Florida Senate - 2025 SB 1536
By Senator Collins
14-00733A-25 20251536__
1 A bill to be entitled
2 An act relating to cybersecurity; amending s. 110.205,
3 F.S.; exempting certain personnel from the career
4 service system; providing for the establishment of
5 salary and benefits for certain positions; amending s.
6 282.0041, F.S.; providing definitions; amending s.
7 282.0051, F.S.; revising the purposes for which the
8 Florida Digital Service is established; requiring the
9 Florida Digital Service to ensure that independent
10 project oversight on certain state agency information
11 technology projects is performed in a certain manner;
12 revising the date by which the Department of
13 Management Services, acting through the Florida
14 Digital Service, must provide certain recommendations
15 to the Executive Office of the Governor and the
16 Legislature; deleting certain duties of the Florida
17 Digital Service; revising the total project cost of
18 certain projects for which the Florida Digital Service
19 must provide project oversight; specifying the date by
20 which the Florida Digital Service must provide certain
21 reports; requiring the state chief information
22 officer, in consultation with the Secretary of
23 Management Services, to designate a state chief
24 technology officer; providing duties of the state
25 chief technology officer; revising the total project
26 cost of certain projects for which certain procurement
27 actions must be taken; deleting provisions prohibiting
28 the department, acting through the Florida Digital
29 Service, from retrieving or disclosing certain data in
30 certain circumstances; amending s. 282.00515, F.S.;
31 conforming a cross-reference; amending s. 282.318,
32 F.S.; providing that the Florida Digital Service is
33 the lead entity for a certain purpose; requiring the
34 Cybersecurity Operations Center to provide certain
35 notifications; requiring the state chief information
36 officer to make certain reports in consultation with
37 the state chief information security officer;
38 requiring a state agency to report ransomware and
39 cybersecurity incidents within certain time periods;
40 requiring the Cybersecurity Operations Center to
41 notify certain entities immediately of reported
42 incidents and take certain actions; requiring the
43 state chief information security officer to notify the
44 Legislature of certain incidents within a certain time
45 period; requiring certain notification to be provided
46 in a secure environment; requiring the Cybersecurity
47 Operations Center to provide a certain report to
48 certain entities by a specified date; requiring the
49 Florida Digital Service to provide cybersecurity
50 briefings to certain legislative committees;
51 authorizing the Florida Digital Service to obtain
52 certain access to certain infrastructure and direct
53 certain measures; requiring a state agency head to
54 designate a chief information security officer
55 annually by a specified date; providing that certain
56 agencies shall be under the general supervision of the
57 agency head or designee for administrative purposes
58 but reports to the state chief information officer;
59 authorizing an agency to request that the department
60 procure a chief information security officer; revising
61 the purpose of an agency’s information security
62 manager and the date by which he or she must be
63 designated; authorizing the department to brief
64 certain legislative committees in a closed setting on
65 certain records that are confidential and exempt from
66 public records requirements; requiring such
67 legislative committees to maintain the confidential
68 and exempt status of certain records; authorizing
69 certain legislators to attend meetings of the Florida
70 Cybersecurity Advisory Council; amending s. 282.3185,
71 F.S.; requiring a local government to report
72 ransomware and certain cybersecurity incidents to the
73 Cybersecurity Operations Center within certain time
74 periods; requiring the Cybersecurity Operations Center
75 to notify certain entities immediately of certain
76 incidents and take certain actions; requiring that
77 certain notification be provided in a secure
78 environment; amending s. 282.319, F.S.; revising the
79 membership of the Florida Cybersecurity Advisory
80 Council; creating s. 282.3191, F.S.; requiring the
81 Florida Center for Cybersecurity at the University of
82 South Florida to annually conduct certain
83 comprehensive risk assessments; requiring that the
84 center use the data collected and analyzed to provide
85 certain recommendations; requiring the center to
86 submit such assessments and recommendations to the
87 Governor, the Legislature, and the executive director
88 of the Florida Cybersecurity Advisory Council;
89 providing an effective date.
90
91 Be It Enacted by the Legislature of the State of Florida:
92
93 Section 1. Paragraph (e) of subsection (2) of section
94 110.205, Florida Statutes, is amended, and paragraph (y) is
95 added to subsection (2) of that section, to read:
96 110.205 Career service; exemptions.—
97 (2) EXEMPT POSITIONS.—The exempt positions that are not
98 covered by this part include the following:
99 (e) The state chief information officer, the state chief
100 data officer, the state chief technology officer, and the state
101 chief information security officer. The Department of Management
102 Services shall set the salary and benefits of these positions in
103 accordance with the rules of the Senior Management Service.
