Florida Senate - 2023 SB 1708
By Senator DiCeglie
18-00829A-23 20231708__
1 A bill to be entitled
2 An act relating to cybersecurity; providing a short
3 title; amending s. 282.0041, F.S.; revising
4 definitions; amending s. 282.0051, F.S.; clarifying
5 the powers, duties, and functions of the Florida
6 Digital Service; revising the cost threshold of state
7 agency information technology projects for which the
8 Florida Digital Service must perform project
9 oversight; requiring the Florida Digital Service to
10 establish an operations committee for a certain
11 purpose; providing for membership of the committee;
12 requiring the Governor to appoint a state chief
13 information officer subject to confirmation by the
14 Senate; conforming provisions to changes made by the
15 act; amending s. 282.201, F.S.; requiring the Florida
16 Digital Service to oversee the state data center;
17 requiring the Florida Digital Service to be provided
18 with full access to state data center infrastructure;
19 requiring the Northwest Regional Data Center to
20 provide the Florida Digital Service with access to
21 certain information; conforming provisions to changes
22 made by the act; amending s. 282.318, F.S.; clarifying
23 the authority of the Florida Digital Service;
24 requiring the Florida Digital Service to oversee
25 certain cybersecurity audits; requiring state agencies
26 to report ransomware and cybersecurity incidents
27 within a certain time period; requiring the Florida
28 Digital Service to notify the Governor and Legislature
29 of certain incidents; requiring that certain
30 notification be provided in a secure environment;
31 requiring the Florida Digital Service to provide
32 cybersecurity briefings to certain legislative
33 committees; authorizing the Florida Digital Service to
34 respond to certain cybersecurity incidents;
35 authorizing certain legislative committees to hold
36 closed meetings to receive certain briefings;
37 requiring such committees to maintain the confidential
38 and exempt status of certain records; amending s.
39 282.3185, F.S.; requiring a local government to report
40 ransomware and cybersecurity incidents within a
41 certain time period; requiring the Florida Digital
42 Service to notify the Governor and Legislature of
43 certain incidents; requiring that certain notification
44 be provided in a secure environment; amending s.
45 282.319, F.S.; revising the membership of the Florida
46 Cybersecurity Advisory Council; requiring that members
47 of certain legislative committees be invited to attend
48 meetings of the council; providing construction;
49 creating s. 282.3195, F.S.; creating the State
50 Technology Advancement Council within the Executive
51 Office of the Governor; providing for the purpose,
52 membership, terms of office, and meetings of the
53 council and members; providing requirements for
54 members relating to confidential and exempt
55 information and certain agreements; requiring the
56 council to submit an annual report to the Governor and
57 Legislature beginning on a specified date; creating s.
58 768.401, F.S.; providing a presumption against
59 liability in connection with a cybersecurity incident
60 for a county, municipality, or commercial entity that
61 complies with certain requirements; requiring certain
62 entities to adopt certain revised frameworks or
63 standards within a specified time period; providing
64 that a private cause of action is not established;
65 providing that certain failures are not evidence of
66 negligence and do not constitute negligence per se;
67 amending s. 1004.649, F.S.; conforming provisions to
68 changes made by the act; providing an effective date.
69
70 Be It Enacted by the Legislature of the State of Florida:
71
72 Section 1. This act may be cited as the “Florida Cyber
73 Protection Act.”
74 Section 2. Subsections (1), (7), (19), and (28) of section
75 282.0041, Florida Statutes, are amended to read:
76 282.0041 Definitions.—As used in this chapter, the term:
77 (1) “Agency assessment” means the amount each customer
78 entity must pay annually for services from the Florida Digital
79 Service Department of Management Services and includes
80 administrative and data center services costs.
81 (7) “Customer entity” means an entity that obtains services
82 from the Florida Digital Service Department of Management
83 Services.
84 (19) “Incident” means a violation or an imminent threat of
85 violation, whether such violation is accidental or deliberate,
86 of information technology resources, security, policies, or
87 practices which may jeopardize the confidentiality, integrity,
88 or availability of an information technology system or the
89 information the system processes, stores, or transmits. An
90 imminent threat of violation refers to a situation in which a
91 state agency, county, or municipality has a factual basis for
92 believing that a specific incident is about to occur.
93 (28) “Ransomware incident” means a malicious cybersecurity
94 incident in which a person or an entity introduces software that
95 gains unauthorized access to or encrypts, modifies, or otherwise
96 renders unavailable a state agency’s, county’s, or
97 municipality’s data and thereafter the person or entity demands
98 a ransom to prevent the publication of the data, restore access
99 to the data, or otherwise remediate the impact of the software.
100 Such incidents are commonly referred to as cyberextortion.
101 Section 3. Section 282.0051, Florida Statutes, is amended
102 to read:
103 282.0051 Department of Management Services; Florida Digital
104 Service; powers, duties, and functions.—
105 (1) The Florida Digital Service is has been created within
106 the department to propose innovative solutions that securely
107 modernize state government, including technology and information
108 services, to achieve value through digital transformation and
109 interoperability, and to fully support the cloud-first policy as
110 specified in s. 282.206. The department, through the Florida
111 Digital Service, shall have the following powers, duties, and
112 functions:
113 (a) Develop and publish information technology policy for
114 the management of the state’s information technology resources.
115 (b) Develop an enterprise architecture that:
116 1. Acknowledges the unique needs of the entities within the
117 enterprise in the development and publication of standards and
118 terminologies to facilitate digital interoperability;
119 2. Supports the cloud-first policy as specified in s.
120 282.206; and
121 3. Addresses how information technology infrastructure may
122 be modernized to achieve cloud-first objectives.
123 (c) Establish project management and oversight standards
124 with which state agencies must comply when implementing
125 information technology projects. The department, acting through
126 the Florida Digital Service, shall provide training
127 opportunities to state agencies to assist in the adoption of the
128 project management and oversight standards. To support data
129 driven decisionmaking, the standards must include, but are not
130 limited to:
131 1. Performance measurements and metrics that objectively
132 reflect the status of an information technology project based on
133 a defined and documented project scope, cost, and schedule.
134 2. Methodologies for calculating acceptable variances in
135 the projected versus actual scope, schedule, or cost of an
136 information technology project.
137 3. Reporting requirements, including requirements designed
138 to alert all defined stakeholders that an information technology
139 project has exceeded acceptable variances defined and documented
140 in a project plan.
141 4. Content, format, and frequency of project updates.
142 5. Technical standards to ensure an information technology
143 project complies with the enterprise architecture.
