Florida Senate - 2026 COMMITTEE AMENDMENT
Bill No. SB 480
LEGISLATIVE ACTION
Senate: Comm: RCS, 02/04/2026
House: (no action recorded)
The Appropriations Committee on Agriculture, Environment, and
General Government (Harrell) recommended the following:
1 Senate Amendment (with title amendment)
2
3 Delete everything after the enacting clause
4 and insert:
5 Section 1. All duties, functions, records, pending issues,
6 existing contracts, administrative authority, and administrative
7 rules relating to the Florida Digital Service are transferred by
8 a type two transfer, as described in s. 20.06, Florida Statutes,
9 to the Division of Integrated Government Innovation and
10 Technology as created by this act. Any unexpended balances of
11 appropriations, allocations, and other public funds will revert
12 or will be appropriated or allocated as provided in the General
13 Appropriations Act or otherwise by law.
14 Section 2. Section 14.205, Florida Statutes, is created to
15 read:
16 14.205 Division of Integrated Government Innovation and
17 Technology.—
18 (1) The Division of Integrated Government Innovation and
19 Technology is established within the Executive Office of the
20 Governor. The division shall be a separate budget entity, as
21 provided in the General Appropriations Act, and shall prepare
22 and submit a budget request in accordance with chapter 216. The
23 division shall be responsible for all professional, technical,
24 and administrative support functions necessary to carry out its
25 responsibilities under chapter 282 and as otherwise provided in
26 law.
27 (2)(a) The director of the division shall serve as the
28 state chief information officer. The director shall be appointed
29 by the Governor, subject to confirmation by the Senate. The
30 state chief information officer is prohibited from having any
31 financial, personal, or business conflicts of interest related
32 to technology vendors, contractors, or other information
33 technology service providers doing business with the state.
34 (b) The state chief information officer must meet the
35 following qualifications:
36 1. Education requirements.—The state chief information
37 officer must meet one of the following criteria:
38 a. Hold a bachelor’s degree from an accredited institution
39 in information technology, computer science, business
40 administration, public administration, or a related field; or
41 b. Hold a master’s degree in any of the fields listed in
42 sub-subparagraph a., which may be substituted for a portion of
43 the professional experience requirements in subparagraph 2.
44 2. Professional experience requirements.—The state chief
45 information officer must have at least 10 years of progressively
46 responsible experience in information technology management,
47 digital transformation, cybersecurity, or information technology
48 governance, including:
49 a. A minimum of 5 years in an executive or senior
50 leadership role, overseeing information technology strategy,
51 operations, or enterprise technology management, in either the
52 public or private sector;
53 b. Managing large-scale information technology projects,
54 enterprise infrastructure, and implementation of emerging
55 technologies;
56 c. Budget planning, procurement oversight, and financial
57 management of information technology investments; and
58 d. Working with state and federal information technology
59 regulations, digital services, and cybersecurity compliance
60 frameworks.
61 3. Technical and policy expertise.—The state chief
62 information officer must have demonstrated expertise in:
63 a. Cybersecurity and data protection by demonstrating
64 knowledge of cybersecurity risk management, compliance with the
65 National Institute of Standards and Technology Cybersecurity
66 Framework, ISO 27001, and applicable federal and state security
67 regulations;
68 b. Cloud and digital services with experience in cloud
69 computing, enterprise systems modernization, digital
70 transformation, and emerging information technology trends;
71 c. Information technology governance and policy development
72 by demonstrating an understanding of statewide information
73 technology governance structures, digital services, and
74 information technology procurement policies; and
75 d. Public sector information technology management by
76 demonstrating familiarity with government information technology
77 funding models, procurement requirements, and legislative
78 processes affecting information technology strategy.
79 4. Leadership and administrative competencies.—The state
80 chief information officer must demonstrate:
81 a. Strategic vision and innovation by possessing the
82 capability to modernize information technology systems, drive
83 digital transformation, and align information technology
84 initiatives with state goals;
85 b. Collaboration and engagement with stakeholders by
86 working with legislators, state agency heads, local governments,
87 and private sector partners to implement information technology
88 initiatives;
89 c. Crisis management and cyber resilience by possessing the
90 capability to develop and lead cyber incident response, disaster
91 recovery, and information technology continuity plans; and
92 d. Fiscal management and budget expertise managing multi
93 million-dollar information technology budgets, cost-control
94 strategies, and financial oversight of information technology
95 projects.
96 (3) The deputy director of the division shall serve as the
97 deputy chief information officer.
98 (4) The director shall select separate individuals to serve
99 as the state chief information security officer, state chief
100 data officer, state chief technology officer, and state chief
101 technology procurement officer.
102 Section 3. Until a state chief information officer is
103 appointed pursuant to s. 14.205, Florida Statutes, the current
104 state chief information officer of the Department of Management
105 Services shall be transferred to the Division of Integrated
106 Government Innovation and Technology and serve as interim state
107 chief information officer. A state chief information officer for
108 the Division of Integrated Government Innovation and Technology
109 must be appointed by the Governor by June 30, 2027.
110 Section 4. Subsection (6) of section 20.055, Florida
111 Statutes, is amended to read:
112 20.055 Agency inspectors general.—
113 (6) In carrying out the auditing duties and
114 responsibilities of this act, each inspector general shall
115 review and evaluate internal controls necessary to ensure the
116 fiscal accountability of the state agency. The inspector general
117 shall conduct financial, compliance, electronic data processing,
118 and performance audits of the agency and prepare audit reports
119 of his or her findings. The scope and assignment of the audits
120 are shall be determined by the inspector general; however, the
121 agency head may at any time request the inspector general to
122 perform an audit of a special program, function, or
123 organizational unit. In addition to the duties prescribed in
124 this section, each inspector general annually shall review and
125 report on whether agency practices related to information
126 technology reporting, projects, contracts, and procurements are
127 consistent with the applicable reporting requirements and
128 standards published by the Division of Integrated Government
129 Innovation and Technology within the Executive Office of the
130 Governor. The inspector general shall prepare an annual agency
131 information technology compliance report that assesses the
132 adequacy of internal controls, documentation, and implementation
133 processes to ensure conformity with statewide information
134 technology governance, security, and performance standards. The
135 performance of the audits is audit shall be under the direction
136 of the inspector general, except that if the inspector general
137 does not possess the qualifications specified in subsection (4),
138 the director of auditing must shall perform the functions listed
139 in this subsection.
140 (a) Such audits must shall be conducted in accordance with
141 the current International Standards for the Professional
142 Practice of Internal Auditing as published by the Institute of
143 Internal Auditors, Inc., or, where appropriate, in accordance
144 with generally accepted governmental auditing standards. All
145 audit reports issued by internal audit staff must shall include
146 a statement that the audit was conducted pursuant to the
147 appropriate standards.
148 (b) Audit workpapers and reports are shall be public
149 records to the extent that they do not include information which
150 has been made confidential and exempt from the provisions of s.
151 119.07(1) pursuant to law. However, when the inspector general
152 or a member of the staff receives from an individual a complaint
153 or information that falls within the definition provided in s.
154 112.3187(5), the name or identity of the individual may not be
155 disclosed to anyone else without the written consent of the
156 individual, unless the inspector general determines that such
157 disclosure is unavoidable during the course of the audit or
158 investigation.
159 (c) The inspector general and the staff shall have access
160 to any records, data, and other information of the state agency
161 he or she deems necessary to carry out his or her duties. The
162 inspector general may also request such information or
163 assistance as may be necessary from the state agency or from any
164 federal, state, or local government entity.
