Florida Senate - 2025 (PROPOSED BILL) SPB 7026
FOR CONSIDERATION By the Committee on Appropriations
576-02447-25 20257026pb
1 A bill to be entitled
2 An act relating to information technology; creating s.
3 20.70, F.S.; creating the Agency for State Systems and
4 Enterprise Technology (ASSET); providing that the
5 Governor and Cabinet are the head of the agency;
6 establishing divisions and offices of the agency;
7 providing for an executive director of the agency;
8 providing that the executive director also serves as
9 the state chief information officer; providing for the
10 appointment and removal of such executive director;
11 prohibiting the state chief information officer from
12 having financial, personal, or business conflicts of
13 interest related to certain vendors, contractors, and
14 service providers of the state; requiring that the
15 state chief information officer selection committee
16 within ASSET be appointed and provide a specified
17 number of nominees upon a vacancy of such officer;
18 providing the composition of such committee; providing
19 the qualifications for the state chief information
20 officer; providing that persons who currently serve,
21 or have served, as state agency heads are ineligible
22 to serve as the state chief information officer;
23 transferring the state chief information officer of
24 the Department of Management Services to ASSET until
25 the Governor and the Cabinet appoint a permanent
26 officer; requiring that such appointment occur by a
27 specified date; amending s. 97.0525, F.S.; requiring
28 that the Division of Elections comprehensive risk
29 assessment comply with the risk assessment methodology
30 developed by ASSET; amending s. 112.22, F.S.; defining
31 the term “ASSET”; deleting the term “department”;
32 revising the definition of the term “prohibited
33 application”; authorizing public employers to request
34 a certain waiver from ASSET; requiring ASSET to take
35 specified actions; deleting obsolete language;
36 requiring ASSET to adopt rules; amending s. 119.0725,
37 F.S.; providing that confidential and exempt
38 information must be made available to ASSET; amending
39 s. 216.023, F.S.; requiring agencies and the judicial
40 branch to include a cumulative inventory and a certain
41 status report of specified projects with their
42 legislative budget requests; defining the term
43 “technology-related project”; deleting a provision
44 requiring state agencies and the judicial branch to
45 include a cumulative inventory and a certain status
46 report of specified projects as part of a budget
47 request; conforming a cross-reference; amending s.
48 282.0041, F.S.; deleting and revising definitions;
49 defining the terms “ASSET” and “technical debt”;
50 amending s. 282.0051, F.S.; deleting obsolete
51 language; revising the powers, duties, and functions
52 of the Department of Management Services, through the
53 Florida Digital Service; deleting a requirement that
54 the state chief information officer, in consultation
55 with the Secretary of Management Services, designate a
56 state chief data officer; deleting requirements of the
57 department, acting through the Florida Digital
58 Service, relating to the use of appropriated funds for
59 certain actions; deleting provisions related to
60 information technology projects that have a total
61 project cost in excess of $10 million; providing for
62 the future repeal of the section; deleting a
63 requirement to adopt rules; repealing s. 282.00515,
64 F.S., relating to duties of Cabinet agencies; creating
65 s. 282.006, F.S.; requiring ASSET to operate as the
66 state enterprise organization for information
67 technology governance and as the lead entity
68 responsible for understanding needs and environments,
69 creating standards and strategy, supporting state
70 agency technology efforts, and reporting on the state
71 of information technology in this state; providing
72 legislative intent; requiring ASSET to establish the
73 strategic direction of information technology in the
74 state; requiring ASSET to develop and publish
75 information technology policy for a specified purpose;
76 requiring that such policy be updated as necessary to
77 meet certain requirements and advancements in
78 technology; requiring ASSET to take specified actions
79 related to oversight of the state’s technology
80 enterprise; requiring ASSET to produce specified
81 reports, recommendations, and analyses and provide
82 such reports, recommendations, and analyses to the
83 Governor, the Commissioner of Agriculture, the Chief
84 Executive Officer, the Attorney General, and the
85 Legislature by specified dates and at specified
86 intervals; providing requirements for such reports;
87 requiring ASSET to conduct a market analysis at a
88 certain interval beginning on a specified date;
89 providing requirements for the market analysis;
90 requiring that each market analysis be used to prepare
91 a strategic plan for specified purposes; requiring
92 that copies of the market analysis and strategic plan
93 be submitted by a specified date; authorizing ASSET to
94 adopt rules; creating s. 282.0061, F.S.; providing
95 legislative intent; requiring ASSET to complete a
96 certain full baseline needs assessment of state
97 agencies, develop a specified plan to conduct such
98 assessments, and submit such plan to the Governor, the
99 Commissioner of Agriculture, the Chief Financial
100 Officer, the Attorney General, and the Legislature
101 within a specified timeframe; requiring ASSET to
102 support state agency strategic planning efforts and
103 assist such agencies with a certain phased roadmap;
104 providing requirements for such roadmaps; requiring
105 ASSET to make recommendations for standardizing data
106 across state agencies for a specified purpose and
107 identify any opportunities for standardization and
108 consolidation of information technology services
109 across state agencies and support specified functions;
110 requiring ASSET to develop standards for use by state
111 agencies and enforce consistent standards and promote
112 best practices across all state agencies; requiring
113 ASSET to provide a certain report to the Governor, the
114 Commissioner of Agriculture, the Chief Financial
115 Officer, the Attorney General, and the Legislature by
116 a specified date; providing requirements of the
117 report; providing the duties and responsibilities of
118 ASSET related to state agency technology projects;
119 requiring ASSET, in consultation with state agencies,
120 to create a methodology, approach, and applicable
121 templates and formats for identifying and collecting
122 information technology expenditure data at the state
123 agency level; requiring ASSET to obtain, review, and
124 maintain records of the appropriations, expenditures,
125 and revenues for information technology for each state
126 agency; requiring ASSET to prescribe the format for
127 state agencies to provide financial information to
128 ASSET for inclusion in a certain annual report;
129 requiring state agencies to submit such information by
130 a specified date annually; requiring that such
131 information be reported to ASSET to determine all
132 costs and expenditures of information technology
133 assets and resources provided to state agencies;
134 requiring ASSET to work with state agencies to provide
135 alternative standards, policies, or requirements under
136 specified circumstances; creating s. 282.0062, F.S.;
137 establishing workgroups within ASSET to facilitate
138 coordination with state agencies; providing for the
139 membership and duties of such workgroups; creating s.
140 282.0063, F.S.; requiring ASSET to perform specified
141 actions to develop and manage career paths,
142 progressions, and training programs for the benefit of
143 state agency personnel; creating s. 282.0064, F.S.;
144 requiring ASSET, in coordination with the Department
145 of Management Services, to establish a policy for all
146 information technology-related solicitations,
147 contracts, and procurements; providing requirements
148 for the policy related to state term contracts, all
149 contracts, and information technology projects that
150 require oversight; prohibiting entities providing
151 independent verification and validation from having
152 certain interests, responsibilities, or other
153 participation in the project; providing the primary
154 objective of independent verification and validation;
155 requiring the entity performing such verification and
156 validation to provide specified regular reports and
157 assessments; requiring the Division of State
158 Purchasing within the Department of Management
159 Services to coordinate with ASSET on state term
160 contract solicitations and invitations to negotiate;
161 requiring ASSET to evaluate vendor responses and
162 answer vendor questions on such solicitations and
163 invitations; creating s. 282.0065, F.S.; requiring
164 ASSET to establish, maintain, and manage a certain
165 test laboratory, beginning at a specified time;
166 providing the purpose of the laboratory; requiring
167 ASSET to take specified actions relating to the
168 laboratory; creating s. 282.0066, F.S.; requiring
169 ASSET to develop, implement, and maintain a certain
170 library; providing requirements for the library;
171 requiring ASSET to establish procedures that ensure
172 the integrity, security, and availability of the
173 library; requiring ASSET to regularly update documents
174 and materials in the library to reflect current state
175 and federal requirements, industry best practices, and
176 emerging technologies; requiring state agencies to
177 reference and adhere to the policies, standards, and
178 guidelines of the library in specified tasks;
179 requiring ASSET to create mechanisms for state
180 agencies to submit feedback, request clarifications,
181 and recommend updates; authorizing state agencies to
182 request exemptions to specific policies, standards, or
183 guidelines under specified circumstances; providing
184 the mechanism for a state agency to request such
185 exemption; requiring ASSET to review the request and
186 make a recommendation to the state chief information
187 officer; requiring the state chief information officer
188 to present the exemption to the chief information
189 officer workgroup; requiring that approval of the
190 exemption be by majority vote; requiring that state
191 agencies granted an exemption be reviewed periodically
192 to determine whether such exemption is necessary or if
193 compliance can be achieved; amending s. 282.318, F.S.;
194 revising the duties of the Department of Management
195 Services, acting through the Florida Digital Service,
196 relating to cybersecurity; requiring state agencies to
197 report all ransomware incidents to the state chief
198 information security officer instead of the
199 Cybersecurity Operations Center; requiring the state
200 chief information security officer, instead of the
201 Cybersecurity Operations Center, to notify the
202 Legislature of certain incidents; requiring state
203 agencies to notify the state chief information
204 security officer within specified timeframes after the
205 discovery of a specified cybersecurity incident or
206 ransomware incident; requiring the state chief
207 information security officer, instead of the
208 Cybersecurity Operations Center, to provide a certain
209 report on a quarterly basis to the Legislature;
210 revising the actions that state agency heads are
211 required to perform relating to cybersecurity;
212 reducing the timeframe that the state agency strategic
213 cybersecurity plan must cover; requiring that a
214 specified comprehensive risk assessment be done
215 biennially; providing requirements for such
216 assessment; revising the definition of the term “state
217 agency”; providing that ASSET is the lead entity
218 responsible for establishing enterprise technology and
219 cybersecurity standards and processes and security
220 measures that comply with specified standards;
221 requiring ASSET to adopt specified rules; requiring
222 that ASSET take specified actions; revising the
223 responsibilities of the state chief information
224 security officer; requiring that ASSET develop and
225 publish a specified framework that includes certain
226 guidelines and processes for use by state agencies;
227 requiring that ASSET, in consultation with the state
228 chief information technology procurement officer,
229 establish specified procedures for procuring
230 information technology commodities and services;
231 requiring ASSET, thorough the state chief information
232 security officer and the Division of Enterprise
233 Information Technology Workforce Development, to
234 provide a certain annual training to specified
235 persons; conforming provisions to changes made by the
236 act; amending s. 282.3185, F.S.; requiring the state
237 chief information security officer to perform
238 specified actions relating to cybersecurity training
239 for state employees; requiring local governments to
240 notify the state chief information security officer of
241 compliance with specified provisions as soon as
242 possible; requiring local governments to notify the
243 state chief information security officer, instead of
244 the Cybersecurity Operations Center, of cybersecurity
245 or ransomware incidents; revising the timeframes in
246 which such notifications must be made; requiring the
247 state chief information security officer to notify the
248 state chief information officer, the Governor, the
249 Commissioner of Agriculture, the Chief Financial
250 Officer, the Attorney General, and the Legislature of
251 certain incidents within a specified timeframe;
252 authorizing local governments to report certain
253 cybersecurity incidents to the state chief information
254 security officer instead of the Cybersecurity
255 Operations Center; requiring the state chief
256 information security officer to provide a certain
257 consolidated incident report within a specified
258 timeframe to the Governor, the Commissioner of
259 Agriculture, the Chief Financial Officer, the Attorney
260 General, and the Legislature; conforming provisions to
261 changes made by the act; requiring the state chief
262 information security officer to establish certain
263 guidelines and processes by a specified date;
264 conforming cross-references; repealing s. 282.319,
265 F.S., relating to the Florida Cybersecurity Advisory
266 Council; establishing positions within ASSET;
267 establishing the Division of Enterprise Information
268 Technology Services and the Division of Enterprise
269 Information Technology Purchasing and associated
270 bureaus; providing the responsibilities of the
271 bureaus; establishing the chief information officer
272 policy workgroup; providing the membership, purpose,
273 chair, and duties of the workgroup; providing for the
274 expiration of the workgroup upon completion of its
275 duties; amending s. 282.201, F.S.; revising
276 requirements of the state data center; abrogating the
277 scheduled repeal of the Division of Emergency
278 Management’s exemption from using the state data
279 center; deleting Department of Management Services
280 responsibilities related to the state data center;
281 deleting provisions relating to contracting with the
282 Northwest Regional Data Center; transferring,
283 renumbering, and amending s. 1004.649, F.S.; requiring
284 the Northwest Regional Data Center, by a specified
285 date annually, to provide the projected costs of
286 providing data center services for the following
287 fiscal year to the Office of Policy and Budget in the
288 Executive Office of the Governor and to the chairs of
289 the legislative appropriations committees; deleting a
290 requirement that the data center prepare and submit
291 certain invoices to the Department of Management
292 Services for approval; conforming a cross-reference;
293 amending s. 20.22, F.S.; deleting the Florida Digital
294 Service from the list of divisions, programs, and
295 services of the Department of Management Services;
296 amending s. 282.802, F.S.; providing that the
297 Government Technology Modernization Council is located
298 within ASSET; providing that the state chief
299 information officer, or his or her designee, is the ex
300 officio executive director of the council; conforming
301 provisions to changes made by the act; requiring the
302 council annually to submit to the Commissioner of
303 Agriculture, the Chief Financial Officer, and the
304 Attorney General certain legislative recommendations;
305 amending s. 282.604, F.S.; requiring ASSET, with input
306 from stakeholders, to adopt rules; amending s.
307 287.0591, F.S.; requiring the state chief information
308 officer, instead of the Florida Digital Service, to
309 participate in certain solicitations; amending s.
310 288.012, F.S.; conforming a cross-reference; amending
311 s. 443.1113, F.S.; requiring the Department of
312 Commerce to seek input on recommended enhancements
313 from ASSET instead of the Florida Digital Service;
314 amending s. 943.0415, F.S.; authorizing the Cybercrime
315 Office to consult with the state chief information
316 security officer of ASSET instead of the Florida
317 Digital Service; amending s. 1004.444, F.S.;
318 authorizing the Florida Center for Cybersecurity to
319 conduct, consult, or assist state agencies upon
320 receiving a request for assistance from such agencies;
321 providing effective dates.
322
323 Be It Enacted by the Legislature of the State of Florida:
324
325 Section 1. Section 20.70, Florida Statutes, is created to
326 read:
327 20.70 Agency for State Systems and Enterprise Technology.
328 There is created the Agency for State Systems and Enterprise
329 Technology. The head of the agency is the Governor and Cabinet.
330 (1) DIVISIONS AND OFFICES.—The following divisions and
331 offices of the Agency for State Systems and Enterprise
332 Technology are established:
333 (a) The Division of Administrative Services.
334 (b) The Office of Information Technology.
335 (c) Beginning July 1, 2026:
336 1. The Division of Enterprise Data and Interoperability.
337 2. The Division of Enterprise Security.
338 3. The Division of Enterprise Information Technology
339 Services.
340 4. The Division of Enterprise Information Technology
341 Purchasing.
342 5. The Division of Enterprise Information Technology
343 Workforce Development.
344 (2) EXECUTIVE DIRECTOR.—The executive director of the
345 Agency for State Systems and Enterprise Technology also serves
346 as the state chief information officer. The Governor and Cabinet
347 shall appoint a state chief information officer from nominees of
348 the state chief information officer selection committee. The
349 appointment must be made by a majority vote of the Governor and
350 Cabinet and is subject to confirmation by the Senate. Removal of
351 the state chief information officer is subject to a majority
352 vote of the Governor and Cabinet. The state chief information
353 officer is prohibited from having any financial, personal, or
354 business conflicts of interest related to technology vendors,
355 contractors, or other information technology service providers
356 doing business with the state.
357 (3) STATE CHIEF INFORMATION OFFICER SELECTION COMMITTEE.—
358 (a) Upon a vacancy or anticipated vacancy, the state chief
359 information officer selection committee within the Agency for
360 State Systems and Enterprise Technology shall be appointed to
361 nominate up to three qualified appointees for the position of
362 state chief information officer to the Governor and Cabinet for
363 appointment.
364 (b) The selection committee shall be composed of the
365 following members:
366 1. A state agency chief information officer of an executive
367 agency, appointed by the Governor and who shall serve as chair
368 of the committee.
369 2. The chief information officer of the Department of
370 Agriculture and Consumer Services, appointed by the Commissioner
371 of Agriculture.
372 3. The chief information officer of the Department of
373 Financial Services, appointed by the Chief Financial Officer.
374 4. The chief information officer of the Department of Legal
375 Affairs, appointed by the Attorney General.
376 (4) QUALIFICATIONS FOR THE STATE CHIEF INFORMATION
377 OFFICER.—
378 (a) Education requirements.—The state chief information
379 officer must meet one of the following criteria:
380 1. Hold a bachelor’s degree from an accredited institution
381 in information technology, computer science, business
382 administration, public administration, or a related field; or
383 2. Hold a master’s degree in any of the fields listed
384 above, which may be substituted for a portion of the experience
385 requirement, as determined by the selection committee.
386 (b) Professional experience requirements.—The state chief
387 information officer must have at least 10 years of progressively
388 responsible experience in information technology management,
389 digital transformation, cybersecurity, or information technology
390 governance, including:
391 1. A minimum of 5 years in an executive or senior
392 leadership role, overseeing information technology strategy,
393 operations, or enterprise technology management in either the
394 public or private sector;
395 2. Managing large-scale information technology projects,
396 enterprise infrastructure, and implementation of emerging
397 technologies;
398 3. Budget planning, procurement oversight, and financial
399 management of information technology investments; and
400 4. Working with state and federal information technology
401 regulations, digital services, and cybersecurity compliance
402 frameworks.
