Florida Senate - 2025 SB 770
By Senator Harrell
31-00757A-25 2025770__
1 A bill to be entitled
2 An act relating to cybersecurity; amending s. 110.205,
3 F.S.; exempting the state chief technology officer
4 from the Career Service System; amending s. 282.0041,
5 F.S.; revising definitions of the terms “data” and
6 “open data”; defining the term “enterprise digital
7 data”; amending s. 282.0051, F.S.; revising the
8 purpose of the Florida Digital Service; revising the
9 timeframes for the Florida Digital Service to issue
10 certain reports to the Governor and the Legislature;
11 requiring that, by a specified date, an annual report
12 on specified alternative standards be provided to the
13 Governor and the Legislature; requiring the Florida
14 Digital Service to support state agencies with the use
15 of electronic credentials in compliance with specified
16 standards; requiring the state chief information
17 officer, in consultation with the Secretary of
18 Management Services, to designate a state chief
19 technology officer; providing requirements for such
20 position; providing the responsibilities of the state
21 chief technology officer; amending s. 282.318, F.S.;
22 revising the standards and processes for assessing
23 state agency cybersecurity risks of the Department of
24 Management Services, acting through the Florida
25 Digital Service; requiring state agencies to report
26 all ransomware and cybersecurity incidents to the
27 Cybersecurity Operations Center and the Cybercrime
28 Office; requiring the Cybersecurity Operations Center
29 to notify the state chief information officer and the
30 state chief information security officer immediately
31 of a reported incident; requiring the state chief
32 information officer, in consultation with the state
33 chief information security officer, to notify the
34 Legislature of certain reported incidents within a
35 specified timeframe; revising the timeframe during
36 which the Cybersecurity Operations Center is required
37 to provide a consolidated incident report to the
38 Governor, the Legislature, and the Florida
39 Cybersecurity Advisory Council; revising the name of
40 an Emergency Support Function from ESF-Cyber to ESF
41 20; revising the specified date by which a state
42 agency head must designate an information security
43 manager; requiring that the agency strategic
44 cybersecurity plan take the statewide cybersecurity
45 strategic plan into consideration; requiring that such
46 agency operational cybersecurity program include a
47 certain set of measures for a specified purpose;
48 requiring agency heads to require that enterprise
49 digital data be maintained in accordance with
50 specified provisions; providing construction;
51 authorizing designated members of the Legislature and
52 designated members of legislative staff to attend
53 portions of meetings where material exempt from public
54 disclosure is discussed, under certain circumstances;
55 amending s. 282.3185, F.S.; revising the timeframes in
56 which a local government must report a discovery of
57 all ransomware incidents and certain cybersecurity
58 incidents; requiring the Cybersecurity Operations
59 Center to notify immediately the state chief
60 information officer and the state chief information
61 security officer of a reported incident; requiring the
62 state chief information officer, in consultation with
63 the state chief information security officer, to
64 notify the Legislature of incidents of certain
65 severity levels within a specified timeframe; revising
66 the timeframe during which the Cybersecurity
67 Operations Center is required to provide a quarterly
68 consolidated incident report to the Legislature and
69 the Florida Cybersecurity Advisory Council; amending
70 s. 282.319, F.S.; revising the membership of the
71 Florida Cybersecurity Advisory Council; providing an
72 effective date.
73
74 Be It Enacted by the Legislature of the State of Florida:
75
76 Section 1. Paragraph (e) of subsection (2) of section
77 110.205, Florida Statutes, is amended to read:
78 110.205 Career service; exemptions.—
79 (2) EXEMPT POSITIONS.—The exempt positions that are not
80 covered by this part include the following:
81 (e) The state chief information officer, the state chief
82 data officer, the state chief technology officer, and the state
83 chief information security officer. The Department of Management
84 Services shall set the salary and benefits of these positions in
85 accordance with the rules of the Senior Management Service.