165 (d) At the conclusion of each audit, the inspector general
166 shall submit preliminary findings and recommendations to the
167 person responsible for supervision of the program function or
168 operational unit who shall respond to any adverse findings
169 within 20 working days after receipt of the preliminary
170 findings. Such response and the inspector general’s rebuttal to
171 the response must shall be included in the final audit report.
172 (e) At the conclusion of an audit in which the subject of
173 the audit is a specific entity contracting with the state or an
174 individual substantially affected, if the audit is not
175 confidential or otherwise exempt from disclosure by law, the
176 inspector general must shall, consistent with s. 119.07(1),
177 submit the findings to the entity contracting with the state or
178 the individual substantially affected, who must shall be advised
179 in writing that they may submit a written response within 20
180 working days after receipt of the findings. The response and the
181 inspector general’s rebuttal to the response, if any, must be
182 included in the final audit report.
183 (f) The inspector general shall submit the final report to
184 the agency head, the Auditor General, and, for state agencies
185 under the jurisdiction of the Governor, the Chief Inspector
186 General.
187 1. The agency information technology compliance reports
188 must be submitted to the agency head, the Auditor General, and,
189 for state agencies under the jurisdiction of the Governor, the
190 Chief Inspector General by September 30 of each year.
191 2. The Chief Inspector General shall review the annual
192 agency information technology compliance reports submitted by
193 agency inspectors general under the jurisdiction of the Governor
194 and shall prepare a consolidated statewide information
195 technology compliance report summarizing agency performance,
196 findings, and recommendations for improvement. The consolidated
197 report must be submitted to the Executive Office of the
198 Governor, the President of the Senate, and the Speaker of the
199 House of Representatives by December 1 of each year.
200 3. Agency heads for agencies not under the jurisdiction of
201 the Governor shall submit the annual agency information
202 technology compliance reports to the Executive Office of the
203 Governor, the President of the Senate, and the Speaker of the
204 House of Representatives by December 1 of each year.
205 (g) The Auditor General, in connection with the independent
206 postaudit of the same agency pursuant to s. 11.45, shall give
207 appropriate consideration to internal audit reports and the
208 resolution of findings therein. The Legislative Auditing
209 Committee may inquire into the reasons or justifications for
210 failure of the agency head to correct the deficiencies reported
211 in internal audits that are also reported by the Auditor General
212 and shall take appropriate action.
213 (h) The inspector general shall monitor the implementation
214 of the state agency’s response to any report on the state agency
215 issued by the Auditor General or by the Office of Program Policy
216 Analysis and Government Accountability. No later than 6 months
217 after the Auditor General or the Office of Program Policy
218 Analysis and Government Accountability publishes a report on the
219 state agency, the inspector general shall provide a written
220 response to the agency head or, for state agencies under the
221 jurisdiction of the Governor, the Chief Inspector General on the
222 status of corrective actions taken. The inspector general shall
223 file a copy of such response with the Legislative Auditing
224 Committee.
225 (i) The inspector general shall develop long-term and
226 annual audit plans based on the findings of periodic risk
227 assessments. The plan, where appropriate, should include
228 postaudit samplings of payments and accounts. The plan must
229 shall show the individual audits to be conducted during each
230 year and related resources to be devoted to the respective
231 audits. The plan must shall include a specific cybersecurity
232 audit plan. The Chief Financial Officer, to assist in fulfilling
233 the responsibilities for examining, auditing, and settling
234 accounts, claims, and demands pursuant to s. 17.03(1), and
235 examining, auditing, adjusting, and settling accounts pursuant
236 to s. 17.04, may use audits performed by the inspectors general
237 and internal auditors. For state agencies under the jurisdiction
238 of the Governor, the audit plans must shall be submitted to the
239 Chief Inspector General. The plan must shall be submitted to the
240 agency head for approval. A copy of the approved plan must shall
241 be submitted to the Auditor General.
242 Section 5. Paragraph (b) of subsection (3) of section
243 97.0525, Florida Statutes, is amended to read:
244 97.0525 Online voter registration.—
245 (3)
246 (b) The division shall conduct a comprehensive risk
247 assessment of the online voter registration system every 2
248 years. The comprehensive risk assessment must comply with the
249 risk assessment methodology developed by the Division of
250 Integrated Government Innovation and Technology within the
251 Executive Office of the Governor Department of Management
252 Services for identifying security risks, determining the
253 magnitude of such risks, and identifying areas that require
254 safeguards. In addition, the comprehensive risk assessment must
255 incorporate all of the following:
256 1. Load testing and stress testing to ensure that the
257 online voter registration system has sufficient capacity to
258 accommodate foreseeable use, including during periods of high
259 volume of website users in the week immediately preceding the
260 book-closing deadline for an election.
261 2. Screening of computers and networks used to support the
262 online voter registration system for malware and other
263 vulnerabilities.
264 3. Evaluation of database infrastructure, including
265 software and operating systems, in order to fortify defenses
266 against cyberattacks.
267 4. Identification of any anticipated threats to the
268 security and integrity of data collected, maintained, received,
269 or transmitted by the online voter registration system.
270 Section 6. Paragraphs (a) and (f) of subsection (1),
271 paragraphs (b) and (c) of subsection (2), and subsections (3)
272 and (4) of section 112.22, Florida Statutes, are amended to
273 read:
274 112.22 Use of applications from foreign countries of
275 concern prohibited.—
276 (1) As used in this section, the term:
277 (a) “DIGIT” means the Division of Integrated Government
278 Innovation and Technology within the Executive Office of the
279 Governor “Department” means the Department of Management
280 Services.
281 (f) “Prohibited application” means an application that
282 meets the following criteria:
283 1. Any Internet application that is created, maintained, or
284 owned by a foreign principal and that participates in activities
285 that include, but are not limited to:
286 a. Collecting keystrokes or sensitive personal, financial,
287 proprietary, or other business data;
288 b. Compromising e-mail and acting as a vector for
289 ransomware deployment;
290 c. Conducting cyber-espionage against a public employer;
291 d. Conducting surveillance and tracking of individual
292 users; or
293 e. Using algorithmic modifications to conduct
294 disinformation or misinformation campaigns; or
295 2. Any Internet application that DIGIT the department deems
296 to present a security risk in the form of unauthorized access to
297 or temporary unavailability of the public employer’s records,
298 digital assets, systems, networks, servers, or information.
299 (2)
300 (b) A person, including an employee or officer of a public
301 employer, may not download or access any prohibited application
302 on any government-issued device.
303 1. This paragraph does not apply to a law enforcement
304 officer as defined in s. 943.10(1) if the use of the prohibited
305 application is necessary to protect the public safety or conduct
306 an investigation within the scope of his or her employment.
307 2. A public employer may request a waiver from DIGIT the
308 department to allow designated employees or officers to download
309 or access a prohibited application on a government-issued
310 device.
311 (c) Within 15 calendar days after DIGIT the department
312 issues or updates its list of prohibited applications pursuant
313 to paragraph (3)(a), an employee or officer of a public employer
314 who uses a government-issued device must remove, delete, or
315 uninstall any prohibited applications from his or her
316 government-issued device.
317 (3) DIGIT The department shall do all of the following:
318 (a) Compile and maintain a list of prohibited applications
319 and publish the list on its website. DIGIT The department shall
320 update this list quarterly and shall provide notice of any
321 update to public employers.
322 (b) Establish procedures for granting or denying requests
323 for waivers pursuant to subparagraph (2)(b)2. The request for a
324 waiver must include all of the following:
325 1. A description of the activity to be conducted and the
326 state interest furthered by the activity.
327 2. The maximum number of government-issued devices and
328 employees or officers to which the waiver will apply.