403 (c) Technical and policy expertise.—The state chief
404 information officer must have demonstrated expertise in:
405 1. Cybersecurity and data protection by demonstrating
406 knowledge of cybersecurity risk management, compliance with
407 NIST, ISO 27001, and applicable federal and state security
408 regulations;
409 2. Cloud and digital services with experience with cloud
410 computing, enterprise systems modernization, digital
411 transformation, and emerging information technology trends;
412 3. Information technology governance and policy development
413 by demonstrating an understanding of statewide information
414 technology governance structures, digital services, and
415 information technology procurement policies; and
416 4. Public sector information technology management by
417 demonstrating familiarity with government information technology
418 funding models, procurement requirements, and legislative
419 processes affecting information technology strategy.
420 (d) Leadership and administrative competencies.—The state
421 chief information officer must demonstrate:
422 1. Strategic vision and innovation by possessing the
423 capability to modernize information technology systems, drive
424 digital transformation, and align information technology
425 initiatives with state goals;
426 2. Collaboration and engagement with stakeholders by
427 working with legislators, state agency heads, local governments,
428 and private sector partners to implement information technology
429 initiatives;
430 3. Crisis management and cyber resilience by possessing the
431 capability to develop and lead cyber incident response, disaster
432 recovery, and information technology continuity plans; and
433 4. Fiscal management and budget expertise managing multi
434 million-dollar information technology budgets, cost-control
435 strategies, and financial oversight of information technology
436 projects.
437 (e) Previous appointment or service.—A person who is
438 currently serving or has previously served as the head of a
439 state agency in the state is ineligible for nomination,
440 appointment, or service as the state chief information officer.
441 Section 2. Until a state chief information officer is
442 appointed pursuant to s. 20.70, Florida Statutes, the current
443 state chief information officer of the Department of Management
444 Services shall be transferred to the Agency for State Systems
445 and Enterprise Technology and serve as interim state chief
446 information officer. A state chief information officer for the
447 Agency for State Systems and Enterprise Technology must be
448 appointed by the Governor and Cabinet by January 2, 2026.
449 Appointments to the state chief information officer selection
450 committee must be made by August 1, 2025.
451 Section 3. Effective July 1, 2026, paragraph (b) of
452 subsection (3) of section 97.0525, Florida Statutes, is amended
453 to read:
454 97.0525 Online voter registration.—
455 (3)
456 (b) The division shall conduct a comprehensive risk
457 assessment of the online voter registration system every 2
458 years. The comprehensive risk assessment must comply with the
459 risk assessment methodology developed by the Agency for State
460 Systems and Enterprise Technology Department of Management
461 Services for identifying security risks, determining the
462 magnitude of such risks, and identifying areas that require
463 safeguards. In addition, the comprehensive risk assessment must
464 incorporate all of the following:
465 1. Load testing and stress testing to ensure that the
466 online voter registration system has sufficient capacity to
467 accommodate foreseeable use, including during periods of high
468 volume of website users in the week immediately preceding the
469 book-closing deadline for an election.
470 2. Screening of computers and networks used to support the
471 online voter registration system for malware and other
472 vulnerabilities.
473 3. Evaluation of database infrastructure, including
474 software and operating systems, in order to fortify defenses
475 against cyberattacks.
476 4. Identification of any anticipated threats to the
477 security and integrity of data collected, maintained, received,
478 or transmitted by the online voter registration system.
479 Section 4. Effective July 1, 2026, paragraphs (a) and (f)
480 of subsection (1), paragraphs (b) and (c) of subsection (2), and
481 subsections (3) and (4) of section 112.22, Florida Statutes, are
482 amended to read:
483 112.22 Use of applications from foreign countries of
484 concern prohibited.—
485 (1) As used in this section, the term:
486 (a) “ASSET” means the Agency for State Systems and
487 Enterprise Technology “Department” means the Department of
488 Management Services.
489 (f) “Prohibited application” means an application that
490 meets the following criteria:
491 1. Any Internet application that is created, maintained, or
492 owned by a foreign principal and that participates in activities
493 that include, but are not limited to:
494 a. Collecting keystrokes or sensitive personal, financial,
495 proprietary, or other business data;
496 b. Compromising e-mail and acting as a vector for
497 ransomware deployment;
498 c. Conducting cyber-espionage against a public employer;
499 d. Conducting surveillance and tracking of individual
500 users; or
501 e. Using algorithmic modifications to conduct
502 disinformation or misinformation campaigns; or
503 2. Any Internet application ASSET the department deems to
504 present a security risk in the form of unauthorized access to or
505 temporary unavailability of the public employer’s records,
506 digital assets, systems, networks, servers, or information.
507 (2)
508 (b) A person, including an employee or officer of a public
509 employer, may not download or access any prohibited application
510 on any government-issued device.
511 1. This paragraph does not apply to a law enforcement
512 officer as defined in s. 943.10(1) if the use of the prohibited
513 application is necessary to protect the public safety or conduct
514 an investigation within the scope of his or her employment.
515 2. A public employer may request a waiver from ASSET the
516 department to allow designated employees or officers to download
517 or access a prohibited application on a government-issued
518 device.
519 (c) Within 15 calendar days after ASSET the department
520 issues or updates its list of prohibited applications pursuant
521 to paragraph (3)(a), an employee or officer of a public employer
522 who uses a government-issued device must remove, delete, or
523 uninstall any prohibited applications from his or her
524 government-issued device.
525 (3) ASSET The department shall do all of the following:
526 (a) Compile and maintain a list of prohibited applications
527 and publish the list on its website. ASSET The department shall
528 update this list quarterly and shall provide notice of any
529 update to public employers.
530 (b) Establish procedures for granting or denying requests
531 for waivers pursuant to subparagraph (2)(b)2. The request for a
532 waiver must include all of the following:
533 1. A description of the activity to be conducted and the
534 state interest furthered by the activity.
535 2. The maximum number of government-issued devices and
536 employees or officers to which the waiver will apply.
537 3. The length of time necessary for the waiver. Any waiver
538 granted pursuant to subparagraph (2)(b)2. must be limited to a
539 timeframe of no more than 1 year, but ASSET the department may
540 approve an extension.
541 4. Risk mitigation actions that will be taken to prevent
542 access to sensitive data, including methods to ensure that the
543 activity does not connect to a state system, network, or server.
544 5. A description of the circumstances under which the
545 waiver applies.
546 (4)(a) Notwithstanding s. 120.74(4) and (5), the department
547 is authorized, and all conditions are deemed met, to adopt
548 emergency rules pursuant to s. 120.54(4) and to implement
549 paragraph (3)(a). Such rulemaking must occur initially by filing
550 emergency rules within 30 days after July 1, 2023.
551 (b) ASSET The department shall adopt rules necessary to
552 administer this section.
553 Section 5. Effective July 1, 2026, paragraph (a) of
554 subsection (5) of section 119.0725, Florida Statutes, is amended
555 to read:
556 119.0725 Agency cybersecurity information; public records
557 exemption; public meetings exemption.—
558 (5)(a) Information made confidential and exempt pursuant to
559 this section must shall be made available to a law enforcement
560 agency, the Auditor General, the Cybercrime Office of the
561 Department of Law Enforcement, the Agency for State Systems and
562 Enterprise Technology Florida Digital Service within the
563 Department of Management Services, and, for agencies under the
564 jurisdiction of the Governor, the Chief Inspector General.
565 Section 6. Subsection (7) of section 216.023, Florida
566 Statutes, is amended to read:
567 216.023 Legislative budget requests to be furnished to
568 Legislature by agencies.—
569 (7) As part of the legislative budget request, each state
570 agency and the judicial branch shall include a cumulative an
571 inventory and status report of all ongoing technology-related
572 projects ongoing during the prior fiscal year or undertaken in
573 the prior fiscal year. For the purposes of this subsection, the
574 term “technology-related project” means a project that has been
575 funded or has had or is expected to have expenditures in more
576 than one fiscal year; has that have a cumulative estimated or
577 realized cost of more than $1 million; and does not include the
578 continuance of existing hardware and software maintenance
579 agreements, renewal of existing software licensing agreements,
580 or the replacement of desktop units with new technology that is
581 substantially similar to the technology being replaced. The
582 inventory must, at a minimum, contain all of the following
583 information:
584 (a) The name of the technology system.
585 (b) A brief description of the purpose and function of the
586 system.
587 (c) A brief description of the goals of the project.
588 (d) The initiation date of the project.
589 (e) The key performance indicators for the project.
590 (f) Any other metrics for the project evaluating the health
591 and status of the project.
592 (g) The original and current baseline estimated end dates
593 of the project.
594 (h) The original and current estimated costs of the
595 project.
596 (i) Total funds appropriated or allocated to the project
597 and the current realized cost for the project by fiscal year.
598
599 For purposes of this subsection, an ongoing technology-related
600 project is one which has been funded or has had or is expected
601 to have expenditures in more than one fiscal year. An ongoing
602 technology-related project does not include the continuance of
603 existing hardware and software maintenance agreements, the
604 renewal of existing software licensing agreements, or the
605 replacement of desktop units with new technology that is
606 substantially similar to the technology being replaced. This
607 subsection expires July 1, 2025.
608 Section 7. Effective July 1, 2026, paragraph (a) of
609 subsection (4) and subsection (7) of section 216.023, Florida
610 Statutes, are amended to read:
611 216.023 Legislative budget requests to be furnished to
612 Legislature by agencies.—
613 (4)(a) The legislative budget request for each program must
614 contain:
615 1. The constitutional or statutory authority for a program,
616 a brief purpose statement, and approved program components.
617 2. Information on expenditures for 3 fiscal years (actual
618 prior-year expenditures, current-year estimated expenditures,
619 and agency budget requested expenditures for the next fiscal
620 year) by appropriation category.
621 3. Details on trust funds and fees.
622 4. The total number of positions (authorized, fixed, and
623 requested).
624 5. An issue narrative describing and justifying changes in
625 amounts and positions requested for current and proposed
626 programs for the next fiscal year.
627 6. Information resource requests.
628 7. Supporting information, including applicable cost
629 benefit analyses, business case analyses, performance
630 contracting procedures, service comparisons, and impacts on
631 performance standards for any request to outsource or privatize
632 state agency functions. The cost-benefit and business case
633 analyses must include an assessment of the impact on each
634 affected activity from those identified in accordance with
635 paragraph (b). Performance standards must include standards for
636 each affected activity and be expressed in terms of the
637 associated unit of activity.
638 8. An evaluation of major outsourcing and privatization
639 initiatives undertaken during the last 5 fiscal years having
640 aggregate expenditures exceeding $10 million during the term of
641 the contract. The evaluation must include an assessment of
642 contractor performance, a comparison of anticipated service
643 levels to actual service levels, and a comparison of estimated
644 savings to actual savings achieved. Consolidated reports issued
645 by the Department of Management Services may be used to satisfy
646 this requirement.
647 9. Supporting information for any proposed consolidated
648 financing of deferred-payment commodity contracts including
649 guaranteed energy performance savings contracts. Supporting
650 information must also include narrative describing and
651 justifying the need, baseline for current costs, estimated cost
652 savings, projected equipment purchases, estimated contract
653 costs, and return on investment calculation.
654 10. For projects that exceed $10 million in total cost, the
655 statutory reference of the existing policy or the proposed
656 substantive policy that establishes and defines the project’s
657 governance structure, planned scope, main business objectives
658 that must be achieved, and estimated completion timeframes. The
659 governance structure for information technology-related projects
660 must incorporate the applicable project management and oversight
661 standards established pursuant to s. 282.0061 s. 282.0051.
662 Information technology budget requests for the continuance of
663 existing hardware and software maintenance agreements, renewal
664 of existing software licensing agreements, or the replacement of
665 desktop units with new technology that is similar to the
666 technology currently in use are exempt from this requirement.
667 (7) As part of the legislative budget request, each state
668 agency and the judicial branch shall include a cumulative
669 inventory and status report of all technology-related projects
670 ongoing during the prior fiscal year or undertaken in the prior
671 fiscal year. For the purposes of this subsection, the term
672 “technology-related project” means a project that has been
673 funded or has had or is expected to have expenditures in more
674 than one fiscal year; has a cumulative estimated or realized
675 cost of more than $1 million; and does not include the
676 continuance of existing hardware and software maintenance
677 agreements, renewal of existing software licensing agreements,
678 or the replacement of desktop units with new technology that is
679 substantially similar to the technology being replaced. The
680 inventory must, at a minimum, contain all of the following
681 information:
682 (a) The name of the technology system.
683 (b) A brief description of the purpose and function of the
684 system.
685 (c) A brief description of the goals of the project.
686 (d) The initiation date of the project.
687 (e) The key performance indicators for the project.
688 (f) Any other metrics for the project evaluating the health
689 and status of the project.
690 (g) The original and current baseline estimated end dates
691 of the project.
692 (h) The original and current estimated costs of the
693 project.
694 (i) Total funds appropriated or allocated to the project
695 and the current realized cost for the project by fiscal year.
696 Section 8. Present subsections (36), (37), and (38) of
697 section 282.0041, Florida Statutes, are redesignated as
698 subsections (37), (38), and (39), respectively, and a new
699 subsection (36) is added to that section, and subsections (1)
700 and (34) of that section are amended, to read:
701 282.0041 Definitions.—As used in this chapter, the term:
702 (1) “ASSET” means the Agency for State Systems and
703 Enterprise Technology “Agency assessment” means the amount each
704 customer entity must pay annually for services from the
705 Department of Management Services and includes administrative
706 and data center services costs.
707 (34) “State agency” means any official, officer,
708 commission, board, authority, council, committee, or department
709 of the executive branch of state government; the Justice
710 Administrative Commission; the Northwest Regional Data Center;
711 and the Public Service Commission. The term does not include
712 university boards of trustees or state universities. As used in
713 part I of this chapter, except as otherwise specifically
714 provided, the term includes does not include the Department of
715 Legal Affairs, the Department of Agriculture and Consumer
716 Services, and or the Department of Financial Services.
717 (36) “Technical debt” means the accumulated cost and
718 operational impact resulting from the use of suboptimal,
719 expedient, or outdated technology solutions that require future
720 remediation, refactoring, or replacement to ensure
721 maintainability, security, efficiency, and compliance with
722 enterprise architecture standards.
723 Section 9. Section 282.0051, Florida Statutes, is amended
724 to read:
725 282.0051 Department of Management Services; Florida Digital
726 Service; powers, duties, and functions.—
727 (1) The Florida Digital Service has been created within the
728 department to propose innovative solutions that securely
729 modernize state government, including technology and information
730 services, to achieve value through digital transformation and
731 interoperability, and to fully support the cloud-first policy as
732 specified in s. 282.206. The department, through the Florida
733 Digital Service, shall have the following powers, duties, and
734 functions:
735 (a) Assign and document state agency technical debt and
736 security risks. All results of the assessments and all
737 documentation, including source documents, meeting notes, and
738 internal work products, must be provided in native electronic
739 and paper formats to ASSET no later than June 15, 2026.
740 (b) Facilitate the transfer of existing cybersecurity tools
741 and services, provided to state agencies by the department
742 through the Florida Digital Service, directly to the respective
743 state agencies, accompanied by the necessary training, no later
744 than September 15, 2025.
745 (c) Direct the state chief information security officer to
746 provide a consolidated cybersecurity incident report by the 30th
747 day after the end of each quarter to the interim state chief
748 information officer, the Executive Office of the Governor, the
749 Commissioner of Agriculture, the Chief Financial Officer, the
750 Attorney General, the President of the Senate, and the Speaker
751 of the House of Representatives Develop and publish information
752 technology policy for the management of the state’s information
753 technology resources.
754 (b) Develop an enterprise architecture that:
755 1. Acknowledges the unique needs of the entities within the
756 enterprise in the development and publication of standards and
757 terminologies to facilitate digital interoperability;
758 2. Supports the cloud-first policy as specified in s.
759 282.206; and
760 3. Addresses how information technology infrastructure may
761 be modernized to achieve cloud-first objectives.
762 (c) Establish project management and oversight standards
763 with which state agencies must comply when implementing
764 information technology projects. The department, acting through
765 the Florida Digital Service, shall provide training
766 opportunities to state agencies to assist in the adoption of the
767 project management and oversight standards. To support data
768 driven decisionmaking, the standards must include, but are not
769 limited to:
770 1. Performance measurements and metrics that objectively
771 reflect the status of an information technology project based on
772 a defined and documented project scope, cost, and schedule.
773 2. Methodologies for calculating acceptable variances in
774 the projected versus actual scope, schedule, or cost of an
775 information technology project.
776 3. Reporting requirements, including requirements designed
777 to alert all defined stakeholders that an information technology
778 project has exceeded acceptable variances defined and documented
779 in a project plan.
780 4. Content, format, and frequency of project updates.
781 5. Technical standards to ensure an information technology
782 project complies with the enterprise architecture.
783 (d) Perform project oversight on all state agency
784 information technology projects that have total project costs of
785 $10 million or more and that are funded in the General
786 Appropriations Act or any other law. The department, acting
787 through the Florida Digital Service, shall report at least
788 quarterly to the Executive Office of the Governor, the President
789 of the Senate, and the Speaker of the House of Representatives
790 on any information technology project that the department
791 identifies as high-risk due to the project exceeding acceptable
792 variance ranges defined and documented in a project plan. The
793 report must include a risk assessment, including fiscal risks,
794 associated with proceeding to the next stage of the project, and
795 a recommendation for corrective actions required, including
796 suspension or termination of the project.
797 (e) Identify opportunities for standardization and
798 consolidation of information technology services that support
799 interoperability and the cloud-first policy, as specified in s.
800 282.206, and business functions and operations, including
801 administrative functions such as purchasing, accounting and
802 reporting, cash management, and personnel, and that are common
803 across state agencies. The department, acting through the
804 Florida Digital Service, shall biennially on January 1 of each
805 even-numbered year provide recommendations for standardization
806 and consolidation to the Executive Office of the Governor, the
807 President of the Senate, and the Speaker of the House of
808 Representatives.
809 (f) Establish best practices for the procurement of
810 information technology products and cloud-computing services in
811 order to reduce costs, increase the quality of data center
812 services, or improve government services.