104 (y) Chief information security officers, information
105 security managers designated pursuant to s. 282.318(4), and
106 personnel employed by or reporting to the state chief
107 information security officer, the state chief data officer, or
108 an agency information security manager. Unless otherwise fixed
109 by law, the department shall establish the salary and benefits
110 for these positions in accordance with the rules of the Selected
111 Exempt Service, except that the salary and benefits for the
112 agency information security manager shall be established by the
113 department in accordance with the rules of the Senior Management
114 Service.
115 Section 2. Present subsections (3), (4), and (5), (6)
116 through (16), and (17) through (38) of section 282.0041, Florida
117 Statutes, are redesignated as subsections (4), (5), and (6), (8)
118 through (18), and (20) through (41), respectively, and new
119 subsections (3), (7), and (19) are added to that section, to
120 read:
121 282.0041 Definitions.—As used in this chapter, the term:
122 (3) “As a service” means the contracting with or
123 outsourcing to a third party of a defined role or function as a
124 means of delivery.
125 (7) “Cloud provider” means an entity that provides cloud
126 computing services.
127 (19) “Enterprise digital data” means information held by a
128 state agency in electronic form which is deemed to be data owned
129 by the state and held for state purposes by the state agency.
130 Enterprise digital data that is subject to statutory
131 requirements for particular types of sensitive data or to
132 contractual limitations for data marked as trade secrets or
133 sensitive corporate data held by state agencies must be treated
134 in accordance with such requirements or limitations. The
135 department shall maintain personnel with appropriate licenses,
136 certifications, or classifications to steward such enterprise
137 digital data, as necessary. Enterprise digital data must be
138 maintained in accordance with chapter 119. This subsection may
139 not be construed to create or expand an exemption from public
140 records requirements under s. 119.07(1) or s. 24(a), Art. I of
141 the State Constitution.
142 Section 3. Subsections (1), (4), and (5) of section
143 282.0051, Florida Statutes, are amended, and paragraph (c) is
144 added to subsection (2) of that section, to read:
145 282.0051 Department of Management Services; Florida Digital
146 Service; powers, duties, and functions.—
147 (1) The Florida Digital Service is established has been
148 created within the department to lead enterprise information
149 technology and cybersecurity efforts; to safeguard enterprise
150 digital data; to propose, test, develop, and deploy innovative
151 solutions that securely modernize state government, including
152 technology and information services;, to achieve value through
153 digital transformation and interoperability;, and to fully
154 support the cloud-first policy as specified in s. 282.206. The
155 department, through the Florida Digital Service, shall have the
156 following powers, duties, and functions:
157 (a) Develop and publish information technology policy for
158 the management of the state’s information technology resources.
159 (b) Develop an enterprise architecture that:
160 1. Acknowledges the unique needs of the entities within the
161 enterprise in the development and publication of standards and
162 terminologies to facilitate digital interoperability;
163 2. Supports the cloud-first policy as specified in s.
164 282.206; and
165 3. Addresses how information technology infrastructure may
166 be modernized to achieve cloud-first objectives.
167 (c) Establish project management and oversight standards
168 with which state agencies must comply when implementing
169 information technology projects. The department, acting through
170 the Florida Digital Service, shall provide training
171 opportunities to state agencies to assist in the adoption of the
172 project management and oversight standards. To support
173 data-driven decisionmaking, the standards must include, but are not
174 limited to:
175 1. Performance measurements and metrics that objectively
176 reflect the status of an information technology project based on
177 a defined and documented project scope, cost, and schedule.
178 2. Methodologies for calculating acceptable variances in
179 the projected versus actual scope, schedule, or cost of an
180 information technology project.
181 3. Reporting requirements, including requirements designed
182 to alert all defined stakeholders that an information technology
183 project has exceeded acceptable variances defined and documented
184 in a project plan.
185 4. Content, format, and frequency of project updates.
186 5. Technical standards to ensure an information technology
187 project complies with the enterprise architecture.