329 3. The length of time necessary for the waiver. Any waiver
330 granted pursuant to subparagraph (2)(b)2. must be limited to a
331 timeframe of no more than 1 year, but DIGIT the department may
332 approve an extension.
333 4. Risk mitigation actions that will be taken to prevent
334 access to sensitive data, including methods to ensure that the
335 activity does not connect to a state system, network, or server.
336 5. A description of the circumstances under which the
337 waiver applies.
338 (4)(a) Notwithstanding s. 120.74(4) and (5), the department
339 is authorized, and all conditions are deemed met, to adopt
340 emergency rules pursuant to s. 120.54(4) and to implement
341 paragraph (3)(a). Such rulemaking must occur initially by filing
342 emergency rules within 30 days after July 1, 2023.
343 (b) DIGIT The department shall adopt rules necessary to
344 administer this section.
345 Section 7. Paragraph (a) of subsection (5) of section
346 119.0725, Florida Statutes, is amended to read:
347 119.0725 Agency cybersecurity information; public records
348 exemption; public meetings exemption.—
349 (5)(a) Information made confidential and exempt pursuant to
350 this section must shall be made available to a law enforcement
351 agency, the Auditor General, the Cybercrime Office of the
352 Department of Law Enforcement, the Division of Integrated
353 Government Innovation and Technology within the Executive Office
354 of the Governor Florida Digital Service within the Department of
355 Management Services, and, for agencies under the jurisdiction of
356 the Governor, the Chief Inspector General.
357 Section 8. Paragraph (a) of subsection (4) and subsection
358 (7) of section 216.023, Florida Statutes, are amended to read:
359 216.023 Legislative budget requests to be furnished to
360 Legislature by agencies.—
361 (4)(a) The legislative budget request for each program must
362 contain:
363 1. The constitutional or statutory authority for a program,
364 a brief purpose statement, and approved program components.
365 2. Information on expenditures for 3 fiscal years (actual
366 prior-year expenditures, current-year estimated expenditures,
367 and agency budget requested expenditures for the next fiscal
368 year) by appropriation category.
369 3. Details on trust funds and fees.
370 4. The total number of positions (authorized, fixed, and
371 requested).
372 5. An issue narrative describing and justifying changes in
373 amounts and positions requested for current and proposed
374 programs for the next fiscal year.
375 6. Information resource requests.
376 7. Supporting information, including applicable cost
377 benefit analyses, business case analyses, performance
378 contracting procedures, service comparisons, and impacts on
379 performance standards for any request to outsource or privatize
380 agency functions. The cost-benefit and business case analyses
381 must include an assessment of the impact on each affected
382 activity from those identified in accordance with paragraph (b).
383 Performance standards must include standards for each affected
384 activity and be expressed in terms of the associated unit of
385 activity.
386 8. An evaluation of major outsourcing and privatization
387 initiatives undertaken during the last 5 fiscal years having
388 aggregate expenditures exceeding $10 million during the term of
389 the contract. The evaluation must include an assessment of
390 contractor performance, a comparison of anticipated service
391 levels to actual service levels, and a comparison of estimated
392 savings to actual savings achieved. Consolidated reports issued
393 by the Department of Management Services may be used to satisfy
394 this requirement.
395 9. Supporting information for any proposed consolidated
396 financing of deferred-payment commodity contracts including
397 guaranteed energy performance savings contracts. Supporting
398 information must also include narrative describing and
399 justifying the need, baseline for current costs, estimated cost
400 savings, projected equipment purchases, estimated contract
401 costs, and return on investment calculation.
402 10. For projects that exceed $10 million in total cost, the
403 statutory reference of the existing policy or the proposed
404 substantive policy that establishes and defines the project’s
405 governance structure, planned scope, main business objectives
406 that must be achieved, and estimated completion timeframes. The
407 governance structure for information technology-related projects
408 must incorporate the applicable project management and oversight
409 standards established pursuant to s. 282.0061 s. 282.0051.
410 Information technology budget requests for the continuance of
411 existing hardware and software maintenance agreements, renewal
412 of existing software licensing agreements, or the replacement of
413 desktop units with new technology that is similar to the
414 technology currently in use are exempt from this requirement.
415 (7) As part of the legislative budget request, each state
416 agency and the judicial branch shall include an inventory of all
417 ongoing technology-related projects that have a cumulative
418 estimated or realized cost of more than $1 million. The
419 inventory must, at a minimum, contain all of the following
420 information:
421 (a) The name of the technology system.
422 (b) A brief description of the purpose and function of the
423 system.
424 (c) A brief description of the goals of the project.
425 (d) The initiation date of the project.
426 (e) The key performance indicators for the project.
427 (f) Any other metrics for the project evaluating the health
428 and status of the project.
429 (g) The original and current baseline estimated end dates
430 of the project.
431 (h) The original and current estimated costs of the
432 project.
433 (i) Total funds appropriated or allocated to the project
434 and the current realized cost for the project by fiscal year.
435
436 For purposes of this subsection, an ongoing technology-related
437 project is one which has been funded or has had or is expected
438 to have expenditures in more than one fiscal year. An ongoing
439 technology-related project does not include the continuance of
440 existing hardware and software maintenance agreements, the
441 renewal of existing software licensing agreements, or the
442 replacement of desktop units with new technology that is
443 substantially similar to the technology being replaced. This
444 subsection expires July 1, 2026.
445 Section 9. Present subsections (36), (37), and (38) of
446 section 282.0041, Florida Statutes, are redesignated as
447 subsections (37), (38), and (39), respectively, new subsections
448 (11) and (36) are added to that section, and subsection (1),
449 present subsection (7), and subsections (27) and (29) of that
450 section are amended, to read:
451 282.0041 Definitions.—As used in this chapter, the term:
452 (1) “Agency assessment” means the amount each customer
453 entity must pay annually for services from the Department of
454 Management Services and includes administrative and data center
455 services costs.
456 (6)(7) “Customer entity” means an entity that obtains
457 services from DIGIT the Department of Management Services.
458 (11) “DIGIT” means the Division of Integrated Government
459 Innovation and Technology within the Executive Office of the
460 Governor.
461 (27) “Project oversight” means an independent review and
462 assessment analysis of an information technology project that
463 provides information on the project’s scope, completion
464 timeframes, and budget and that identifies and quantifies issues
465 or risks affecting the successful and timely completion of the
466 project.
467 (29) “Risk assessment” means the process of identifying
468 operational risks and security risks, determining their
469 magnitude, and identifying areas needing safeguards.
470 (36) “Technical debt” means the accumulated cost and
471 operational impact resulting from the use of suboptimal,
472 expedient, or outdated technology solutions that require future
473 remediation, refactoring, or replacement to ensure
474 maintainability, security, efficiency, and compliance with
475 enterprise architecture standards.
476 Section 10. Section 282.00515, Florida Statutes, is amended
477 to read:
478 282.00515 Duties of Cabinet agencies.—
479 (1)(a) The Department of Legal Affairs, the Department of
480 Financial Services, and the Department of Agriculture and
481 Consumer Services shall adopt the standards, best practices,
482 processes, and methodologies established in s. 282.0061(4) and
483 (5)(b) and (d). However, such departments may s. 282.0051(1)(b),
484 (c), and (r) and (3)(e) or adopt alternative standards, best
485 practices, and methodologies that must be based on industry
486 recognized best practices and industry standards that enable
487 allow for open data exchange, interoperability, and vendor
488 neutral integration. Such departments shall evaluate the
489 adoption of alternative standards on a case-by-case basis for
490 each standard, project, or system and reevaluate such
491 alternative standards periodically.