813 (g) Develop standards for information technology reports
814 and updates, including, but not limited to, operational work
815 plans, project spend plans, and project status reports, for use
816 by state agencies.
817 (h) Upon request, assist state agencies in the development
818 of information technology-related legislative budget requests.
819 (i) Conduct annual assessments of state agencies to
820 determine compliance with all information technology standards
821 and guidelines developed and published by the department and
822 provide results of the assessments to the Executive Office of
823 the Governor, the President of the Senate, and the Speaker of
824 the House of Representatives.
825 (j) Conduct a market analysis not less frequently than
826 every 3 years beginning in 2021 to determine whether the
827 information technology resources within the enterprise are
828 utilized in the most cost-effective and cost-efficient manner,
829 while recognizing that the replacement of certain legacy
830 information technology systems within the enterprise may be cost
831 prohibitive or cost inefficient due to the remaining useful life
832 of those resources; whether the enterprise is complying with the
833 cloud-first policy specified in s. 282.206; and whether the
834 enterprise is utilizing best practices with respect to
835 information technology, information services, and the
836 acquisition of emerging technologies and information services.
837 Each market analysis shall be used to prepare a strategic plan
838 for continued and future information technology and information
839 services for the enterprise, including, but not limited to,
840 proposed acquisition of new services or technologies and
841 approaches to the implementation of any new services or
842 technologies. Copies of each market analysis and accompanying
843 strategic plan must be submitted to the Executive Office of the
844 Governor, the President of the Senate, and the Speaker of the
845 House of Representatives not later than December 31 of each year
846 that a market analysis is conducted.
847 (k) Recommend other information technology services that
848 should be designed, delivered, and managed as enterprise
849 information technology services. Recommendations must include
850 the identification of existing information technology resources
851 associated with the services, if existing services must be
852 transferred as a result of being delivered and managed as
853 enterprise information technology services.
854 (l) In consultation with state agencies, propose a
855 methodology and approach for identifying and collecting both
856 current and planned information technology expenditure data at
857 the state agency level.
858 (m)1. Notwithstanding any other law, provide project
859 oversight on any information technology project of the
860 Department of Financial Services, the Department of Legal
861 Affairs, and the Department of Agriculture and Consumer Services
862 which has a total project cost of $20 million or more. Such
863 information technology projects must also comply with the
864 applicable information technology architecture, project
865 management and oversight, and reporting standards established by
866 the department, acting through the Florida Digital Service.
867 2. When performing the project oversight function specified
868 in subparagraph 1., report at least quarterly to the Executive
869 Office of the Governor, the President of the Senate, and the
870 Speaker of the House of Representatives on any information
871 technology project that the department, acting through the
872 Florida Digital Service, identifies as high-risk due to the
873 project exceeding acceptable variance ranges defined and
874 documented in the project plan. The report shall include a risk
875 assessment, including fiscal risks, associated with proceeding
876 to the next stage of the project and a recommendation for
877 corrective actions required, including suspension or termination
878 of the project.
879 (n) If an information technology project implemented by a
880 state agency must be connected to or otherwise accommodated by
881 an information technology system administered by the Department
882 of Financial Services, the Department of Legal Affairs, or the
883 Department of Agriculture and Consumer Services, consult with
884 these departments regarding the risks and other effects of such
885 projects on their information technology systems and work
886 cooperatively with these departments regarding the connections,
887 interfaces, timing, or accommodations required to implement such
888 projects.
889 (o) If adherence to standards or policies adopted by or
890 established pursuant to this section causes conflict with
891 federal regulations or requirements imposed on an entity within
892 the enterprise and results in adverse action against an entity
893 or federal funding, work with the entity to provide alternative
894 standards, policies, or requirements that do not conflict with
895 the federal regulation or requirement. The department, acting
896 through the Florida Digital Service, shall annually report such
897 alternative standards to the Executive Office of the Governor,
898 the President of the Senate, and the Speaker of the House of
899 Representatives.
900 (p)1. Establish an information technology policy for all
901 information technology-related state contracts, including state
902 term contracts for information technology commodities,
903 consultant services, and staff augmentation services. The
904 information technology policy must include:
905 a. Identification of the information technology product and
906 service categories to be included in state term contracts.
907 b. Requirements to be included in solicitations for state
908 term contracts.
909 c. Evaluation criteria for the award of information
910 technology-related state term contracts.
911 d. The term of each information technology-related state
912 term contract.
913 e. The maximum number of vendors authorized on each state
914 term contract.
915 f. At a minimum, a requirement that any contract for
916 information technology commodities or services meet the National
917 Institute of Standards and Technology Cybersecurity Framework.
918 g. For an information technology project wherein project
919 oversight is required pursuant to paragraph (d) or paragraph
920 (m), a requirement that independent verification and validation
921 be employed throughout the project life cycle with the primary
922 objective of independent verification and validation being to
923 provide an objective assessment of products and processes
924 throughout the project life cycle. An entity providing
925 independent verification and validation may not have technical,
926 managerial, or financial interest in the project and may not
927 have responsibility for, or participate in, any other aspect of
928 the project.
929 2. Evaluate vendor responses for information technology
930 related state term contract solicitations and invitations to
931 negotiate.
932 3. Answer vendor questions on information technology
933 related state term contract solicitations.
934 4. Ensure that the information technology policy
935 established pursuant to subparagraph 1. is included in all
936 solicitations and contracts that are administratively executed
937 by the department.
938 (q) Recommend potential methods for standardizing data
939 across state agencies which will promote interoperability and
940 reduce the collection of duplicative data.
941 (r) Recommend open data technical standards and
942 terminologies for use by the enterprise.
943 (s) Ensure that enterprise information technology solutions
944 are capable of utilizing an electronic credential and comply
945 with the enterprise architecture standards.
946 (2)(a) The Secretary of Management Services shall designate
947 a state chief information officer, who shall administer the
948 Florida Digital Service. The state chief information officer,
949 prior to appointment, must have at least 5 years of experience
950 in the development of information system strategic planning and
951 development or information technology policy, and, preferably,
952 have leadership-level experience in the design, development, and
953 deployment of interoperable software and data solutions.
954 (b) The state chief information officer, in consultation
955 with the Secretary of Management Services, shall designate a
956 state chief data officer. The chief data officer must be a
957 proven and effective administrator who must have significant and
958 substantive experience in data management, data governance,
959 interoperability, and security.
960 (3) The department, acting through the Florida Digital
961 Service and from funds appropriated to the Florida Digital
962 Service, shall:
963 (a) Create, not later than December 1, 2022, and maintain a
964 comprehensive indexed data catalog in collaboration with the
965 enterprise that lists the data elements housed within the
966 enterprise and the legacy system or application in which these
967 data elements are located. The data catalog must, at a minimum,
968 specifically identify all data that is restricted from public
969 disclosure based on federal or state laws and regulations and
970 require that all such information be protected in accordance
971 with s. 282.318.
972 (b) Develop and publish, not later than December 1, 2022,
973 in collaboration with the enterprise, a data dictionary for each
974 agency that reflects the nomenclature in the comprehensive
975 indexed data catalog.
976 (c) Adopt, by rule, standards that support the creation and
977 deployment of an application programming interface to facilitate
978 integration throughout the enterprise.
979 (d) Adopt, by rule, standards necessary to facilitate a
980 secure ecosystem of data interoperability that is compliant with
981 the enterprise architecture.
982 (e) Adopt, by rule, standards that facilitate the
983 deployment of applications or solutions to the existing
984 enterprise system in a controlled and phased approach.
985 (f) After submission of documented use cases developed in
986 conjunction with the affected agencies, assist the affected
987 agencies with the deployment, contingent upon a specific
988 appropriation therefor, of new interoperable applications and
989 solutions:
990 1. For the Department of Health, the Agency for Health Care
991 Administration, the Agency for Persons with Disabilities, the
992 Department of Education, the Department of Elderly Affairs, and
993 the Department of Children and Families.
994 2. To support military members, veterans, and their
995 families.
996 (4) For information technology projects that have a total
997 project cost of $10 million or more:
998 (a) State agencies must provide the Florida Digital Service
999 with written notice of any planned procurement of an information
1000 technology project.
1001 (b) The Florida Digital Service must participate in the
1002 development of specifications and recommend modifications to any
1003 planned procurement of an information technology project by
1004 state agencies so that the procurement complies with the
1005 enterprise architecture.
1006 (c) The Florida Digital Service must participate in post
1007 award contract monitoring.
1008 (2)(5) The department, acting through the Florida Digital
1009 Service, may not retrieve or disclose any data without a shared
1010 data agreement in place between the department and the
1011 enterprise entity that has primary custodial responsibility of,
1012 or data-sharing responsibility for, that data.
1013 (3) This section is repealed July 1, 2026.
1014 (6) The department, acting through the Florida Digital
1015 Service, shall adopt rules to administer this section.
1016 Section 10. Section 282.00515, Florida Statutes, is
1017 repealed.
1018 Section 11. Effective July 1, 2026, section 282.006,
1019 Florida Statutes, is created to read:
1020 282.006 Agency for State Systems and Enterprise Technology;
1021 duties; enterprise responsibilities; reporting.—
1022 (1) The Agency for State Systems and Enterprise Technology
1023 established in s. 20.70 shall operate as the state enterprise
1024 organization for information technology governance and is the
1025 lead entity responsible for understanding the unique state
1026 agency information technology needs and environments, creating
1027 enterprise technology standards and strategy, supporting state
1028 agency technology efforts, and reporting on the status of
1029 technology for the enterprise.
1030 (2) The Legislature intends for ASSET policy, standards,
1031 guidance, and oversight to allow for adaptability to emerging
1032 technology and organizational needs while maintaining compliance
1033 with industry best practices. All policies, standards, and
1034 guidelines established pursuant to this chapter must be
1035 technology-agnostic and may not prescribe specific tools,
1036 platforms, or vendors.
1037 (3) ASSET shall establish the strategic direction of
1038 information technology in the state. ASSET shall develop and
1039 publish information technology policy that aligns with industry
1040 best practices for the management of the state’s information
1041 technology resources. The policy must be updated as necessary to
1042 meet the requirements of this chapter and advancements in
1043 technology.
1044 (4) Related to its oversight of the state’s technology
1045 enterprise, ASSET shall:
1046 (a) In coordination with state agency technology subject
1047 matter experts, develop, publish, and maintain an enterprise
1048 architecture that:
1049 1. Acknowledges the unique needs of the entities within the
1050 enterprise in the development and publication of standards and
1051 terminologies to facilitate digital interoperability;
1052 2. Supports the cloud-first policy as specified in s.
1053 282.206;
1054 3. Addresses how information technology infrastructure may
1055 be modernized to achieve security, scalability, maintainability,
1056 interoperability, and improved cost-efficiency goals; and
1057 4. Includes, at a minimum, best practices, guidelines, and
1058 standards for:
1059 a. Data models and taxonomies.
1060 b. Master data management.
1061 c. Data integration and interoperability.
1062 d. Data security and encryption.
1063 e. Bot prevention and data protection.
1064 f. Data backup and recovery.
1065 g. Application portfolio and catalog requirements.
1066 h. Application architectural patterns and principles.
1067 i. Technology and platform standards.
1068 j. Secure coding practices.
1069 k. Performance and scalability.
1070 l. Cloud infrastructure and architecture.
1071 m. Networking, connectivity, and security protocols.
1072 n. Authentication, authorization, and access controls.
1073 o. Disaster recovery.
1074 p. Quality assurance.
1075 q. Testing methodologies and measurements.
1076 r. Logging and log retention.
1077 s. Application and use of artificial intelligence.
1078 (b) Recommend open data technical standards and
1079 terminologies for use by the state’s technology enterprise.
1080 (c) Develop enterprise technology testing and quality
1081 assurance best practices and standards to ensure the
1082 reliability, security, and performance of information technology
1083 systems. Such best practices and standards must include:
1084 1. Functional testing to ensure software or systems meet
1085 required specifications.
1086 2. Performance and load testing to ensure software and
1087 systems operate efficiently under various conditions.
1088 3. Security testing to protect software and systems from
1089 vulnerabilities and cyber threats.
1090 4. Compatibility and interoperability testing to ensure
1091 software and systems operate seamlessly across environments.
1092 (5) ASSET shall produce the following reports and provide
1093 them to the Governor, the Commissioner of Agriculture, the Chief
1094 Financial Officer, the Attorney General, the President of the
1095 Senate, and the Speaker of the House of Representatives:
1096 (a) Annually by December 15, an enterprise analysis report
1097 that includes all of the following:
1098 1. Results of the state agency needs assessments, including
1099 any plan to address technical debt as required by s. 282.0061
1100 pursuant to the schedule adopted.
1101 2. Alternative standards related to federal funding adopted
1102 pursuant to s. 282.0061.
1103 3. Information technology financial data for each state
1104 agency for the previous fiscal year. This portion of the annual
1105 report must include, at a minimum, the following recurring and
1106 nonrecurring information:
1107 a. Total number of full-time equivalent positions.
1108 b. Total amount of salary.
1109 c. Total amount of benefits.
1110 d. Total number of comparable full-time equivalent
1111 positions and total amount of expenditures for information
1112 technology staff augmentation.
1113 e. Total number of contracts and purchase orders and total
1114 amount of associated expenditures for information technology
1115 managed services.
1116 f. Total amount of expenditures by state term contract as
1117 defined in s. 287.012, contracts procured using alternative
1118 purchasing methods as authorized pursuant to s. 287.042(16), and
1119 state agency procurements through request for proposal,
1120 invitation to negotiate, invitation to bid, single source, and
1121 emergency purchases.
1122 g. Total amount of expenditures for hardware.
1123 h. Total amount of expenditures for non-cloud software.
1124 i. Total amount of expenditures for cloud software licenses
1125 and services with a separate amount for expenditures for state
1126 data center services.
1127 j. Total amount of expenditures for cloud data center
1128 services with a separate amount for expenditures for state data
1129 center services.
1130 k. Total amount of expenditures for administrative costs.
1131 4. Consolidated information for the previous fiscal year
1132 about state information technology projects, which must include,
1133 at a minimum, the following information:
1134 a. Anticipated funding requirements for information
1135 technology support over the next 5 years.
1136 b. An inventory of current information technology assets
1137 and major projects. The term “major project” includes projects
1138 costing more than $500,000 to implement.
1139 c. Significant unmet needs for information technology
1140 resources over the next 5 fiscal years, ranked in priority order
1141 according to their urgency.
1142 5. A review and summary of whether the information
1143 technology contract policy established pursuant to s. 282.0064
1144 is included in all solicitations and contracts.
1145 6. Information related to the information technology test
1146 laboratory created in s. 282.0065, including usage statistics
1147 and key findings, and recommendations for improving the state’s
1148 information technology procurement processes.
1149 (b) Biennially by December 15 of even-numbered years, a
1150 report on the strategic direction of information technology in
1151 the state which includes all of the following:
1152 1. Recommendations for standardization and consolidation of
1153 information technology services that are identified as common
1154 across state agencies as required in s. 282.0061.
1155 2. Recommendations for information technology services that
1156 should be designed, delivered, and managed as enterprise
1157 information technology services. Recommendations must include
1158 the identification of existing information technology resources
1159 associated with the services, if existing services must be
1160 transferred as a result of being delivered and managed as
1161 enterprise information technology services, and which entity is
1162 best suited to manage the service.
1163 (c)1. When conducted as provided in this paragraph, a
1164 market analysis and accompanying strategic plan submitted by
1165 December 31 of each year that the market analysis is conducted.
1166 2. No less frequently than every 3 years, ASSET shall
1167 conduct market analysis to determine whether the:
1168 a. Information technology resources within the enterprise
1169 are used in the most cost-effective and cost-efficient manner,
1170 while recognizing that the replacement of certain legacy
1171 information technology systems within the enterprise may be cost
1172 prohibitive or cost inefficient due to the remaining useful life
1173 of those resources; and
1174 b. Enterprise is using best practices with respect to
1175 information technology, information services, and the
1176 acquisition of emerging technologies and information services.
1177 3. Each market analysis must be used to prepare a strategic
1178 plan for continued and future information technology and
1179 information services for the enterprise, including, but not
1180 limited to, proposed acquisition of new services or technologies
1181 and approaches to the implementation of any new services or
1182 technologies.
1183 (6) ASSET may adopt rules to implement this chapter.
1184 Section 12. Effective July 1, 2026, section 282.0061,
1185 Florida Statutes, is created to read:
1186 282.0061 ASSET support of state agencies; information
1187 technology procurement and projects.—
1188 (1) LEGISLATIVE INTENT.—The Legislature intends for ASSET
1189 to support state agencies in their information technology
1190 efforts through the adoption of policies, standards, and
1191 guidance and by providing oversight that recognizes unique state
1192 agency information technology needs, environments, and goals.
1193 ASSET assistance and support must allow for adaptability to
1194 emerging technologies and organizational needs while maintaining
1195 compliance with industry best practices. ASSET may not prescribe
1196 specific tools, platforms, or vendors.
1197 (2) NEEDS ASSESSMENTS.—
1198 (a) By January 1, 2028, ASSET shall conduct full baseline
1199 needs assessments of state agencies to document their distinct
1200 technical environments, existing technical debt, security risks,
1201 and compliance with all information technology standards and
1202 guidelines developed and published by ASSET. The needs
1203 assessment must use the Capability Maturity Model to evaluate
1204 each state agency’s information technology capabilities,
1205 providing a maturity level rating for each assessed domain.
1206 After completion of the full baseline needs assessments, such
1207 assessments must be maintained and updated on a regular schedule
1208 adopted by ASSET.