188 (d) Ensure that independent Perform project oversight on
189 all state agency information technology projects that have total
190 project costs of $25 $10 million or more and that are funded in
191 the General Appropriations Act or any other law is performed in
192 compliance with applicable state and federal law. The
193 department, acting through the Florida Digital Service, shall
194 report at least quarterly to the Executive Office of the
195 Governor, the President of the Senate, and the Speaker of the
196 House of Representatives on any information technology project
197 that the department identifies as high-risk due to the project
198 exceeding acceptable variance ranges defined and documented in a
199 project plan. The report must include a risk assessment,
200 including fiscal risks, associated with proceeding to the next
201 stage of the project, and a recommendation for corrective
202 actions required, including suspension or termination of the
203 project.
204 (e) Identify opportunities for standardization and
205 consolidation of information technology services that support
206 interoperability and the cloud-first policy, as specified in s.
207 282.206, and business functions and operations, including
208 administrative functions such as purchasing, accounting and
209 reporting, cash management, and personnel, and that are common
210 across state agencies. The department, acting through the
211 Florida Digital Service, shall biennially on January 15 1 of
212 each even-numbered year provide recommendations for
213 standardization and consolidation to the Executive Office of the
214 Governor, the President of the Senate, and the Speaker of the
215 House of Representatives.
216 (f) Establish best practices for the procurement of
217 information technology products and cloud-computing services in
218 order to reduce costs, increase the quality of data center
219 services, or improve government services.
220 (g) Develop standards for information technology reports
221 and updates, including, but not limited to, operational work
222 plans, project spend plans, and project status reports, for use
223 by state agencies.
224 (h) Upon request, assist state agencies in the development
225 of information technology-related legislative budget requests.
226 (i) Conduct annual assessments of state agencies to
227 determine compliance with all information technology standards
228 and guidelines developed and published by the department and
229 provide results of the assessments to the Executive Office of
230 the Governor, the President of the Senate, and the Speaker of
231 the House of Representatives.
232 (i)(j) Conduct a market analysis not less frequently than
233 every 3 years beginning in 2021 to determine whether the
234 information technology resources within the enterprise are
235 utilized in the most cost-effective and cost-efficient manner,
236 while recognizing that the replacement of certain legacy
237 information technology systems within the enterprise may be cost
238 prohibitive or cost inefficient due to the remaining useful life
239 of those resources; whether the enterprise is complying with the
240 cloud-first policy specified in s. 282.206; and whether the
241 enterprise is utilizing best practices with respect to
242 information technology, information services, and the
243 acquisition of emerging technologies and information services.
244 Each market analysis shall be used to prepare a strategic plan
245 for continued and future information technology and information
246 services for the enterprise, including, but not limited to,
247 proposed acquisition of new services or technologies and
248 approaches to the implementation of any new services or
249 technologies. Copies of each market analysis and accompanying
250 strategic plan must be submitted to the Executive Office of the
251 Governor, the President of the Senate, and the Speaker of the
252 House of Representatives not later than December 31 of each year
253 that a market analysis is conducted.
254 (j)(k) Recommend other information technology services that
255 should be designed, delivered, and managed as enterprise
256 information technology services. Recommendations must include
257 the identification of existing information technology resources
258 associated with the services, if existing services must be
259 transferred as a result of being delivered and managed as
260 enterprise information technology services.
261 (k)(l) In consultation with state agencies, propose a
262 methodology and approach for identifying and collecting both
263 current and planned information technology expenditure data at
264 the state agency level.
265 (l)1.(m)1. Notwithstanding any other law, provide project
266 oversight on any information technology project of the
267 Department of Financial Services, the Department of Legal
268 Affairs, and the Department of Agriculture and Consumer Services
269 which has a total project cost of $25 $20 million or more. Such
270 information technology projects must also comply with the
271 applicable information technology architecture, project
272 management and oversight, and reporting standards established by
273 the department, acting through the Florida Digital Service.
274 2. When ensuring performance of performing the project
275 oversight function specified in subparagraph 1., report by the
276 30th day after the end of each quarter at least quarterly to the
277 Executive Office of the Governor, the President of the Senate,
278 and the Speaker of the House of Representatives on any
279 information technology project that the department, acting
280 through the Florida Digital Service, identifies as high-risk due
281 to the project exceeding acceptable variance ranges defined and
282 documented in the project plan. The report shall include a risk
283 assessment, including fiscal risks, associated with proceeding
284 to the next stage of the project and a recommendation for
285 corrective actions required, including suspension or termination
286 of the project.