86 Section 2. Present subsections (17) through (38) of section
87 282.0041, Florida Statutes, are redesignated as subsections (18)
88 through (39), respectively, a new subsection (17) is added to
89 that section, and subsection (9) and present subsection (24) of
90 that section are amended, to read:
91 282.0041 Definitions.—As used in this chapter, the term:
92 (9) “Data” means information in a specific representation,
93 usually a sequence of symbols that have meaning. The term
94 includes, but is not limited to, numbers, text, images, audio,
95 and video. The term also includes raw material that is processed
96 and interpreted to gain insights and make decisions.
99 (17) “Enterprise digital data” means information in
100 electronic form which is deemed to be data owned by a state
101 agency and held for state purposes by the state agency. For the
102 purposes of this subsection, the term “state agency” includes
103 the Department of Legal Affairs, the Department of Agriculture
104 and Consumer Services, and the Department of Financial Services.
105 (25) “Open data” is a subset of “data” and means data
106 collected or created by a state agency, the Department of Legal
107 Affairs, the Department of Financial Services, and the
108 Department of Agriculture and Consumer Services, and structured
109 in a way that enables the data to be fully discoverable and
110 usable by the public. The term does not include data that are
111 restricted from public disclosure based on federal or state laws
112 and regulations, including, but not limited to, those related to
113 privacy, confidentiality, security, personal health, business or
114 trade secret information, and exemptions from state public
115 records laws; or data for which a state agency, the Department
116 of Legal Affairs, the Department of Financial Services, or the
117 Department of Agriculture and Consumer Services is statutorily
118 authorized to assess a fee for its distribution.
119 Section 3. Subsection (1) of section 282.0051, Florida
120 Statutes, is amended, and paragraph (c) is added to subsection
121 (2) of that section, to read:
122 282.0051 Department of Management Services; Florida Digital
123 Service; powers, duties, and functions.—
124 (1) The Florida Digital Service is established within the
125 department to lead the creation of enterprise
126 information technology and cybersecurity standards, to propose
127 and evaluate innovative solutions that securely modernize state
128 government, including technology and information services, to
129 achieve value through digital transformation and
130 interoperability, and to fully support the cloud-first policy as
131 specified in s. 282.206. The department, through the Florida
132 Digital Service, shall have the following powers, duties, and
133 functions:
134 (a) Develop and publish information technology policy for
135 the management of the state’s information technology resources.
136 (b) Develop an enterprise architecture that:
137 1. Acknowledges the unique needs of the entities within the
138 enterprise in the development and publication of standards and
139 terminologies to facilitate digital interoperability;
140 2. Supports the cloud-first policy as specified in s.
141 282.206; and
142 3. Addresses how information technology infrastructure may
143 be modernized to achieve cloud-first objectives.
144 (c) Establish project management and oversight standards
145 with which state agencies must comply when implementing
146 information technology projects. The department, acting through
147 the Florida Digital Service, shall provide training
148 opportunities to state agencies to assist in the adoption of the
149 project management and oversight standards. To support data
150 driven decisionmaking, the standards must include, but are not
151 limited to:
152 1. Performance measurements and metrics that objectively
153 reflect the status of an information technology project based on
154 a defined and documented project scope, cost, and schedule.
155 2. Methodologies for calculating acceptable variances in
156 the projected versus actual scope, schedule, or cost of an
157 information technology project.
158 3. Reporting requirements, including requirements designed
159 to alert all defined stakeholders that an information technology
160 project has exceeded acceptable variances defined and documented
161 in a project plan.
162 4. Content, format, and frequency of project updates.
163 5. Technical standards to ensure an information technology
164 project complies with the enterprise architecture.
165 (d) Perform project oversight on all state agency
166 information technology projects that have total project costs of
167 $10 million or more and that are funded in the General
168 Appropriations Act or any other law. The department, acting
169 through the Florida Digital Service, shall report, by the 30th
170 day after the end of each quarter, to the
171 Executive Office of the Governor, the President of the Senate,
172 and the Speaker of the House of Representatives on any
173 information technology project that the department identifies as
174 high-risk due to the project exceeding acceptable variance
175 ranges defined and documented in a project plan. The report must
176 include a risk assessment, including fiscal risks, associated
177 with proceeding to the next stage of the project, and a
178 recommendation for corrective actions required, including
179 suspension or termination of the project.