144 (d) Perform project oversight on all state agency
145 information technology projects that have total project costs of
146 $5 $10 million or more and that are funded in the General
147 Appropriations Act or any other law. The department, acting
148 through the Florida Digital Service, shall report at least
149 quarterly to the Executive Office of the Governor, the President
150 of the Senate, and the Speaker of the House of Representatives
151 on any information technology project that the Florida Digital
152 Service department identifies as high-risk due to the project
153 exceeding acceptable variance ranges defined and documented in a
154 project plan. The report must include a risk assessment,
155 including fiscal risks, associated with proceeding to the next
156 stage of the project, and a recommendation for corrective
157 actions required, including suspension or termination of the
158 project.
159 (e) Identify opportunities for standardization and
160 consolidation of information technology services that support
161 interoperability and the cloud-first policy, as specified in s.
162 282.206, and business functions and operations, including
163 administrative functions such as purchasing, accounting and
164 reporting, cash management, and personnel, and that are common
165 across state agencies. The department, acting through the
166 Florida Digital Service, shall biennially on January 1 of each
167 even-numbered year provide recommendations for standardization
168 and consolidation to the Executive Office of the Governor, the
169 President of the Senate, and the Speaker of the House of
170 Representatives.
171 (f) Establish best practices for the procurement of
172 information technology products and cloud-computing services in
173 order to reduce costs, increase the quality of data center
174 services, or improve government services.
175 (g) Develop standards for information technology reports
176 and updates, including, but not limited to, operational work
177 plans, project spend plans, and project status reports, for use
178 by state agencies.
179 (h) Upon request, assist state agencies in the development
180 of information technology-related legislative budget requests.
181 (i) Conduct annual assessments of state agencies to
182 determine compliance with all information technology standards
183 and guidelines developed and published by the Florida Digital
184 Service department and provide results of the assessments to the
185 Executive Office of the Governor, the President of the Senate,
186 and the Speaker of the House of Representatives.
187 (j) Conduct a market analysis not less frequently than
188 every 3 years beginning in 2021 to determine whether the
189 information technology resources within the enterprise are
190 utilized in the most cost-effective and cost-efficient manner,
191 while recognizing that the replacement of certain legacy
192 information technology systems within the enterprise may be cost
193 prohibitive or cost inefficient due to the remaining useful life
194 of those resources; whether the enterprise is complying with the
195 cloud-first policy specified in s. 282.206; and whether the
196 enterprise is utilizing best practices with respect to
197 information technology, information services, and the
198 acquisition of emerging technologies and information services.
199 Each market analysis shall be used to prepare a strategic plan
200 for continued and future information technology and information
201 services for the enterprise, including, but not limited to,
202 proposed acquisition of new services or technologies and
203 approaches to the implementation of any new services or
204 technologies. Copies of each market analysis and accompanying
205 strategic plan must be submitted to the Executive Office of the
206 Governor, the President of the Senate, and the Speaker of the
207 House of Representatives not later than December 31 of each year
208 that a market analysis is conducted.
209 (k) Recommend other information technology services that
210 should be designed, delivered, and managed as enterprise
211 information technology services. Recommendations must include
212 the identification of existing information technology resources
213 associated with the services, if existing services must be
214 transferred as a result of being delivered and managed as
215 enterprise information technology services.
216 (l) In consultation with state agencies, propose a
217 methodology and approach for identifying and collecting both
218 current and planned information technology expenditure data at
219 the state agency level.
220 (m)1. Notwithstanding any other law, provide project
221 oversight on any information technology project of the
222 Department of Financial Services, the Department of Legal
223 Affairs, and the Department of Agriculture and Consumer Services
224 which has a total project cost of $20 million or more. Such
225 information technology projects must also comply with the
226 applicable information technology architecture, project
227 management and oversight, and reporting standards established by
228 the department, acting through the Florida Digital Service.
229 2. When performing the project oversight function specified
230 in subparagraph 1., report at least quarterly to the Executive
231 Office of the Governor, the President of the Senate, and the
232 Speaker of the House of Representatives on any information
233 technology project that the department, acting through the
234 Florida Digital Service, identifies as high-risk due to the
235 project exceeding acceptable variance ranges defined and
236 documented in the project plan. The report shall include a risk
237 assessment, including fiscal risks, associated with proceeding
238 to the next stage of the project and a recommendation for
239 corrective actions required, including suspension or termination
240 of the project.
241 (n) If an information technology project implemented by a
242 state agency must be connected to or otherwise accommodated by
243 an information technology system administered by the Department
244 of Financial Services, the Department of Legal Affairs, or the
245 Department of Agriculture and Consumer Services, consult with
246 these departments regarding the risks and other effects of such
247 projects on their information technology systems and work
248 cooperatively with these departments regarding the connections,
249 interfaces, timing, or accommodations required to implement such
250 projects.
251 (o) If adherence to standards or policies adopted by or
252 established pursuant to this section causes conflict with
253 federal regulations or requirements imposed on an entity within
254 the enterprise and results in adverse action against an entity
255 or federal funding, work with the entity to provide alternative
256 standards, policies, or requirements that do not conflict with
257 the federal regulation or requirement. The department, acting
258 through the Florida Digital Service, shall annually report such
259 alternative standards to the Executive Office of the Governor,
260 the President of the Senate, and the Speaker of the House of
261 Representatives.
262 (p)1. Establish an information technology policy for all
263 information technology-related state contracts, including state
264 term contracts for information technology commodities,
265 consultant services, and staff augmentation services. The
266 information technology policy must include:
267 a. Identification of the information technology product and
268 service categories to be included in state term contracts.
269 b. Requirements to be included in solicitations for state
270 term contracts.
271 c. Evaluation criteria for the award of information
272 technology-related state term contracts.
273 d. The term of each information technology-related state
274 term contract.
275 e. The maximum number of vendors authorized on each state
276 term contract.
277 f. At a minimum, a requirement that any contract for
278 information technology commodities or services meet the National
279 Institute of Standards and Technology Cybersecurity Framework.
280 g. For an information technology project wherein project
281 oversight is required pursuant to paragraph (d) or paragraph
282 (m), a requirement that independent verification and validation
283 be employed throughout the project life cycle with the primary
284 objective of independent verification and validation being to
285 provide an objective assessment of products and processes
286 throughout the project life cycle. An entity providing
287 independent verification and validation may not have technical,
288 managerial, or financial interest in the project and may not
289 have responsibility for, or participate in, any other aspect of
290 the project.