287 (m)(n) If an information technology project implemented by
288 a state agency must be connected to or otherwise accommodated by
289 an information technology system administered by the Department
290 of Financial Services, the Department of Legal Affairs, or the
291 Department of Agriculture and Consumer Services, consult with
292 these departments regarding the risks and other effects of such
293 projects on their information technology systems and work
294 cooperatively with these departments regarding the connections,
295 interfaces, timing, or accommodations required to implement such
296 projects.
297 (n)(o) If adherence to standards or policies adopted by or
298 established pursuant to this section causes conflict with
299 federal regulations or requirements imposed on an entity within
300 the enterprise and results in adverse action against an entity
301 or federal funding, work with the entity to provide alternative
302 standards, policies, or requirements that do not conflict with
303 the federal regulation or requirement. The department, acting
304 through the Florida Digital Service, shall annually by January
305 15 report such alternative standards to the Executive Office of
306 the Governor, the President of the Senate, and the Speaker of
307 the House of Representatives.
308 (o)1.(p)1. Establish an information technology policy for
309 all information technology-related state contracts, including
310 state term contracts for information technology commodities,
311 consultant services, and staff augmentation services. The
312 information technology policy must include:
313 a. Identification of the information technology product and
314 service categories to be included in state term contracts.
315 b. Requirements to be included in solicitations for state
316 term contracts.
317 c. Evaluation criteria for the award of information
318 technology-related state term contracts.
319 d. The term of each information technology-related state
320 term contract.
321 e. The maximum number of vendors authorized on each state
322 term contract.
323 f. At a minimum, a requirement that any contract for
324 information technology commodities or services meet the National
325 Institute of Standards and Technology Cybersecurity Framework.
326 g. For an information technology project wherein project
327 oversight is required pursuant to paragraph (d) or paragraph (l)
328 (m), a requirement that independent verification and validation
329 be employed throughout the project life cycle with the primary
330 objective of independent verification and validation being to
331 provide an objective assessment of products and processes
332 throughout the project life cycle. An entity providing
333 independent verification and validation may not have technical,
334 managerial, or financial interest in the project and may not
335 have responsibility for, or participate in, any other aspect of
336 the project.
337 2. Evaluate vendor responses for information
338 technology-related state term contract solicitations and invitations to
339 negotiate.
340 3. Answer vendor questions on information
341 technology-related state term contract solicitations.
342 4. Ensure that the information technology policy
343 established pursuant to subparagraph 1. is included in all
344 solicitations and contracts that are administratively executed
345 by the department.
346 (p)(q) Recommend potential methods for standardizing data
347 across state agencies which will promote interoperability and
348 reduce the collection of duplicative data.
349 (q)(r) Recommend open data technical standards and
350 terminologies for use by the enterprise.
351 (r)(s) Ensure that enterprise information technology
352 solutions are capable of utilizing an electronic credential and
353 comply with the enterprise architecture standards.
354 (2)
355 (c) The state chief information officer, in consultation
356 with the Secretary of Management Services, shall designate a
357 state chief technology officer who shall be responsible for all
358 of the following:
359 1. Establishing and maintaining an enterprise architecture
360 framework that ensures information technology investments align
361 with the state’s strategic objectives and initiatives pursuant
362 to paragraph (1)(b).
363 2. Conducting comprehensive evaluations of potential
364 technological solutions and cultivating strategic partnerships,
365 internally with state enterprise agencies and externally with
366 the private sector, to leverage collective expertise, foster
367 collaboration, and advance the state’s technological
368 capabilities.
369 3. Supervising program management of enterprise information
370 technology initiatives pursuant to paragraphs (1)(c), (d), and
371 (l); providing advisory support and oversight for
372 technology-related projects; and continuously identifying and recommending
373 best practices to optimize outcomes of technology projects and
374 enhance the enterprise’s technological efficiency and
375 effectiveness.
376 (4) For information technology projects that have a total
377 project cost of $25 $10 million or more:
378 (a) State agencies must provide the Florida Digital Service
379 with written notice of any planned procurement of an information
380 technology project.
381 (b) The Florida Digital Service must participate in the
382 development of specifications and recommend modifications to any
383 planned procurement of an information technology project by
384 state agencies so that the procurement complies with the
385 enterprise architecture.
386 (c) The Florida Digital Service must participate in
387 post-award contract monitoring.