180 (e) Identify opportunities for standardization and
181 consolidation of information technology services that support
182 interoperability and the cloud-first policy, as specified in s.
183 282.206, and business functions and operations, including
184 administrative functions such as purchasing, accounting and
185 reporting, cash management, and personnel, and that are common
186 across state agencies. The department, acting through the
187 Florida Digital Service, shall biennially on January 31 of
188 each even-numbered year provide recommendations for
189 standardization and consolidation to the Executive Office of the
190 Governor, the President of the Senate, and the Speaker of the
191 House of Representatives.
192 (f) Establish best practices for the procurement of
193 information technology products and cloud-computing services in
194 order to reduce costs, increase the quality of data center
195 services, or improve government services.
196 (g) Develop standards for information technology reports
197 and updates, including, but not limited to, operational work
198 plans, project spend plans, and project status reports, for use
199 by state agencies.
200 (h) Upon request, assist state agencies in the development
201 of information technology-related legislative budget requests.
202 (i) Conduct annual assessments of state agencies to
203 determine compliance with all information technology standards
204 and guidelines developed and published by the department and
205 provide results of the assessments to the Executive Office of
206 the Governor, the President of the Senate, and the Speaker of
207 the House of Representatives.
208 (j) Conduct a market analysis not less frequently than
209 every 3 years beginning in 2021 to determine whether the
210 information technology resources within the enterprise are
211 utilized in the most cost-effective and cost-efficient manner,
212 while recognizing that the replacement of certain legacy
213 information technology systems within the enterprise may be cost
214 prohibitive or cost inefficient due to the remaining useful life
215 of those resources; whether the enterprise is complying with the
216 cloud-first policy specified in s. 282.206; and whether the
217 enterprise is utilizing best practices with respect to
218 information technology, information services, and the
219 acquisition of emerging technologies and information services.
220 Each market analysis shall be used to prepare a strategic plan
221 for continued and future information technology and information
222 services for the enterprise, including, but not limited to,
223 proposed acquisition of new services or technologies and
224 approaches to the implementation of any new services or
225 technologies. Copies of each market analysis and accompanying
226 strategic plan must be submitted to the Executive Office of the
227 Governor, the President of the Senate, and the Speaker of the
228 House of Representatives not later than December 31 of each year
229 that a market analysis is conducted.
230 (k) Recommend other information technology services that
231 should be designed, delivered, and managed as enterprise
232 information technology services. Recommendations must include
233 the identification of existing information technology resources
234 associated with the services, if existing services must be
235 transferred as a result of being delivered and managed as
236 enterprise information technology services.
237 (l) In consultation with state agencies, propose a
238 methodology and approach for identifying and collecting both
239 current and planned information technology expenditure data at
240 the state agency level.
241 (m)1. Notwithstanding any other law, provide project
242 oversight on any information technology project of the
243 Department of Financial Services, the Department of Legal
244 Affairs, and the Department of Agriculture and Consumer Services
245 which has a total project cost of $20 million or more. Such
246 information technology projects must also comply with the
247 applicable information technology architecture, project
248 management and oversight, and reporting standards established by
249 the department, acting through the Florida Digital Service.
250 2. When performing the project oversight function specified
251 in subparagraph 1., report, by the 30th day after the end of
252 each quarter, to the Executive Office of the
253 Governor, the President of the Senate, and the Speaker of the
254 House of Representatives on any information technology project
255 that the department, acting through the Florida Digital Service,
256 identifies as high-risk due to the project exceeding acceptable
257 variance ranges defined and documented in the project plan. The
258 report shall include a risk assessment, including fiscal risks,
259 associated with proceeding to the next stage of the project and
260 a recommendation for corrective actions required, including
261 suspension or termination of the project.