291 2. Evaluate vendor responses for information technology
292 related state term contract solicitations and invitations to
293 negotiate.
294 3. Answer vendor questions on information technology
295 related state term contract solicitations.
296 4. Ensure that the information technology policy
297 established pursuant to subparagraph 1. is included in all
298 solicitations and contracts that are administratively executed
299 by the department.
300 (q) Recommend potential methods for standardizing data
301 across state agencies which will promote interoperability and
302 reduce the collection of duplicative data.
303 (r) Recommend open data technical standards and
304 terminologies for use by the enterprise.
305 (s) Ensure that enterprise information technology solutions
306 are capable of utilizing an electronic credential and comply
307 with the enterprise architecture standards.
308 (t) Establish an operations committee that shall meet as
309 necessary for the purpose of developing collaborative efforts
310 between agencies and other governmental entities relating to
311 cybersecurity issues, including the coordination of response
312 efforts relating to cybersecurity incidents and issues relating
313 to the interoperability of agency projects. The state chief
314 information security officer shall serve as the executive
315 director of the committee. The committee shall be composed of
316 the following members:
317 1. The Attorney General, or his or her designee.
318 2. The Secretary of State, or his or her designee.
319 3. The executive director of the Department of Law
320 Enforcement, or his or her designee.
321 4. A representative of each state agency.
322 5. A representative of the Florida State Guard.
323 6. A representative of the Florida National Guard.
324 (2)(a) The Governor shall appoint Secretary of Management
325 Services shall designate a state chief information officer,
326 subject to confirmation by the Senate, who shall administer the
327 Florida Digital Service. The state chief information officer,
328 before prior to appointment, must have at least 5 years of
329 experience in the development of information system strategic
330 planning and development or information technology policy, and,
331 preferably, have leadership-level experience in the design,
332 development, and deployment of interoperable software and data
333 solutions.
334 (b) The state chief information officer, in consultation
335 with the Secretary of Management Services, shall designate a
336 state chief data officer. The chief data officer must be a
337 proven and effective administrator who must have significant and
338 substantive experience in data management, data governance,
339 interoperability, and security.
340 (3) The department, acting through the Florida Digital
341 Service, and from funds appropriated to the Florida Digital
342 Service, shall:
343 (a) Create, not later than December 1, 2022, and maintain a
344 comprehensive indexed data catalog in collaboration with the
345 enterprise that lists the data elements housed within the
346 enterprise and the legacy system or application in which these
347 data elements are located. The data catalog must, at a minimum,
348 specifically identify all data that is restricted from public
349 disclosure based on federal or state laws and regulations and
350 require that all such information be protected in accordance
351 with s. 282.318.
352 (b) Develop and publish, not later than December 1, 2022,
353 in collaboration with the enterprise, a data dictionary for each
354 agency that reflects the nomenclature in the comprehensive
355 indexed data catalog.
356 (c) Adopt, by rule, standards that support the creation and
357 deployment of an application programming interface to facilitate
358 integration throughout the enterprise.
359 (d) Adopt, by rule, standards necessary to facilitate a
360 secure ecosystem of data interoperability that is compliant with
361 the enterprise architecture.
362 (e) Adopt, by rule, standards that facilitate the
363 deployment of applications or solutions to the existing
364 enterprise system in a controlled and phased approach.
365 (f) After submission of documented use cases developed in
366 conjunction with the affected agencies, assist the affected
367 agencies with the deployment, contingent upon a specific
368 appropriation therefor, of new interoperable applications and
369 solutions:
370 1. For the Department of Health, the Agency for Health Care
371 Administration, the Agency for Persons with Disabilities, the
372 Department of Education, the Department of Elderly Affairs, and
373 the Department of Children and Families.
374 2. To support military members, veterans, and their
375 families.
376 (4) For information technology projects that have a total
377 project costs cost of $5 $10 million or more:
378 (a) State agencies must provide the Florida Digital Service
379 with written notice of any planned procurement of an information
380 technology project.
381 (b) The Florida Digital Service must participate in the
382 development of specifications and recommend modifications to any
383 planned procurement of an information technology project by
384 state agencies so that the procurement complies with the
385 enterprise architecture.
386 (c) The Florida Digital Service must participate in post
387 award contract monitoring.
388 (5) The department, acting through the Florida Digital
389 Service, may not retrieve or disclose any data without a shared
390 data agreement in place between the department and the
391 enterprise entity that has primary custodial responsibility of,
392 or data-sharing responsibility for, that data.
393 (6) The department, acting through the Florida Digital
394 Service, shall adopt rules to administer this section.
395 Section 4. Section 282.201, Florida Statutes, is amended to
396 read:
397 282.201 State data center.—The state data center is
398 established within the department and shall be overseen by the
399 Florida Digital Service. The provision of data center services
400 must comply with applicable state and federal laws, regulations,
401 and policies, including all applicable security, privacy, and
402 auditing requirements. The Florida Digital Service department
403 shall appoint a director of the state data center who has
404 experience in leading data center facilities and has expertise
405 in cloud-computing management. The Florida Digital Service shall
406 be provided with full access to state data center
407 infrastructure.
408 (1) STATE DATA CENTER DUTIES.—The state data center shall:
409 (a) Offer, develop, and support the services and
410 applications defined in service-level agreements executed with
411 its customer entities.
412 (b) Maintain performance of the state data center by
413 ensuring proper data backup; data backup recovery; disaster
414 recovery; and appropriate security, power, cooling, fire
415 suppression, and capacity.
416 (c) Develop and implement business continuity and disaster
417 recovery plans, and annually conduct a live exercise of each
418 plan.
419 (d) Enter into a service-level agreement with each customer
420 entity to provide the required type and level of service or
421 services. If a customer entity fails to execute an agreement
422 within 60 days after commencement of a service, the state data
423 center may cease service. A service-level agreement may not have
424 a term exceeding 3 years and at a minimum must:
425 1. Identify the parties and their roles, duties, and
426 responsibilities under the agreement.
427 2. State the duration of the contract term and specify the
428 conditions for renewal.
429 3. Identify the scope of work.
430 4. Identify the products or services to be delivered with
431 sufficient specificity to permit an external financial or
432 performance audit.
433 5. Establish the services to be provided, the business
434 standards that must be met for each service, the cost of each
435 service by agency application, and the metrics and processes by
436 which the business standards for each service are to be
437 objectively measured and reported.
438 6. Provide a timely billing methodology to recover the
439 costs of services provided to the customer entity pursuant to s.
440 215.422.