1209 (b) In assessing the existing technical debt portion of the
1210 needs assessment, ASSET shall analyze the state’s legacy
1211 information technology systems and develop a plan to document
1212 the needs and costs for replacement systems. The plan must
1213 include an inventory of legacy applications and infrastructure;
1214 the required capabilities not available with the legacy system;
1215 the estimated process, timeline, and cost to migrate from legacy
1216 environments; and any other information necessary for fiscal or
1217 technology planning. The plan must determine and document the
1218 estimated timeframe during which the state agency can continue
1219 to efficiently use legacy information technology systems,
1220 resources, security, and data management to support operations.
1221 State agencies shall provide all necessary documentation to
1222 enable accurate reporting on legacy systems.
1223 (c) ASSET shall develop a plan and schedule to conduct the
1224 initial full baseline needs assessments. By October 1, 2026,
1225 ASSET shall submit the plan to the Governor, the Commissioner of
1226 Agriculture, the Chief Financial Officer, the Attorney General,
1227 the President of the Senate, and the Speaker of the House of
1228 Representatives.
1229 (d) ASSET shall support state agency strategic planning
1230 efforts and assist state agencies with the production of a
1231 phased roadmap to address known technology gaps and deficiencies
1232 as identified in the needs assessments. The roadmaps must
1233 include specific strategies and initiatives aimed at advancing
1234 the state agency’s maturity level in accordance with the
1235 Capability Maturity Model. State agencies shall create,
1236 maintain, and submit the roadmap on an annual basis with their
1237 legislative budget requests required under s. 216.023.
1238 (3) STANDARDIZATION.—ASSET shall:
1239 (a) Recommend in its annual enterprise analysis required
1240 under s. 282.006 any potential methods for standardizing data
1241 across state agencies which will promote interoperability and
1242 reduce the collection of duplicative data.
1243 (b) Identify any opportunities in its annual enterprise
1244 analysis required under s. 282.006 for standardization and
1245 consolidation of information technology services that are common
1246 across all state agencies and that support:
1247 1. Improved interoperability, security, scalability,
1248 maintainability, and cost efficiency; and
1249 2. Business functions and operations, including
1250 administrative functions such as purchasing, accounting and
1251 reporting, cash management, and personnel.
1252 (4) DATA MANAGEMENT.—
1253 (a) ASSET shall develop standards for use by state agencies
1254 which support best practices for master data management at the
1255 state agency level to facilitate enterprise data sharing and
1256 interoperability.
1257 (b) ASSET shall establish a methodology and strategy for
1258 implementing statewide master data management and submit a
1259 report to the Governor, the Commissioner of Agriculture, the
1260 Chief Financial Officer, the Attorney General, the President of
1261 the Senate, and the Speaker of the House of Representatives by
1262 December 1, 2028. The report must include the vision, goals, and
1263 benefits of implementing a statewide master data management
1264 initiative, an analysis of the current state of data management,
1265 and the recommended strategy, methodology, and estimated
1266 timeline and resources needed at a state agency and enterprise
1267 level to accomplish the initiative.
1268 (5) INFORMATION TECHNOLOGY PROJECTS.—ASSET has the
1269 following duties and responsibilities related to state agency
1270 technology projects:
1271 (a) Provide procurement advisory and review services for
1272 information technology projects to all state agencies, including
1273 procurement and contract development assistance to meet the
1274 information technology contract policy established pursuant to
1275 s. 282.0064.
1276 (b) Establish best practices and enterprise procurement
1277 processes and develop metrics to support these processes for the
1278 procurement of information technology products and services in
1279 order to reduce costs or improve the provision of government
1280 services.
1281 (c) Upon request, assist state agencies in the development
1282 of information technology-related legislative budget requests.
1283 (d) Develop standards and accountability measures for
1284 information technology projects, including criteria for
1285 effective project management and oversight. State agencies must
1286 satisfy these standards and measures when implementing
1287 information technology projects. To support data-driven
1288 decisionmaking, the standards and measures must include, but are
1289 not limited to:
1290 1. Performance measurements and metrics that objectively
1291 reflect the status of an information technology project based on
1292 a defined and documented project scope, to include the volume of
1293 impacted stakeholders, cost, and schedule.
1294 2. Methodologies for calculating and defining acceptable
1295 variances in the projected versus actual scope, schedule, or
1296 cost of an information technology project.
1297 3. Reporting requirements designed to alert all defined
1298 stakeholders that an information technology project has exceeded
1299 acceptable variances defined and documented in a project plan as
1300 well as any variances that represent a schedule delay of 1 month
1301 or more or a cost increase of $1 million or more.
1302 4. Technical standards to ensure an information technology
1303 project complies with the enterprise architecture standards.
1304 (e) Develop information technology project reports for use
1305 by state agencies, including, but not limited to, operational
1306 work plans, project spending plans, and project status reports.
1307 Reporting standards must include content, format, and frequency
1308 of project updates.
1309 (f) Provide training opportunities to state agencies to
1310 assist in the adoption of the project management and oversight
1311 standards.
1312 (g) Perform project oversight on all state agency
1313 information technology projects that have total project costs of
1314 $10 million or more. ASSET shall report by the 30th day after
1315 the end of each quarter to the Executive Office of the Governor,
1316 the Commissioner of Agriculture, the Chief Financial Officer,
1317 the Attorney General, the President of the Senate, and the
1318 Speaker of the House of Representatives on any information
1319 technology project that ASSET identifies as high-risk. The
1320 report must include a risk assessment, including fiscal risks,
1321 associated with proceeding to the next stage of the project, and
1322 a recommendation for corrective actions required, including
1323 suspension or termination of the project.
1324 (6) INFORMATION TECHNOLOGY FINANCIAL DATA.—
1325 (a) In consultation with state agencies, ASSET shall create
1326 a methodology, an approach, and applicable templates and formats
1327 for identifying and collecting both current and planned
1328 information technology expenditure data at the state agency
1329 level. ASSET shall continuously obtain, review, and maintain
1330 records of the appropriations, expenditures, and revenues for
1331 information technology for each state agency.
1332 (b) ASSET shall prescribe the format for state agencies to
1333 provide all necessary financial information to ASSET for
1334 inclusion in the annual report required under s. 282.006. State
1335 agencies must provide the information to ASSET by October 1 for
1336 the previous fiscal year. The information must be reported by
1337 ASSET in order to determine all costs and expenditures for
1338 information technology assets and resources provided by the
1339 state agencies or through contracts or grants.
1340 (7) FEDERAL CONFLICTS.—ASSET shall work with state agencies
1341 to provide alternative standards, policies, or requirements that
1342 do not conflict with federal regulations or requirements, if
1343 adherence to standards or policies adopted by or established
1344 pursuant to this section conflict with federal regulations or
1345 requirements imposed on an entity within the enterprise and
1346 results in, or is expected to result in, adverse action against
1347 the state agencies or loss of federal funding.
1348 Section 13. Effective July 1, 2026, section 282.0062,
1349 Florida Statutes, is created to read:
1350 282.0062 ASSET workgroups.—The following workgroups are
1351 established within ASSET to facilitate coordination with state
1352 agencies:
1353 (1) CHIEF INFORMATION OFFICER WORKGROUP.—
1354 (a) The chief information officer workgroup, composed of
1355 all state agency chief information officers, shall consider and
1356 make recommendations to the state chief information officer and
1357 the state chief information architect on such matters as
1358 enterprise information technology policies, standards, services,
1359 and architecture. The workgroup may also identify and recommend
1360 opportunities for the establishment of public-private
1361 partnerships when considering technology infrastructure and
1362 services in order to accelerate project delivery and provide a
1363 source of new or increased project funding.
1364 (b) At a minimum, the state chief information officer shall
1365 consult with the workgroup on a quarterly basis with regard to
1366 executing the duties and responsibilities of the state agencies
1367 related to statewide information technology strategic planning
1368 and policy.
1369 (2) ENTERPRISE DATA AND INTEROPERABILITY WORKGROUP.—
1370 (a) The enterprise data and interoperability workgroup,
1371 composed of chief data officer representatives from all state
1372 agencies, shall consider and make recommendations to the state
1373 chief data officer on such matters as enterprise data policies,
1374 standards, services, and architecture that promote data
1375 consistency, accessibility, and seamless integration across the
1376 enterprise.
1377 (b) At a minimum, the state chief data officer shall
1378 consult with the workgroup on a quarterly basis with regard to
1379 executing the duties and responsibilities of the state agencies
1380 related to statewide data governance planning and policy.
1381 (3) ENTERPRISE SECURITY WORKGROUP.—
1382 (a) The enterprise security workgroup, composed of chief
1383 security officer representatives from all state agencies, shall
1384 consider and make recommendations to the state chief security
1385 officer on such matters as cybersecurity policies, standards,
1386 services, and architecture that promote the protection of state
1387 assets.
1388 (b) At a minimum, the state chief security officer shall
1389 consult with the workgroup on a quarterly basis with regard to
1390 executing the duties and responsibilities of the state agencies
1391 related to cybersecurity governance and policy development.
1392 (4) ENTERPRISE INFORMATION TECHNOLOGY OPERATIONS
1393 WORKGROUP.—
1394 (a) The enterprise information technology operations
1395 workgroup, composed of information technology business analyst
1396 representatives from all state agencies, shall consider and make
1397 recommendations to the state chief technology officer on such
1398 matters as information technology needs assessments policies,
1399 standards, and services that promote the strategic alignment of
1400 technology with operational needs and the evaluation of
1401 solutions across the enterprise.
1402 (b) At a minimum, the state chief technology officer shall
1403 consult with the workgroup on a quarterly basis with regard to
1404 executing the duties and responsibilities of the state agencies
1405 related to statewide process improvement and optimization.
1406 (5) ENTERPRISE INFORMATION TECHNOLOGY QUALITY ASSURANCE
1407 WORKGROUP.—
1408 (a) The enterprise information technology quality assurance
1409 workgroup, composed of testing and quality assurance
1410 representatives from all state agencies, shall consider and make
1411 recommendations to the state chief technology officer on such
1412 matters as testing methodologies, tools, and best practices to
1413 reduce risks related to software defects, cybersecurity threats,
1414 and operational failures.
1415 (b) At a minimum, the state chief technology officer shall
1416 consult with the workgroup on a quarterly basis with regard to
1417 executing the duties and responsibilities of the state agencies
1418 related to enterprise software testing and quality assurance
1419 standards.
1420 (6) ENTERPRISE INFORMATION TECHNOLOGY PROJECT MANAGEMENT
1421 WORKGROUP.—
1422 (a) The enterprise information technology project
1423 management workgroup, composed of information technology project
1424 manager representatives from all state agencies, shall consider
1425 and make recommendations to the state chief technology officer
1426 on such matters as information technology project management
1427 policies, standards, accountability measures, and services that
1428 promote project governance and standardization across the
1429 enterprise.
1430 (b) At a minimum, the state chief technology officer shall
1431 consult with the workgroup on a quarterly basis with regard to
1432 executing the duties and responsibilities of the state agencies
1433 related to project management and oversight.
1434 (7) ENTERPRISE INFORMATION TECHNOLOGY CONTRACT MANAGEMENT
1435 WORKGROUP.—
1436 (a) The enterprise information technology contract
1437 management workgroup, composed of information technology
1438 contract manager representatives from all state agencies, shall
1439 consider and make recommendations to the state chief technology
1440 officer on such matters as information technology contract
1441 management policies and standards that promote best practices
1442 for vendor oversight, risk management and compliance, and
1443 performance monitoring and reporting across the enterprise.
1444 (b) At a minimum, the state chief technology officer shall
1445 consult with the workgroup on a quarterly basis with regard to
1446 executing the duties and responsibilities of the state agencies
1447 related to contract management and vendor accountability.
1448 (8) ENTERPRISE INFORMATION TECHNOLOGY PURCHASING
1449 WORKGROUP.—
1450 (a) The enterprise information technology purchasing
1451 workgroup, composed of information technology procurement
1452 representatives from all state agencies, shall consider and make
1453 recommendations to the state chief technology procurement
1454 officer on such matters as information technology procurement
1455 policies, standards, and purchasing strategy and optimization
1456 that promote best practices for contract negotiation,
1457 consolidation, and effective service-level agreement
1458 implementation across the enterprise.
1459 (b) At a minimum, the state chief technology procurement
1460 officer shall consult with the workgroup on a quarterly basis
1461 with regard to executing the duties and responsibilities of the
1462 state agencies related to technology evaluation, purchasing, and
1463 cost savings.
1464 Section 14. Effective July 1, 2026, section 282.0063,
1465 Florida Statutes, is created to read:
1466 282.0063 State information technology professionals career
1467 paths and training.—
1468 (1) ASSET shall develop standardized frameworks for, and
1469 career paths, progressions, and training programs for, the
1470 benefit of state agency information technology personnel. To
1471 meet that goal, ASSET shall:
1472 (a) Assess current and future information technology
1473 workforce needs across state agencies, identifying skill gaps
1474 and developing strategies to address them.
1475 (b) Develop and establish a training program for state
1476 agencies to support the understanding and implementation of each
1477 element of the enterprise architecture.
1478 (c) Establish training programs, certifications, and
1479 continuing education opportunities to enhance information
1480 technology competencies, including cybersecurity, cloud
1481 computing, and emerging technologies.
1482 (d) Support initiatives to upskill existing employees in
1483 emerging technologies and automation, ensuring state agencies
1484 remain competitive and innovative.
1485 (e) Develop strategies to recruit and retain information
1486 technology professionals, including internship programs,
1487 partnerships with educational institutions, scholarships for
1488 service, and initiatives to attract diverse talent.
1489 (2) ASSET shall consult with CareerSource Florida, Inc.,
1490 the Department of Commerce, and the Department of Education in
1491 the implementation of this section.
1492 (3) Specifically, in consultation with the Division of
1493 State Human Resource Management in the Department of Management
1494 Services, ASSET shall:
1495 (a) Define career progression frameworks for information
1496 technology personnel, for supporting leadership development, and
1497 for providing mentorship programs.
1498 (b) Establish guidelines and best practices for information
1499 technology professional development and performance management
1500 across state agencies.
1501 Section 15. Effective July 1, 2026, section 282.0064,
1502 Florida Statutes, is created to read:
1503 282.0064 Information technology contract policy.—
1504 (1) In coordination with the Department of Management
1505 Services, ASSET shall establish a policy for all information
1506 technology-related solicitations and contracts, including state
1507 term contracts; contracts sourced using alternative purchasing
1508 methods as authorized pursuant to s. 287.042(16); sole source
1509 and emergency procurements; and contracts for commodities,
1510 consultant services, and staff augmentation services.
1511 (2) Related to state term contracts, the information
1512 technology policy must include:
1513 (a) Identification of the information technology product
1514 and service categories to be included in state term contracts.
1515 (b) The term of each information technology-related state
1516 term contract.
1517 (c) The maximum number of vendors authorized on each state
1518 term contract.
1519 (3) For all contracts, the information technology policy
1520 must include:
1521 (a) Evaluation criteria for the award of information
1522 technology-related contracts.
1523 (b) Requirements to be included in solicitations.
1524 (c) At a minimum, a requirement that any contract for
1525 information technology commodities or services must meet the
1526 requirements of the enterprise architecture and National
1527 Institute of Standards and Technology Cybersecurity Framework.
1528 (4) The policy must include the following requirements for
1529 any information technology project that requires project
1530 oversight through independent verification and validation:
1531 (a) An entity providing independent verification and
1532 validation may not have any:
1533 1. Technical, managerial, or financial interest in the
1534 project; or
1535 2. Responsibility for or participation in any other aspect
1536 of the project.
1537 (b) The primary objective of independent verification and
1538 validation must be to provide an objective assessment throughout
1539 the entire project life cycle, reporting directly to all
1540 relevant stakeholders. An independent verification and
1541 validation entity shall independently verify and validate
1542 whether:
1543 1. The project is being built and implemented in accordance
1544 with defined technical architecture, specifications, and
1545 requirements.
1546 2. The project is adhering to established project
1547 management processes.
1548 3. The procurement of products, tools, and services and
1549 resulting contracts align with current statutory and regulatory
1550 requirements.
1551 4. The value of services delivered is commensurate with
1552 project costs.
1553 5. The completed project meets the actual needs of the
1554 intended users.
1555 (c) The entity performing independent verification and
1556 validation shall provide regular reports and assessments
1557 directly to the designated oversight body, identifying risks,
1558 deficiencies, and recommendations for corrective actions to
1559 ensure project success and compliance with statutory
1560 requirements.
1561 (5) The Division of State Purchasing in the Department of
1562 Management Services shall coordinate with ASSET on state term
1563 contract solicitations and invitations to negotiate related to
1564 information technology. ASSET shall evaluate vendor responses
1565 and answer vendor questions on such solicitations or invitations
1566 to negotiate.
1567 Section 16. Effective July 1, 2026, section 282.0065,
1568 Florida Statutes, is created to read:
1569 282.0065 ASSET information technology test laboratory.—
1570 (1) Beginning July 1, 2027, or after all elements of the
1571 enterprise architecture are published, whichever is later, and
1572 subject to specific appropriation, ASSET shall establish,
1573 maintain, and manage an information technology test laboratory
1574 to support state agencies in evaluating information technology
1575 services, software, and tools before procurement and
1576 implementation.
1577 (2) The purpose of the information technology test
1578 laboratory is to:
1579 (a) Serve as an independent environment for state agencies
1580 to develop, test, and refine proofs of concept for information
1581 technology solutions to assess functionality, security,
1582 interoperability, and performance; and
1583 (b) Assist state agencies in defining and improving
1584 procurement requirements based on real-world testing and
1585 evaluation.
1586 (3) ASSET shall:
1587 (a) Operate and maintain the test laboratory and ensure
1588 that it remains fully operational with the necessary
1589 infrastructure, resources, and security controls to support
1590 state agency testing activities.
1591 (b) Facilitate proofs of concept for state agencies by
1592 providing the agencies with controlled environments to assess
1593 emerging technologies, validate vendor claims, and conduct
1594 comparative evaluations of information technology solutions.