262 (n) If an information technology project implemented by a
263 state agency must be connected to or otherwise accommodated by
264 an information technology system administered by the Department
265 of Financial Services, the Department of Legal Affairs, or the
266 Department of Agriculture and Consumer Services, consult with
267 these departments regarding the risks and other effects of such
268 projects on their information technology systems and work
269 cooperatively with these departments regarding the connections,
270 interfaces, timing, or accommodations required to implement such
271 projects.
272 (o) If adherence to standards or policies adopted by or
273 established pursuant to this section causes conflict with
274 federal regulations or requirements imposed on an entity within
275 the enterprise and results in adverse action against an entity
276 or federal funding, work with the entity to provide alternative
277 standards, policies, or requirements that do not conflict with
278 the federal regulation or requirement. The department, acting
279 through the Florida Digital Service, shall annually report, by
280 January 31, such alternative standards to the Executive Office
281 of the Governor, the President of the Senate, and the Speaker of
282 the House of Representatives.
283 (p)1. Establish an information technology policy for all
284 information technology-related state contracts, including state
285 term contracts for information technology commodities,
286 consultant services, and staff augmentation services. The
287 information technology policy must include:
288 a. Identification of the information technology product and
289 service categories to be included in state term contracts.
290 b. Requirements to be included in solicitations for state
291 term contracts.
292 c. Evaluation criteria for the award of information
293 technology-related state term contracts.
294 d. The term of each information technology-related state
295 term contract.
296 e. The maximum number of vendors authorized on each state
297 term contract.
298 f. At a minimum, a requirement that any contract for
299 information technology commodities or services meet the National
300 Institute of Standards and Technology Cybersecurity Framework.
301 g. For an information technology project wherein project
302 oversight is required pursuant to paragraph (d) or paragraph
303 (m), a requirement that independent verification and validation
304 be employed throughout the project life cycle with the primary
305 objective of independent verification and validation being to
306 provide an objective assessment of products and processes
307 throughout the project life cycle. An entity providing
308 independent verification and validation may not have technical,
309 managerial, or financial interest in the project and may not
310 have responsibility for, or participate in, any other aspect of
311 the project.
312 2. Evaluate vendor responses for information technology
313 related state term contract solicitations and invitations to
314 negotiate.
315 3. Answer vendor questions on information technology
316 related state term contract solicitations.
317 4. Ensure that the information technology policy
318 established pursuant to subparagraph 1. is included in all
319 solicitations and contracts that are administratively executed
320 by the department.
321 (q) Recommend potential methods for standardizing data
322 across state agencies which will promote interoperability and
323 reduce the collection of duplicative data.
324 (r) Recommend open data technical standards and
325 terminologies for use by the enterprise.
326 (s) Support state agencies with the use of electronic
327 credentials in compliance with the enterprise architecture
328 standards.
330 (2)
331 (c) The state chief information officer, in consultation
332 with the Secretary of Management Services, shall designate a
333 state chief technology officer who must have significant and
334 substantive experience in information technology, operational
335 technology, technology-related projects, and enterprise
336 architecture. The state chief technology officer is responsible
337 for all of the following:
338 1. Conducting comprehensive evaluations of potential
339 technological solutions and cultivating strategic partnerships
340 with state enterprise agencies to leverage the state’s
341 technological capabilities.
342 2. Supporting program management of enterprise information
343 technology initiatives; providing advisory support for
344 technology-related projects; and continuously identifying and
345 recommending best practices to optimize outcomes of technology
346 projects and enhance the enterprise’s technological efficiency
347 and effectiveness.