388 (5) The department, acting through the Florida Digital
389 Service, may not retrieve or disclose any data without a shared
390 data agreement in place between the department and the
391 enterprise entity that has primary custodial responsibility of,
392 or data-sharing responsibility for, that data.
393 Section 4. Subsection (1) of section 282.00515, Florida
394 Statutes, is amended to read:
395 282.00515 Duties of Cabinet agencies.—
396 (1) The Department of Legal Affairs, the Department of
397 Financial Services, and the Department of Agriculture and
398 Consumer Services shall adopt the standards established in s.
399 282.0051(1)(b), (c), and (q) (r) and (3)(e) or adopt alternative
400 standards based on best practices and industry standards that
401 allow for open data interoperability.
402 Section 5. Present paragraphs (a) through (k) of subsection
403 (4) and subsection (10) of section 282.318, Florida Statutes,
404 are redesignated as paragraphs (b) through (l) of subsection (4)
405 and subsection (11), respectively, a new paragraph (a) is added
406 to subsection (4) and a new subsection (10) is added to that
407 section, and subsection (3) and present paragraph (a) of
408 subsection (4) of that section are amended, to read:
409 282.318 Cybersecurity.—
410 (3) The department, acting through the Florida Digital
411 Service, is the lead entity responsible for leading enterprise
412 information technology and cybersecurity efforts, safeguarding
413 enterprise digital data, and establishing standards and
414 processes for assessing state agency cybersecurity risks and
415 determining appropriate security measures. Such standards and
416 processes must be consistent with generally accepted technology
417 best practices, including the National Institute for Standards
418 and Technology Cybersecurity Framework, for cybersecurity. The
419 department, acting through the Florida Digital Service, shall
420 adopt rules that mitigate risks; safeguard state agency digital
421 assets, data, information, and information technology resources
422 to ensure availability, confidentiality, and integrity; and
423 support a security governance framework. The department, acting
424 through the Florida Digital Service, shall also:
425 (a) Designate an employee of the Florida Digital Service as
426 the state chief information security officer. The state chief
427 information security officer must have experience and expertise
428 in security and risk management for communications and
429 information technology resources. The state chief information
430 security officer is responsible for the development, operation,
431 and oversight of cybersecurity for state technology systems. The
432 Cybersecurity Operations Center shall immediately notify the
433 state chief information officer and the state chief information
434 security officer shall be notified of all confirmed or suspected
435 incidents or threats of state agency information technology
436 resources. The state chief information officer, in consultation
437 with the state chief information security officer, and must
438 report such incidents or threats to the state chief information
439 officer and the Governor.
440 (b) Develop, and annually update by February 1, a statewide
441 cybersecurity strategic plan that includes security goals and
442 objectives for cybersecurity, including the identification and
443 mitigation of risk, proactive protections against threats,
444 tactical risk detection, threat reporting, and response and
445 recovery protocols for a cyber incident.
446 (c) Develop and publish for use by state agencies a
447 cybersecurity governance framework that, at a minimum, includes
448 guidelines and processes for:
449 1. Establishing asset management procedures to ensure that
450 an agency’s information technology resources are identified and
451 managed consistent with their relative importance to the
452 agency’s business objectives.
453 2. Using a standard risk assessment methodology that
454 includes the identification of an agency’s priorities,
455 constraints, risk tolerances, and assumptions necessary to
456 support operational risk decisions.
457 3. Completing comprehensive risk assessments and
458 cybersecurity audits, which may be completed by a private sector
459 vendor, and submitting completed assessments and audits to the
460 department.
461 4. Identifying protection procedures to manage the
462 protection of an agency’s information, data, and information
463 technology resources.
464 5. Establishing procedures for accessing information and
465 data to ensure the confidentiality, integrity, and availability
466 of such information and data.
467 6. Detecting threats through proactive monitoring of
468 events, continuous security monitoring, and defined detection
469 processes.
470 7. Establishing agency cybersecurity incident response
471 teams and describing their responsibilities for responding to
472 cybersecurity incidents, including breaches of personal
473 information containing confidential or exempt data.
474 8. Recovering information and data in response to a
475 cybersecurity incident. The recovery may include recommended
476 improvements to the agency processes, policies, or guidelines.