1595 (c) Support the development of requirements for state
1596 agency information technology projects by assisting state
1597 agencies in refining technical specifications, performance
1598 benchmarks, and security requirements prior to issuing
1599 procurement solicitations.
1600 (d) Ensure the security and compliance of the test
1601 laboratory by implementing safeguards to protect sensitive data,
1602 ensure compliance with applicable laws, and prevent unauthorized
1603 access to testing environments.
1604 (e) Provide access to emerging technologies by partnering
1605 with industry and research institutions to ensure that state
1606 agencies have the opportunity to evaluate the latest information
1607 technology innovations relevant to government operations.
1608 (f) Enter into partnerships with public and private
1609 entities to support the information technology test laboratory’s
1610 operations, provided that such partnerships comply with
1611 conflict-of-interest policies and procurement regulations.
1612 (g) Establish policies, procedures, and eligibility
1613 criteria for state agencies to access and use the lab.
1614 Section 17. Section 282.0066, Florida Statutes, is created
1615 to read:
1616 282.0066 Enterprise Information Technology Library.—
1617 (1) ASSET shall develop, implement, and maintain a library
1618 to serve as the official repository for all enterprise
1619 information technology policies, standards, guidelines, and best
1620 practices applicable to state agencies. The library must be
1621 online and accessible by all state agencies through a secure
1622 authentication system.
1623 (2) In developing the library, ASSET shall create a
1624 structured index and search functionality to facilitate
1625 efficient retrieval of information and maintain version control
1626 and revision history for all published documents.
1627 (3) The library must include standardized checklists
1628 organized by technical subject areas to assist state agencies in
1629 measuring compliance with the information technology policies,
1630 standards, guidelines, and best practices.
1631 (4) ASSET shall establish procedures to ensure the
1632 integrity, security, and availability of the library, including
1633 appropriate access controls, encryption, and disaster recovery
1634 measures. ASSET must regularly update documents and materials of
1635 the library to reflect current state and federal requirements,
1636 industry best practices, and emerging technologies.
1637 (5)(a) All state agencies shall reference and adhere to the
1638 policies, standards, guidelines, and best practices contained in
1639 the online library in information technology planning,
1640 procurement, implementation, and operations. ASSET shall create
1641 mechanisms for state agencies to submit feedback, request
1642 clarifications, and recommend updates.
1643 (b)1. A state agency may request an exemption to a specific
1644 policy, standard, or guideline when compliance is not
1645 technically feasible, would cause undue hardship, or conflicts
1646 with agency specific statutory requirements. The state agency
1647 requesting an exception must submit a formal justification to
1648 ASSET detailing all of the following:
1649 a. The specific requirement for which an exemption is
1650 sought.
1651 b. The reason compliance is not feasible or practical.
1652 c. Any compensating controls or alternative measures the
1653 state agency will implement to mitigate associated risks.
1654 d. The anticipated duration of the exemption.
1655 2. ASSET shall review all exemption requests and provide a
1656 recommendation to the state chief information officer who shall
1657 present the compliance exemption requests to the chief
1658 information officer workgroup. Approval of exemption requests
1659 must be made by a majority vote of the workgroup. Approved
1660 exemptions must be documented, including conditions and
1661 expiration dates.
1662 3. A state agency with an approved exemption must undergo
1663 periodic review to determine whether the exemption remains
1664 necessary or if compliance can be achieved.
1665 Section 18. Paragraphs (b), (c), (g), (h), and (i) of
1666 subsection (3) and paragraphs (b), (c), (d), and (j) of
1667 subsection (4) of section 282.318, Florida Statutes, are amended
1668 to read:
1669 282.318 Cybersecurity.—
1670 (3) The department, acting through the Florida Digital
1671 Service, is the lead entity responsible for establishing
1672 standards and processes for assessing state agency cybersecurity
1673 risks and determining appropriate security measures. Such
1674 standards and processes must be consistent with generally
1675 accepted technology best practices, including the National
1676 Institute for Standards and Technology Cybersecurity Framework,
1677 for cybersecurity. The department, acting through the Florida
1678 Digital Service, shall adopt rules that mitigate risks;
1679 safeguard state agency digital assets, data, information, and
1680 information technology resources to ensure availability,
1681 confidentiality, and integrity; and support a security
1682 governance framework. The department, acting through the Florida
1683 Digital Service, shall also:
1684 (b) Develop, and annually update by February 1, a statewide
1685 cybersecurity strategic plan that includes security goals and
1686 objectives for cybersecurity, including the identification and
1687 mitigation of risk, proactive protections against threats,
1688 tactical risk detection, threat reporting, and response and
1689 recovery protocols for a cyber incident.
1690 (c) Develop and publish for use by state agencies a
1691 cybersecurity governance framework that, at a minimum, includes
1692 guidelines and processes for:
1693 1. Establishing asset management procedures to ensure that
1694 an agency’s information technology resources are identified and
1695 managed consistent with their relative importance to the
1696 agency’s business objectives.
1697 2. Using a standard risk assessment methodology that
1698 includes the identification of an agency’s priorities,
1699 constraints, risk tolerances, and assumptions necessary to
1700 support operational risk decisions.
1701 3. Completing comprehensive risk assessments and
1702 cybersecurity audits, which may be completed by a private sector
1703 vendor, and submitting completed assessments and audits to the
1704 department.
1705 4. Identifying protection procedures to manage the
1706 protection of an agency’s information, data, and information
1707 technology resources.
1708 5. Establishing procedures for accessing information and
1709 data to ensure the confidentiality, integrity, and availability
1710 of such information and data.
1711 6. Detecting threats through proactive monitoring of
1712 events, continuous security monitoring, and defined detection
1713 processes.
1714 7. Establishing agency cybersecurity incident response
1715 teams and describing their responsibilities for responding to
1716 cybersecurity incidents, including breaches of personal
1717 information containing confidential or exempt data.
1718 8. Recovering information and data in response to a
1719 cybersecurity incident. The recovery may include recommended
1720 improvements to the agency processes, policies, or guidelines.
1721 9. Establishing a cybersecurity incident reporting process
1722 that includes procedures for notifying the department and the
1723 Department of Law Enforcement of cybersecurity incidents.
1724 a. The level of severity of the cybersecurity incident is
1725 defined by the National Cyber Incident Response Plan of the
1726 United States Department of Homeland Security as follows:
1727 (I) Level 5 is an emergency-level incident within the
1728 specified jurisdiction that poses an imminent threat to the
1729 provision of wide-scale critical infrastructure services;
1730 national, state, or local government security; or the lives of
1731 the country’s, state’s, or local government’s residents.
1732 (II) Level 4 is a severe-level incident that is likely to
1733 result in a significant impact in the affected jurisdiction to
1734 public health or safety; national, state, or local security;
1735 economic security; or civil liberties.
1736 (III) Level 3 is a high-level incident that is likely to
1737 result in a demonstrable impact in the affected jurisdiction to
1738 public health or safety; national, state, or local security;
1739 economic security; civil liberties; or public confidence.
1740 (IV) Level 2 is a medium-level incident that may impact
1741 public health or safety; national, state, or local security;
1742 economic security; civil liberties; or public confidence.
1743 (V) Level 1 is a low-level incident that is unlikely to
1744 impact public health or safety; national, state, or local
1745 security; economic security; civil liberties; or public
1746 confidence.
1747 b. The cybersecurity incident reporting process must
1748 specify the information that must be reported by a state agency
1749 following a cybersecurity incident or ransomware incident,
1750 which, at a minimum, must include the following:
1751 (I) A summary of the facts surrounding the cybersecurity
1752 incident or ransomware incident.
1753 (II) The date on which the state agency most recently
1754 backed up its data; the physical location of the backup, if the
1755 backup was affected; and if the backup was created using cloud
1756 computing.
1757 (III) The types of data compromised by the cybersecurity
1758 incident or ransomware incident.
1759 (IV) The estimated fiscal impact of the cybersecurity
1760 incident or ransomware incident.
1761 (V) In the case of a ransomware incident, the details of
1762 the ransom demanded.
1763 c.(I) A state agency shall report all ransomware incidents
1764 and any cybersecurity incident determined by the state agency to
1765 be of severity level 3, 4, or 5 to the state chief information
1766 security officer Cybersecurity Operations Center and the
1767 Cybercrime Office of the Department of Law Enforcement as soon
1768 as possible but no later than 48 hours after discovery of the
1769 cybersecurity incident and no later than 12 hours after
1770 discovery of the ransomware incident. The report must contain
1771 the information required in sub-subparagraph b.
1772 (II) The state chief information security officer
1773 Cybersecurity Operations Center shall notify the President of
1774 the Senate and the Speaker of the House of Representatives of
1775 any severity level 3, 4, or 5 incident as soon as possible but
1776 no later than 12 hours after receiving a state agency’s incident
1777 report. The notification must include a high-level description
1778 of the incident and the likely effects.
1779 d. A state agency shall report a cybersecurity incident
1780 determined by the state agency to be of severity level 1 or 2 to
1781 the state chief information security officer Cybersecurity
1782 Operations Center and the Cybercrime Office of the Department of
1783 Law Enforcement as soon as possible, but no later than 96 hours
1784 after the discovery of the cybersecurity incident and no later
1785 than 72 hours after the discovery of the ransomware incident.
1786 The report must contain the information required in sub
1787 subparagraph b.
1788 e. The state chief information security officer
1789 Cybersecurity Operations Center shall provide a consolidated
1790 incident report on a quarterly basis to the President of the
1791 Senate and, the Speaker of the House of Representatives, and the
1792 Florida Cybersecurity Advisory Council. The report provided to
1793 the Florida Cybersecurity Advisory Council may not contain the
1794 name of any agency, network information, or system identifying
1795 information but must contain sufficient relevant information to
1796 allow the Florida Cybersecurity Advisory Council to fulfill its
1797 responsibilities as required in s. 282.319(9).
1798 2.10. Incorporating information obtained through detection
1799 and response activities into the agency’s cybersecurity incident
1800 response plans.
1801 3.11. Developing agency strategic and operational
1802 cybersecurity plans required pursuant to this section.
1803 4.12. Establishing the managerial, operational, and
1804 technical safeguards for protecting state government data and
1805 information technology resources that align with the state
1806 agency risk management strategy and that protect the
1807 confidentiality, integrity, and availability of information and
1808 data.
1809 13. Establishing procedures for procuring information
1810 technology commodities and services that require the commodity
1811 or service to meet the National Institute of Standards and
1812 Technology Cybersecurity Framework.
1813 5.14. Submitting after-action reports following a
1814 cybersecurity incident or ransomware incident. Such guidelines
1815 and processes for submitting after-action reports must be
1816 developed and published by December 1, 2022.
1817 (f)(g) Annually provide cybersecurity training to all state
1818 agency technology professionals and employees with access to
1819 highly sensitive information which develops, assesses, and
1820 documents competencies by role and skill level. The
1821 cybersecurity training curriculum must include training on the
1822 identification of each cybersecurity incident severity level
1823 referenced in sub-subparagraph (b)1.a. (c)9.a. The training may
1824 be provided in collaboration with the Cybercrime Office of the
1825 Department of Law Enforcement, a private sector entity, or an
1826 institution of the State University System.
1827 (h) Operate and maintain a Cybersecurity Operations Center
1828 led by the state chief information security officer, which must
1829 be primarily virtual and staffed with tactical detection and
1830 incident response personnel. The Cybersecurity Operations Center
1831 shall serve as a clearinghouse for threat information and
1832 coordinate with the Department of Law Enforcement to support
1833 state agencies and their response to any confirmed or suspected
1834 cybersecurity incident.
1835 (i) Lead an Emergency Support Function, ESF CYBER, under
1836 the state comprehensive emergency management plan as described
1837 in s. 252.35.
1838 (4) Each state agency head shall, at a minimum:
1839 (b) In consultation with the department, through the
1840 Florida Digital Service, and the Cybercrime Office of the
1841 Department of Law Enforcement, establish an agency cybersecurity
1842 response team to respond to a cybersecurity incident. The agency
1843 cybersecurity response team shall convene upon notification of a
1844 cybersecurity incident and must immediately report all confirmed
1845 or suspected incidents to the state chief information security
1846 officer, or his or her designee, and comply with all applicable
1847 guidelines and processes established pursuant to paragraph
1848 (3)(b) (3)(c).
1849 (c) Submit to the state chief information security officer
1850 department annually by July 31, the state agency’s strategic and
1851 operational cybersecurity plans developed pursuant to rules and
1852 guidelines established by the state chief information security
1853 officer department, through the Florida Digital Service.
1854 1. The state agency strategic cybersecurity plan must cover
1855 a 2-year 3-year period and, at a minimum, define security goals,
1856 intermediate objectives, and projected agency costs for the
1857 strategic issues of agency information security policy, risk
1858 management, security training, security incident response, and
1859 disaster recovery. The plan must be based on the statewide
1860 cybersecurity strategic plan created by the state chief
1861 information security officer department and include performance
1862 metrics that can be objectively measured to reflect the status
1863 of the state agency’s progress in meeting security goals and
1864 objectives identified in the agency’s strategic information
1865 security plan.
1866 2. The state agency operational cybersecurity plan must
1867 include a set of measures that objectively assesses the
1868 performance of the agency’s cybersecurity program in accordance
1869 with its risk management plan progress report that objectively
1870 measures progress made towards the prior operational
1871 cybersecurity plan and a project plan that includes activities,
1872 timelines, and deliverables for security objectives that the
1873 state agency will implement during the current fiscal year.
1874 (d) Conduct, and update every 2 3 years, a comprehensive
1875 risk assessment, which may be completed by a private sector
1876 vendor, to determine the security threats to the data,
1877 information, and information technology resources, including
1878 mobile devices and print environments, of the agency. The risk
1879 assessment must comply with the risk assessment methodology
1880 developed by the state chief information security officer
1881 department and is confidential and exempt from s. 119.07(1),
1882 except that such information shall be available to the Auditor
1883 General, the state chief information security officer Florida
1884 Digital Service within the department, the Cybercrime Office of
1885 the Department of Law Enforcement, and, for state agencies under
1886 the jurisdiction of the Governor, the Chief Inspector General.
1887 If a private sector vendor is used to complete a comprehensive
1888 risk assessment, it must attest to the validity of the risk
1889 assessment findings. The comprehensive risk assessment must
1890 include all of the following:
1891 1. The results of vulnerability and penetration tests on
1892 any Internet website or mobile application that processes any
1893 sensitive personal information or confidential information and a
1894 plan to address any vulnerability identified in the tests.
1895 2. A written acknowledgment that the executive director or
1896 the secretary of the agency, the chief financial officer of the
1897 agency, and each executive manager as designated by the state
1898 agency have been made aware of the risks revealed during the
1899 preparation of the agency’s operations cybersecurity plan and
1900 the comprehensive risk assessment.
1901 (j) Develop a process for detecting, reporting, and
1902 responding to threats, breaches, or cybersecurity incidents
1903 which is consistent with the security rules, guidelines, and
1904 processes established by the department through the Florida
1905 Digital Service.
1906 1. All cybersecurity incidents and ransomware incidents
1907 must be reported by state agencies. Such reports must comply
1908 with the notification procedures and reporting timeframes
1909 established pursuant to paragraph (3)(b) (3)(c).
1910 2. For cybersecurity breaches, state agencies shall provide
1911 notice in accordance with s. 501.171.
1912 Section 19. Effective July 1, 2026, subsections (2), (3),
1913 (4), (7), and (10) of section 282.318, Florida Statutes, as
1914 amended by this act, are amended to read:
1915 282.318 Cybersecurity.—
1916 (2) As used in this section, the term “state agency” has
1917 the same meaning as provided in s. 282.0041, except that the
1918 term includes the Department of Legal Affairs, the Department of
1919 Agriculture and Consumer Services, and the Department of
1920 Financial Services.
1921 (3) ASSET The department, acting through the Florida
1922 Digital Service, is the lead entity responsible for establishing
1923 enterprise technology and cybersecurity standards and processes
1924 for assessing state agency cybersecurity risks and determining
1925 appropriate security measures that comply with all national and
1926 state data compliance security standards. Such standards and
1927 processes must be consistent with generally accepted technology
1928 best practices, including the National Institute for Standards
1929 and Technology Cybersecurity Framework, for cybersecurity. ASSET
1930 The department, acting through the Florida Digital Service,
1931 shall adopt rules that mitigate risks; safeguard state agency
1932 digital assets, data, information, and information technology
1933 resources to ensure availability, confidentiality, and
1934 integrity; and support a security governance framework. ASSET
1935 The department, acting through the Florida Digital Service,
1936 shall also:
1937 (a) Designate an employee of the Florida Digital Service as
1938 the state chief information security officer. The state chief
1939 information security officer must have experience and expertise
1940 in security and risk management for communications and
1941 information technology resources. The state chief information
1942 security officer is responsible for the development of
1943 enterprise cybersecurity policy, standards, operation, and
1944 security architecture oversight of cybersecurity for state
1945 technology systems. The state chief information security officer
1946 shall be notified of all confirmed or suspected incidents or
1947 threats of state agency information technology resources and
1948 must report such incidents or threats to the state chief
1949 information officer and the Governor.
1950 (b) Develop, and annually update by February 1, a statewide
1951 cybersecurity strategic plan that includes security goals and
1952 objectives for cybersecurity, including the identification and
1953 mitigation of risk, proactive protections against threats,
1954 tactical risk detection, threat reporting, and response and
1955 recovery protocols for a cyber incident.
1956 (c)(b) Develop and publish for use by state agencies a
1957 cybersecurity governance framework that, at a minimum, includes
1958 guidelines and processes for:
1959 1. Establishing asset management procedures to ensure that
1960 an agency’s information technology resources are identified and
1961 managed consistently with their relative importance to the
1962 agency’s business objectives.
