2. Subsection (30) of section 282.0041, Florida
   54  Statutes, is amended to read:
   55         282.0041 Definitions.—As used in this chapter, the term:
   56         (30) “Service-level agreement” means a written contract
   57  between the Department of Management Services or a provider of
   58  data center services and a customer entity which specifies the
   59  scope of services provided, service level, the duration of the
   60  agreement, the responsible parties, and service costs. A
   61  service-level agreement is not a rule pursuant to chapter 120.
   62         Section 3. Paragraphs (j) and (q) of subsection (1) and
   63  paragraphs (a) and (b) of subsection (3) of section 282.0051,
   64  Florida Statutes, are amended to read:
   65         282.0051 Department of Management Services; Florida Digital
   66  Service; powers, duties, and functions.—
   67         (1) The Florida Digital Service has been created within the
   68  department to propose innovative solutions that securely
   69  modernize state government, including technology and information
   70  services, to achieve value through digital transformation and
   71  interoperability, and to fully support the cloud-first policy as
   72  specified in s. 282.206. The department, through the Florida
   73  Digital Service, shall have the following powers, duties, and
   74  functions:
   75         (j) Provide operational management and oversight of the
   76  state data center established pursuant to s. 282.201, which
   77  includes:
   78         1. Implementing industry standards and best practices for
   79  the state data center’s facilities, operations, maintenance,
   80  planning, and management processes.
   81         2. Developing and implementing cost-recovery mechanisms
   82  that recover the full direct and indirect cost of services
   83  through charges to applicable customer entities. Such cost
   84  recovery mechanisms must comply with applicable state and
   85  federal regulations concerning distribution and use of funds and
   86  must ensure that, for any fiscal year, no service or customer
   87  entity subsidizes another service or customer entity. The
   88  Florida Digital Service may recommend other payment mechanisms
   89  to the Executive Office of the Governor, the President of the
   90  Senate, and the Speaker of the House of Representatives. Such
   91  mechanism may be implemented only if specifically authorized by
   92  the Legislature.
   93         3. Developing and implementing appropriate operating
   94  guidelines and procedures necessary for the state data center to
   95  perform its duties pursuant to s. 282.201. The guidelines and
   96  procedures must comply with applicable state and federal laws,
   97  regulations, and policies and conform to generally accepted
   98  governmental accounting and auditing standards. The guidelines
   99  and procedures must include, but need not be limited to:
  100         a. Implementing a consolidated administrative support
  101  structure responsible for providing financial management,
  102  procurement, transactions involving real or personal property,
  103  human resources, and operational support.
  104         b. Implementing an annual reconciliation process to ensure
  105  that each customer entity is paying for the full direct and
  106  indirect cost of each service as determined by the customer
  107  entity’s use of each service.
  108         c. Providing rebates that may be credited against future
  109  billings to customer entities when revenues exceed costs.
  110         d. Requiring customer entities to validate that sufficient
  111  funds exist in the appropriate data processing appropriation
  112  category or will be transferred into the appropriate data
  113  processing appropriation category before implementation of a
  114  customer entity’s request for a change in the type or level of
  115  service provided, if such change results in a net increase to
  116  the customer entity’s cost for that fiscal year.
  117         e. By November 15 of each year, providing to the Office of
  118  Policy and Budget in the Executive Office of the Governor and to
  119  the chairs of the legislative appropriations committees the
  120  projected costs of providing data center services for the
  121  following fiscal year.
  122         f. Providing a plan for consideration by the Legislative
  123  Budget Commission if the cost of a service is increased for a
  124  reason other than a customer entity’s request made pursuant to
  125  sub-subparagraph d. Such a plan is required only if the service
  126  cost increase results in a net increase to a customer entity for
  127  that fiscal year.
  128         g. Standardizing and consolidating procurement and
  129  contracting practices.
  130         4.In collaboration with the Department of Law Enforcement,
  131  developing and implementing a process for detecting, reporting,
  132  and responding to cybersecurity incidents, breaches, and
  133  threats.
  134         5. Adopting rules relating to the operation of the state
  135  data center, including, but not limited to, budgeting and
  136  accounting procedures, cost-recovery methodologies, and
  137  operating procedures.
  138         (p)1.(q)1. Establish an information technology policy for
  139  all information technology-related state contracts, including
  140  state term contracts for information technology commodities,
  141  consultant services, and staff augmentation services. The
  142  information technology policy must include:
  143         a. Identification of the information technology product and
  144  service categories to be included in state term contracts.