492 (b) Notwithstanding paragraph (a), if an enterprise project
493 has a measurable impact on, or requires participation from, a
494 state agency and the Department of Legal Affairs, the Department
495 of Financial Services, or the Department of Agriculture and
496 Consumer Services, then the Department of Legal Affairs, the
497 Department of Financial Services, or the Department of
498 Agriculture and Consumer Services, as applicable, must follow
499 the standards established under this chapter.
500 (2) If the Department of Legal Affairs, the Department of
501 Financial Services, or the Department of Agriculture and
502 Consumer Services adopts alternative standards, best practices,
503 processes, and methodologies in lieu of the enterprise
504 architecture standards, best practices, processes, and
505 methodologies adopted pursuant to s. 282.0061(4) and (5)(b) and
506 (d) s. 282.0051, such department must notify DIGIT, the
507 Governor, the President of the Senate, and the Speaker of the
508 House of Representatives in writing of the adoption of the
509 alternative standards and provide a justification for adoption
510 of the alternative standards and explain the manner in which how
511 the agency will achieve the policy, standard, guideline, or best
512 practice while promoting open data interoperability.
513 (3) The Department of Legal Affairs, the Department of
514 Financial Services, and the Department of Agriculture and
515 Consumer Services shall each conduct a full baseline needs
516 assessment to document their respective technical environments,
517 existing technical debt, security risks, and compliance with
518 adopted information technology best practices, guidelines, and
519 standards, similar to the assessments conducted by DIGIT
520 pursuant to s. 282.0061(2)(a) and (b). The Department of Legal
521 Affairs, the Department of Financial Services, and the
522 Department of Agriculture and Consumer Services may contract
523 with DIGIT to assist with or complete the assessments.
524 (4) The Department of Legal Affairs, the Department of
525 Financial Services, and the Department of Agriculture and
526 Consumer Services shall each produce a phased roadmap for
527 strategic planning to address known technology gaps and
528 deficiencies, similar to the assessments conducted by DIGIT
529 pursuant to s. 282.0061(2)(d). The phased roadmap must be
530 submitted annually with legislative budget requests required
531 under s. 216.023. The Department of Legal Affairs, the
532 Department of Financial Services, and the Department of
533 Agriculture and Consumer Services may contract with DIGIT to
534 assist with or complete the phased roadmap.
535 (5) The Department of Legal Affairs, the Department of
536 Financial Services, and the Department of Agriculture and
537 Consumer Services may, but are not required to, contract with
538 DIGIT the department to provide procurement advisory and review
539 services for information technology projects as provided in s.
540 282.0061(5)(a) or perform any of the services and functions
541 described in s. 282.0051.
542 (6) The Department of Legal Affairs, the Department of
543 Financial Services, and the Department of Agriculture and
544 Consumer Services shall use the information technology reports
545 developed by DIGIT pursuant to s. 282.0061(5)(f) and follow the
546 streamlined reporting process pursuant to s. 282.0061(5)(i). The
547 Department of Legal Affairs, the Department of Financial
548 Services, and the Department of Agriculture and Consumer
549 Services shall report annually to the President of the Senate
550 and the Speaker of the House of Representatives by December 15
551 information related to the respective department similar to the
552 information required under s. 282.006(6)(a) and the information
553 technology financial data methodology and reporting required by
554 s. 282.0061(6). The Department of Legal Affairs, the Department
555 of Financial Services, and the Department of Agriculture and
556 Consumer Services may provide the report required under this
557 subsection collectively with DIGIT or shall report separately to
558 the Governor, the President of the Senate, and the Speaker of
559 the House of Representatives.
560 (7)(a) [stricken: (4)(a)] Nothing in this chapter [stricken: section] or in s.
561 282.0051 requires the Department of Legal Affairs, the
562 Department of Financial Services, or the Department of
563 Agriculture and Consumer Services to integrate with information
564 technology outside its own department or with DIGIT [stricken: the Florida
565 Digital Service].
566 (b) DIGIT [stricken: The department, acting through the Florida
567 Digital Service,] may not retrieve or disclose any data without a
568 shared-data agreement in place between DIGIT [stricken: the department] and
569 the Department of Legal Affairs, the Department of Financial
570 Services, or the Department of Agriculture and Consumer
571 Services.
572 (8) Notwithstanding s. 282.0061(5)(h), DIGIT may perform
573 project oversight only on information technology projects of the
574 Department of Legal Affairs, the Department of Financial
575 Services, and the Department of Agriculture and Consumer
576 Services which have a project cost of $20 million or more. Such
577 information technology projects must also comply with the
578 applicable information technology architecture, project
579 management and oversight, and reporting standards established by
580 DIGIT. DIGIT shall report by the 30th day after the end of each
581 quarter to the President of the Senate and the Speaker of the
582 House of Representatives on any information technology project
583 under this subsection which DIGIT identifies as high risk. The
584 report must include a risk assessment, including fiscal risks,
585 associated with proceeding to the next stage of the project, and
586 a recommendation for any corrective action required, including
587 suspension or termination of the project.
588 (9) If an information technology project implemented by a
589 state agency must be connected to or otherwise accommodated by
590 an information technology system administered by the Department
591 of Legal Affairs, the Department of Financial Services, or the
592 Department of Agriculture and Consumer Services, the state
593 agency must consult with DIGIT regarding the risks and other
594 effects of such project on the information technology systems of
595 the Department of Legal Affairs, the Department of Financial
596 Services, or the Department of Agriculture and Consumer
597 Services, as applicable, and must work cooperatively with the
598 Department of Legal Affairs, the Department of Financial
599 Services, or the Department of Agriculture and Consumer
600 Services, as applicable, regarding connections, interfaces,
601 timing, or accommodations required to implement such project.
602 Section 11. Section 282.006, Florida Statutes, is created
603 to read:
604 282.006 Division of Integrated Government Innovation and
605 Technology; enterprise responsibilities; reporting.—
606 (1) The Division of Integrated Government Innovation and
607 Technology established in s. 14.205 is the state organization
608 for information technology governance and is the lead entity
609 responsible for understanding the unique state agency
610 information technology needs and environments, creating
611 technology standards and strategy, supporting state agency
612 technology efforts, and reporting on the status of technology
613 for state agencies.
614 (2) The Legislature intends for DIGIT policy, standards,
615 guidance, and oversight to allow for adaptability to emerging
616 technology and organizational needs while maintaining compliance
617 with industry best practices. All policies, standards, and
618 guidelines established pursuant to this chapter must be
619 technology-agnostic and may not prescribe specific tools,
620 platforms, or vendors.
621 (3) DIGIT shall establish the strategic direction of
622 information technology for state agencies. DIGIT shall develop
623 and publish information technology policy that aligns with
624 industry best practices for the management of the state’s
625 information technology resources. The policy must be updated as
626 necessary to meet the requirements of this chapter and
627 advancements in technology.
628 (4) DIGIT shall, in coordination with state agency
629 technology subject matter experts, develop, publish, and
630 maintain an enterprise architecture that:
631 (a) Acknowledges the unique needs of the entities within
632 the enterprise in the development and publication of standards
633 and terminologies to facilitate digital interoperability;
634 (b) Supports the cloud-first policy as specified in s.
635 282.206;
636 (c) Addresses the manner in which information technology
637 infrastructure may be modernized to achieve security,
638 scalability, maintainability, interoperability, and improved
639 cost-efficiency goals; and
640 (d) Includes, at a minimum, best practices, guidelines, and
641 standards for:
642 1. Data models and taxonomies.
643 2. Master data management.
644 3. Data integration and interoperability.
645 4. Data security and encryption.
646 5. Bot prevention and data protection.
647 6. Data backup and recovery.