441 7. Provide a procedure for modifying the service-level
442 agreement based on changes in the type, level, and cost of a
443 service.
444 8. Include a right-to-audit clause to ensure that the
445 parties to the agreement have access to records for audit
446 purposes during the term of the service-level agreement.
447 9. Provide that a service-level agreement may be terminated
448 by either party for cause only after giving the other party and
449 the Florida Digital Service department notice in writing of the
450 cause for termination and an opportunity for the other party to
451 resolve the identified cause within a reasonable period.
452 10. Provide for mediation of disputes by the Division of
453 Administrative Hearings pursuant to s. 120.573.
454 (e) For purposes of chapter 273, be the custodian of
455 resources and equipment located in and operated, supported, and
456 managed by the state data center.
457 (f) Assume administrative access rights to resources and
458 equipment, including servers, network components, and other
459 devices, consolidated into the state data center.
460 1. Upon consolidation, a state agency shall relinquish
461 administrative rights to consolidated resources and equipment.
462 State agencies required to comply with federal and state
463 criminal justice information security rules and policies shall
464 retain administrative access rights sufficient to comply with
465 the management control provisions of those rules and policies;
466 however, the state data center shall have the appropriate type
467 or level of rights to allow the center to comply with its duties
468 pursuant to this section. The Department of Law Enforcement
469 shall serve as the arbiter of disputes pertaining to the
470 appropriate type and level of administrative access rights
471 pertaining to the provision of management control in accordance
472 with the federal criminal justice information guidelines.
473 2. The state data center shall provide customer entities
474 with access to applications, servers, network components, and
475 other devices necessary for entities to perform business
476 activities and functions, and as defined and documented in a
477 service-level agreement.
478 (g) In its procurement process, show preference for cloud
479 computing solutions that minimize or do not require the
480 purchasing, financing, or leasing of state data center
481 infrastructure, and that meet the needs of customer agencies,
482 that reduce costs, and that meet or exceed the applicable state
483 and federal laws, regulations, and standards for cybersecurity.
484 (h) Assist customer entities in transitioning from state
485 data center services to the Northwest Regional Data Center or
486 other third-party cloud-computing services procured by a
487 customer entity or by the Northwest Regional Data Center on
488 behalf of a customer entity.
489 (2) USE OF THE STATE DATA CENTER.—The following are exempt
490 from the use of the state data center: the Department of Law
491 Enforcement, the Department of the Lottery’s Gaming System,
492 Systems Design and Development in the Office of Policy and
493 Budget, the regional traffic management centers as described in
494 s. 335.14(2) and the Office of Toll Operations of the Department
495 of Transportation, the State Board of Administration, state
496 attorneys, public defenders, criminal conflict and civil
497 regional counsel, capital collateral regional counsel, and the
498 Florida Housing Finance Corporation.
499 (3) AGENCY LIMITATIONS.—Unless exempt from the use of the
500 state data center pursuant to this section or authorized by the
501 Legislature, a state agency may not:
502 (a) Create a new agency computing facility or data center,
503 or expand the capability to support additional computer
504 equipment in an existing agency computing facility or data
505 center; or
506 (b) Terminate services with the state data center without
507 giving written notice of intent to terminate services 180 days
508 before such termination.
509 (4) FLORIDA DIGITAL SERVICE DEPARTMENT RESPONSIBILITIES.
510 The Florida Digital Service department shall provide operational
511 management and oversight of the state data center, which
512 includes:
513 (a) Implementing industry standards and best practices for
514 the state data center’s facilities, operations, maintenance,
515 planning, and management processes.
516 (b) Developing and implementing cost-recovery mechanisms
517 that recover the full direct and indirect cost of services
518 through charges to applicable customer entities. Such cost
519 recovery mechanisms must comply with applicable state and
520 federal regulations concerning distribution and use of funds and
521 must ensure that, for any fiscal year, no service or customer
522 entity subsidizes another service or customer entity. The
523 Florida Digital Service department may recommend other payment
524 mechanisms to the Executive Office of the Governor, the
525 President of the Senate, and the Speaker of the House of
526 Representatives. Such mechanisms may be implemented only if
527 specifically authorized by the Legislature.
528 (c) Developing and implementing appropriate operating
529 guidelines and procedures necessary for the state data center to
530 perform its duties pursuant to subsection (1). The guidelines
531 and procedures must comply with applicable state and federal
532 laws, regulations, and policies and conform to generally
533 accepted governmental accounting and auditing standards. The
534 guidelines and procedures must include, but need not be limited
535 to:
536 1. Implementing a consolidated administrative support
537 structure responsible for providing financial management,
538 procurement, transactions involving real or personal property,
539 human resources, and operational support.
540 2. Implementing an annual reconciliation process to ensure
541 that each customer entity is paying for the full direct and
542 indirect cost of each service as determined by the customer
543 entity’s use of each service.
544 3. Providing rebates that may be credited against future
545 billings to customer entities when revenues exceed costs.
546 4. Requiring customer entities to validate that sufficient
547 funds exist before implementation of a customer entity’s request
548 for a change in the type or level of service provided, if such
549 change results in a net increase to the customer entity’s cost
550 for that fiscal year.
551 5. By November 15 of each year, providing to the Office of
552 Policy and Budget in the Executive Office of the Governor and to
553 the chairs of the legislative appropriations committees the
554 projected costs of providing data center services for the
555 following fiscal year.
556 6. Providing a plan for consideration by the Legislative
557 Budget Commission if the cost of a service is increased for a
558 reason other than a customer entity’s request made pursuant to
559 subparagraph 4. Such a plan is required only if the service cost
560 increase results in a net increase to a customer entity for that
561 fiscal year.
562 7. Standardizing and consolidating procurement and
563 contracting practices.
564 (d) In collaboration with the Department of Law Enforcement
565 and the Florida Digital Service, developing and implementing a
566 process for detecting, reporting, and responding to
567 cybersecurity incidents, breaches, and threats.
568 (e) Adopting rules relating to the operation of the state
569 data center, including, but not limited to, budgeting and
570 accounting procedures, cost-recovery methodologies, and
571 operating procedures.
572 (5) NORTHWEST REGIONAL DATA CENTER CONTRACT.—In order for
573 the Florida Digital Service department to carry out its duties
574 and responsibilities relating to the state data center, the
575 state chief information officer shall assume responsibility for
576 the contract entered into by the secretary of the department
577 shall contract by July 1, 2022, with the Northwest Regional Data
578 Center pursuant to s. 287.057(11). The contract shall provide
579 that the Northwest Regional Data Center will manage the
580 operations of the state data center and provide data center
581 services to state agencies. Notwithstanding the terms of the
582 contract, the Northwest Regional Data Center must provide the
583 Florida Digital Service with access to information regarding the
584 operations of the state data center.