  145         b. Requirements to be included in solicitations for state
  146  term contracts.
  147         c. Evaluation criteria for the award of information
  148  technology-related state term contracts.
  149         d. The term of each information technology-related state
  150  term contract.
  151         e. The maximum number of vendors authorized on each state
  152  term contract.
  153         f. At a minimum, a requirement that any contract for
  154  information technology commodities or services meet the National
  155  Institute of Standards and Technology Cybersecurity Framework.
  156         g. For an information technology project wherein project
  157  oversight is required pursuant to paragraph (d) or paragraph (m)
  158  (n), a requirement that independent verification and validation
  159  be employed throughout the project life cycle with the primary
  160  objective of independent verification and validation being to
  161  provide an objective assessment of products and processes
  162  throughout the project life cycle. An entity providing
  163  independent verification and validation may not have technical,
  164  managerial, or financial interest in the project and may not
  165  have responsibility for, or participate in, any other aspect of
  166  the project.
  167         2. Evaluate vendor responses for information technology
  168  related state term contract solicitations and invitations to
  169  negotiate.
  170         3. Answer vendor questions on information technology
  171  related state term contract solicitations.
  172         4. Ensure that the information technology policy
  173  established pursuant to subparagraph 1. is included in all
  174  solicitations and contracts that are administratively executed
  175  by the department.
  176         (3) The department, acting through the Florida Digital
  177  Service and from funds appropriated to the Florida Digital
  178  Service, shall:
  179         (a) Create, not later than December 1, 2022 October 1,
  180  2021, and maintain a comprehensive indexed data catalog in
  181  collaboration with the enterprise that lists the data elements
  182  housed within the enterprise and the legacy system or
  183  application in which these data elements are located. The data
  184  catalog must, at a minimum, specifically identify all data that
  185  is restricted from public disclosure based on federal or state
  186  laws and regulations and require that all such information be
  187  protected in accordance with s. 282.318.
  188         (b) Develop and publish, not later than December 1, 2022
  189  October 1, 2021, in collaboration with the enterprise, a data
  190  dictionary for each agency that reflects the nomenclature in the
  191  comprehensive indexed data catalog.
  192         Section 4. Section 282.201, Florida Statutes, is amended to
  193  read:
  194         282.201 State data center.—The state data center is
  195  established within the department. The provision of data center
  196  services must comply with applicable state and federal laws,
  197  regulations, and policies, including all applicable security,
  198  privacy, and auditing requirements. The department shall appoint
  199  a director of the state data center, preferably an individual
  200  who has experience in leading data center facilities and has
  201  expertise in cloud-computing management.
  202         (1) STATE DATA CENTER DUTIES.—The state data center shall:
  203         (a) Offer, develop, and support the services and
  204  applications defined in service-level agreements executed with
  205  its customer entities.
  206         (b) Maintain performance of the state data center by
  207  ensuring proper data backup, data backup recovery, disaster
  208  recovery, and appropriate security, power, cooling, fire
  209  suppression, and capacity.
  210         (c) Develop and implement business continuity and disaster
  211  recovery plans, and annually conduct a live exercise of each
  212  plan.
  213         (d) Enter into a service-level agreement with each customer
  214  entity to provide the required type and level of service or
  215  services. If a customer entity fails to execute an agreement
  216  within 60 days after commencement of a service, the state data
  217  center may cease service. A service-level agreement may not have
  218  a term exceeding 3 years and at a minimum must:
  219         1. Identify the parties and their roles, duties, and
  220  responsibilities under the agreement.
  221         2. State the duration of the contract term and specify the
  222  conditions for renewal.
  223         3. Identify the scope of work.
  224         4. Identify the products or services to be delivered with
  225  sufficient specificity to permit an external financial or
  226  performance audit.
  227         5. Establish the services to be provided, the business
  228  standards that must be met for each service, the cost of each
  229  service by agency application, and the metrics and processes by
  230  which the business standards for each service are to be
  231  objectively measured and reported.
  232         6. Provide a timely billing methodology to recover the
  233  costs of services provided to the customer entity pursuant to s.
  234  215.422.
  235         7. Provide a procedure for modifying the service-level
  236  agreement based on changes in the type, level, and cost of a
  237  service.
  238         8. Include a right-to-audit clause to ensure that the
  239  parties to the agreement have access to records for audit
  240  purposes during the term of the service-level agreement.
