Florida Senate - 2025 COMMITTEE AMENDMENT
Bill No. SPB 7026
Ì867736MÎ867736
LEGISLATIVE ACTION
Senate . House
Comm: FAV .
03/20/2025 .
.
.
.
—————————————————————————————————————————————————————————————————
—————————————————————————————————————————————————————————————————
The Committee on Appropriations (Harrell) recommended the
following:
1 Senate Amendment (with title amendment)
2
3 Delete lines 2537 - 2901
4 and insert:
5 6. State chief of information technology workforce
6 development.
7 (2) BUREAUS.—
8 (a) The Division of Enterprise Information Technology
9 Services shall include:
10 1. The Bureau of Enterprise Information Technology
11 Operations, responsible for assessing state agency information
12 technology needs and risks as established under s. 282.006,
13 Florida Statutes.
14 2. The Bureau of Enterprise Information Technology Quality
15 Assurance, responsible for activities established under s.
16 282.006, Florida Statutes.
17 3. The Bureau of Enterprise Information Technology Project
18 Management, responsible for project management oversight and
19 activities established under s. 282.006, Florida Statutes.
20 4. The Bureau of Enterprise Information Technology Contract
21 Management, responsible for contract management oversight and
22 activities established under s. 282.006, Florida Statutes.
23 (b) The Division of Enterprise Information Technology
24 Purchasing shall include:
25 1. The Bureau of Enterprise Information Technology
26 Procurement Services, responsible for procurement activities
27 established under s. 282.006, Florida Statutes.
28 2. The Bureau of Enterprise Information Technology
29 Procurement Policy and Oversight, responsible for activities
30 established under s. 282.006, Florida Statutes.
31 (3) WORKGROUP.—
32 (a) The chief information officer policy workgroup shall be
33 composed of all state agency chief information officers.
34 (b) The purpose of the workgroup is to provide the
35 Legislature with input and feedback regarding the structure,
36 budget, and governance of the Agency for State Systems and
37 Enterprise Technology.
38 (c) The chair of the workgroup shall be the interim state
39 chief information officer.
40 (d) The voting members of the workgroup shall include the
41 chair of the workgroup and the chief information officers from
42 the Department of Financial Services, the Department of
43 Agriculture and Consumer Services, and the Department of Legal
44 Affairs.
45 (e) The chair of the workgroup shall submit a report to the
46 Governor, the Commissioner of Agriculture, the Chief Financial
47 Officer, the Attorney General, the President of the Senate, and
48 the Speaker of the House of Representatives which includes
49 recommendations and justifications for changes by December 1,
50 2025. The final report must be voted on and accepted by a
51 unanimous vote of the voting members of the workgroup.
52 (f) The workgroup shall expire after submission of the
53 report required in paragraph (e).
54 Section 24. Section 282.201, Florida Statutes, is amended
55 to read:
56 282.201 State data center.—The state data center is
57 established within the Northwest Regional Data Center pursuant
58 to s. 282.0211 and shall meet or exceed the information
59 technology standards specified in ss. 282.006 and 282.318 the
60 department. The provision of data center services must comply
61 with applicable state and federal laws, regulations, and
62 policies, including all applicable security, privacy, and
63 auditing requirements. The department shall appoint a director
64 of the state data center who has experience in leading data
65 center facilities and has expertise in cloud-computing
66 management.
67 (1) STATE DATA CENTER DUTIES.—The state data center shall:
68 (a) Offer, develop, and support the services and
69 applications defined in service-level agreements executed with
70 its customer entities.
71 (b) Maintain performance of the state data center by
72 ensuring proper data backup; data backup recovery; disaster
73 recovery; and appropriate security, power, cooling, fire
74 suppression, and capacity.
75 (c) Develop and implement business continuity and disaster
76 recovery plans, and annually conduct a live exercise of each
77 plan.