477 9. Establishing a cybersecurity incident reporting process
478 that includes procedures for notifying the department and the
479 Department of Law Enforcement of cybersecurity incidents.
480 a. The level of severity of the cybersecurity incident is
481 defined by the National Cyber Incident Response Plan of the
482 United States Department of Homeland Security as follows:
483 (I) Level 5 is an emergency-level incident within the
484 specified jurisdiction that poses an imminent threat to the
485 provision of wide-scale critical infrastructure services;
486 national, state, or local government security; or the lives of
487 the country’s, state’s, or local government’s residents.
488 (II) Level 4 is a severe-level incident that is likely to
489 result in a significant impact in the affected jurisdiction to
490 public health or safety; national, state, or local security;
491 economic security; or civil liberties.
492 (III) Level 3 is a high-level incident that is likely to
493 result in a demonstrable impact in the affected jurisdiction to
494 public health or safety; national, state, or local security;
495 economic security; civil liberties; or public confidence.
496 (IV) Level 2 is a medium-level incident that may impact
497 public health or safety; national, state, or local security;
498 economic security; civil liberties; or public confidence.
499 (V) Level 1 is a low-level incident that is unlikely to
500 impact public health or safety; national, state, or local
501 security; economic security; civil liberties; or public
502 confidence.
503 b. The cybersecurity incident reporting process must
504 specify the information that must be reported by a state agency
505 following a cybersecurity incident or ransomware incident,
506 which, at a minimum, must include the following:
507 (I) A summary of the facts surrounding the cybersecurity
508 incident or ransomware incident.
509 (II) The date on which the state agency most recently
510 backed up its data; the physical location of the backup, if the
511 backup was affected; and if the backup was created using cloud
512 computing.
513 (III) The types of data compromised by the cybersecurity
514 incident or ransomware incident.
515 (IV) The estimated fiscal impact of the cybersecurity
516 incident or ransomware incident.
517 (V) In the case of a ransomware incident, the details of
518 the ransom demanded.
519 c.(I) A state agency shall report all ransomware incidents
520 and any cybersecurity incidents incident determined by the state
521 agency to be of severity level 3, 4, or 5 to the Cybersecurity
522 Operations Center and the Cybercrime Office of the Department of
523 Law Enforcement as soon as possible but no later than 12 48
524 hours after discovery of the cybersecurity incident and no later
525 than 6 12 hours after discovery of the ransomware incident. The
526 report must contain the information required in sub-subparagraph
527 b.
528 (II) The Cybersecurity Operations Center shall:
529 (A) Immediately notify the Cybercrime Office of the
530 Department of Law Enforcement of a reported incident and provide
531 to the office regular reports on the status of the incident,
532 preserve forensic data to support a subsequent investigation,
533 and provide aid to the investigative efforts of the office upon
534 the office’s request if the state chief information security
535 officer finds that the investigation does not impede remediation
536 of the incident and that there is no risk to the public and no
537 risk to critical state functions.
538 (B) Immediately notify the state chief information officer
539 and the state chief information security officer of a reported
540 incident. The state chief information security officer shall
541 notify the President of the Senate and the Speaker of the House
542 of Representatives of any severity level 3, 4, or 5 incident as
543 soon as possible but no later than 24 12 hours after receiving a
544 state agency’s incident report. The notification must include a
545 high-level description of the incident and the likely effects
546 and must be provided in a secure environment.
547 d. A state agency shall report a cybersecurity incident
548 determined by the state agency to be of severity level 1 or 2 to
549 the Cybersecurity Operations Center and the Cybercrime Office of
550 the Department of Law Enforcement as soon as possible. The
551 report must contain the information required in sub-subparagraph
552 b.
553 d.e. The Cybersecurity Operations Center shall provide a
554 consolidated incident report by the 30th day after the end of
555 each quarter on a quarterly basis to the Governor, the Attorney
556 General, the executive director of the Department of Law
557 Enforcement, the President of the Senate, the Speaker of the
558 House of Representatives, and the Florida Cybersecurity Advisory
559 Council. The report provided to the Florida Cybersecurity
560 Advisory Council may not contain the name of any agency, network
561 information, or system identifying information but must contain
562 sufficient relevant information to allow the Florida
563 Cybersecurity Advisory Council to fulfill its responsibilities
564 as required in s. 282.319(9).
565 10. Incorporating information obtained through detection
566 and response activities into the agency’s cybersecurity incident
567 response plans.
568 11. Developing agency strategic and operational
569 cybersecurity plans required pursuant to this section.