1963 2. Using a standard risk assessment methodology that
1964 includes the identification of an agency’s priorities,
1965 constraints, risk tolerances, and assumptions necessary to
1966 support operational risk decisions.
1967 3. Completing comprehensive risk assessments and
1968 cybersecurity audits, which may be completed by a private sector
1969 vendor, and submitting completed assessments and audits to the
1970 department.
1971 4. Identifying protection procedures to manage the
1972 protection of an agency’s information, data, and information
1973 technology resources.
1974 5. Establishing procedures for accessing information and
1975 data to ensure the confidentiality, integrity, and availability
1976 of such information and data.
1977 6. Detecting threats through proactive monitoring of
1978 events, continuous security monitoring, and defined detection
1979 processes.
1980 7. Establishing agency cybersecurity incident response
1981 teams and describing their responsibilities for responding to
1982 cybersecurity incidents, including breaches of personal
1983 information containing confidential or exempt data.
1984 8. Recovering information and data in response to a
1985 cybersecurity incident. The recovery may include recommended
1986 improvements to the agency processes, policies, or guidelines.
1987 9. Establishing a cybersecurity incident reporting process
1988 that includes procedures for notifying ASSET the department and
1989 the Department of Law Enforcement of cybersecurity incidents.
1990 a. The level of severity of the cybersecurity incident is
1991 defined by the National Cyber Incident Response Plan of the
1992 United States Department of Homeland Security as follows:
1993 (I) Level 5 is an emergency-level incident within the
1994 specified jurisdiction that poses an imminent threat to the
1995 provision of wide-scale critical infrastructure services;
1996 national, state, or local government security; or the lives of
1997 the country’s, state’s, or local government’s residents.
1998 (II) Level 4 is a severe-level incident that is likely to
1999 result in a significant impact in the affected jurisdiction to
2000 public health or safety; national, state, or local security;
2001 economic security; or civil liberties.
2002 (III) Level 3 is a high-level incident that is likely to
2003 result in a demonstrable impact in the affected jurisdiction to
2004 public health or safety; national, state, or local security;
2005 economic security; civil liberties; or public confidence.
2006 (IV) Level 2 is a medium-level incident that may impact
2007 public health or safety; national, state, or local security;
2008 economic security; civil liberties; or public confidence.
2009 (V) Level 1 is a low-level incident that is unlikely to
2010 impact public health or safety; national, state, or local
2011 security; economic security; civil liberties; or public
2012 confidence.
2013 b. The cybersecurity incident reporting process must
2014 specify the information that must be reported by a state agency
2015 following a cybersecurity incident or ransomware incident,
2016 which, at a minimum, must include the following:
2017 (I) A summary of the facts surrounding the cybersecurity
2018 incident or ransomware incident.
2019 (II) The date on which the state agency most recently
2020 backed up its data; the physical location of the backup, if the
2021 backup was affected; and if the backup was created using cloud
2022 computing.
2023 (III) The types of data compromised by the cybersecurity
2024 incident or ransomware incident.
2025 (IV) The estimated fiscal impact of the cybersecurity
2026 incident or ransomware incident.
2027 (V) In the case of a ransomware incident, the details of
2028 the ransom demanded.
2029 c.(I) A state agency shall report all ransomware incidents
2030 and any cybersecurity incident determined by the state agency to
2031 be of severity level 3, 4, or 5 to the state chief information
2032 security officer and the Cybercrime Office of the Department of
2033 Law Enforcement as soon as possible but no later than 48 hours
2034 after discovery of the cybersecurity incident and no later than
2035 12 hours after discovery of the ransomware incident. The report
2036 must contain the information required in sub-subparagraph b.
2037 (II) The state chief information security officer shall
2038 notify the President of the Senate and the Speaker of the House
2039 of Representatives of any severity level 3, 4, or 5 incident as
2040 soon as possible but no later than 12 hours after receiving a
2041 state agency’s incident report. The notification must include a
2042 high-level description of the incident and the likely effects.
2043 d. A state agency shall report a cybersecurity incident
2044 determined by the state agency to be of severity level 1 or 2 to
2045 the state chief information security officer and the Cybercrime
2046 Office of the Department of Law Enforcement as soon as possible,
2047 but no later than 96 hours after the discovery of the
2048 cybersecurity incident and no later than 72 hours after the
2049 discovery of the ransomware incident. The report must contain
2050 the information required in sub-subparagraph b.
2051 e. The state chief information security officer shall
2052 provide a consolidated incident report on a quarterly basis to
2053 the Executive office of the Governor, the Commissioner of
2054 Agriculture, the Chief Financial Officer, the Attorney General,
2055 the President of the Senate, and the Speaker of the House of
2056 Representatives.
2057 10.2. Incorporating information obtained through detection
2058 and response activities into the agency’s cybersecurity incident
2059 response plans.
2060 11.3. Developing agency strategic and operational
2061 cybersecurity plans required pursuant to this section.
2062 12.4. Establishing the managerial, operational, and
2063 technical safeguards for protecting state government data and
2064 information technology resources that align with the state
2065 agency risk management strategy and that protect the
2066 confidentiality, integrity, and availability of information and
2067 data.
2068 13. In coordination with the state chief information
2069 technology procurement officer, establishing procedures for
2070 procuring information technology commodities and services that
2071 require the commodity or service to meet the National Institute
2072 of Standards and Technology Cybersecurity Framework.
2073 14.5. Submitting after-action reports following a
2074 cybersecurity incident or ransomware incident. Such guidelines
2075 and processes for submitting after-action reports must be
2076 developed and published by July 1, 2027 December 1, 2022.
2077 (d)(c) Assist state agencies in complying with this
2078 section.
2079 (e)(d) In collaboration with the Cybercrime Office of the
2080 Department of Law Enforcement and through the state chief
2081 information security officer and the Division of Enterprise
2082 Information Technology Workforce Development, annually provide
2083 training for state agency information security managers and
2084 computer security incident response team members that contains
2085 training on cybersecurity, including cybersecurity threats,
2086 trends, and best practices.
2087 (f)(e) Annually review the strategic and operational
2088 cybersecurity plans of state agencies.
2089 (g)(f) Annually provide cybersecurity training through the
2090 state chief information security officer and the Division of
2091 Enterprise Information Technology Workforce Development to all
2092 state agency technology professionals and employees with access
2093 to highly sensitive information which develops, assesses, and
2094 documents competencies by role and skill level. The
2095 cybersecurity training curriculum must include training on the
2096 identification of each cybersecurity incident severity level
2097 referenced in sub-subparagraph (c)9.a. (b)1.a. The training may
2098 be provided in collaboration with the Cybercrime Office of the
2099 Department of Law Enforcement, a private sector entity, or an
2100 institution of the State University System.
2101 (4) Each state agency head shall, at a minimum:
2102 (a) Designate an information security manager to administer
2103 the cybersecurity program of the state agency. This designation
2104 must be provided annually in writing to ASSET the department by
2105 January 1. A state agency’s information security manager, for
2106 purposes of these information security duties, shall report
2107 directly to the agency head.
2108 (b) In consultation with the state chief information
2109 security officer department, through the Florida Digital
2110 Service, and the Cybercrime Office of the Department of Law
2111 Enforcement, establish an agency cybersecurity response team to
2112 respond to a cybersecurity incident. The agency cybersecurity
2113 response team shall convene upon notification of a cybersecurity
2114 incident and must immediately report all confirmed or suspected
2115 incidents to the state chief information security officer, or
2116 his or her designee, and comply with all applicable guidelines
2117 and processes established pursuant to paragraph (3)(c) (3)(b).
2118 (c) Submit to state chief information security officer
2119 annually by July 31 the state agency’s strategic and operational
2120 cybersecurity plans developed pursuant to rules and guidelines
2121 established by the state chief information security officer.
2122 1. The state agency strategic cybersecurity plan must cover
2123 a 2-year period and, at a minimum, define security goals,
2124 intermediate objectives, and projected agency costs for the
2125 strategic issues of agency information security policy, risk
2126 management, security training, security incident response, and
2127 disaster recovery. The plan must be based on the statewide
2128 cybersecurity strategic plan created by the state chief
2129 information security officer and include performance metrics
2130 that can be objectively measured to reflect the status of the
2131 state agency’s progress in meeting security goals and objectives
2132 identified in the agency’s strategic information security plan.
2133 2. The state agency operational cybersecurity plan must
2134 include a set of measures that objectively assess the
2135 performance of the agency’s cybersecurity program in accordance
2136 with its risk management plan.
2137 (d) Conduct, and update every 2 years, a comprehensive risk
2138 assessment, which may be completed by a private sector vendor,
2139 to determine the security threats to the data, information, and
2140 information technology resources, including mobile devices and
2141 print environments, of the agency. The risk assessment must
2142 comply with the risk assessment methodology developed by the
2143 state chief information security officer and is confidential and
2144 exempt from s. 119.07(1), except that such information shall be
2145 available to the Auditor General, the state chief information
2146 security officer, the Cybercrime Office of the Department of Law
2147 Enforcement, and, for state agencies under the jurisdiction of
2148 the Governor, the Chief Inspector General. If a private sector
2149 vendor is used to complete a comprehensive risk assessment, it
2150 must attest to the validity of the risk assessment findings. The
2151 comprehensive risk assessment must include all of the following:
2152 1. The results of vulnerability and penetration tests on
2153 any Internet website or mobile application that processes any
2154 sensitive personal information or confidential information and a
2155 plan to address any vulnerability identified in the tests.
2156 2. A written acknowledgment that the executive director or
2157 secretary of the agency, the chief financial officer of the
2158 agency, and each executive manager as designated by the state
2159 agency have been made aware of the risks revealed during the
2160 preparation of the agency’s operational cybersecurity plan and
2161 the comprehensive risk assessment.
2162 (e) Develop, and periodically update, written internal
2163 policies and procedures, which include procedures for reporting
2164 cybersecurity incidents and breaches to the Cybercrime Office of
2165 the Department of Law Enforcement and the state chief
2166 information security officer Florida Digital Service within the
2167 department. Such policies and procedures must be consistent with
2168 the rules, guidelines, and processes established by ASSET the
2169 department to ensure the security of the data, information, and
2170 information technology resources of the agency. The internal
2171 policies and procedures that, if disclosed, could facilitate the
2172 unauthorized modification, disclosure, or destruction of data or
2173 information technology resources are confidential information
2174 and exempt from s. 119.07(1), except that such information shall
2175 be available to the Auditor General, the Cybercrime Office of
2176 the Department of Law Enforcement, the state chief information
2177 security officer the Florida Digital Service within the
2178 department, and, for state agencies under the jurisdiction of
2179 the Governor, the Chief Inspector General.
2180 (f) Implement managerial, operational, and technical
2181 safeguards and risk assessment remediation plans recommended by
2182 ASSET the department to address identified risks to the data,
2183 information, and information technology resources of the agency.
2184 The state chief information security officer department, through
2185 the Florida Digital Service, shall track implementation by state
2186 agencies upon development of such remediation plans in
2187 coordination with agency inspectors general.
2188 (g) Ensure that periodic internal audits and evaluations of
2189 the agency’s cybersecurity program for the data, information,
2190 and information technology resources of the agency are
2191 conducted. The results of such audits and evaluations are
2192 confidential information and exempt from s. 119.07(1), except
2193 that such information shall be available to the Auditor General,
2194 the Cybercrime Office of the Department of Law Enforcement, the
2195 state chief information security officer Florida Digital Service
2196 within the department, and, for agencies under the jurisdiction
2197 of the Governor, the Chief Inspector General.
2198 (h) Ensure that the cybersecurity requirements in the
2199 written specifications for the solicitation, contracts, and
2200 service-level agreement of information technology and
2201 information technology resources and services meet or exceed the
2202 applicable state and federal laws, regulations, and standards
2203 for cybersecurity, including the National Institute of Standards
2204 and Technology Cybersecurity Framework. Service-level agreements
2205 must identify service provider and state agency responsibilities
2206 for privacy and security, protection of government data,
2207 personnel background screening, and security deliverables with
2208 associated frequencies.
2209 (i) Provide cybersecurity awareness training to all state
2210 agency employees within 30 days after commencing employment, and
2211 annually thereafter, concerning cybersecurity risks and the
2212 responsibility of employees to comply with policies, standards,
2213 guidelines, and operating procedures adopted by the state agency
2214 to reduce those risks. The training may be provided in
2215 collaboration with the Cybercrime Office of the Department of
2216 Law Enforcement, a private sector entity, or an institution of
2217 the State University System.
2218 (j) Develop a process for detecting, reporting, and
2219 responding to threats, breaches, or cybersecurity incidents
2220 which is consistent with the security rules, guidelines, and
2221 processes established by ASSET the department through the state
2222 chief information security officer Florida Digital Service.
2223 1. All cybersecurity incidents and ransomware incidents
2224 must be reported by state agencies. Such reports must comply
2225 with the notification procedures and reporting timeframes
2226 established pursuant to paragraph (3)(c) (3)(b).
2227 2. For cybersecurity breaches, state agencies shall provide
2228 notice in accordance with s. 501.171.
2229 (k) Submit to the state chief information security officer
2230 Florida Digital Service, within 1 week after the remediation of
2231 a cybersecurity incident or ransomware incident, an after-action
2232 report that summarizes the incident, the incident’s resolution,
2233 and any insights gained as a result of the incident.
2234 (7) The portions of records made confidential and exempt in
2235 subsections (5) and (6) shall be available to the Auditor
2236 General, the Cybercrime Office of the Department of Law
2237 Enforcement, the state chief information security officer, the
2238 Legislature Florida Digital Service within the department, and,
2239 for agencies under the jurisdiction of the Governor, the Chief
2240 Inspector General. Such portions of records may be made
2241 available to a local government, another state agency, or a
2242 federal agency for cybersecurity purposes or in furtherance of
2243 the state agency’s official duties.
2244 (10) ASSET The department shall adopt rules relating to
2245 cybersecurity and to administer this section.
2246 Section 20. Section 282.3185, Florida Statutes, is amended
2247 to read:
2248 282.3185 Local government cybersecurity.—
2249 (1) SHORT TITLE.—This section may be cited as the “Local
2250 Government Cybersecurity Act.”
2251 (2) DEFINITION.—As used in this section, the term “local
2252 government” means any county or municipality.
2253 (3) CYBERSECURITY TRAINING.—
2254 (a) The state chief information security officer Florida
2255 Digital Service shall:
2256 1. Develop a basic cybersecurity training curriculum for
2257 local government employees. All local government employees with
2258 access to the local government’s network must complete the basic
2259 cybersecurity training within 30 days after commencing
2260 employment and annually thereafter.
2261 2. Develop an advanced cybersecurity training curriculum
2262 for local governments which is consistent with the cybersecurity
2263 training required under s. 282.318(3)(f) s. 282.318(3)(g). All
2264 local government technology professionals and employees with
2265 access to highly sensitive information must complete the
2266 advanced cybersecurity training within 30 days after commencing
2267 employment and annually thereafter.
2268 (b) The state chief information security officer Florida
2269 Digital Service may provide the cybersecurity training required
2270 by this subsection in collaboration with the Cybercrime Office
2271 of the Department of Law Enforcement, a private sector entity,
2272 or an institution of the State University System.
2273 (4) CYBERSECURITY STANDARDS.—
2274 (a) Each local government shall adopt cybersecurity
2275 standards that safeguard its data, information technology, and
2276 information technology resources to ensure availability,
2277 confidentiality, and integrity. The cybersecurity standards must
2278 be consistent with generally accepted best practices for
2279 cybersecurity, including the National Institute of Standards and
2280 Technology Cybersecurity Framework.
2281 (b) Each county with a population of 75,000 or more must
2282 adopt the cybersecurity standards required by this subsection by
2283 January 1, 2024. Each county with a population of less than
2284 75,000 must adopt the cybersecurity standards required by this
2285 subsection by January 1, 2025.
2286 (c) Each municipality with a population of 25,000 or more
2287 must adopt the cybersecurity standards required by this
2288 subsection by January 1, 2024. Each municipality with a
2289 population of less than 25,000 must adopt the cybersecurity
2290 standards required by this subsection by January 1, 2025.
2291 (d) Each local government shall notify the state chief
2292 information security officer Florida Digital Service of its
2293 compliance with this subsection as soon as possible.
2294 (5) INCIDENT NOTIFICATION.—
2295 (a) A local government shall provide notification of a
2296 cybersecurity incident or ransomware incident to the state chief
2297 information security officer Cybersecurity Operations Center,
2298 the Cybercrime Office of the Department of Law Enforcement, and
2299 the sheriff who has jurisdiction over the local government in
2300 accordance with paragraph (b). The notification must include, at
2301 a minimum, the following information:
2302 1. A summary of the facts surrounding the cybersecurity
2303 incident or ransomware incident.
2304 2. The date on which the local government most recently
2305 backed up its data; the physical location of the backup, if the
2306 backup was affected; and if the backup was created using cloud
2307 computing.
2308 3. The types of data compromised by the cybersecurity
2309 incident or ransomware incident.
2310 4. The estimated fiscal impact of the cybersecurity
2311 incident or ransomware incident.
2312 5. In the case of a ransomware incident, the details of the
2313 ransom demanded.
2314 6. A statement requesting or declining assistance from the
2315 Cybersecurity Operations Center, the Cybercrime Office of the
2316 Department of Law Enforcement, or the sheriff who has
2317 jurisdiction over the local government.
2318 (b)1. A local government shall report all ransomware
2319 incidents and any cybersecurity incident determined by the local
2320 government to be of severity level 3, 4, or 5 as provided in s.
2321 282.318(3)(b) s. 282.318(3)(c) to the state chief information
2322 security officer Cybersecurity Operations Center, the Cybercrime
2323 Office of the Department of Law Enforcement, and the sheriff who
2324 has jurisdiction over the local government as soon as possible
2325 but no later than 12 48 hours after discovery of the
2326 cybersecurity incident and no later than 6 12 hours after
2327 discovery of the ransomware incident. The report must contain
2328 the information required in paragraph (a).