78 (d) Enter into a service-level agreement with each customer
79 entity to provide the required type and level of service or
80 services. If a customer entity fails to execute an agreement
81 within 60 days after commencement of a service, the state data
82 center may cease service. A service-level agreement may not have
83 a term exceeding 3 years and at a minimum must:
84 1. Identify the parties and their roles, duties, and
85 responsibilities under the agreement.
86 2. State the duration of the contract term and specify the
87 conditions for renewal.
88 3. Identify the scope of work.
89 4. Identify the products or services to be delivered with
90 sufficient specificity to permit an external financial or
91 performance audit.
92 5. Establish the services to be provided, the business
93 standards that must be met for each service, the cost of each
94 service by agency application, and the metrics and processes by
95 which the business standards for each service are to be
96 objectively measured and reported.
97 6. Provide a timely billing methodology to recover the
98 costs of services provided to the customer entity pursuant to s.
99 215.422.
100 7. Provide a procedure for modifying the service-level
101 agreement based on changes in the type, level, and cost of a
102 service.
103 8. Include a right-to-audit clause to ensure that the
104 parties to the agreement have access to records for audit
105 purposes during the term of the service-level agreement.
106 9. Provide that a service-level agreement may be terminated
107 by either party for cause only after giving the other party and
108 the department notice in writing of the cause for termination
109 and an opportunity for the other party to resolve the identified
110 cause within a reasonable period.
111 10. Provide for mediation of disputes by the Division of
112 Administrative Hearings pursuant to s. 120.573.
113 (e) For purposes of chapter 273, be the custodian of
114 resources and equipment located in and operated, supported, and
115 managed by the state data center.
116 (f) Assume administrative access rights to resources and
117 equipment, including servers, network components, and other
118 devices, consolidated into the state data center.
119 1. Upon consolidation, a state agency shall relinquish
120 administrative rights to consolidated resources and equipment.
121 State agencies required to comply with federal and state
122 criminal justice information security rules and policies shall
123 retain administrative access rights sufficient to comply with
124 the management control provisions of those rules and policies;
125 however, the state data center shall have the appropriate type
126 or level of rights to allow the center to comply with its duties
127 pursuant to this section. The Department of Law Enforcement
128 shall serve as the arbiter of disputes pertaining to the
129 appropriate type and level of administrative access rights
130 pertaining to the provision of management control in accordance
131 with the federal criminal justice information guidelines.
132 2. The state data center shall provide customer entities
133 with access to applications, servers, network components, and
134 other devices necessary for entities to perform business
135 activities and functions, and as defined and documented in a
136 service-level agreement.
137 (g) In its procurement process, show preference for cloud
138 computing solutions that minimize or do not require the
139 purchasing, financing, or leasing of state data center
140 infrastructure, and that meet the needs of customer agencies,
141 that reduce costs, and that meet or exceed the applicable state
142 and federal laws, regulations, and standards for cybersecurity.
143 (h) Assist customer entities in transitioning from state
144 data center services to the Northwest Regional Data Center or
145 other third-party cloud-computing services procured by a
146 customer entity or by the Northwest Regional Data Center on
147 behalf of a customer entity.
148 (1)(2) USE OF THE STATE DATA CENTER.—
149 (a) The following are exempt from the use of the state data
150 center: the Department of Law Enforcement, the Department of the
151 Lottery’s Gaming System, Systems Design and Development in the
152 Office of Policy and Budget, the regional traffic management
153 centers as described in s. 335.14(2) and the Office of Toll
154 Operations of the Department of Transportation, the State Board
155 of Administration, state attorneys, public defenders, criminal
156 conflict and civil regional counsel, capital collateral regional
157 counsel, and the Florida Housing Finance Corporation, and the
158 Division of Emergency Management within the Executive Office of
159 the Governor.
160 (b) The Division of Emergency Management is exempt from the
161 use of the state data center. This paragraph expires July 1,
162 2025.