648 7. Application portfolio and catalog requirements.
649 8. Application architectural patterns and principles.
650 9. Technology and platform standards.
651 10. Secure coding practices.
652 11. Performance and scalability.
653 12. Cloud infrastructure and architecture.
654 13. Networking, connectivity, and security protocols.
655 14. Authentication, authorization, and access controls.
656 15. Disaster recovery.
657 16. Quality assurance.
658 17. Testing methodologies and measurements.
659 18. Logging and log retention.
660 19. Application and use of artificial intelligence.
661 (5) DIGIT shall develop open data technical standards and
662 terminologies for use by state agencies. DIGIT shall develop
663 enterprise technology testing and quality assurance best
664 practices and standards to ensure the reliability, security, and
665 performance of information technology systems. Such best
666 practices and standards must include:
667 (a) Functional testing to ensure software or systems meet
668 required specifications.
669 (b) Performance and load testing to ensure software and
670 systems operate efficiently under various conditions.
671 (c) Security testing to protect software and systems from
672 vulnerabilities and cyber threats.
673 (d) Compatibility and interoperability testing to ensure
674 software and systems operate seamlessly across environments.
675 (6) DIGIT shall produce and provide the following reports
676 to the Governor, the President of the Senate, and the Speaker of
677 the House of Representatives:
678 (a) Annually by December 15, an enterprise analysis report
679 for state agencies which includes all of the following:
680 1. Results of the state agency needs assessments, including
681 any plan to address technical debt as required by s. 282.0061
682 pursuant to the schedule adopted.
683 2. Alternative standards related to federal funding adopted
684 pursuant to s. 282.0061.
685 3. Information technology financial data for each state
686 agency for the previous fiscal year. This portion of the annual
687 report must include, at a minimum, the following recurring and
688 nonrecurring information:
689 a. Total number of full-time equivalent positions.
690 b. Total amount of salary.
691 c. Total amount of benefits.
692 d. Total number of comparable full-time equivalent
693 positions and total amount of expenditures for information
694 technology staff augmentation.
695 e. Total number of contracts and purchase orders and total
696 amount of associated expenditures for information technology
697 managed services.
698 f. Total amount of expenditures by state term contract as
699 defined in s. 287.012, contracts procured using alternative
700 purchasing methods as authorized pursuant to s. 287.042(16), and
701 state agency procurements through request for proposal,
702 invitation to negotiate, invitation to bid, single source, and
703 emergency purchases.
704 g. Total amount of expenditures for hardware.
705 h. Total amount of expenditures for non-cloud software.
706 i. Total amount of expenditures for cloud software licenses
707 and services with a separate amount for expenditures for state
708 data center services.
709 j. Total amount of expenditures for cloud data center
710 services with a separate amount for expenditures for state data
711 center services.
712 k. Total amount of expenditures for administrative costs.
713 4. Consolidated information for the previous fiscal year
714 about state information technology projects, which must include,
715 at a minimum, the following information:
716 a. Anticipated funding requirements for information
717 technology support over the next 5 years.
718 b. An inventory of current information technology assets
719 and major projects. As used in this paragraph, the term “major
720 project” includes projects costing more than $500,000 to
721 implement.
722 c. Significant unmet needs for information technology
723 resources over the next 5 fiscal years, ranked in priority order
724 according to their urgency.
725 5. A review and summary of whether the information
726 technology contract policy established pursuant to s. 282.0064
727 is included in all solicitations and contracts.
728 (b) Biennially by December 15 of even-numbered years, a
729 report on the strategic direction of information technology in
730 the state which includes recommendations for all of the
731 following:
732 1. Standardization and consolidation of information
733 technology services that are identified as common across state
734 agencies as required in s. 282.0061.
735 2. Information technology services needed to be designed,
736 delivered, and managed as state agency enterprise information
737 technology services. Recommendations must include the
738 identification of existing information technology resources
739 associated with the services, if existing services must be
740 transferred as a result of being delivered and managed as
741 enterprise information technology services, and which entity is
742 best suited to manage the service.
743 (c)1. When conducted as provided in this paragraph, a
744 market analysis and accompanying strategic plan submitted by
745 December 31 of each year that the market analysis is conducted.
746 2. No less frequently than every 3 years, DIGIT shall
747 conduct a market analysis to determine whether the:
748 a. Information technology resources across state agencies
749 are used in the most cost-effective and cost-efficient manner,
750 while recognizing that the replacement of certain legacy
751 information technology systems within the enterprise may be cost
752 prohibitive or cost inefficient due to the remaining useful life
753 of those resources; and
754 b. State agencies are using best practices with respect to
755 information technology, information services, and the
756 acquisition of emerging technologies and information services.
757 3. Each market analysis must be used to prepare a strategic
758 plan for continued and future information technology and
759 information services, including, but not limited to, proposed
760 acquisition of new services or technologies and approaches to
761 the implementation of any new services or technologies.
762 (7)(a) DIGIT shall develop, implement, and maintain a
763 library to serve as the official repository for all enterprise
764 information technology policies, standards, guidelines, and best
765 practices applicable to state agencies. The online library must
766 be accessible and searchable by all state agencies and the
767 Department of Legal Affairs, the Department of Financial
768 Services, and the Department of Agriculture and Consumer
769 Services through a secure authentication system. The library
770 must include standardized checklists organized by technical
771 subject areas to assist state agencies in measuring compliance
772 with the information technology policies, standards, guidelines,
773 and best practices.
774 (b) DIGIT shall establish procedures to ensure the
775 integrity, security, and availability of the library, including
776 appropriate access controls, encryption, and disaster recovery
777 measures. DIGIT shall regularly update documents and materials
778 in the library to reflect current state and federal
779 requirements, industry best practices, and emerging technologies
780 and shall maintain version control and revision history for all
781 published documents. DIGIT shall create mechanisms for state
782 agencies to submit feedback, request clarifications, and
783 recommend updates.
784 (8)(a) Each state agency shall actively participate and
785 collaborate with DIGIT to achieve the objectives set forth in
786 this chapter. Each state agency shall also adhere to the
787 policies, standards, guidelines, and best practices established
788 by DIGIT in information technology planning, procurement,
789 implementation, and operations as required by this chapter.
790 (b)1. A state agency may request an exemption to a specific
791 policy, standard, or guideline when compliance is not
792 technically feasible, would cause undue hardship, or conflicts
793 with any agency-specific statutory requirement. The state agency
794 requesting an exception must submit a formal justification to
795 DIGIT detailing all of the following:
796 a. The specific requirement for which an exemption is
797 sought.
798 b. The reason compliance is not feasible or practical.
799 c. Any compensating control or alternative measure the
800 state agency will implement to mitigate associated risks.
801 d. The anticipated duration of the exemption.
802 2. DIGIT shall review all exemption requests and provide a
803 recommendation to the state chief information officer, who shall
804 present the compliance exemption requests to the chief
805 information officer workgroup. Approval of exemption requests
806 must be made by a majority vote of the workgroup. Approved
807 exemptions must be documented and include conditions and
808 expiration dates.
809 3. A state agency with an approved exemption shall undergo
810 periodic review to determine whether the exemption remains
811 necessary or whether compliance can be achieved.
812 (9) DIGIT may adopt rules to implement this chapter.
813 Section 12. Section 282.0061, Florida Statutes, is created
814 to read:
815 282.0061 DIGIT support of state agencies; information
816 technology procurement and projects.—
817 (1) LEGISLATIVE INTENT.—The Legislature intends for DIGIT
818 to support state agencies in their information technology
819 efforts through the adoption of policies, standards, and
820 guidance and by providing oversight that recognizes unique state
821 agency information technology needs, environments, and goals.