570 12. Establishing the managerial, operational, and technical
571 safeguards for protecting state government data and information
572 technology resources that align with the state agency risk
573 management strategy and that protect the confidentiality,
574 integrity, and availability of information and data.
575 13. Establishing procedures for procuring information
576 technology commodities and services that require the commodity
577 or service to meet the National Institute of Standards and
578 Technology Cybersecurity Framework.
579 14. Submitting after-action reports following a
580 cybersecurity incident or ransomware incident. Such guidelines
581 and processes for submitting after-action reports must be
582 developed and published by December 1, 2022.
583 (d) Assist state agencies in complying with this section.
584 (e) In collaboration with the Cybercrime Office of the
585 Department of Law Enforcement, annually provide training for
586 state agency information security managers and computer security
587 incident response team members that contains training on
588 cybersecurity, including cybersecurity threats, trends, and best
589 practices.
590 (f) Annually review the strategic and operational
591 cybersecurity plans of state agencies.
592 (g) Annually provide cybersecurity training to all state
593 agency technology professionals and employees with access to
594 highly sensitive information which develops, assesses, and
595 documents competencies by role and skill level. The
596 cybersecurity training curriculum must include training on the
597 identification of each cybersecurity incident severity level
598 referenced in sub-subparagraph (c)9.a. The training may be
599 provided in collaboration with the Cybercrime Office of the
600 Department of Law Enforcement, a private sector entity, or an
601 institution of the State University System.
602 (h) Operate and maintain a Cybersecurity Operations Center
603 led by the state chief information security officer, which must
604 be primarily virtual and staffed with tactical detection and
605 incident response personnel. The Cybersecurity Operations Center
606 shall serve as a clearinghouse for threat information and
607 coordinate with the Department of Law Enforcement to support
608 state agencies and their response to any confirmed or suspected
609 cybersecurity incident.
610 (i) Lead an Emergency Support Function, ESF-20 ESF CYBER,
611 under the state comprehensive emergency management plan as
612 described in s. 252.35.
613 (j) Provide cybersecurity briefings to the members of any
614 legislative committee or subcommittee responsible for policy
615 matters relating to cybersecurity.
616 (k) Have the authority to obtain immediate access to public
617 or private infrastructure hosting enterprise digital data and to
618 direct, in consultation with the state agency that holds the
619 particular enterprise digital data, measures to assess, monitor,
620 and safeguard the enterprise digital data.
621 (4) Each state agency head shall, at a minimum:
622 (a) Designate a chief information security officer to
623 integrate the agency’s technical and operational cybersecurity
624 efforts with the Cybersecurity Operations Center. This
625 designation must be provided annually in writing to the Florida
626 Digital Service by January 15. For a state agency under the
627 jurisdiction of the Governor, the agency’s chief information
628 security officer shall be under the general supervision of the
629 agency head or designee for administrative purposes but shall
630 report to the state chief information officer. An agency may
631 request that the department procure a chief information security
632 officer as a service to fulfill the agency’s duties under this
633 paragraph.
634 (b)(a) Designate an information security manager to ensure
635 compliance with cybersecurity governance and with the state’s
636 enterprise security program and incident response plan. The
637 information security manager must coordinate with the agency’s
638 chief information security officer and the Cybersecurity
639 Operations Center to ensure that the unique needs of the agency
640 are met administer the cybersecurity program of the state
641 agency. This designation must be provided annually in writing to
642 the department by January 15 1. A state agency’s information
643 security manager, for purposes of these information security
644 duties, shall work in collaboration with the agency’s chief
645 information security officer and report directly to the agency
646 head.
647 (10) The department may brief any legislative committee or
648 subcommittee responsible for cybersecurity policy in a meeting
649 or other setting closed by the respective body under the rules
650 of such legislative body at which the legislative committee or
651 subcommittee is briefed on records made confidential and exempt
652 under subsections (5) and (6). The legislative committee or
653 subcommittee must maintain the confidential and exempt status of
654 such records. A legislator serving on a legislative committee or
655 subcommittee responsible for cybersecurity policy may also
656 attend meetings of the Florida Cybersecurity Advisory Council,
657 including any portions of such meetings that are exempt from s.
658 286.011 and s. 24(b), Art. I of the State Constitution.