  241         9. Provide that a service-level agreement may be terminated
  242  by either party for cause only after giving the other party and
  243  the department notice in writing of the cause for termination
  244  and an opportunity for the other party to resolve the identified
  245  cause within a reasonable period.
  246         10. Provide for mediation of disputes by the Division of
  247  Administrative Hearings pursuant to s. 120.573.
  248         (e) For purposes of chapter 273, be the custodian of
  249  resources and equipment located in and operated, supported, and
  250  managed by the state data center.
  251         (f) Assume administrative access rights to resources and
  252  equipment, including servers, network components, and other
  253  devices, consolidated into the state data center.
  254         1. Upon consolidation, a state agency shall relinquish
  255  administrative rights to consolidated resources and equipment.
  256  State agencies required to comply with federal and state
  257  criminal justice information security rules and policies shall
  258  retain administrative access rights sufficient to comply with
  259  the management control provisions of those rules and policies;
  260  however, the state data center shall have the appropriate type
  261  or level of rights to allow the center to comply with its duties
  262  pursuant to this section. The Department of Law Enforcement
  263  shall serve as the arbiter of disputes pertaining to the
  264  appropriate type and level of administrative access rights
  265  pertaining to the provision of management control in accordance
  266  with the federal criminal justice information guidelines.
  267         2. The state data center shall provide customer entities
  268  with access to applications, servers, network components, and
  269  other devices necessary for entities to perform business
  270  activities and functions, and as defined and documented in a
  271  service-level agreement.
  272         (g) In its procurement process, show preference for cloud
  273  computing solutions that minimize or do not require the
  274  purchasing, financing, or leasing of state data center
  275  infrastructure, and that meet the needs of customer agencies,
  276  that reduce costs, and that meet or exceed the applicable state
  277  and federal laws, regulations, and standards for cybersecurity.
  278         (h) Assist customer entities in transitioning from state
  279  data center services to the Northwest Regional Data Center or
  280  other third-party cloud-computing services procured by a
  281  customer entity or by the Northwest Regional Data Center on
  282  behalf of a customer entity.
  283         (2) USE OF THE STATE DATA CENTER.—The following are exempt
  284  from the use of the state data center: the Department of Law
  285  Enforcement, the Department of the Lottery’s Gaming System,
  286  Systems Design and Development in the Office of Policy and
  287  Budget, the regional traffic management centers as described in
  288  s. 335.14(2) and the Office of Toll Operations of the Department
  289  of Transportation, the State Board of Administration, state
  290  attorneys, public defenders, criminal conflict and civil
  291  regional counsel, capital collateral regional counsel, and the
  292  Florida Housing Finance Corporation.
  293         (3) AGENCY LIMITATIONS.—Unless exempt from the use of the
  294  state data center pursuant to this section or authorized by the
  295  Legislature, a state agency may not:
  296         (a) Create a new agency computing facility or data center,
  297  or expand the capability to support additional computer
  298  equipment in an existing agency computing facility or data
  299  center; or
  300         (b) Terminate services with the state data center without
  301  giving written notice of intent to terminate services 180 days
  302  before such termination.
  303         (4) DEPARTMENT RESPONSIBILITIES.—The department shall
  304  provide operational management and oversight of the state data
  305  center, which includes:
  306         (a)Implementing industry standards and best practices for
  307  the state data center’s facilities, operations, maintenance,
  308  planning, and management processes.
  309         (b)Developing and implementing cost-recovery mechanisms
  310  that recover the full direct and indirect cost of services
  311  through charges to applicable customer entities. Such cost
  312  recovery mechanisms must comply with applicable state and
  313  federal regulations concerning distribution and use of funds and
  314  must ensure that, for any fiscal year, no service or customer
  315  entity subsidizes another service or customer entity. The
  316  department may recommend other payment mechanisms to the
  317  Executive Office of the Governor, the President of the Senate,
  318  and the Speaker of the House of Representatives. Such mechanism
  319  may be implemented only if specifically authorized by the
  320  Legislature.
  321         (c)Developing and implementing appropriate operating
  322  guidelines and procedures necessary for the state data center to
  323  perform its duties pursuant to subsection (1). The guidelines
  324  and procedures must comply with applicable state and federal
  325  laws, regulations, and policies and conform to generally
  326  accepted governmental accounting and auditing standards. The
  327  guidelines and procedures must include, but need not be limited
  328  to:
  329         1.Implementing a consolidated administrative support
  330  structure responsible for providing financial management,
  331  procurement, transactions involving real or personal property,
  332  human resources, and operational support.