163 (2)(3) AGENCY LIMITATIONS.—Unless exempt from the use of
164 the state data center pursuant to this section or authorized by
165 the Legislature, a state agency may not:
166 (a) Create a new agency computing facility or data center,
167 or expand the capability to support additional computer
168 equipment in an existing agency computing facility or data
169 center; or
170 (b) Terminate services with the state data center without
171 giving written notice of intent to terminate services 180 days
172 before such termination.
173 (4) DEPARTMENT RESPONSIBILITIES.—The department shall
174 provide operational management and oversight of the state data
175 center, which includes:
176 (a) Implementing industry standards and best practices for
177 the state data center’s facilities, operations, maintenance,
178 planning, and management processes.
179 (b) Developing and implementing cost-recovery mechanisms
180 that recover the full direct and indirect cost of services
181 through charges to applicable customer entities. Such cost
182 recovery mechanisms must comply with applicable state and
183 federal regulations concerning distribution and use of funds and
184 must ensure that, for any fiscal year, no service or customer
185 entity subsidizes another service or customer entity. The
186 department may recommend other payment mechanisms to the
187 Executive Office of the Governor, the President of the Senate,
188 and the Speaker of the House of Representatives. Such mechanisms
189 may be implemented only if specifically authorized by the
190 Legislature.
191 (c) Developing and implementing appropriate operating
192 guidelines and procedures necessary for the state data center to
193 perform its duties pursuant to subsection (1). The guidelines
194 and procedures must comply with applicable state and federal
195 laws, regulations, and policies and conform to generally
196 accepted governmental accounting and auditing standards. The
197 guidelines and procedures must include, but need not be limited
198 to:
199 1. Implementing a consolidated administrative support
200 structure responsible for providing financial management,
201 procurement, transactions involving real or personal property,
202 human resources, and operational support.
203 2. Implementing an annual reconciliation process to ensure
204 that each customer entity is paying for the full direct and
205 indirect cost of each service as determined by the customer
206 entity’s use of each service.
207 3. Providing rebates that may be credited against future
208 billings to customer entities when revenues exceed costs.
209 4. Requiring customer entities to validate that sufficient
210 funds exist before implementation of a customer entity’s request
211 for a change in the type or level of service provided, if such
212 change results in a net increase to the customer entity’s cost
213 for that fiscal year.
214 5. By November 15 of each year, providing to the Office of
215 Policy and Budget in the Executive Office of the Governor and to
216 the chairs of the legislative appropriations committees the
217 projected costs of providing data center services for the
218 following fiscal year.
219 6. Providing a plan for consideration by the Legislative
220 Budget Commission if the cost of a service is increased for a
221 reason other than a customer entity’s request made pursuant to
222 subparagraph 4. Such a plan is required only if the service cost
223 increase results in a net increase to a customer entity for that
224 fiscal year.
225 7. Standardizing and consolidating procurement and
226 contracting practices.
227 (d) In collaboration with the Department of Law Enforcement
228 and the Florida Digital Service, developing and implementing a
229 process for detecting, reporting, and responding to
230 cybersecurity incidents, breaches, and threats.
231 (e) Adopting rules relating to the operation of the state
232 data center, including, but not limited to, budgeting and
233 accounting procedures, cost-recovery methodologies, and
234 operating procedures.
235 (5) NORTHWEST REGIONAL DATA CENTER CONTRACT.—In order for
236 the department to carry out its duties and responsibilities
237 relating to the state data center, the secretary of the
238 department shall contract by July 1, 2022, with the Northwest
239 Regional Data Center pursuant to s. 287.057(11). The contract
240 shall provide that the Northwest Regional Data Center will
241 manage the operations of the state data center and provide data
242 center services to state agencies.
243 (a) The department shall provide contract oversight,
244 including, but not limited to, reviewing invoices provided by
245 the Northwest Regional Data Center for services provided to
246 state agency customers.
247 (b) The department shall approve or request updates to
248 invoices within 10 business days after receipt. If the
249 department does not respond to the Northwest Regional Data
250 Center, the invoice will be approved by default. The Northwest
251 Regional Data Center must submit approved invoices directly to
252 state agency customers.