585 (a) The Florida Digital Service department shall provide
586 contract oversight, including, but not limited to, reviewing
587 invoices provided by the Northwest Regional Data Center for
588 services provided to state agency customers.
589 (b) The Florida Digital Service department shall approve or
590 request updates to invoices within 10 business days after
591 receipt. If the Florida Digital Service department does not
592 respond to the Northwest Regional Data Center, the invoice will
593 be approved by default. The Northwest Regional Data Center must
594 submit approved invoices directly to state agency customers.
595 Section 5. Present subsection (10) of section 282.318,
596 Florida Statutes, is redesignated as subsection (11), a new
597 subsection (10) is added to that section, and subsections (3),
598 (4), and (7) and present subsection (10) are amended, to read:
599 282.318 Cybersecurity.—
600 (3) The department, acting through the Florida Digital
601 Service, is the lead entity responsible for establishing
602 standards and processes for assessing state agency cybersecurity
603 risks and determining appropriate security measures. Such
604 standards and processes must be consistent with generally
605 accepted technology best practices, including the National
606 Institute for Standards and Technology Cybersecurity Framework,
607 for cybersecurity. The department, acting through the Florida
608 Digital Service, shall adopt rules that mitigate risks;
609 safeguard state agency digital assets, data, information, and
610 information technology resources to ensure availability,
611 confidentiality, and integrity; and support a security
612 governance framework. The department, acting through the Florida
613 Digital Service, shall also:
614 (a) Designate an employee of the Florida Digital Service as
615 the state chief information security officer. The state chief
616 information security officer must have experience and expertise
617 in security and risk management for communications and
618 information technology resources. The state chief information
619 security officer is responsible for the development, operation,
620 and oversight of cybersecurity for state technology systems. The
621 state chief information security officer shall be notified of
622 all confirmed or suspected incidents or threats of state agency
623 information technology resources and must report such incidents
624 or threats to the state chief information officer and the
625 Governor.
626 (b) Develop, and annually update by February 1, a statewide
627 cybersecurity strategic plan that includes security goals and
628 objectives for cybersecurity, including the identification and
629 mitigation of risk, proactive protections against threats,
630 tactical risk detection, threat reporting, and response and
631 recovery protocols for a cyber incident.
632 (c) Develop and publish for use by state agencies a
633 cybersecurity governance framework that, at a minimum, includes
634 guidelines and processes for:
635 1. Establishing asset management procedures to ensure that
636 an agency’s information technology resources are identified and
637 managed consistent with their relative importance to the
638 agency’s business objectives.
639 2. Using a standard risk assessment methodology that
640 includes the identification of an agency’s priorities,
641 constraints, risk tolerances, and assumptions necessary to
642 support operational risk decisions.
643 3. Completing comprehensive risk assessments and
644 cybersecurity audits, which may be completed by a private sector
645 vendor, and submitting completed assessments and audits to the
646 Florida Digital Service. The Florida Digital Service shall
647 oversee any cybersecurity audit completed by a private sector
648 vendor to ensure that the audit meets applicable standards,
649 processes, and timelines department.
650 4. Identifying protection procedures to manage the
651 protection of an agency’s information, data, and information
652 technology resources.
653 5. Establishing procedures for accessing information and
654 data to ensure the confidentiality, integrity, and availability
655 of such information and data.
656 6. Detecting threats through proactive monitoring of
657 events, continuous security monitoring, and defined detection
658 processes.
659 7. Establishing agency cybersecurity incident response
660 teams and describing their responsibilities for responding to
661 cybersecurity incidents, including breaches of personal
662 information containing confidential or exempt data.
663 8. Recovering information and data in response to a
664 cybersecurity incident. The recovery may include recommended
665 improvements to the agency processes, policies, or guidelines.
666 9. Establishing a cybersecurity incident reporting process
667 that includes procedures for notifying the Florida Digital
668 Service department and the Department of Law Enforcement of
669 cybersecurity incidents.
670 a. The level of severity of the cybersecurity incident is
671 defined by the National Cyber Incident Response Plan of the
672 United States Department of Homeland Security as follows:
673 (I) Level 5 is an emergency-level incident within the
674 specified jurisdiction that poses an imminent threat to the
675 provision of wide-scale critical infrastructure services;
676 national, state, or local government security; or the lives of
677 the country’s, state’s, or local government’s residents.
678 (II) Level 4 is a severe-level incident that is likely to
679 result in a significant impact in the affected jurisdiction to
680 public health or safety; national, state, or local security;
681 economic security; or civil liberties.
682 (III) Level 3 is a high-level incident that is likely to
683 result in a demonstrable impact in the affected jurisdiction to
684 public health or safety; national, state, or local security;
685 economic security; civil liberties; or public confidence.
686 (IV) Level 2 is a medium-level incident that may impact
687 public health or safety; national, state, or local security;
688 economic security; civil liberties; or public confidence.
689 (V) Level 1 is a low-level incident that is unlikely to
690 impact public health or safety; national, state, or local
691 security; economic security; civil liberties; or public
692 confidence.
693 b. The cybersecurity incident reporting process must
694 specify the information that must be reported by a state agency
695 following a cybersecurity incident or ransomware incident,
696 which, at a minimum, must include the following:
697 (I) A summary of the facts surrounding the cybersecurity
698 incident or ransomware incident.
699 (II) The date on which the state agency most recently
700 backed up its data; the physical location of the backup, if the
701 backup was affected; and if the backup was created using cloud
702 computing.
703 (III) The types of data compromised by the cybersecurity
704 incident or ransomware incident.
705 (IV) The estimated fiscal impact of the cybersecurity
706 incident or ransomware incident.
707 (V) In the case of a ransomware incident, the details of
708 the ransom demanded.
709 c.(I) A state agency shall report all ransomware incidents
710 and any cybersecurity incidents incident determined by the state
711 agency to be of severity level 3, 4, or 5 to the Florida Digital
712 Service, the Cybersecurity Operations Center, and the Cybercrime
713 Office of the Department of Law Enforcement as soon as possible
714 but no later than 4 48 hours after discovery of the
715 cybersecurity incident and no later than 2 12 hours after
716 discovery of the ransomware incident. The report must contain
717 the information required in sub-subparagraph b. The Florida
718 Digital Service shall notify the Governor, the President of the
719 Senate, and the Speaker of the House of Representatives of any
720 incident discovered by a state agency but not timely reported
721 under this sub-sub-subparagraph.