348 Section 4. Subsection (3), paragraphs (a) and (c) of
349 subsection (4), and subsection (6) of section 282.318, Florida
350 Statutes, are amended, and paragraph (j) is added to subsection
351 (4) of that section, to read:
352 282.318 Cybersecurity.—
353 (3) The department, acting through the Florida Digital
354 Service, is the lead entity responsible for establishing
355 standards and processes for assessing state agency cybersecurity
356 risks, including threats to enterprise digital data, and
357 determining appropriate security measures that comply with all
358 national and state data compliance security standards. Such
359 standards and processes must be consistent with generally
360 accepted technology best practices, including the National
361 Institute of Standards and Technology Cybersecurity Framework,
362 for cybersecurity. The department, acting through the Florida
363 Digital Service, shall adopt rules that mitigate risks;
364 safeguard state agency digital assets, data, information, and
365 information technology resources to ensure availability,
366 confidentiality, and integrity; and support a security
367 governance framework. The department, acting through the Florida
368 Digital Service, shall also:
369 (a) Designate an employee of the Florida Digital Service as
370 the state chief information security officer. The state chief
371 information security officer must have experience and expertise
372 in security and risk management for communications and
373 information technology resources. The state chief information
374 security officer is responsible for the development, operation,
375 and oversight of cybersecurity for state technology systems. The
376 state chief information security officer shall be notified of
377 all confirmed or suspected incidents or threats of state agency
378 information technology resources and must report such incidents
379 or threats to the state chief information officer and the
380 Governor.
381 (b) Develop, and annually update by February 1, a statewide
382 cybersecurity strategic plan that includes security goals and
383 objectives for cybersecurity, including the identification and
384 mitigation of risk, proactive protections against threats,
385 tactical risk detection, threat reporting, and response and
386 recovery protocols for a cyber incident.
387 (c) Develop and publish for use by state agencies a
388 cybersecurity governance framework that, at a minimum, includes
389 guidelines and processes for:
390 1. Establishing asset management procedures to ensure that
391 an agency’s information technology resources are identified and
392 managed consistent with their relative importance to the
393 agency’s business objectives.
394 2. Using a standard risk assessment methodology that
395 includes the identification of an agency’s priorities,
396 constraints, risk tolerances, and assumptions necessary to
397 support operational risk decisions.
398 3. Completing comprehensive risk assessments and
399 cybersecurity audits, which may be completed by a private sector
400 vendor, and submitting completed assessments and audits to the
401 department.
402 4. Identifying protection procedures to manage the
403 protection of an agency’s information, data, and information
404 technology resources.
405 5. Establishing procedures for accessing information and
406 data to ensure the confidentiality, integrity, and availability
407 of such information and data.
408 6. Detecting threats through proactive monitoring of
409 events, continuous security monitoring, and defined detection
410 processes.
411 7. Establishing agency cybersecurity incident response
412 teams and describing their responsibilities for responding to
413 cybersecurity incidents, including breaches of personal
414 information containing confidential or exempt data.
415 8. Recovering information and data in response to a
416 cybersecurity incident. The recovery may include recommended
417 improvements to the agency processes, policies, or guidelines.
418 9. Establishing a cybersecurity incident reporting process
419 that includes procedures for notifying the department and the
420 Department of Law Enforcement of cybersecurity incidents.
421 a. The level of severity of the cybersecurity incident is
422 defined by the National Cyber Incident Response Plan of the
423 United States Department of Homeland Security as follows:
424 (I) Level 5 is an emergency-level incident within the
425 specified jurisdiction that poses an imminent threat to the
426 provision of wide-scale critical infrastructure services;
427 national, state, or local government security; or the lives of
428 the country’s, state’s, or local government’s residents.
429 (II) Level 4 is a severe-level incident that is likely to
430 result in a significant impact in the affected jurisdiction to
431 public health or safety; national, state, or local security;
432 economic security; or civil liberties.
433 (III) Level 3 is a high-level incident that is likely to
434 result in a demonstrable impact in the affected jurisdiction to
435 public health or safety; national, state, or local security;
436 economic security; civil liberties; or public confidence.
437 (IV) Level 2 is a medium-level incident that may impact
438 public health or safety; national, state, or local security;
439 economic security; civil liberties; or public confidence.
440 (V) Level 1 is a low-level incident that is unlikely to
441 impact public health or safety; national, state, or local
442 security; economic security; civil liberties; or public
443 confidence.
444 b. The cybersecurity incident reporting process must
445 specify the information that must be reported by a state agency
446 following a cybersecurity incident or ransomware incident,
447 which, at a minimum, must include the following:
448 (I) A summary of the facts surrounding the cybersecurity
449 incident or ransomware incident.