  333         2.Implementing an annual reconciliation process to ensure
  334  that each customer entity is paying for the full direct and
  335  indirect cost of each service as determined by the customer
  336  entity’s use of each service.
  337         3.Providing rebates that may be credited against future
  338  billings to customer entities when revenues exceed costs.
  339         4.Requiring customer entities to validate that sufficient
  340  funds exist before implementation of a customer entity’s request
  341  for a change in the type or level of service provided, if such
  342  change results in a net increase to the customer entity’s cost
  343  for that fiscal year.
  344         5.By November 15 of each year, providing to the Office of
  345  Policy and Budget in the Executive Office of the Governor and to
  346  the chairs of the legislative appropriations committees the
  347  projected costs of providing data center services for the
  348  following fiscal year.
  349         6.Providing a plan for consideration by the Legislative
  350  Budget Commission if the cost of a service is increased for a
  351  reason other than a customer entity’s request made pursuant to
  352  subparagraph 4. Such a plan is required only if the service cost
  353  increase results in a net increase to a customer entity for that
  354  fiscal year.
  355         7.Standardizing and consolidating procurement and
  356  contracting practices.
  357         (d)In collaboration with the Department of Law Enforcement
  358  and the Florida Digital Service, developing and implementing a
  359  process for detecting, reporting, and responding to
  360  cybersecurity incidents, breaches, and threats.
  361         (e)Adopting rules relating to the operation of the state
  362  data center, including, but not limited to, budgeting and
  363  accounting procedures, cost-recovery methodologies, and
  364  operating procedures.
  365         (5) NORTHWEST REGIONAL DATA CENTER CONTRACT.—In order for
  366  the department to carry out its duties and responsibilities
  367  relating to the state data center, the secretary of the
  368  department shall contract by July 1, 2022, with the Northwest
  369  Regional Data Center pursuant to s. 287.057(11). The contract
  370  shall provide that the Northwest Regional Data Center will
  371  manage the operations of the state data center and provide data
  372  center services to state agencies.
  373         (a) The department shall provide contract oversight,
  374  including, but not limited to, reviewing invoices provided by
  375  the Northwest Regional Data Center for services provided to
  376  state agency customers.
  377         (b) The department shall approve or request updates to
  378  invoices within 10 business days after receipt. If the
  379  department does not respond to the Northwest Regional Data
  380  Center, the invoice will be approved by default. The Northwest
  381  Regional Data Center must submit approved invoices directly to
  382  state agency customers.
  383         Section 5. Section 1004.649, Florida Statutes, is amended
  384  to read:
  385         1004.649 Northwest Regional Data Center.—
  386         (1) For the purpose of providing data center services to
  387  its state agency customers, the Northwest Regional Data Center
  388  is designated as a state data center for all state agencies and
  389  shall:
  390         (a) Operate under a governance structure that represents
  391  its customers proportionally.
  392         (b) Maintain an appropriate cost-allocation methodology
  393  that accurately bills state agency customers based solely on the
  394  actual direct and indirect costs of the services provided to
  395  state agency customers, and ensures that for any fiscal year,
  396  state agency customers are not subsidizing other customers of
  397  the data center. Such cost-allocation methodology must comply
  398  with applicable state and federal regulations concerning the
  399  distribution and use of state and federal funds.
  400         (c) Enter into a service-level agreement with each state
  401  agency customer to provide services as defined and approved by
  402  the governing board of the center. At a minimum, such service
  403  level agreements must:
  404         1. Identify the parties and their roles, duties, and
  405  responsibilities under the agreement;
  406         2. State the duration of the agreement term, which may not
  407  exceed 3 years, and specify the conditions for up to two
  408  optional 1-year renewals of the agreement before execution of a
  409  new agreement renewal;
  410         3. Identify the scope of work;
  411         4. Establish the services to be provided, the business
  412  standards that must be met for each service, the cost of each
  413  service, and the process by which the business standards for
  414  each service are to be objectively measured and reported;
  415         5. Provide a timely billing methodology for recovering the
  416  cost of services provided pursuant to s. 215.422;
  417         6. Provide a procedure for modifying the service-level
  418  agreement to address any changes in projected costs of service;
  419         7. Include a right-to-audit clause to ensure that the
  420  parties to the agreement have access to records for audit
  421  purposes during the term of the service-level agreement Prohibit
  422  the transfer of computing services between the Northwest
  423  Regional Data Center and the state data center established
  424  pursuant to s. 282.201 without at least 180 days’ written
  425  notification of service cancellation;
  426         8. Identify the products or services to be delivered with
  427  sufficient specificity to permit an external financial or
  428  performance audit; and
  429         9. Provide that the service-level agreement may be
  430  terminated by either party for cause only after giving the other
  431  party notice in writing of the cause for termination and an
  432  opportunity for the other party to resolve the identified cause
  433  within a reasonable period; and
  434         10.Provide state agency customer entities with access to
  435  applications, servers, network components, and other devices
  436  necessary for entities to perform business activities and
  437  functions and as defined and documented in a service-level
  438  agreement.