253 Section 25. Section 282.0211, Florida Statutes, is created
254 to read:
255 282.0211 Northwest Regional Data Center.—
256 (1) For the purpose of providing data center services to
257 its state agency customers, the Northwest Regional Data Center
258 is designated as the state data center for all state agencies
259 and shall:
260 (a) Operate under a governance structure that represents
261 its customers proportionally.
262 (b) Maintain an appropriate cost-allocation methodology
263 that accurately bills state agency customers based solely on the
264 actual direct and indirect costs of the services provided to
265 state agency customers and ensures that, for any fiscal year,
266 state agency customers are not subsidizing other customers of
267 the data center. Such cost-allocation methodology must comply
268 with applicable state and federal regulations concerning the
269 distribution and use of state and federal funds.
270 (c) Enter into a service-level agreement with each state
271 agency customer to provide services as defined and approved by
272 the governing board of the center. At a minimum, such service
273 level agreements must:
274 1. Identify the parties and their roles, duties, and
275 responsibilities under the agreement;
276 2. State the duration of the agreement term, which may not
277 exceed 3 years, and specify the conditions for up to two
278 optional 1-year renewals of the agreement before execution of a
279 new agreement;
280 3. Identify the scope of work;
281 4. Establish the services to be provided, the business
282 standards that must be met for each service, the cost of each
283 service, and the process by which the business standards for
284 each service are to be objectively measured and reported;
285 5. Provide a timely billing methodology for recovering the
286 cost of services provided pursuant to s. 215.422;
287 6. Provide a procedure for modifying the service-level
288 agreement to address any changes in projected costs of service;
289 7. Include a right-to-audit clause to ensure that the
290 parties to the agreement have access to records for audit
291 purposes during the term of the service-level agreement;
292 8. Identify the products or services to be delivered with
293 sufficient specificity to permit an external financial or
294 performance audit;
295 9. Provide that the service-level agreement may be
296 terminated by either party for cause only after giving the other
297 party notice in writing of the cause for termination and an
298 opportunity for the other party to resolve the identified cause
299 within a reasonable period; and
300 10. Provide state agency customer entities with access to
301 applications, servers, network components, and other devices
302 necessary for entities to perform business activities and
303 functions and as defined and documented in a service-level
304 agreement.
305 (d) In its procurement process, show preference for cloud
306 computing solutions that minimize or do not require the
307 purchasing or financing of state data center infrastructure,
308 that meet the needs of state agency customer entities, that
309 reduce costs, and that meet or exceed the applicable state and
310 federal laws, regulations, and standards for cybersecurity.
311 (e) Assist state agency customer entities in transitioning
312 from state data center services to other third-party cloud
313 computing services procured by a customer entity or by the
314 Northwest Regional Data Center on behalf of the customer entity.
315 (f) Provide to the Board of Governors the total annual
316 budget by major expenditure category, including, but not limited
317 to, salaries, expenses, operating capital outlay, contracted
318 services, or other personnel services, by July 30 each fiscal
319 year.
320 (g) Provide to each state agency customer its projected
321 annual cost for providing the agreed-upon data center services
322 by September 1 each fiscal year.
323 (h) By November 15 of each year, provide to the Office of
324 Policy and Budget in the Executive Office of the Governor and to
325 the chairs of the legislative appropriations committees the
326 projected costs of providing data center services for the
327 following fiscal year.
328 (i) Provide a plan for consideration by the Legislative
329 Budget Commission if the governing body of the center approves
330 the use of a billing rate schedule after the start of the fiscal
331 year that increases any state agency customer’s costs for that
332 fiscal year.
333 (j) Provide data center services that comply with
334 applicable state and federal laws, regulations, and policies,
335 including all applicable security, privacy, and auditing
336 requirements.
337 (k) Maintain performance of the data center facilities by
338 ensuring proper data backup; data backup recovery; disaster
339 recovery; and appropriate security, power, cooling, fire
340 suppression, and capacity.
341 (l) Submit invoices to state agency customers.