450 (II) The date on which the state agency most recently
451 backed up its data; the physical location of the backup, if the
452 backup was affected; and if the backup was created using cloud
453 computing.
454 (III) The types of data compromised by the cybersecurity
455 incident or ransomware incident.
456 (IV) The estimated fiscal impact of the cybersecurity
457 incident or ransomware incident.
458 (V) In the case of a ransomware incident, the details of
459 the ransom demanded.
460 c.(I) A state agency shall report all ransomware incidents
461 and any cybersecurity incidents determined by the state
462 agency to be of severity level 3, 4, or 5 to the Cybersecurity
463 Operations Center and the Cybercrime Office of the Department of
464 Law Enforcement as soon as possible but no later than 48 hours
465 after discovery of the cybersecurity incident and no later than
466 12 hours after discovery of the ransomware incident. The report
467 must contain the information required in sub-subparagraph b.
468 (II) The Cybersecurity Operations Center shall immediately
469 notify the state chief information officer and the state chief
470 information security officer of a reported incident. The state
471 chief information officer, in consultation with the state chief
472 information security officer, shall notify the President of the
473 Senate and the Speaker of the House of Representatives of any
474 severity level 3, 4, or 5 incident as soon as possible but no
475 later than 12 hours after receiving a state agency’s incident
476 report. The notification must include a high-level description
477 of the incident and the likely effects.
478 d. A state agency shall report a cybersecurity incident
479 determined by the state agency to be of severity level 1 or 2 to
480 the Cybersecurity Operations Center and the Cybercrime Office of
481 the Department of Law Enforcement as soon as possible. The
482 report must contain the information required in sub-subparagraph
483 b.
484 e. The Cybersecurity Operations Center shall provide a
485 consolidated incident report by the 30th day after the end of
486 each quarter to the Governor, the President of the Senate, the
487 Speaker of the House of Representatives, and the Florida
488 Cybersecurity Advisory Council.
489 The report provided to the Florida Cybersecurity Advisory
490 Council may not contain the name of any agency, network
491 information, or system identifying information but must contain
492 sufficient relevant information to allow the Florida
493 Cybersecurity Advisory Council to fulfill its responsibilities
494 as required in s. 282.319(9).
495 10. Incorporating information obtained through detection
496 and response activities into the agency’s cybersecurity incident
497 response plans.
498 11. Developing agency strategic and operational
499 cybersecurity plans required pursuant to this section.
500 12. Establishing the managerial, operational, and technical
501 safeguards for protecting state government data and information
502 technology resources that align with the state agency risk
503 management strategy and that protect the confidentiality,
504 integrity, and availability of information and data.
505 13. Establishing procedures for procuring information
506 technology commodities and services that require the commodity
507 or service to meet the National Institute of Standards and
508 Technology Cybersecurity Framework.
509 14. Submitting after-action reports following a
510 cybersecurity incident or ransomware incident. Such guidelines
511 and processes for submitting after-action reports must be
512 developed and published by December 1, 2022.
513 (d) Assist state agencies in complying with this section.
514 (e) In collaboration with the Cybercrime Office of the
515 Department of Law Enforcement, annually provide training for
516 state agency information security managers and computer security
517 incident response team members that contains training on
518 cybersecurity, including cybersecurity threats, trends, and best
519 practices.
520 (f) Annually review the strategic and operational
521 cybersecurity plans of state agencies.
522 (g) Annually provide cybersecurity training to all state
523 agency technology professionals and employees with access to
524 highly sensitive information which develops, assesses, and
525 documents competencies by role and skill level. The
526 cybersecurity training curriculum must include training on the
527 identification of each cybersecurity incident severity level
528 referenced in sub-subparagraph (c)9.a. The training may be
529 provided in collaboration with the Cybercrime Office of the
530 Department of Law Enforcement, a private sector entity, or an
531 institution of the State University System.
