Florida Senate - 2023                        COMMITTEE AMENDMENT
       Bill No. SB 258
       
       
       
       
       
       
                                Ì887954WÎ887954                         
       
                              LEGISLATIVE ACTION                        
                    Senate             .             House              
                  Comm: RCS            .                                
                  03/15/2023           .                                
                                       .                                
                                       .                                
                                       .                                
       —————————————————————————————————————————————————————————————————




       —————————————————————————————————————————————————————————————————
       The Committee on Governmental Oversight and Accountability
       (Burgess) recommended the following:
       
    1         Senate Amendment (with title amendment)
    2  
    3         Delete everything after the enacting clause
    4  and insert:
    5         Section 1. Section 112.22, Florida Statutes, is created to
    6  read:
    7         112.22Use of applications from foreign countries of
    8  concern prohibited.—
    9         (1)As used in this section, the term:
   10         (a)“Department” means the Department of Management
   11  Services.
   12         (b)“Employee or officer” means a person who performs labor
   13  or services for a public employer in exchange for salary, wages,
   14  or other remuneration.
   15         (c)“Foreign country of concern” means the People’s
   16  Republic of China, the Russian Federation, the Islamic Republic
   17  of Iran, the Democratic People’s Republic of Korea, the Republic
   18  of Cuba, the Venezuelan regime of Nicolás Maduro, or the Syrian
   19  Arab Republic, including any agency of or any other entity under
   20  significant control of such foreign country of concern.
   21         (d)“Foreign principal” means:
   22         1.The government or an official of the government of a
   23  foreign country of concern;
   24         2.A political party or a member of a political party or
   25  any subdivision of a political party in a foreign country of
   26  concern;
   27         3.A partnership, an association, a corporation, an
   28  organization, or another combination of persons organized under
   29  the laws of or having its principal place of business in a
   30  foreign country of concern, or an affiliate or a subsidiary
   31  thereof; or
   32         4.Any person who is domiciled in a foreign country of
   33  concern and is not a citizen of the United States.
   34         (e)“Government-issued device” means a cellular telephone,
   35  desktop computer, laptop computer, computer tablet, or other
   36  electronic device capable of connecting to the Internet which is
   37  owned or leased by a public employer and issued to an employee
   38  or officer for work-related purposes.
   39         (f)“Prohibited application” means an application that
   40  meets the following criteria:
   41         1.Any Internet application that is created, maintained, or
   42  owned by a foreign principal and that participates in activities
   43  that include, but are not limited to:
   44         a.Collecting keystrokes or sensitive personal, financial,
   45  proprietary, or other business data;
   46         b.Compromising e-mail and acting as a vector for
   47  ransomware deployment;
   48         c.Conducting cyber-espionage against a public employer;
   49         d.Conducting surveillance and tracking of individual
   50  users; or
   51         e.Using algorithmic modifications to conduct
   52  disinformation or misinformation campaigns; and
   53         2.Any Internet application the department deems to present
   54  a security risk in the form of unauthorized access to or
   55  temporary unavailability of the public employer’s records,
   56  digital assets, systems, networks, servers, or information.
   57         (g)“Public employer” means the state or any agency,
   58  authority, branch, bureau, commission, department, division,
   59  special district, institution, university, institution of higher
   60  education, or board thereof; or any county, district school
   61  board, or municipality, or any agency, branch, department,
   62  board, or metropolitan planning organization thereof.
   63         (2)(a)A public employer shall do all of the following:
   64         1.Block all prohibited applications from public access on
   65  any network and virtual private network that it owns, operates,
   66  or maintains.
   67         2.Restrict access to any prohibited application on a
   68  government-issued device.
   69         3.Retain the ability to remotely wipe and uninstall any
   70  prohibited application from a government-issued device that is
   71  believed to have been adversely impacted, either intentionally
   72  or unintentionally, by a prohibited application.
   73         (b)A person, including an employee or officer of a public
   74  employer, may not download or access any prohibited application
   75  on any government-issued device.
   76         1.This paragraph does not apply to a law enforcement
   77  officer as defined in s. 943.10(1) if the use of the prohibited
   78  application is necessary to protect the public safety or conduct
   79  an investigation within the scope of his or her employment.
   80         2.A public employer may request a waiver from the
   81  department to allow designated employees or officers to download
   82  or access a prohibited application on a government-issued
   83  device.
   84         (c)Within 15 calendar days after the department issues or
   85  updates its list of prohibited applications pursuant to
   86  paragraph (3)(a), an employee or officer of a public employer
   87  who uses a government-issued device must remove, delete, or
   88  uninstall any prohibited applications from his or her
   89  government-issued device.
   90         (3)The department shall do all of the following:
   91         (a)Compile and maintain a list of prohibited applications
   92  and publish the list on its website. The department shall update
   93  this list quarterly and shall provide notice of any update to
   94  public employers.
   95         (b)Establish procedures for granting or denying requests
   96  for waivers pursuant to subparagraph (2)(b)2. The request for a
   97  waiver must include all of the following:
   98         1.A description of the activity to be conducted and the
   99  state interest furthered by the activity.
  100         2.The maximum number of government-issued devices and
  101  employees or officers to which the waiver will apply.
  102         3.The length of time for necessary for the waiver. Any
  103  waiver granted pursuant to subparagraph (2)(b)2. must be limited
  104  to a timeframe of no more than 1 year, but the department may
  105  approve an extension.
  106         4.Risk mitigation actions that will be taken to prevent
  107  access to sensitive data, including methods to ensure that the
  108  activity does not connect to a state system, network, or server.
  109         5.A description of the circumstances under which the
  110  waiver applies.
  111         (4)(a)Notwithstanding s. 120.74(4) and (5), the department
  112  is authorized, and all conditions are deemed met, to adopt
  113  emergency rules pursuant to s. 120.54(4) and to implement
  114  paragraph (3)(a). Such rulemaking must occur initially by filing
  115  emergency rules within 30 days after July 1, 2023.
  116         (b)The department shall adopt rules necessary to
  117  administer this section.
  118         Section 2. The Legislature finds that a proper and
  119  legitimate state purpose is served when efforts are taken to
  120  secure a public employer’s system, network, or server.
  121  Therefore, the Legislature determines and declares that this act
  122  fulfills an important state interest.
  123         Section 3. This act shall take effect July 1, 2023.
  124  
  125  ================= T I T L E  A M E N D M E N T ================
  126  And the title is amended as follows:
  127         Delete everything before the enacting clause
  128  and insert:
  129                        A bill to be entitled                      
  130         An act relating to prohibited applications on
  131         government-issued devices; creating s. 112.22, F.S.;
  132         defining terms; requiring public employers to take
  133         certain actions relating to prohibited applications;
  134         prohibiting employees and officers of public employers
  135         from downloading or accessing prohibited applications
  136         on government-issued devices; providing exceptions;
  137         providing a deadline by which specified employees must
  138         remove, delete, or uninstall a prohibited application;
  139         requiring the Department of Management Services to
  140         compile a specified list and establish procedures for
  141         a specified waiver; authorizing the department to
  142         adopt emergency rules; requiring that such rulemaking
  143         occur within a specified timeframe; requiring the
  144         department to adopt specified rules; providing a
  145         declaration of important state interest; providing an
  146         effective date.