342 (m) As funded in the General Appropriations Act, provide
343 data center services to state agencies from multiple facilities.
344 (2) Unless exempt from the requirement to use the state
345 data center pursuant to s. 282.201(1) or as authorized by the
346 Legislature, a state agency may not do any of the following:
347 (a) Terminate services with the Northwest Regional Data
348 Center without giving written notice of intent to terminate
349 services 180 days before such termination.
350 (b) Procure third-party cloud-computing services without
351 evaluating the cloud-computing services provided by the
352 Northwest Regional Data Center.
353 (c) Exceed 30 days from receipt of approved invoices to
354 remit payment for state data center services provided by the
355 Northwest Regional Data Center.
356 (3) The Northwest Regional Data Center’s authority to
357 provide data center services to its state agency customers may
358 be terminated if:
359 (a) The center requests such termination to the Board of
360 Governors, the President of the Senate, and the Speaker of the
361 House of Representatives; or
362 (b) The center fails to comply with the provisions of this
363 section.
364 (4) If such authority is terminated, the center has 1 year
365 to provide for the transition of its state agency customers to a
366 qualified alternative cloud-based data center that meets the
367 enterprise architecture standards established pursuant to this
368 chapter.
369 Section 26. Section 1004.649, Florida Statutes, is amended
370 to read:
371 1004.649 Northwest Regional Data Center.—There is created
372 at Florida State University the Northwest Regional Data Center.
373 The data center shall serve as the state data center as
374 designated in s. 282.201
375 (1) For the purpose of providing data center services to
376 its state agency customers, the Northwest Regional Data Center
377 is designated as a state data center for all state agencies and
378 shall:
379 (a) Operate under a governance structure that represents
380 its customers proportionally.
381 (b) Maintain an appropriate cost-allocation methodology
382 that accurately bills state agency customers based solely on the
383 actual direct and indirect costs of the services provided to
384 state agency customers and ensures that, for any fiscal year,
385 state agency customers are not subsidizing other customers of
386 the data center. Such cost-allocation methodology must comply
387 with applicable state and federal regulations concerning the
388 distribution and use of state and federal funds.
389 (c) Enter into a service-level agreement with each state
390 agency customer to provide services as defined and approved by
391 the governing board of the center. At a minimum, such service
392 level agreements must:
393 1. Identify the parties and their roles, duties, and
394 responsibilities under the agreement;
395 2. State the duration of the agreement term, which may not
396 exceed 3 years, and specify the conditions for up to two
397 optional 1-year renewals of the agreement before execution of a
398 new agreement;
399 3. Identify the scope of work;
400 4. Establish the services to be provided, the business
401 standards that must be met for each service, the cost of each
402 service, and the process by which the business standards for
403 each service are to be objectively measured and reported;
404 5. Provide a timely billing methodology for recovering the
405 cost of services provided pursuant to s. 215.422;
406 6. Provide a procedure for modifying the service-level
407 agreement to address any changes in projected costs of service;
408 7. Include a right-to-audit clause to ensure that the
409 parties to the agreement have access to records for audit
410 purposes during the term of the service-level agreement;
411 8. Identify the products or services to be delivered with
412 sufficient specificity to permit an external financial or
413 performance audit;
414 9. Provide that the service-level agreement may be
415 terminated by either party for cause only after giving the other
416 party notice in writing of the cause for termination and an
417 opportunity for the other party to resolve the identified cause
418 within a reasonable period; and
419 10. Provide state agency customer entities with access to
420 applications, servers, network components, and other devices
421 necessary for entities to perform business activities and
422 functions and as defined and documented in a service-level
423 agreement.
424 (d) In its procurement process, show preference for cloud
425 computing solutions that minimize or do not require the
426 purchasing or financing of state data center infrastructure,
427 that meet the needs of state agency customer entities, that
428 reduce costs, and that meet or exceed the applicable state and
429 federal laws, regulations, and standards for cybersecurity.