532 (h) Operate and maintain a Cybersecurity Operations Center
533 led by the state chief information security officer, which must
534 be primarily virtual and staffed with tactical detection and
535 incident response personnel. The Cybersecurity Operations Center
536 shall serve as a clearinghouse for threat information and
537 coordinate with the Department of Law Enforcement to support
538 state agencies and their response to any confirmed or suspected
539 cybersecurity incident.
540 (i) Lead an Emergency Support Function, ESF-20,
541 under the state comprehensive emergency management plan as
542 described in s. 252.35.
543 (4) Each state agency head shall, at a minimum:
544 (a) Designate an information security manager to administer
545 the cybersecurity program of the state agency. This designation
546 must be provided annually in writing to the department by
547 January 31. A state agency’s information security manager, for
548 purposes of these information security duties, shall report
549 directly to the agency head.
550 (c) Submit to the department annually by July 31, the state
551 agency’s strategic and operational cybersecurity plans developed
552 pursuant to rules and guidelines established by the department,
553 through the Florida Digital Service.
554 1. The state agency strategic cybersecurity plan must cover
555 a 3-year period and, at a minimum, define security goals,
556 intermediate objectives, and projected agency costs for the
557 strategic issues of agency information security policy, risk
558 management, security training, security incident response, and
559 disaster recovery. The plan must take be based on the statewide
560 cybersecurity strategic plan created by the department into
561 consideration and include performance metrics that can be
562 objectively measured to reflect the status of the state agency’s
563 progress in meeting security goals and objectives identified in
564 the agency’s strategic information security plan.
565 2. The state agency operational cybersecurity plan must
566 include a set of measures that objectively assess the
567 performance of the agency’s cybersecurity program in accordance
568 with its risk management plan progress report that objectively
569 measures progress made towards the prior operational
570 cybersecurity plan and a project plan that includes activities,
571 timelines, and deliverables for security objectives that the
572 state agency will implement during the current fiscal year.
573 (j) Require that enterprise digital data be maintained in
574 accordance with chapter 119. This paragraph may not be construed
575 to create, modify, abrogate, or expand an exemption from public
576 records requirements under s. 119.07(1) or s. 24(a), Art. I of
577 the State Constitution.
578 (6)(a) Those portions of a public meeting as specified in
579 s. 286.011 which would reveal records which are confidential and
580 exempt under subsection (5) are exempt from s. 286.011 and s.
581 24(b), Art. I of the State Constitution. No exempt portion of an
582 exempt meeting may be off the record. All exempt portions of
583 such meeting shall be recorded and transcribed. Such recordings
584 and transcripts are confidential and exempt from disclosure
585 under s. 119.07(1) and s. 24(a), Art. I of the State
586 Constitution unless a court of competent jurisdiction, after an
587 in camera review, determines that the meeting was not restricted
588 to the discussion of data and information made confidential and
589 exempt by this section. In the event of such a judicial
590 determination, only that portion of the recording and transcript
591 which reveals nonexempt data and information may be disclosed to
592 a third party.
593 (b) If authorized in writing by the President of the Senate
594 or the Speaker of the House of Representatives, as applicable,
595 designated members of the Legislature and legislative staff may
596 attend those portions of a meeting which are exempt under
597 paragraph (a).
598 Section 5. Subsection (5) of section 282.3185, Florida
599 Statutes, is amended to read:
600 282.3185 Local government cybersecurity.—
601 (5) INCIDENT NOTIFICATION.—
602 (a) A local government shall provide notification of a
603 cybersecurity incident or ransomware incident to the
604 Cybersecurity Operations Center, Cybercrime Office of the
605 Department of Law Enforcement, and sheriff who has jurisdiction
606 over the local government in accordance with paragraph (b). The
607 notification must include, at a minimum, the following
608 information:
609 1. A summary of the facts surrounding the cybersecurity
610 incident or ransomware incident.
611 2. The date on which the local government most recently
612 backed up its data; the physical location of the backup, if the
613 backup was affected; and if the backup was created using cloud
614 computing.