722 (II) The Cybersecurity Operations Center shall notify the
723 President of the Senate and the Speaker of the House of
724 Representatives of any severity level 3, 4, or 5 incident as
725 soon as possible but no later than 12 hours after receiving a
726 state agency’s incident report. The notification must include a
727 high-level description of the incident and the likely effects
728 and must be provided in a secure environment.
729 d. A state agency shall report a cybersecurity incident
730 determined by the state agency to be of severity level 1 or 2 to
731 the Cybersecurity Operations Center and the Cybercrime Office of
732 the Department of Law Enforcement as soon as possible. The
733 report must contain the information required in sub-subparagraph
734 b.
735 e. The Cybersecurity Operations Center shall provide a
736 consolidated incident report on a quarterly basis to the
737 President of the Senate, the Speaker of the House of
738 Representatives, and the Florida Cybersecurity Advisory Council.
739 The report provided to the Florida Cybersecurity Advisory
740 Council may not contain the name of any agency, network
741 information, or system identifying information but must contain
742 sufficient relevant information to allow the Florida
743 Cybersecurity Advisory Council to fulfill its responsibilities
744 as required in s. 282.319(9).
745 10. Incorporating information obtained through detection
746 and response activities into the agency’s cybersecurity incident
747 response plans.
748 11. Developing agency strategic and operational
749 cybersecurity plans required pursuant to this section.
750 12. Establishing the managerial, operational, and technical
751 safeguards for protecting state government data and information
752 technology resources that align with the state agency risk
753 management strategy and that protect the confidentiality,
754 integrity, and availability of information and data.
755 13. Establishing procedures for procuring information
756 technology commodities and services that require the commodity
757 or service to meet the National Institute of Standards and
758 Technology Cybersecurity Framework.
759 14. Submitting after-action reports following a
760 cybersecurity incident or ransomware incident. Such guidelines
761 and processes for submitting after-action reports must be
762 developed and published by December 1, 2022.
763 (d) Assist state agencies in complying with this section.
764 (e) In collaboration with the Cybercrime Office of the
765 Department of Law Enforcement, annually provide training for
766 state agency information security managers and computer security
767 incident response team members that contains training on
768 cybersecurity, including cybersecurity threats, trends, and best
769 practices.
770 (f) Annually review the strategic and operational
771 cybersecurity plans of state agencies.
772 (g) Annually provide cybersecurity training to all state
773 agency technology professionals and employees with access to
774 highly sensitive information which develops, assesses, and
775 documents competencies by role and skill level. The
776 cybersecurity training curriculum must include training on the
777 identification of each cybersecurity incident severity level
778 referenced in sub-subparagraph (c)9.a. The training may be
779 provided in collaboration with the Cybercrime Office of the
780 Department of Law Enforcement, a private sector entity, or an
781 institution of the State University System.
782 (h) Operate and maintain a Cybersecurity Operations Center
783 led by the state chief information security officer, which must
784 be primarily virtual and staffed with tactical detection and
785 incident response personnel. The Cybersecurity Operations Center
786 shall serve as a clearinghouse for threat information and
787 coordinate with the Department of Law Enforcement to support
788 state agencies and their response to any confirmed or suspected
789 cybersecurity incident.
790 (i) Lead an Emergency Support Function, ESF CYBER, under
791 the state comprehensive emergency management plan as described
792 in s. 252.35.
793 (j) Provide cybersecurity briefings to the members of any
794 legislative committee or subcommittee responsible for policy
795 matters relating to cybersecurity.
796 (k) Have the authority to respond to any state agency
797 cybersecurity incident.
798 (4) Each state agency head shall, at a minimum:
799 (a) Designate an information security manager to administer
800 the cybersecurity program of the state agency. This designation
801 must be provided annually in writing to the Florida Digital
802 Service department by January 1. A state agency’s information
803 security manager, for purposes of these information security
804 duties, shall report directly to the agency head.
805 (b) In consultation with the department, through the
806 Florida Digital Service, and the Cybercrime Office of the
807 Department of Law Enforcement, establish an agency cybersecurity
808 response team to respond to a cybersecurity incident. The agency
809 cybersecurity response team shall convene upon notification of a
810 cybersecurity incident and must immediately report all confirmed
811 or suspected incidents to the state chief information security
812 officer, or his or her designee, and comply with all applicable
813 guidelines and processes established pursuant to paragraph
814 (3)(c).
815 (c) Submit to the Florida Digital Service department
816 annually by July 31, the state agency’s strategic and
817 operational cybersecurity plans developed pursuant to rules and
818 guidelines established by the department, through the Florida
819 Digital Service.
820 1. The state agency strategic cybersecurity plan must cover
821 a 3-year period and, at a minimum, define security goals,
822 intermediate objectives, and projected agency costs for the
823 strategic issues of agency information security policy, risk
824 management, security training, security incident response, and
825 disaster recovery. The plan must be based on the statewide
826 cybersecurity strategic plan created by the Florida Digital
827 Service department and include performance metrics that can be
828 objectively measured to reflect the status of the state agency’s
829 progress in meeting security goals and objectives identified in
830 the agency’s strategic information security plan.
831 2. The state agency operational cybersecurity plan must
832 include a progress report that objectively measures progress
833 made towards the prior operational cybersecurity plan and a
834 project plan that includes activities, timelines, and
835 deliverables for security objectives that the state agency will
836 implement during the current fiscal year.
837 (d) Conduct, and update every 3 years, a comprehensive risk
838 assessment, which may be completed by a private sector vendor,
839 to determine the security threats to the data, information, and
840 information technology resources, including mobile devices and
841 print environments, of the agency. The risk assessment must
842 comply with the risk assessment methodology developed by the
843 Florida Digital Service department and is confidential and
844 exempt from s. 119.07(1), except that such information shall be
845 available to the Auditor General, the Florida Digital Service
846 within the department, the Cybercrime Office of the Department
847 of Law Enforcement, and, for state agencies under the
848 jurisdiction of the Governor, the Chief Inspector General. If a
849 private sector vendor is used to complete a comprehensive risk
850 assessment, it must attest to the validity of the risk
851 assessment findings.