2329 2. The state chief information security officer
2330 Cybersecurity Operations Center shall notify the state chief
2331 information officer, the Governor, the Commissioner of
2332 Agriculture, the Chief Financial Officer, the Attorney General,
2333 the President of the Senate, and the Speaker of the House of
2334 Representatives of any severity level 3, 4, or 5 incident as
2335 soon as possible but no later than 12 hours after receiving a
2336 local government’s incident report. The notification must
2337 include a high-level description of the incident and the likely
2338 effects.
2339 (c) A local government may report a cybersecurity incident
2340 determined by the local government to be of severity level 1 or
2341 2 as provided in s. 282.318(3)(b) s. 282.318(3)(c) to the state
2342 chief information security officer Cybersecurity Operations
2343 Center, the Cybercrime Office of the Department of Law
2344 Enforcement, and the sheriff who has jurisdiction over the local
2345 government. The report shall contain the information required in
2346 paragraph (a).
2347 (d) The state chief information security officer
2348 Cybersecurity Operations Center shall provide a consolidated
2349 incident report by the 30th day after the end of each quarter on
2350 a quarterly basis to the Governor, the Commissioner of
2351 Agriculture, the Chief Financial Officer, the Attorney General,
2352 the President of the Senate, and the Speaker of the House of
2353 Representatives, and the Florida Cybersecurity Advisory Council.
2354 The report provided to the Florida Cybersecurity Advisory
2355 Council may not contain the name of any local government,
2356 network information, or system identifying information but must
2357 contain sufficient relevant information to allow the Florida
2358 Cybersecurity Advisory Council to fulfill its responsibilities
2359 as required in s. 282.319(9).
2360 (6) AFTER-ACTION REPORT.—A local government must submit to
2361 the state chief information security officer Florida Digital
2362 Service, within 1 week after the remediation of a cybersecurity
2363 incident or ransomware incident, an after-action report that
2364 summarizes the incident, the incident’s resolution, and any
2365 insights gained as a result of the incident. By December 1, 2027
2366 2022, the state chief information security officer Florida
2367 Digital Service shall establish guidelines and processes for
2368 submitting an after-action report.
2369 Section 21. Effective July 1, 2026, paragraph (a) of
2370 subsection (3) and paragraphs (b) and (c) of subsection (5) of
2371 section 282.3185, Florida Statutes, as amended by this act, are
2372 amended to read:
2373 282.3185 Local government cybersecurity.—
2374 (3) CYBERSECURITY TRAINING.—
2375 (a) The state chief information security officer shall:
2376 1. Develop a basic cybersecurity training curriculum for
2377 local government employees. All local government employees with
2378 access to the local government’s network must complete the basic
2379 cybersecurity training within 30 days after commencing
2380 employment and annually thereafter.
2381 2. Develop an advanced cybersecurity training curriculum
2382 for local governments which is consistent with the cybersecurity
2383 training required under s. 282.318(3)(g) s. 282.318(3)(f). All
2384 local government technology professionals and employees with
2385 access to highly sensitive information must complete the
2386 advanced cybersecurity training within 30 days after commencing
2387 employment and annually thereafter.
2388 (5) INCIDENT NOTIFICATION.—
2389 (b)1. A local government shall report all ransomware
2390 incidents and any cybersecurity incident determined by the local
2391 government to be of severity level 3, 4, or 5 as provided in s.
2392 282.318(3)(c) s. 282.318(3)(b) to the state chief information
2393 security officer, the Cybercrime Office of the Department of Law
2394 Enforcement, and the sheriff who has jurisdiction over the local
2395 government as soon as possible but no later than 12 hours after
2396 discovery of the cybersecurity incident and no later than 6
2397 hours after discovery of the ransomware incident. The report
2398 must contain the information required in paragraph (a).
2399 2. The state chief information security officer shall
2400 notify the state chief information officer, the Governor, the
2401 Commission of Agriculture, the Chief Financial Officer, the
2402 Attorney General, the President of the Senate and the Speaker of
2403 the House of Representatives of any severity level 3, 4, or 5
2404 incident as soon as possible but no later than 12 hours after
2405 receiving a local government’s incident report. The notification
2406 must include a high-level description of the incident and the
2407 likely effects.
2408 (c) A local government may report a cybersecurity incident
2409 determined by the local government to be of severity level 1 or
2410 2 as provided in s. 282.318(3)(c) s. 282.318(3)(b) to the state
2411 chief information security officer, the Cybercrime Office of the
2412 Department of Law Enforcement, and the sheriff who has
2413 jurisdiction over the local government. The report shall contain
2414 the information required in paragraph (a).
2415 Section 22. Section 282.319, Florida Statutes, is repealed.
2416 Section 23. (1) POSITIONS.—
2417 (a) The following positions are established within the
2418 Agency for State Systems and Enterprise Technology:
2419 1. Chief operations officer.
2420 2. Chief information officer.
2421 (b) Effective July 1, 2026, the following positions are
2422 established within the Agency for State Systems and Enterprise
2423 Technology, all of whom shall be appointed by the executive
2424 director:
2425 1. Deputy executive director, who shall serve as the state
2426 chief information architect, and the following:
2427 a. A minimum of six lead technology coordinators. At least
2428 one coordinator shall be assigned to each of the following major
2429 program areas: health and human services, education, government
2430 operations, criminal and civil justice, agriculture and natural
2431 resources, and transportation and economic development.
2432 b. A minimum of six assistant technology coordinators. At
2433 least one coordinator shall be assigned to each of the following
2434 major program areas: health and human services, education,
2435 government operations, criminal and civil justice, agriculture
2436 and natural resources, and transportation and economic
2437 development.
2438 2. State chief information security officer and six lead
2439 security consultants. One consultant shall be assigned to each
2440 of the following major program areas: health and human services,
2441 education, government operations, criminal and civil justice,
2442 agriculture and natural resources, and transportation and
2443 economic development.
2444 3. State chief data officer and the following:
2445 a. A minimum of three data specialists with at least one
2446 specialist dedicated to each of the following areas of data
2447 expertise:
2448 (I) Personally identifiable information.
2449 (II) Protected health information.
2450 (III) Criminal justice information services.
2451 b. A minimum of six data security consultants. At least one
2452 consultant shall be assigned to each of the following major
2453 program areas: health and human services, education, government
2454 operations, criminal and civil justice, agriculture and natural
2455 resources, and transportation and economic development.
2456 4. State chief information technology procurement officer
2457 and a minimum of six lead information technology procurement
2458 consultants. At least one coordinator shall be assigned to each
2459 of the following major program areas: health and human services,
2460 education, government operations, criminal and civil justice,
2461 agriculture and natural resources, and transportation and
2462 economic development.
2463 5. State chief technology officer and the following:
2464 a. A minimum of 42 information technology business analyst
2465 consultants that shall be assigned to major program areas as
2466 follows:
2467 (I) At least 11 consultants shall be assigned to health and
2468 human services and dedicated to state agencies at a minimum as
2469 follows:
2470 (A) Two dedicated to the Department of Health.
2471 (B) Four dedicated to the Agency for Health Care
2472 Administration.
2473 (C) Three dedicated to the Department of Children and
2474 Families.
2475 (D) Two dedicated to the remaining health and human
2476 services state agencies.
2477 (II) At least four consultants shall be assigned to
2478 education.
2479 (III) At least eight consultants shall be assigned to
2480 government operations and dedicated to state agencies at a
2481 minimum as follows:
2482 (A) Two dedicated to the Department of Financial Services.
2483 (B) One dedicated to the Department of Business and
2484 Professional Regulation.
2485 (C) Two dedicated to the Department of Management Services.
2486 (D) Three dedicated to the remaining government operations
2487 state agencies.
2488 (IV) At least six consultants shall be assigned to criminal
2489 and civil justice and dedicated to state agencies at a minimum
2490 as follows:
2491 (A) One dedicated to the Department of Law Enforcement.
2492 (B) Two dedicated to the Department of Corrections.
2493 (C) One dedicated to the Department of Juvenile Justice.
2494 (D) One dedicated to the Department of Legal Affairs.
2495 (E) One dedicated to the remaining criminal and civil
2496 justice state agencies.
2497 (V) At least four consultants shall be assigned to
2498 agriculture and natural resources and dedicated to state
2499 agencies at a minimum as follows:
2500 (A) One dedicated the Department of Agriculture and
2501 Consumer Services.
2502 (B) One dedicated to the Department of Environmental
2503 Protection.
2504 (C) One dedicated to the Fish and Wildlife Conservation
2505 Commission.
2506 (D) One dedicated to the remaining agriculture and natural
2507 resources state agencies.
2508 (VI) At least nine consultants shall be assigned to
2509 transportation and economic development and dedicated to state
2510 agencies at a minimum as follows:
2511 (A) Two dedicated to the Department of Transportation.
2512 (B) Two dedicated to the Department of State.
2513 (C) One dedicated to the Department of Highway Safety and
2514 Motor Vehicles.
2515 (D) Two dedicated to the Department of Commerce.
2516 (E) One dedicated to the Division of Emergency Management.
2517 (F) One dedicated to the remaining transportation and
2518 economic development state agencies.
2519 b. A minimum of six information technology project
2520 management professional consultants. At least one consultant
2521 shall be assigned to each of the following major program areas:
2522 health and human services, education, government operations,
2523 criminal and civil justice, agriculture and natural resources,
2524 and transportation and economic development.
2525 c. A minimum of six information technology contract
2526 management consultants. At least one consultant shall be
2527 assigned to each of the following major program areas: health
2528 and human services, education, government operations, criminal
2529 and civil justice, agriculture and natural resources, and
2530 transportation and economic development.
2531 d. A minimum of six information technology quality
2532 assurance consultants. At least one consultant shall be assigned
2533 to each of the following major program areas: health and human
2534 services, education, government operations, criminal and civil
2535 justice, agriculture and natural resources, and transportation
2536 and economic development.
2537 (2) BUREAUS.—
2538 (a) The Division of Enterprise Information Technology
2539 Services shall include:
2540 1. The Bureau of Enterprise Information Technology
2541 Operations, responsible for assessing state agency information
2542 technology needs and risks as established under s. 282.006,
2543 Florida Statutes.
2544 2. The Bureau of Enterprise Information Technology Quality
2545 Assurance, responsible for activities established under s.
2546 282.006, Florida Statutes.
2547 3. The Bureau of Enterprise Information Technology Project
2548 Management, responsible for project management oversight and
2549 activities established under s. 282.006, Florida Statutes.
2550 4. The Bureau of Enterprise Information Technology Contract
2551 Management, responsible for contract management oversight and
2552 activities established under s. 282.006, Florida Statutes.
2553 (b) The Division of Enterprise Information Technology
2554 Purchasing shall include:
2555 1. The Bureau of Enterprise Information Technology
2556 Procurement Services, responsible for procurement activities
2557 established under s. 282.006, Florida Statutes.
2558 2. The Bureau of Enterprise Information Technology
2559 Procurement Policy and Oversight, responsible for activities
2560 established under s. 282.006, Florida Statutes.
2561 (3) WORKGROUP.—
2562 (a) The chief information officer policy workgroup shall be
2563 composed of all state agency chief information officers.
2564 (b) The purpose of the workgroup is to provide the
2565 Legislature with input and feedback regarding the structure,
2566 budget, and governance of the Agency for State Systems and
2567 Enterprise Technology.
2568 (c) The chair of the workgroup shall be the interim state
2569 chief information officer.
2570 (d) The voting members of the workgroup shall include the
2571 chair of the workgroup and the chief information officers from
2572 the Department of Financial Services, the Department of
2573 Agriculture and Consumer Services, and the Department of Legal
2574 Affairs.
2575 (e) The chair of the workgroup shall submit a report to the
2576 Governor, the Commissioner of Agriculture, the Chief Financial
2577 Officer, the Attorney General, the President of the Senate, and
2578 the Speaker of the House of Representatives which includes
2579 recommendations and justifications for changes by December 1,
2580 2025. The final report must be voted on and accepted by a
2581 unanimous vote of the voting members of the workgroup.
2582 (f) The workgroup shall expire after submission of the
2583 report required in paragraph (e).
2584 Section 24. Section 282.201, Florida Statutes, is amended
2585 to read:
2586 282.201 State data center.—The state data center is
2587 established within the Northwest Regional Data Center pursuant
2588 to s. 282.2011 the department. The provision of data center
2589 services must comply with applicable state and federal laws,
2590 regulations, and policies, including all applicable security,
2591 privacy, and auditing requirements. The department shall appoint
2592 a director of the state data center who has experience in
2593 leading data center facilities and has expertise in cloud
2594 computing management.
2595 (1) STATE DATA CENTER DUTIES.—The state data center shall:
2596 (a) Offer, develop, and support the services and
2597 applications defined in service-level agreements executed with
2598 its customer entities.
2599 (b) Maintain performance of the state data center by
2600 ensuring proper data backup; data backup recovery; disaster
2601 recovery; and appropriate security, power, cooling, fire
2602 suppression, and capacity.
2603 (c) Develop and implement business continuity and disaster
2604 recovery plans, and annually conduct a live exercise of each
2605 plan.
2606 (d) Enter into a service-level agreement with each customer
2607 entity to provide the required type and level of service or
2608 services. If a customer entity fails to execute an agreement
2609 within 60 days after commencement of a service, the state data
2610 center may cease service. A service-level agreement may not have
2611 a term exceeding 3 years and at a minimum must:
2612 1. Identify the parties and their roles, duties, and
2613 responsibilities under the agreement.
2614 2. State the duration of the contract term and specify the
2615 conditions for renewal.
2616 3. Identify the scope of work.
2617 4. Identify the products or services to be delivered with
2618 sufficient specificity to permit an external financial or
2619 performance audit.
2620 5. Establish the services to be provided, the business
2621 standards that must be met for each service, the cost of each
2622 service by agency application, and the metrics and processes by
2623 which the business standards for each service are to be
2624 objectively measured and reported.
2625 6. Provide a timely billing methodology to recover the
2626 costs of services provided to the customer entity pursuant to s.
2627 215.422.
2628 7. Provide a procedure for modifying the service-level
2629 agreement based on changes in the type, level, and cost of a
2630 service.
2631 8. Include a right-to-audit clause to ensure that the
2632 parties to the agreement have access to records for audit
2633 purposes during the term of the service-level agreement.
2634 9. Provide that a service-level agreement may be terminated
2635 by either party for cause only after giving the other party and
2636 the department notice in writing of the cause for termination
2637 and an opportunity for the other party to resolve the identified
2638 cause within a reasonable period.
2639 10. Provide for mediation of disputes by the Division of
2640 Administrative Hearings pursuant to s. 120.573.
2641 (e) For purposes of chapter 273, be the custodian of
2642 resources and equipment located in and operated, supported, and
2643 managed by the state data center.
2644 (f) Assume administrative access rights to resources and
2645 equipment, including servers, network components, and other
2646 devices, consolidated into the state data center.
2647 1. Upon consolidation, a state agency shall relinquish
2648 administrative rights to consolidated resources and equipment.
2649 State agencies required to comply with federal and state
2650 criminal justice information security rules and policies shall
2651 retain administrative access rights sufficient to comply with
2652 the management control provisions of those rules and policies;
2653 however, the state data center shall have the appropriate type
2654 or level of rights to allow the center to comply with its duties
2655 pursuant to this section. The Department of Law Enforcement
2656 shall serve as the arbiter of disputes pertaining to the
2657 appropriate type and level of administrative access rights
2658 pertaining to the provision of management control in accordance
2659 with the federal criminal justice information guidelines.
2660 2. The state data center shall provide customer entities
2661 with access to applications, servers, network components, and
2662 other devices necessary for entities to perform business
2663 activities and functions, and as defined and documented in a
2664 service-level agreement.
2665 (g) In its procurement process, show preference for cloud
2666 computing solutions that minimize or do not require the
2667 purchasing, financing, or leasing of state data center
2668 infrastructure, and that meet the needs of customer agencies,
2669 that reduce costs, and that meet or exceed the applicable state
2670 and federal laws, regulations, and standards for cybersecurity.
2671 (h) Assist customer entities in transitioning from state
2672 data center services to the Northwest Regional Data Center or
2673 other third-party cloud-computing services procured by a
2674 customer entity or by the Northwest Regional Data Center on
2675 behalf of a customer entity.
2676 (1)(2) USE OF THE STATE DATA CENTER.—
2677 (a) The following are exempt from the use of the state data
2678 center: the Department of Law Enforcement, the Department of the
2679 Lottery’s Gaming System, Systems Design and Development in the
2680 Office of Policy and Budget, the regional traffic management
2681 centers as described in s. 335.14(2) and the Office of Toll
2682 Operations of the Department of Transportation, the State Board
2683 of Administration, state attorneys, public defenders, criminal
2684 conflict and civil regional counsel, capital collateral regional
2685 counsel, and the Florida Housing Finance Corporation, and the
2686 Division of Emergency Management within the Executive Office of
2687 the Governor.
2688 (b) The Division of Emergency Management is exempt from the
2689 use of the state data center. This paragraph expires July 1,
2690 2025.
2691 (2)(3) AGENCY LIMITATIONS.—Unless exempt from the use of
2692 the state data center pursuant to this section or authorized by
2693 the Legislature, a state agency may not:
2694 (a) Create a new agency computing facility or data center,
2695 or expand the capability to support additional computer
2696 equipment in an existing agency computing facility or data
2697 center; or
2698 (b) Terminate services with the state data center without
2699 giving written notice of intent to terminate services 180 days
2700 before such termination.
2701 (4) DEPARTMENT RESPONSIBILITIES.—The department shall
2702 provide operational management and oversight of the state data
2703 center, which includes:
2704 (a) Implementing industry standards and best practices for
2705 the state data center’s facilities, operations, maintenance,
2706 planning, and management processes.