615 3. The types of data compromised by the cybersecurity
616 incident or ransomware incident.
617 4. The estimated fiscal impact of the cybersecurity
618 incident or ransomware incident.
619 5. In the case of a ransomware incident, the details of the
620 ransom demanded.
621 6. A statement requesting or declining assistance from the
622 Cybersecurity Operations Center, the Cybercrime Office of the
623 Department of Law Enforcement, or the sheriff who has
624 jurisdiction over the local government.
625 (b)1. A local government shall report all ransomware
626 incidents and any cybersecurity incident determined by the local
627 government to be of severity level 3, 4, or 5 as provided in s.
628 282.318(3)(c) to the Cybersecurity Operations Center, the
629 Cybercrime Office of the Department of Law Enforcement, and the
630 sheriff who has jurisdiction over the local government as soon
631 as possible but no later than 12 48 hours after discovery of the
632 cybersecurity incident and no later than 6 12 hours after
633 discovery of the ransomware incident. The report must contain
634 the information required in paragraph (a).
635 2. The Cybersecurity Operations Center shall immediately
636 notify the state chief information officer and state chief
637 information security officer of a reported incident. The state
638 chief information officer, in consultation with the state chief
639 information security officer, shall notify the President of the
640 Senate and the Speaker of the House of Representatives of any
641 severity level 3, 4, or 5 incident as soon as possible but no
642 later than 12 hours after receiving a local government’s
643 incident report. The notification must include a high-level
644 description of the incident and the likely effects.
645 (c) A local government may report a cybersecurity incident
646 determined by the local government to be of severity level 1 or
647 2 as provided in s. 282.318(3)(c) to the Cybersecurity
648 Operations Center, the Cybercrime Office of the Department of
649 Law Enforcement, and the sheriff who has jurisdiction over the
650 local government. The report must shall contain the information
651 required in paragraph (a).
652 (d) The Cybersecurity Operations Center shall provide a
653 consolidated incident report by the 30th day after the end of
654 each quarter on a quarterly basis to the President of the
655 Senate, the Speaker of the House of Representatives, and the
656 Florida Cybersecurity Advisory Council. The report provided to
657 the Florida Cybersecurity Advisory Council may not contain the
658 name of any local government, network information, or system
659 identifying information but must contain sufficient relevant
660 information to allow the Florida Cybersecurity Advisory Council
661 to fulfill its responsibilities as required in s. 282.319(9).
662 Section 6. Subsection (4) of section 282.319, Florida
663 Statutes, is amended to read:
664 282.319 Florida Cybersecurity Advisory Council.—
665 (4) The council shall be composed comprised of the
666 following members:
667 (a) The Lieutenant Governor, or his or her designee.
668 (b) The state chief information officer.
669 (c) The state chief information security officer.
670 (d) The director of the Division of Emergency Management,
671 or his or her designee.
672 (e) A representative of the computer crime center of the
673 Department of Law Enforcement, appointed by the executive
674 director of the Department of Law Enforcement.
675 (f) A representative of the Florida Fusion Center of the
676 Department of Law Enforcement, appointed by the executive
677 director of the Department of Law Enforcement.
678 (g) No more than two representatives from local government,
679 appointed by the Governor The Chief Inspector General.
680 (h) A representative from the Public Service Commission.
681 (i) No more than Up to two representatives from
682 institutions of higher education located in this state,
683 appointed by the Governor.
684 (j) Three representatives from critical infrastructure
685 sectors, one of whom must be from a water treatment facility,
686 appointed by the Governor.
687 (k) Four representatives of the private sector with senior
688 level experience in cybersecurity or software engineering from
689 within the finance, energy, health care, and transportation
690 sectors, appointed by the Governor.
691 (l) Two representatives with expertise on emerging
692 technology, with one appointed by the President of the Senate
693 and one appointed by the Speaker of the House of
694 Representatives.
695 (m) The Chief Inspector General, who shall serve as an ex
696 officio, nonvoting member of the council.
697 Section 7. This act shall take effect July 1, 2025.