852 (e) Develop, and periodically update, written internal
853 policies and procedures, which include procedures for reporting
854 cybersecurity incidents and breaches to the Cybercrime Office of
855 the Department of Law Enforcement and the Florida Digital
856 Service within the department. Such policies and procedures must
857 be consistent with the rules, guidelines, and processes
858 established by the Florida Digital Service department to ensure
859 the security of the data, information, and information
860 technology resources of the agency. The internal policies and
861 procedures that, if disclosed, could facilitate the unauthorized
862 modification, disclosure, or destruction of data or information
863 technology resources are confidential information and exempt
864 from s. 119.07(1), except that such information shall be
865 available to the Auditor General, the Cybercrime Office of the
866 Department of Law Enforcement, the Florida Digital Service
867 within the department, and, for state agencies under the
868 jurisdiction of the Governor, the Chief Inspector General.
869 (f) Implement managerial, operational, and technical
870 safeguards and risk assessment remediation plans recommended by
871 the Florida Digital Service department to address identified
872 risks to the data, information, and information technology
873 resources of the agency. The department, through the Florida
874 Digital Service, shall track implementation by state agencies
875 upon development of such remediation plans in coordination with
876 agency inspectors general.
877 (g) Ensure that periodic internal audits and evaluations of
878 the agency’s cybersecurity program for the data, information,
879 and information technology resources of the agency are
880 conducted. The results of such audits and evaluations are
881 confidential information and exempt from s. 119.07(1), except
882 that such information shall be available to the Auditor General,
883 the Cybercrime Office of the Department of Law Enforcement, the
884 Florida Digital Service within the department, and, for agencies
885 under the jurisdiction of the Governor, the Chief Inspector
886 General.
887 (h) Ensure that the cybersecurity requirements in the
888 written specifications for the solicitation, contracts, and
889 service-level agreement of information technology and
890 information technology resources and services meet or exceed the
891 applicable state and federal laws, regulations, and standards
892 for cybersecurity, including the National Institute of Standards
893 and Technology Cybersecurity Framework. Service-level agreements
894 must identify service provider and state agency responsibilities
895 for privacy and security, protection of government data,
896 personnel background screening, and security deliverables with
897 associated frequencies.
898 (i) Provide cybersecurity awareness training to all state
899 agency employees within 30 days after commencing employment, and
900 annually thereafter, concerning cybersecurity risks and the
901 responsibility of employees to comply with policies, standards,
902 guidelines, and operating procedures adopted by the state agency
903 to reduce those risks. The training may be provided in
904 collaboration with the Cybercrime Office of the Department of
905 Law Enforcement, a private sector entity, or an institution of
906 the State University System.
907 (j) Develop a process for detecting, reporting, and
908 responding to threats, breaches, or cybersecurity incidents
909 which is consistent with the security rules, guidelines, and
910 processes established by the department through the Florida
911 Digital Service.
912 1. All cybersecurity incidents and ransomware incidents
913 must be reported by state agencies. Such reports must comply
914 with the notification procedures and reporting timeframes
915 established pursuant to paragraph (3)(c).
916 2. For cybersecurity breaches, state agencies shall provide
917 notice in accordance with s. 501.171.
918 (k) Submit to the Florida Digital Service, within 1 week
919 after the remediation of a cybersecurity incident or ransomware
920 incident, an after-action report that summarizes the incident,
921 the incident’s resolution, and any insights gained as a result
922 of the incident.
923 (7) The portions of records made confidential and exempt in
924 subsections (5) and (6) shall be available to the Auditor
925 General, the Cybercrime Office of the Department of Law
926 Enforcement, the Florida Digital Service within the department,
927 and, for agencies under the jurisdiction of the Governor, the
928 Chief Inspector General. Such portions of records may be made
929 available to a local government, another state agency, or a
930 federal agency for cybersecurity purposes or in furtherance of
931 the state agency’s official duties.
932 (10) Any legislative committee or subcommittee responsible
933 for policy matters relating to cybersecurity may hold meetings
934 closed by the respective legislative body under the rules of
935 such legislative body at which such committee or subcommittee is
936 briefed on records made confidential and exempt under
937 subsections (5) and (6). The committee or subcommittee must
938 maintain the confidential and exempt status of such records.
939 (11)(10) The Florida Digital Service department shall adopt
940 rules relating to cybersecurity and to administer this section.
941 Section 6. Paragraphs (b) and (c) of subsection (5) of
942 section 282.3185, Florida Statutes, are amended to read:
943 282.3185 Local government cybersecurity.—
944 (5) INCIDENT NOTIFICATION.—
945 (b)1. A local government shall report all ransomware
946 incidents and any cybersecurity incidents incident determined by
947 the local government to be of severity level 3, 4, or 5 as
948 provided in s. 282.318(3)(c) to the Florida Digital Service, the
949 Cybersecurity Operations Center, the Cybercrime Office of the
950 Department of Law Enforcement, and the sheriff who has
951 jurisdiction over the local government as soon as possible but
952 no later than 4 48 hours after discovery of the cybersecurity
953 incident and no later than 2 12 hours after discovery of the
954 ransomware incident. The report must contain the information
955 required in paragraph (a). The Florida Digital Service shall
956 notify the Governor, the President of the Senate, and the
957 Speaker of the House of Representatives of any incident
958 discovered by a local government but not timely reported under
959 this subparagraph.
960 2. The Cybersecurity Operations Center shall notify the
961 President of the Senate and the Speaker of the House of
962 Representatives of any severity level 3, 4, or 5 incident as
963 soon as possible but no later than 12 hours after receiving a
964 local government’s incident report. The notification must
965 include a high-level description of the incident and the likely
966 effects and must be provided in a secure environment.
967 (c) A local government may report a cybersecurity incident
968 determined by the local government to be of severity level 1 or
969 2 as provided in s. 282.318(3)(c) to the Cybersecurity
970 Operations Center, the Cybercrime Office of the Department of
971 Law Enforcement, and the sheriff who has jurisdiction over the
972 local government. The report shall contain the information
973 required in paragraph (a).
974 Section 7. Present subsections (10) through (13) of section
975 282.319, Florida Statutes, are redesignated as subsections (11)
976 through (14), respectively, a new subsection (10) is added to
977 that section, and paragraph (j) of subsection (4) and subsection
978 (6) are amended, to read:
979 282.319 Florida Cybersecurity Advisory Council.—
980 (4) The council shall be comprised of the following
981 members:
982 (j) Three representatives from critical infrastructure
983 sectors, one of whom must be from a water treatment facility,
984 appointed by the Governor.
985 (6) The state chief information officer Secretary of
986 Management Services, or his or her designee, shall serve as the
987 ex officio, nonvoting executive director of the council.