659 Section 6. Paragraphs (b) and (c) of subsection (5) of
660 section 282.3185, Florida Statutes, are amended to read:
661 282.3185 Local government cybersecurity.—
662 (5) INCIDENT NOTIFICATION.—
663 (b)1. A local government shall report all ransomware
664 incidents and any cybersecurity incident determined by the local
665 government to be of severity level 3, 4, or 5 as provided in s.
666 282.318(3)(c) to the Cybersecurity Operations Center, the
667 Cybercrime Office of the Department of Law Enforcement, and the
668 sheriff who has jurisdiction over the local government as soon
669 as possible but no later than 12 48 hours after discovery of the
670 cybersecurity incident and no later than 6 12 hours after
671 discovery of the ransomware incident. The report must contain
672 the information required in paragraph (a).
673 2. The Cybersecurity Operations Center shall:
674 a. Immediately notify the Cybercrime Office of the
675 Department of Law Enforcement and the sheriff who has
676 jurisdiction over the local government of a reported incident
677 and provide to the Cybercrime Office of the Department of Law
678 Enforcement and the sheriff who has jurisdiction over the local
679 government regular reports on the status of the incident,
680 preserve forensic data to support a subsequent investigation,
681 and provide aid to the investigative efforts of the Cybercrime
682 Office of the Department of Law Enforcement upon the office’s
683 request if the state chief information security officer finds
684 that the investigation does not impede remediation of the
685 incident and that there is no risk to the public and no risk to
686 critical state functions.
687 b. Immediately notify the state chief information security
688 officer of a reported incident. The state chief information
689 security officer shall notify the President of the Senate and
690 the Speaker of the House of Representatives of any severity
691 level 3, 4, or 5 incident as soon as possible but no later than
692 24 12 hours after receiving a local government’s incident
693 report. The notification must include a high-level description
694 of the incident and the likely effects and must be provided in a
695 secure environment.
696 (c) A local government may report a cybersecurity incident
697 determined by the local government to be of severity level 1 or
698 2 as provided in s. 282.318(3)(c) to the Cybersecurity
699 Operations Center, the Cybercrime Office of the Department of
700 Law Enforcement, and the sheriff who has jurisdiction over the
701 local government. The report shall contain the information
702 required in paragraph (a). The Cybersecurity Operations Center
703 shall immediately notify the Cybercrime Office of the Department
704 of Law Enforcement and the sheriff who has jurisdiction over the
705 local government of a reported incident and provide regular
706 reports on the status of the cybersecurity incident, preserve
707 forensic data to support a subsequent investigation, and provide
708 aid to the investigative efforts of the Cybercrime Office of the
709 Department of Law Enforcement upon request if the state chief
710 information security officer finds that the investigation does
711 not impede remediation of the cybersecurity incident and that
712 there is no risk to the public and no risk to critical state
713 functions.
714 Section 7. Paragraph (j) of subsection (4) of section
715 282.319, Florida Statutes, is amended, and paragraph (m) is
716 added to that subsection, to read:
717 282.319 Florida Cybersecurity Advisory Council.—
718 (4) The council shall be comprised of the following
719 members:
720 (j) Three representatives from critical infrastructure
721 sectors, one of whom must be from a utility provider water
722 treatment facility, appointed by the Governor.
723 (m) A representative of local government.
724 Section 8. Section 282.3191, Florida Statutes, is created
725 to read:
726 282.3191 Comprehensive risk assessments; recommendations.—
727 (1) To position this state as the national leader in
728 cybersecurity readiness and resilience to cybersecurity attacks,
729 the Florida Center for Cybersecurity at the University of South
730 Florida, also known as Cyber Florida at USF, shall annually
731 conduct, on a regular rolling basis by infrastructure sector or
732 in response to immediate needs and threats, comprehensive risk
733 assessments of the state’s critical infrastructure. Cyber
734 Florida at USF shall use the data collected and analyzed to
735 develop and provide recommendations to improve the state’s
736 preparedness and resilience to significant cybersecurity
737 incidents and potential vulnerabilities.
738 (2) Beginning on January 31, 2026, and each January 31
739 thereafter, Cyber Florida at USF shall submit a copy of the
740 assessments conducted and recommendations developed pursuant to
741 subsection (1) to the Governor, the President of the Senate, the
742 Speaker of the House of Representatives, and the executive
743 director of the Florida Cybersecurity Advisory Council.
744 Section 9. This act shall take effect July 1, 2025.