822 DIGIT assistance and support must allow for adaptability to
823 emerging technologies and organizational needs while maintaining
824 compliance with industry best practices. DIGIT may not prescribe
825 specific tools, platforms, or vendors.
826 (2) NEEDS ASSESSMENTS.—
827 (a) By January 1, 2029, DIGIT shall conduct full baseline
828 needs assessments of state agencies to document their respective
829 technical environments, existing technical debt, security risks,
830 and compliance with all information technology standards and
831 guidelines developed and published by DIGIT. The needs
832 assessment must use the latest version of the Capability
833 Maturity Model Integration to evaluate each state agency’s
834 information technology capabilities, providing a maturity level
835 rating for each assessed domain. After completion of the initial
836 full baseline needs assessment, such assessments must be
837 maintained and updated on a regular schedule adopted by DIGIT.
838 (b) In assessing the existing technical debt portion of the
839 needs assessment, DIGIT shall analyze the state’s legacy
840 information technology systems and develop a plan to document
841 the needs and costs for replacement systems. The plan must
842 include an inventory of legacy applications and infrastructure;
843 the required capabilities not available with the legacy system;
844 the estimated process, timeline, and cost to migrate from legacy
845 environments; and any other information necessary for fiscal or
846 technology planning. The plan must determine and document the
847 estimated timeframe during which the state agency can continue
848 to efficiently use legacy information technology systems,
849 resources, security, and data management to support operations.
850 State agencies shall provide all necessary documentation to
851 enable accurate reporting on legacy systems.
852 (c) DIGIT shall develop a plan and schedule to conduct the
853 initial full baseline needs assessments. By October 1, 2027,
854 DIGIT shall submit the plan to the Governor, the President of
855 the Senate, and the Speaker of the House of Representatives.
856 (d) DIGIT shall support state agency strategic planning
857 efforts and assist state agencies with the production of a
858 phased roadmap to address known technology gaps and deficiencies
859 as identified in the needs assessments. The roadmaps must
860 include specific strategies and initiatives aimed at advancing
861 the state agency’s maturity level in accordance with the latest
862 version of the Capability Maturity Model Integration. State
863 agencies shall create, maintain, and submit the roadmap on an
864 annual basis with their legislative budget requests required
865 under s. 216.023.
866 (3) STANDARDIZATION.—DIGIT shall:
867 (a) Recommend in its annual enterprise analysis report for
868 state agencies required under s. 282.006 any potential method
869 for standardizing data across state agencies which will promote
870 interoperability and reduce the collection of duplicative data.
871 (b) Identify any opportunities in such enterprise analysis
872 report for state agencies for standardization and consolidation
873 of information technology services that are common across all
874 state agencies and that support:
875 1. Improved interoperability, security, scalability,
876 maintainability, and cost efficiency; and
877 2. Business functions and operations, including
878 administrative functions such as purchasing, accounting and
879 reporting, cash management, and personnel.
880 (c) Review all state agency information technology
881 legislative budget requests for compliance with the enterprise
882 architecture, project planning standards, and cybersecurity and
883 provide a report of the findings to the Executive Office of the
884 Governor’s Office of Policy and Budget for consideration for
885 funding decisions in the Governor’s recommended budget.
886 (4) DATA MANAGEMENT.—
887 (a) DIGIT shall develop standards for use by state agencies
888 which support best practices for master data management at the
889 state agency level to facilitate enterprise data sharing and
890 interoperability.
891 (b) DIGIT shall establish a methodology and strategy for
892 implementing statewide master data management and submit a
893 report to the Governor, the President of the Senate, and the
894 Speaker of the House of Representatives by December 1, 2029. The
895 report must include the vision, goals, and benefits of
896 implementing a statewide master data management initiative, an
897 analysis of the current state of data management, and the
898 recommended strategy, methodology, and estimated timeline and
899 resources needed at a state agency and enterprise level to
900 accomplish the initiative.
901 (5) INFORMATION TECHNOLOGY PROJECTS.—DIGIT has the
902 following duties and responsibilities related to state agency
903 technology projects:
904 (a) Provide procurement advisory and review services for
905 information technology projects to all state agencies, including
906 procurement and contract development assistance to meet the
907 information technology contract policy established pursuant to
908 s. 282.0064.
909 (b) Establish best practices and procurement processes and
910 develop metrics to support these processes for the procurement
911 of information technology products and services in order to
912 reduce costs or improve the provision of government services.
913 (c) Upon request, assist state agencies in the development
914 of information technology-related legislative budget requests.
915 (d) Develop standards and accountability measures for
916 information technology project planning and implementation,
917 including criteria for effective project management and
918 oversight. State agencies shall satisfy these standards and
919 measures when implementing information technology projects. To
920 support data-driven decisionmaking, the standards and measures
921 must include, but are not limited to:
922 1. Performance measurements and metrics that objectively
923 assess the progress and risks of an information technology
924 project based on a defined and documented project scope, to
925 include the number of impacted stakeholders, cost, and schedule,
926 to determine whether the project is performing as planned and
927 delivering the intended outcomes.
928 2. Methodologies for calculating and defining acceptable
929 variances between the planned and actual scope of a technology
930 project which provide clear thresholds for guiding corrective
931 actions. Such methodologies must account for project complexity
932 and scale, schedule, performance, quality, and the cost of an
933 information technology project.
934 3. Reporting requirements that ensure timely notifications
935 to all defined stakeholders when an information technology
936 project exceeds acceptable variances defined and documented in a
937 project plan, including any variance that results in a schedule
938 delay of 1 month or more or a cost increase of $1 million or
939 more, and that establish procedures for escalating critical
940 issues to appropriate individuals.
941 4. Technical reporting metrics to determine if an
942 information technology project complies with the enterprise
943 architecture standards.
944 5. Minimum requirements for engaging stakeholders
945 throughout a project’s life cycle.
946 (e) Develop a framework that provides processes,
947 activities, and deliverables state agencies must comply with
948 when planning an information technology project. The processes,
949 activities, and deliverables must include, but are not limited
950 to, all of the following:
951 1. Business case development, including the information
952 required by s. 287.0571(4), full life cycle cost estimates,
953 governance structure, system interoperability goals, data
954 management plans, scalability approach, evaluation of
955 cybersecurity and data privacy risks, and technology-specific
956 performance metrics and service levels.
957 2. Market research, including the use of a request for
958 information as defined in s. 287.012.
959 3. Planning and scheduling.
960 4. Stakeholder engagement.
961 5. Risk assessment.
962 6. Procurement strategy.
963 7. Project governance definition.
964 8. System design and requirements.
965 9. Change management.
966 10. Monitoring and reporting.
967 11. Postimplementation review and planning.
968 12. Solicitation documentation.
969 (f) Develop information technology project reports for use
970 by state agencies, including, but not limited to, operational
971 work plans, project spending plans, and project status reports.
972 Reporting standards must include content, format, and frequency
973 of project updates.
974 (g) Develop and provide training specific to information
975 technology project management and oversight which supplements
976 and enhances the training offered by the department and the
977 Chief Financial Officer under s. 287.057(15)(b). DIGIT shall
978 evaluate such training every 2 years to assess its effectiveness
979 and update the training curriculum. The training must address
980 the unique requirements and risk profiles of state information
981 technology projects, procurements, contract management, and
982 vendor management.