430 (e) Assist state agency customer entities in transitioning
431 from state data center services to other third-party cloud
432 computing services procured by a customer entity or by the
433 Northwest Regional Data Center on behalf of the customer entity.
434 (f) Provide to the Board of Governors the total annual
435 budget by major expenditure category, including, but not limited
436 to, salaries, expenses, operating capital outlay, contracted
437 services, or other personnel services by July 30 each fiscal
438 year.
439 (g) Provide to each state agency customer its projected
440 annual cost for providing the agreed-upon data center services
441 by September 1 each fiscal year.
442 (h) Provide a plan for consideration by the Legislative
443 Budget Commission if the governing body of the center approves
444 the use of a billing rate schedule after the start of the fiscal
445 year that increases any state agency customer’s costs for that
446 fiscal year.
447 (i) Provide data center services that comply with
448 applicable state and federal laws, regulations, and policies,
449 including all applicable security, privacy, and auditing
450 requirements.
451 (j) Maintain performance of the data center facilities by
452 ensuring proper data backup; data backup recovery; disaster
453 recovery; and appropriate security, power, cooling, fire
454 suppression, and capacity.
455 (k) Prepare and submit state agency customer invoices to
456 the Department of Management Services for approval. Upon
457 approval or by default pursuant to s. 282.201(5), submit
458 invoices to state agency customers.
459 (l) As funded in the General Appropriations Act, provide
460 data center services to state agencies from multiple facilities.
461 (2) Unless exempt from the requirement to use the state
462 data center pursuant to s. 282.201(2) or as authorized by the
463 Legislature, a state agency may not do any of the following:
464 (a) Terminate services with the Northwest Regional Data
465 Center without giving written notice of intent to terminate
466 services 180 days before such termination.
467 (b) Procure third-party cloud-computing services without
468 evaluating the cloud-computing services provided by the
469 Northwest Regional Data Center.
470 (c) Exceed 30 days from receipt of approved invoices to
471 remit payment for state data center services provided by the
472 Northwest Regional Data Center.
473 (3) The Northwest Regional Data Center’s authority to
474 provide data center services to its state agency customers may
475 be terminated if:
476 (a) The center requests such termination to the Board of
477 Governors, the President of the Senate, and the Speaker of the
478 House of Representatives; or
479 (b) The center fails to comply with the provisions of this
480 section.
481 (4) If such authority is terminated, the center has 1 year
482 to provide for the transition of its state agency customers to a
483 qualified alternative cloud-based data center that meets the
484 enterprise architecture standards established by the Florida
485 Digital Service.
486
487 ================= T I T L E A M E N D M E N T ================
488 And the title is amended as follows:
489 Delete lines 275 - 292
490 and insert:
491 duties; amending s. 282.201, F.S.; establishing the
492 state data center within the Northwest Regional Data
493 Center; requiring the Northwest Regional Data Center
494 to meet or exceed specified information technology
495 standards; revising requirements of the state data
496 center; abrogating the scheduled repeal of the
497 Division of Emergency Management’s exemption from
498 using the state data center; deleting Department of
499 Management Services’ responsibilities related to the
500 state data center; deleting provisions relating to
501 contracting with the Northwest Regional Data Center;
502 creating s. 282.0211, F.S.; designating the Northwest
503 Regional Data Center as a state data center for all
504 state agencies; requiring the data center to engage in
505 specified actions; prohibiting state agencies from
506 terminating services with the data center without
507 giving written notice within a specified timeframe,
508 procuring third-party cloud-computing services without
509 evaluating the data center’s cloud-computing services,
510 and exceeding a specified timeframe to remit payments
511 for data center services provided by the data center;
512 specifying circumstances under which the data center’s
513 designation may be terminated; providing that the data
514 center has a specified timeframe to provide for the
515 transition of state agency customers to a qualified
516 alternative cloud-based data center that meets
517 specified standards; amending s. 1004.649, F.S.;
518 creating the Northwest Regional Data Center at Florida
519 State University; conforming provisions to changes
520 made by the act;