2707 (b) Developing and implementing cost-recovery mechanisms
2708 that recover the full direct and indirect cost of services
2709 through charges to applicable customer entities. Such cost
2710 recovery mechanisms must comply with applicable state and
2711 federal regulations concerning distribution and use of funds and
2712 must ensure that, for any fiscal year, no service or customer
2713 entity subsidizes another service or customer entity. The
2714 department may recommend other payment mechanisms to the
2715 Executive Office of the Governor, the President of the Senate,
2716 and the Speaker of the House of Representatives. Such mechanisms
2717 may be implemented only if specifically authorized by the
2718 Legislature.
2719 (c) Developing and implementing appropriate operating
2720 guidelines and procedures necessary for the state data center to
2721 perform its duties pursuant to subsection (1). The guidelines
2722 and procedures must comply with applicable state and federal
2723 laws, regulations, and policies and conform to generally
2724 accepted governmental accounting and auditing standards. The
2725 guidelines and procedures must include, but need not be limited
2726 to:
2727 1. Implementing a consolidated administrative support
2728 structure responsible for providing financial management,
2729 procurement, transactions involving real or personal property,
2730 human resources, and operational support.
2731 2. Implementing an annual reconciliation process to ensure
2732 that each customer entity is paying for the full direct and
2733 indirect cost of each service as determined by the customer
2734 entity’s use of each service.
2735 3. Providing rebates that may be credited against future
2736 billings to customer entities when revenues exceed costs.
2737 4. Requiring customer entities to validate that sufficient
2738 funds exist before implementation of a customer entity’s request
2739 for a change in the type or level of service provided, if such
2740 change results in a net increase to the customer entity’s cost
2741 for that fiscal year.
2742 5. By November 15 of each year, providing to the Office of
2743 Policy and Budget in the Executive Office of the Governor and to
2744 the chairs of the legislative appropriations committees the
2745 projected costs of providing data center services for the
2746 following fiscal year.
2747 6. Providing a plan for consideration by the Legislative
2748 Budget Commission if the cost of a service is increased for a
2749 reason other than a customer entity’s request made pursuant to
2750 subparagraph 4. Such a plan is required only if the service cost
2751 increase results in a net increase to a customer entity for that
2752 fiscal year.
2753 7. Standardizing and consolidating procurement and
2754 contracting practices.
2755 (d) In collaboration with the Department of Law Enforcement
2756 and the Florida Digital Service, developing and implementing a
2757 process for detecting, reporting, and responding to
2758 cybersecurity incidents, breaches, and threats.
2759 (e) Adopting rules relating to the operation of the state
2760 data center, including, but not limited to, budgeting and
2761 accounting procedures, cost-recovery methodologies, and
2762 operating procedures.
2763 (5) NORTHWEST REGIONAL DATA CENTER CONTRACT.—In order for
2764 the department to carry out its duties and responsibilities
2765 relating to the state data center, the secretary of the
2766 department shall contract by July 1, 2022, with the Northwest
2767 Regional Data Center pursuant to s. 287.057(11). The contract
2768 shall provide that the Northwest Regional Data Center will
2769 manage the operations of the state data center and provide data
2770 center services to state agencies.
2771 (a) The department shall provide contract oversight,
2772 including, but not limited to, reviewing invoices provided by
2773 the Northwest Regional Data Center for services provided to
2774 state agency customers.
2775 (b) The department shall approve or request updates to
2776 invoices within 10 business days after receipt. If the
2777 department does not respond to the Northwest Regional Data
2778 Center, the invoice will be approved by default. The Northwest
2779 Regional Data Center must submit approved invoices directly to
2780 state agency customers.
2781 Section 25. Section 1004.649, Florida Statutes, is
2782 transferred, renumbered as section 282.0211, Florida Statutes,
2783 and amended to read:
2784 282.0211 1004.649 Northwest Regional Data Center.—
2785 (1) For the purpose of providing data center services to
2786 its state agency customers, the Northwest Regional Data Center
2787 is designated as a state data center for all state agencies and
2788 shall:
2789 (a) Operate under a governance structure that represents
2790 its customers proportionally.
2791 (b) Maintain an appropriate cost-allocation methodology
2792 that accurately bills state agency customers based solely on the
2793 actual direct and indirect costs of the services provided to
2794 state agency customers and ensures that, for any fiscal year,
2795 state agency customers are not subsidizing other customers of
2796 the data center. Such cost-allocation methodology must comply
2797 with applicable state and federal regulations concerning the
2798 distribution and use of state and federal funds.
2799 (c) Enter into a service-level agreement with each state
2800 agency customer to provide services as defined and approved by
2801 the governing board of the center. At a minimum, such service
2802 level agreements must:
2803 1. Identify the parties and their roles, duties, and
2804 responsibilities under the agreement;
2805 2. State the duration of the agreement term, which may not
2806 exceed 3 years, and specify the conditions for up to two
2807 optional 1-year renewals of the agreement before execution of a
2808 new agreement;
2809 3. Identify the scope of work;
2810 4. Establish the services to be provided, the business
2811 standards that must be met for each service, the cost of each
2812 service, and the process by which the business standards for
2813 each service are to be objectively measured and reported;
2814 5. Provide a timely billing methodology for recovering the
2815 cost of services provided pursuant to s. 215.422;
2816 6. Provide a procedure for modifying the service-level
2817 agreement to address any changes in projected costs of service;
2818 7. Include a right-to-audit clause to ensure that the
2819 parties to the agreement have access to records for audit
2820 purposes during the term of the service-level agreement;
2821 8. Identify the products or services to be delivered with
2822 sufficient specificity to permit an external financial or
2823 performance audit;
2824 9. Provide that the service-level agreement may be
2825 terminated by either party for cause only after giving the other
2826 party notice in writing of the cause for termination and an
2827 opportunity for the other party to resolve the identified cause
2828 within a reasonable period; and
2829 10. Provide state agency customer entities with access to
2830 applications, servers, network components, and other devices
2831 necessary for entities to perform business activities and
2832 functions and as defined and documented in a service-level
2833 agreement.
2834 (d) In its procurement process, show preference for cloud
2835 computing solutions that minimize or do not require the
2836 purchasing or financing of state data center infrastructure,
2837 that meet the needs of state agency customer entities, that
2838 reduce costs, and that meet or exceed the applicable state and
2839 federal laws, regulations, and standards for cybersecurity.
2840 (e) Assist state agency customer entities in transitioning
2841 from state data center services to other third-party cloud
2842 computing services procured by a customer entity or by the
2843 Northwest Regional Data Center on behalf of the customer entity.
2844 (f) Provide to the Board of Governors the total annual
2845 budget by major expenditure category, including, but not limited
2846 to, salaries, expenses, operating capital outlay, contracted
2847 services, or other personnel services by July 30 each fiscal
2848 year.
2849 (g) Provide to each state agency customer its projected
2850 annual cost for providing the agreed-upon data center services
2851 by September 1 each fiscal year.
2852 (h) By November 15 of each year, provide to the Office of
2853 Policy and Budget in the Executive Office of the Governor and to
2854 the chairs of the legislative appropriations committees the
2855 projected costs of providing data center services for the
2856 following fiscal year.
2857 (i)(h) Provide a plan for consideration by the Legislative
2858 Budget Commission if the governing body of the center approves
2859 the use of a billing rate schedule after the start of the fiscal
2860 year that increases any state agency customer’s costs for that
2861 fiscal year.
2862 (j)(i) Provide data center services that comply with
2863 applicable state and federal laws, regulations, and policies,
2864 including all applicable security, privacy, and auditing
2865 requirements.
2866 (k)(j) Maintain performance of the data center facilities
2867 by ensuring proper data backup; data backup recovery; disaster
2868 recovery; and appropriate security, power, cooling, fire
2869 suppression, and capacity.
2870 (l)(k) Prepare and submit state agency customer invoices to
2871 the Department of Management Services for approval. Upon
2872 approval or by default pursuant to s. 282.201(5), Submit
2873 invoices to state agency customers.
2874 (m)(l) As funded in the General Appropriations Act, provide
2875 data center services to state agencies from multiple facilities.
2876 (2) Unless exempt from the requirement to use the state
2877 data center pursuant to s. 282.201(1) s. 282.201(2) or as
2878 authorized by the Legislature, a state agency may not do any of
2879 the following:
2880 (a) Terminate services with the Northwest Regional Data
2881 Center without giving written notice of intent to terminate
2882 services 180 days before such termination.
2883 (b) Procure third-party cloud-computing services without
2884 evaluating the cloud-computing services provided by the
2885 Northwest Regional Data Center.
2886 (c) Exceed 30 days from receipt of approved invoices to
2887 remit payment for state data center services provided by the
2888 Northwest Regional Data Center.
2889 (3) The Northwest Regional Data Center’s authority to
2890 provide data center services to its state agency customers may
2891 be terminated if:
2892 (a) The center requests such termination to the Board of
2893 Governors, the President of the Senate, and the Speaker of the
2894 House of Representatives; or
2895 (b) The center fails to comply with the provisions of this
2896 section.
2897 (4) If such authority is terminated, the center has 1 year
2898 to provide for the transition of its state agency customers to a
2899 qualified alternative cloud-based data center that meets the
2900 enterprise architecture standards established by the Florida
2901 Digital Service.
2902 Section 26. Effective July 1, 2026, subsection (2) of
2903 section 20.22, Florida Statutes, is amended to read:
2904 20.22 Department of Management Services.—There is created a
2905 Department of Management Services.
2906 (2) The following divisions, programs, and services within
2907 the Department of Management Services are established:
2908 (a) Facilities Program.
2909 (b) The Florida Digital Service.
2910 (c) Workforce Program.
2911 (c)1.(d)1. Support Program.
2912 2. Federal Property Assistance Program.
2913 (d)(e) Administration Program.
2914 (e)(f) Division of Administrative Hearings.
2915 (f)(g) Division of Retirement.
2916 (g)(h) Division of State Group Insurance.
2917 (h)(i) Division of Telecommunications.
2918 Section 27. Effective July 1, 2026, subsections (1), (5),
2919 (7), and (8) of section 282.802, Florida Statutes, are amended
2920 to read:
2921 282.802 Government Technology Modernization Council.—
2922 (1) The Government Technology Modernization Council, an
2923 advisory council as defined in s. 20.03(7), is located created
2924 within ASSET the department. Except as otherwise provided in
2925 this section, the advisory council shall operate in a manner
2926 consistent with s. 20.052.
2927 (5) The state chief information officer Secretary of
2928 Management Services, or his or her designee, shall serve as the
2929 ex officio, nonvoting executive director of the council.
2930 (7)(a) The council shall meet at least quarterly to:
2931 (a)1. Recommend legislative and administrative actions that
2932 the Legislature and state agencies as defined in s. 282.0041 s.
2933 282.318(2) may take to promote the development of data
2934 modernization in this state.
2935 (b)2. Assess and provide guidance on necessary legislative
2936 reforms and the creation of a state code of ethics for
2937 artificial intelligence systems in state government.
2938 (c)3. Assess the effect of automated decision systems or
2939 identity management on constitutional and other legal rights,
2940 duties, and privileges of residents of this state.
2941 (d)4. Evaluate common standards for artificial intelligence
2942 safety and security measures, including the benefits of
2943 requiring disclosure of the digital provenance for all images
2944 and audio created using generative artificial intelligence as a
2945 means of revealing the origin and edit of the image or audio, as
2946 well as the best methods for such disclosure.
2947 (e)5. Assess the manner in which governmental entities and
2948 the private sector are using artificial intelligence with a
2949 focus on opportunity areas for deployments in systems across
2950 this state.
2951 (f)6. Determine the manner in which artificial intelligence
2952 is being exploited by bad actors, including foreign countries of
2953 concern as defined in s. 287.138(1).
2954 (g)7. Evaluate the need for curriculum to prepare school
2955 age audiences with the digital media and visual literacy skills
2956 needed to navigate the digital information landscape.
2957 (b) At least one quarterly meeting of the council must be a
2958 joint meeting with the Florida Cybersecurity Advisory Council.
2959 (8) By December 31, 2024, and Each December 31 thereafter,
2960 the council shall submit to the Governor, the Commissioner of
2961 Agriculture, the Chief Financial Officer, the Attorney General,
2962 the President of the Senate, and the Speaker of the House of
2963 Representatives any legislative recommendations considered
2964 necessary by the council to modernize government technology,
2965 including:
2966 (a) Recommendations for policies necessary to:
2967 1. Accelerate adoption of technologies that will increase
2968 productivity of state enterprise information technology systems,
2969 improve customer service levels of government, and reduce
2970 administrative or operating costs.
2971 2. Promote the development and deployment of artificial
2972 intelligence systems, financial technology, education
2973 technology, or other enterprise management software in this
2974 state.
2975 3. Protect Floridians from bad actors who use artificial
2976 intelligence.
2977 (b) Any other information the council considers relevant.
2978 Section 28. Effective July 1, 2026, section 282.604,
2979 Florida Statutes, is amended to read:
2980 282.604 Adoption of rules.—ASSET The Department of
2981 Management Services shall, with input from stakeholders, adopt
2982 rules pursuant to ss. 120.536(1) and 120.54 for the development,
2983 procurement, maintenance, and use of accessible electronic
2984 information technology by governmental units.
2985 Section 29. Subsection (4) of section 287.0591, Florida
2986 Statutes, is amended to read:
2987 287.0591 Information technology; vendor disqualification.—
2988 (4) If the department issues a competitive solicitation for
2989 information technology commodities, consultant services, or
2990 staff augmentation contractual services, the state chief
2991 information officer must Florida Digital Service within the
2992 department shall participate in such solicitations.
2993 Section 30. Subsection (4) of section 288.012, Florida
2994 Statutes, is amended to read:
2995 288.012 State of Florida international offices; direct
2996 support organization.—The Legislature finds that the expansion
2997 of international trade and tourism is vital to the overall
2998 health and growth of the economy of this state. This expansion
2999 is hampered by the lack of technical and business assistance,
3000 financial assistance, and information services for businesses in
3001 this state. The Legislature finds that these businesses could be
3002 assisted by providing these services at State of Florida
3003 international offices. The Legislature further finds that the
3004 accessibility and provision of services at these offices can be
3005 enhanced through cooperative agreements or strategic alliances
3006 between private businesses and state, local, and international
3007 governmental entities.
3008 (4) The Department of Commerce, in connection with the
3009 establishment, operation, and management of any of its offices
3010 located in another country, is exempt from the provisions of ss.
3011 255.21, 255.25, and 255.254 relating to leasing of buildings;
3012 ss. 283.33 and 283.35 relating to bids for printing; ss.
3013 287.001-287.20 relating to purchasing and motor vehicles; and
3014 ss. 282.0051 and 282.702-282.7101 ss. 282.003-282.00515 and
3015 282.702-282.7101 relating to communications, and from all
3016 statutory provisions relating to state employment.
3017 (a) The department may exercise such exemptions only upon
3018 prior approval of the Governor.
3019 (b) If approval for an exemption under this section is
3020 granted as an integral part of a plan of operation for a
3021 specified international office, such action shall constitute
3022 continuing authority for the department to exercise the
3023 exemption, but only in the context and upon the terms originally
3024 granted. Any modification of the approved plan of operation with
3025 respect to an exemption contained therein must be resubmitted to
3026 the Governor for his or her approval. An approval granted to
3027 exercise an exemption in any other context shall be restricted
3028 to the specific instance for which the exemption is to be
3029 exercised.
3030 (c) As used in this subsection, the term “plan of
3031 operation” means the plan developed pursuant to subsection (2).
3032 (d) Upon final action by the Governor with respect to a
3033 request to exercise the exemption authorized in this subsection,
3034 the department shall report such action, along with the original
3035 request and any modifications thereto, to the President of the
3036 Senate and the Speaker of the House of Representatives within 30
3037 days.
3038 Section 31. Effective July 1, 2026, paragraph (b) of
3039 subsection (4) of section 443.1113, Florida Statutes, is amended
3040 to read:
3041 443.1113 Reemployment Assistance Claims and Benefits
3042 Information System.—
3043 (4)
3044 (b) The department shall seek input on recommended
3045 enhancements from, at a minimum, the following entities:
3046 1. The Agency for State Systems and Enterprise Technology
3047 Florida Digital Service within the Department of Management
3048 Services.
3049 2. The General Tax Administration Program Office within the
3050 Department of Revenue.
3051 3. The Division of Accounting and Auditing within the
3052 Department of Financial Services.
3053 Section 32. Effective July 1, 2026, subsection (5) of
3054 section 943.0415, Florida Statutes, is amended to read:
3055 943.0415 Cybercrime Office.—There is created within the
3056 Department of Law Enforcement the Cybercrime Office. The office
3057 may:
3058 (5) Consult with the state chief information security
3059 officer of the Agency for State Systems and Enterprise
3060 Technology Florida Digital Service within the Department of
3061 Management Services in the adoption of rules relating to the
3062 information technology security provisions in s. 282.318.
3063 Section 33. Effective July 1, 2026, subsection (3) of
3064 section 1004.444, Florida Statutes, is amended to read:
3065 1004.444 Florida Center for Cybersecurity.—
3066 (3) Upon receiving a request for assistance from a the
3067 Department of Management Services, the Florida Digital Service,
3068 or another state agency, the center is authorized, but may not
3069 be compelled by the agency, to conduct, consult on, or otherwise
3070 assist any state-funded initiatives related to:
3071 (a) Cybersecurity training, professional development, and
3072 education for state and local government employees, including
3073 school districts and the judicial branch; and
3074 (b) Increasing the cybersecurity effectiveness of the
3075 state’s and local governments’ technology platforms and
3076 infrastructure, including school districts and the judicial
3077 branch.
3078 Section 34. Except as otherwise provided in this act, this
3079 act shall take effect July 1, 2025.