988 (10) Members of any legislative committee or subcommittee
989 responsible for policy matters relating to cybersecurity must be
990 invited to and may attend meetings of the council. A council
991 meeting at which two or more members of the Legislature are in
992 attendance may not be construed as a meeting of a legislative
993 committee or subcommittee or as a prearranged gathering between
994 more than two members of the Legislature, the purpose of which
995 is to agree upon formal legislative action that will be taken at
996 a subsequent time.
997 Section 8. Section 282.3195, Florida Statutes, is created
998 to read:
999 282.3195 State Technology Advancement Council.—
1000 (1) The State Technology Advancement Council, an advisory
1001 council as defined in s. 20.03(7), is created within the
1002 Executive Office of the Governor. Except as otherwise provided
1003 in this section, the advisory council shall operate in a manner
1004 consistent with s. 20.052.
1005 (2) The purpose of the council is to:
1006 (a) Assist state agencies and advise the Legislature on
1007 innovative technologies.
1008 (b) Improve state technology project timelines.
1009 (c) Develop efficient state technology processes.
1010 (d) Assist in the creation of development and testing
1011 environments that allow state entities to proof technology
1012 concepts before engaging in procurement and otherwise develop
1013 processes to reduce wasteful spending on inappropriate
1014 technology.
1015 (e) Assist Florida College System institutions and state
1016 universities with technology transfer processes.
1017 (f) Support research on and development of innovative
1018 technologies.
1019 (3) The state chief information officer, or his or her
1020 designee, shall serve as the executive director of the council.
1021 The council shall be comprised of the following members
1022 appointed by the Governor:
1023 (a) A person with senior level experience in cloud
1024 computing technology.
1025 (b) An engineer.
1026 (c) A person with senior level experience in the space
1027 industry.
1028 (d) A data scientist.
1029 (e) Other persons with relevant experience as determined by
1030 the Governor.
1031 (4) Members shall serve for terms of 4 years; however, for
1032 the purpose of providing staggered terms, the initial
1033 appointments of two members shall be for terms of 2 years. A
1034 vacancy shall be filled for the remainder of the unexpired term
1035 in the same manner as the initial appointment. All members of
1036 the council are eligible for reappointment.
1037 (5) The state chief information officer shall serve as the
1038 ex officio, nonvoting executive director of the council.
1039 (6) Members shall serve without compensation but are
1040 entitled to receive reimbursement for per diem and travel
1041 expenses pursuant to s. 112.061.
1042 (7) Members of the council shall maintain the confidential
1043 or exempt status of information received in the performance of
1044 their duties and responsibilities as members of the council. In
1045 accordance with s. 112.313, a current or former member of the
1046 council may not disclose or use information not available to the
1047 general public and gained by reason of his or her official
1048 position, except for information relating exclusively to
1049 governmental practices, for his or her personal gain or benefit
1050 or for the personal gain or benefit of any other person or
1051 business entity. Members shall sign an agreement acknowledging
1052 the provisions of this subsection.
1053 (8) The council shall meet at least quarterly.
1054 (9) Beginning June 1, 2024, and annually on June 1
1055 thereafter, the council shall submit to the Governor, the
1056 President of the Senate, and the Speaker of the House of
1057 Representatives a report describing the activities of the
1058 council and providing recommendations as appropriate.
1059 Section 9. Section 768.401, Florida Statutes, is created to
1060 read:
1061 768.401 Limitation on liability for cybersecurity
1062 incidents.—
1063 (1) A county or municipality that substantially complies
1064 with s. 282.3185 shall gain a presumption against liability in
1065 connection with a cybersecurity incident.
1066 (2) A sole proprietorship, partnership, corporation, trust,
1067 estate, cooperative, association, or other commercial entity
1068 that acquires, maintains, stores, or uses personal information
1069 shall gain a presumption against liability in connection with a
1070 cybersecurity incident if the entity substantially complies with
1071 s. 501.171, if applicable, and has:
1072 (a) Adopted a cybersecurity program that substantially
1073 aligns with the current version of any of the following:
1074 1. The National Institute of Standards and Technology
1075 (NIST) Framework for Improving Critical Infrastructure
1076 Cybersecurity.
1077 2. NIST special publication 800-171.
1078 3. NIST special publications 800-53 and 800-53A.
1079 4. The Federal Risk and Authorization Management Program
1080 security assessment framework.
1081 5. CIS Critical Security Controls.
1082 6. The International Organization for
1083 Standardization/International Electrotechnical Commission 27000
1084 series family of standards; or
1085 (b) If regulated by the state or Federal Government, or
1086 both, or if otherwise subject to the requirements of any of the
1087 following laws and regulations, substantially complied its
1088 cybersecurity program to the current version of the following,
1089 as applicable:
1090 1. The security requirements of the Health Insurance
1091 Portability and Accountability Act of 1996, 45 C.F.R. part 164
1092 subpart C.
1093 2. Title V of the Gramm-Leach-Bliley Act of 1999, Pub. L.
1094 No. 106-102, as amended.
1095 3. The Federal Information Security Modernization Act of
1096 2014, Pub. L. No. 113-283.
1097 4. The Health Information Technology for Economic and
1098 Clinical Health Act, 45 C.F.R. part 162.
1099 (3) A commercial entity that substantially complies with a
1100 combination of industry-recognized cybersecurity frameworks or
1101 standards, including the payment card industry data security
1102 standard, to gain the presumption against liability pursuant to
1103 subsection (2) must, upon the revision of two or more of the
1104 frameworks or standards with which the entity complies, adopt
1105 the revised frameworks or standards within 1 year after the
1106 latest publication date stated in the revisions.
1107 (4) This section does not establish a private cause of
1108 action. Failure of a county, municipality, or commercial entity
1109 to substantially implement a cybersecurity program that is in
1110 compliance with this section is not evidence of negligence and
1111 does not constitute negligence per se.
1112 Section 10. Paragraph (k) of subsection (1) of section
1113 1004.649, Florida Statutes, is amended to read:
1114 1004.649 Northwest Regional Data Center.—
1115 (1) For the purpose of providing data center services to
1116 its state agency customers, the Northwest Regional Data Center
1117 is designated as a state data center for all state agencies and
1118 shall:
1119 (k) Prepare and submit state agency customer invoices to
1120 the Florida Digital Service Department of Management Services
1121 for approval. Upon approval or by default pursuant to s.
1122 282.201(5), submit invoices to state agency customers.
1123 Section 11. This act shall take effect July 1, 2023.