  439         (d) In its procurement process, show preference for cloud
  440  computing solutions that minimize or do not require the
  441  purchasing or financing of state data center infrastructure,
  442  that meet the needs of state agency customer entities, that
  443  reduce costs, and that meet or exceed the applicable state and
  444  federal laws, regulations, and standards for cybersecurity.
  445         (e)Assist state agency customer entities in transitioning
  446  from state data center services to other third-party cloud
  447  computing services procured by a customer entity or by the
  448  Northwest Regional Data Center on behalf of the customer entity.
  449         (f) Provide to the Board of Governors the total annual
  450  budget by major expenditure category, including, but not limited
  451  to, salaries, expenses, operating capital outlay, contracted
  452  services, or other personnel services by July 30 each fiscal
  453  year.
  454         (g)(e) Provide to each state agency customer its projected
  455  annual cost for providing the agreed-upon data center services
  456  by September 1 each fiscal year.
  457         (h)(f) Provide a plan for consideration by the Legislative
  458  Budget Commission if the governing body of the center approves
  459  the use of a billing rate schedule after the start of the fiscal
  460  year that increases any state agency customer’s costs for that
  461  fiscal year.
  462         (i)Provide data center services that comply with
  463  applicable state and federal laws, regulations, and policies,
  464  including all applicable security, privacy, and auditing
  465  requirements.
  466         (j)Maintain performance of the data center facilities by
  467  ensuring proper data backup, data backup recovery, disaster
  468  recovery, and appropriate security, power, cooling, fire
  469  suppression, and capacity.
  470         (k) Prepare and submit state agency customer invoices to
  471  the Department of Management Services for approval. Upon
  472  approval or by default pursuant to s. 282.201(5), submit
  473  invoices to state agency customers.
  474         (l)As funded in the General Appropriations Act, provide
  475  data center services to state agencies from multiple facilities.
  476         (2)Unless exempt from the requirement to use the state
  477  data center pursuant to s. 282.201(2) or as authorized by the
  478  Legislature, a state agency may not do any of the following:
  479         (a)Terminate services with the Northwest Regional Data
  480  Center without giving written notice of intent to terminate
  481  services 180 days before such termination.
  482         (b)Procure third-party cloud-computing services without
  483  evaluating the cloud-computing services provided by the
  484  Northwest Regional Data Center.
  485         (c) Exceed 30 days from receipt of approved invoices to
  486  remit payment for state data center services provided by the
  487  Northwest Regional Data Center.
  488         (3)(2) The Northwest Regional Data Center’s authority to
  489  provide data center services to its state agency customers may
  490  be terminated if:
  491         (a) The center requests such termination to the Board of
  492  Governors, the Senate President, and the Speaker of the House of
  493  Representatives; or
  494         (b) The center fails to comply with the provisions of this
  495  section.
  496         (4)(3) If such authority is terminated, the center has
  497  shall have 1 year to provide for the transition of its state
  498  agency customers to a qualified alternative cloud-based data
  499  center that meets the enterprise architecture standards
  500  established by the Florida Digital Service the state data center
  501  established pursuant to s. 282.201.
  502         Section 6. Subsection (1) of section 282.00515, Florida
  503  Statutes, is amended to read:
  504         282.00515 Duties of Cabinet agencies.—
  505         (1) The Department of Legal Affairs, the Department of
  506  Financial Services, and the Department of Agriculture and
  507  Consumer Services shall adopt the standards established in s.
  508  282.0051(1)(b), (c), and (r) (s) and (3)(e) or adopt alternative
  509  standards based on best practices and industry standards that
  510  allow for open data interoperability.
  511         Section 7. This act shall take effect July 1, 2022.