983 (h) Perform project oversight on all state agency
984 information technology projects that have total project costs of
985 $10 million or more. DIGIT shall report by the 30th day after
986 the end of each quarter to the Executive Office of the Governor,
987 the President of the Senate, and the Speaker of the House of
988 Representatives on any information technology project that DIGIT
989 identifies as high-risk due to the project exceeding the
990 acceptable project variance thresholds provided in the project
991 management and oversight standards. The report must include a
992 risk assessment, including fiscal risks associated with
993 proceeding to the next stage of the project, a list of all
994 projects with a performance deficiency, reported pursuant to s.
995 287.057(26)(d)1., which has not been corrected as of the end of
996 the reporting period, and a recommendation for corrective
997 actions required, including suspension or termination of the
998 project.
999 (i) Establish a streamlined reporting process with clear
1000 timelines and escalation procedures for notifying a state agency
1001 of noncompliance with the standards developed and adopted by
1002 DIGIT.
1003 (6) INFORMATION TECHNOLOGY FINANCIAL DATA.—
1004 (a) In consultation with state agencies, DIGIT shall create
1005 a methodology, an approach, and applicable templates and formats
1006 for identifying and collecting both current and planned
1007 information technology expenditure data at the state agency
1008 level. DIGIT shall continuously obtain, review, and maintain
1009 records of the appropriations, expenditures, and revenues for
1010 information technology for each state agency.
1011 (b) DIGIT shall prescribe the format for state agencies to
1012 provide all necessary financial information to DIGIT for
1013 inclusion in the annual report required under s. 282.006. State
1014 agencies shall provide the information to DIGIT by October 1 for
1015 the previous fiscal year.
1016 (7) FEDERAL CONFLICTS.—DIGIT must work with state agencies
1017 to provide alternative standards, policies, or requirements that
1018 do not conflict with federal regulations or requirements if
1019 adherence to standards or policies adopted by or established
1020 pursuant to this section conflict with federal regulations or
1021 requirements imposed on an entity within the enterprise and
1022 results in, or is expected to result in, adverse action against
1023 any state agency or loss of federal funding.
1024 Section 13. Section 282.0062, Florida Statutes, is created
1025 to read:
1026 282.0062 DIGIT workgroups.—The following workgroups are
1027 established within DIGIT to facilitate coordination with state
1028 agencies:
1029 (1) CHIEF INFORMATION OFFICER WORKGROUP.—
1030 (a) The chief information officer workgroup, composed of
1031 all state agency chief information officers, shall consider and
1032 make recommendations to the state chief information officer and
1033 the state chief information architect on such matters as
1034 enterprise information technology policies, standards, services,
1035 and architecture. The workgroup may also identify and recommend
1036 opportunities for the establishment of public-private
1037 partnerships when considering technology infrastructure and
1038 services in order to accelerate project delivery and provide a
1039 source of new or increased project funding.
1040 (b) At a minimum, the state chief information officer shall
1041 consult with the workgroup on a quarterly basis with regard to
1042 executing the duties and responsibilities of the state agencies
1043 related to statewide information technology strategic planning
1044 and policy.
1045 (2) ENTERPRISE DATA AND INTEROPERABILITY WORKGROUP.—
1046 (a) The enterprise data and interoperability workgroup,
1047 composed of chief data officer representatives from all state
1048 agencies, shall consider and make recommendations to the state
1049 chief data officer on such matters as enterprise data policies,
1050 standards, services, and architecture that promote data
1051 consistency, accessibility, and seamless integration across the
1052 enterprise.
1053 (b) At a minimum, the state chief data officer shall
1054 consult with the workgroup on a quarterly basis with regard to
1055 executing the duties and responsibilities of the state agencies
1056 related to statewide data governance planning and policy.
1057 (3) ENTERPRISE SECURITY WORKGROUP.—
1058 (a) The enterprise security workgroup, composed of chief
1059 information security officer representatives from all state
1060 agencies, shall consider and make recommendations to the state
1061 chief information security officer on such matters as
1062 cybersecurity policies, standards, services, and architecture
1063 that promote the protection of state assets.
1064 (b) At a minimum, the state chief information security
1065 officer shall consult with the workgroup on a quarterly basis
1066 with regard to executing the duties and responsibilities of the
1067 state agencies related to cybersecurity governance and policy
1068 development.
1069 (4) ENTERPRISE INFORMATION TECHNOLOGY QUALITY ASSURANCE
1070 WORKGROUP.—
1071 (a) The enterprise information technology quality assurance
1072 workgroup, composed of testing and quality assurance
1073 representatives from all state agencies, shall consider and make
1074 recommendations to the state chief technology officer on such
1075 matters as testing methodologies, tools, and best practices to
1076 reduce risks related to software defects, cybersecurity threats,
1077 and operational failures.
1078 (b) At a minimum, the state chief information officer shall
1079 consult with the workgroup on a quarterly basis with regard to
1080 executing the duties and responsibilities of the state agencies
1081 related to enterprise software testing and quality assurance
1082 standards.
1083 (5) ENTERPRISE INFORMATION TECHNOLOGY PROJECT MANAGEMENT
1084 WORKGROUP.—
1085 (a) The enterprise information technology project
1086 management workgroup, composed of information technology project
1087 manager representatives from all state agencies, shall consider
1088 and make recommendations to the state chief technology officer
1089 on such matters as information technology project management
1090 policies, standards, accountability measures, and services that
1091 promote project governance and standardization across the
1092 enterprise.
1093 (b) At a minimum, the state chief information officer shall
1094 consult with the workgroup on a quarterly basis with regard to
1095 executing the duties and responsibilities of the state agencies
1096 related to project management and oversight.
1097 (6) ENTERPRISE INFORMATION TECHNOLOGY PURCHASING
1098 WORKGROUP.—
1099 (a) The enterprise information technology purchasing
1100 workgroup, composed of information technology procurement
1101 representatives from all state agencies, shall consider and make
1102 recommendations to the state chief technology procurement
1103 officer on such matters as information technology procurement
1104 policies, standards, and purchasing strategy and optimization
1105 that promote best practices for contract negotiation,
1106 consolidation, and effective service-level agreement
1107 implementation across the enterprise.
1108 (b) At a minimum, the state chief information officer shall
1109 consult with the workgroup on a quarterly basis with regard to
1110 executing the duties and responsibilities of the state agencies
1111 related to technology evaluation, purchasing, and cost savings.
1112 (7) DEPARTMENT OF LEGAL AFFAIRS, DEPARTMENT OF FINANCIAL
1113 SERVICES, AND DEPARTMENT OF AGRICULTURE AND CONSUMER SERVICES
1114 INFORMATION TECHNOLOGY STAFF.—Appropriate information technology
1115 staff of the Department of Legal Affairs, the Department of
1116 Financial Services, and the Department of Agriculture and
1117 Consumer Services shall participate in the workgroups created
1118 under subsections (1), (2), and (3) and may participate in any
1119 other workgroups as authorized by their respective elected
1120 official.
1121 Section 14. Section 282.0063, Florida Statutes, is created
1122 to read:
1123 282.0063 State information technology professionals career
1124 paths and training.—
1125 (1) DIGIT shall develop standardized frameworks for, and
1126 career paths, progressions, and training programs for, the
1127 benefit of state agency information technology personnel. To
1128 meet that goal, DIGIT shall:
1129 (a) Assess current and future information technology
1130 workforce needs across state agencies, identify skill gaps, and
1131 develop strategies to address them.
1132 (b) Develop and establish a training program for state
1133 agencies to support the understanding and implementation of each
1134 element of the enterprise architecture.
1135 (c) Establish training programs, certifications, and
1136 continuing education opportunities to enhance information
1137 technology competencies, including cybersecurity, cloud
1138 computing, and emerging technologies.
1139 (d) Support initiatives to provide existing employees with
1140 training or other opportunities to develop skills in emerging
1141 technologies and automation, ensuring that state agencies remain
1142 competitive and innovative.
1143 (e) Develop strategies to recruit and retain information
1144 technology professionals, including internship programs,
1145 apprenticeships, partnerships with educational institutions,
1146 scholarships for service, and initiatives to attract diverse
1147 talent.
1148 (2) DIGIT shall consult with CareerSource Florida, Inc.,
1149 the Department of Commerce, and the Department of Education in
1150 the implementation of this section.
1151 Section 15. Section 282.0064, Florida Statutes, is created
1152 to read:
1153 282.0064 Information technology contract policy.—
1154 (1) In coordination with the Department of Management
1155 Services, DIGIT shall establish a policy for all information
1156 technology-related solicitations and contracts, including state
1157 term contracts; contracts sourced using alternative purchasing
1158 methods as authorized pursuant to s. 287.042(16); sole source
1159 and emergency procurements; and contracts for commodities,
1160 consultant services, and staff augmentation services.
1161 (2) Related to state term contracts, the information
1162 technology policy must include:
1163 (a) Identification of the information technology product
1164 and service categories to be included in state term contracts.
1165 (b) The term of each information technology-related state
1166 term contract.
1167 (c) The maximum number of vendors authorized on each state
1168 term contract.
1169 (3) For all contracts, the information technology policy
1170 must include:
1171 (a) Evaluation criteria for the award of information
1172 technology-related contracts.
1173 (b) Requirements to be included in solicitations.
1174 (c) At a minimum, a requirement that any contract for
1175 information technology commodities or services meet the
1176 requirements of the enterprise architecture and National
1177 Institute of Standards and Technology Cybersecurity Framework.
1178 (4) The policy must include the following requirements for
1179 any information technology project that requires project
1180 oversight through independent verification and validation:
1181 (a) An entity providing independent verification and
1182 validation may not have any:
1183 1. Technical, managerial, or financial interest in the
1184 project; or
1185 2. Responsibility for or participation in any other aspect
1186 of the project.
1187 (b) The primary objective of independent verification and
1188 validation must be to provide an objective assessment throughout
1189 the entire project life cycle, reporting directly to all
1190 relevant stakeholders. An independent verification and
1191 validation entity shall independently verify and validate
1192 whether:
1193 1. The project is being built and implemented in accordance
1194 with defined technical architecture, specifications, and
1195 requirements.
1196 2. The project is adhering to established project
1197 management processes.
1198 3. The procurement of products, tools, and services and
1199 resulting contracts aligns with current statutory and regulatory
1200 requirements.
1201 4. The value of services delivered is commensurate with
1202 project costs.
1203 5. The completed project meets the actual needs of the
1204 intended users.
1205 (c) The entity performing independent verification and
1206 validation shall provide regular reports and assessments
1207 directly to the designated oversight body, identifying risks,
1208 deficiencies, and recommendations for corrective actions to
1209 ensure project success and compliance with statutory
1210 requirements.
1211 (5) The Division of State Purchasing in the Department of
1212 Management Services shall coordinate with DIGIT on state term
1213 contract solicitations and invitations to negotiate related to
1214 information technology. Such coordination must include reviewing
1215 the solicitation specifications to verify compliance with
1216 enterprise architecture and cybersecurity standards, evaluating
1217 vendor responses under established criteria, answering vendor
1218 questions, and providing any other technical expertise
1219 necessary.
1220 (6) The Department of Legal Affairs, the Department of
1221 Financial Services, and the Department of Agriculture and
1222 Consumer Services may adopt alternatives to the information
1223 technology policy established by DIGIT pursuant to this section.
1224 If alternatives to the policy are adopted, such department must
1225 notify DIGIT, the Governor, the President of the Senate, and the
1226 Speaker of the House of Representatives in writing of the
1227 adoption of the alternatives and provide a justification for
1228 adoption of the alternatives, including whether the alternatives
1229 were necessary to meet alternatives adopted pursuant to s.
1230 282.00515, and explain the manner in which the department will
1231 achieve the information technology policy.
1232 Section 16. Subsections (3), (4), (7), and (10) of section
1233 282.318, Florida Statutes, are amended to read:
1234 282.318 Cybersecurity.—
1235 (3) DIGIT The department, acting through the Florida
1236 Digital Service, is the lead entity responsible for establishing
1237 standards and processes for assessing state agency cybersecurity
1238 risks and determining appropriate security measures that comply
1239 with the latest national and state data compliance security
1240 standards. Such standards and processes must be consistent with
1241 generally accepted technology best practices, including the
1242 National Institute for Standards and Technology Cybersecurity
1243 Framework, for cybersecurity. DIGIT The department, acting
1244 through the Florida Digital Service, shall adopt rules that
1245 mitigate risks; safeguard state agency digital assets, data,
1246 information, and information technology resources to ensure
1247 availability, confidentiality, and integrity; and support a
1248 security governance framework. DIGIT The department, acting
1249 through the Florida Digital Service, shall also:
1250 (a) Designate an employee of the Florida Digital Service as
1251 the state chief information security officer. The state chief
1252 information security officer must have experience and expertise
1253 in security and risk management for communications and
1254 information technology resources. The state chief information
1255 security officer is responsible for the development of
1256 enterprise cybersecurity policy, standards, operation, and
1257 security architecture oversight of cybersecurity for state
1258 technology systems. The state chief information security officer
1259 must shall be notified of all confirmed or suspected incidents
1260 or threats of state agency information technology resources and
1261 must report such incidents or threats to the state chief
1262 information officer and the Governor.
1263 (b) Develop, and annually update by February 1, a statewide
1264 cybersecurity strategic plan that includes security goals and
1265 objectives for cybersecurity, including the identification and
1266 mitigation of risk, proactive protections against threats,
1267 tactical risk detection, threat reporting, and response and
1268 recovery protocols for a cyber incident.
1269 (c) Develop and publish for use by state agencies a
1270 cybersecurity governance framework that, at a minimum, includes
1271 guidelines and processes for:
1272 1. Establishing asset management procedures to ensure that
1273 an agency’s information technology resources are identified and
1274 managed consistent with their relative importance to the
1275 agency’s business objectives.
1276 2. Using a standard risk assessment methodology that
1277 includes the identification of an agency’s priorities,
1278 constraints, risk tolerances, and assumptions necessary to
1279 support operational risk decisions and that is aligned with
1280 generally accepted technology best practices, including the
1281 National Institute for Standards and Technology Cybersecurity
1282 Framework.
1283 3. Completing comprehensive risk assessments and
1284 cybersecurity audits, which may be completed by an independent
1285 third party a private sector vendor, and submitting completed
1286 assessments and audits to DIGIT the department.
1287 4. Identifying protection procedures to manage the
1288 protection of an agency’s information, data, and information
1289 technology resources.
1290 5. Establishing procedures for accessing information and
1291 data to ensure the confidentiality, integrity, and availability
1292 of such information and data.
1293 6. Detecting threats through proactive monitoring of
1294 events, continuous security monitoring, and defined detection
1295 processes.
1296 7. Establishing agency cybersecurity incident response
1297 teams and describing their responsibilities for responding to
1298 cybersecurity incidents, including breaches of personal
1299 information containing confidential or exempt data.
1300 8. Recovering information and data in response to a
1301 cybersecurity incident. The recovery may include recommended
1302 improvements to the agency processes, policies, or guidelines.
1303 9. Establishing a cybersecurity incident reporting process
1304 that includes procedures for notifying DIGIT the department and
1305 the Department of Law Enforcement of cybersecurity incidents.
1306 a. The level of severity of the cybersecurity incident is
1307 defined by the National Cyber Incident Response Plan of the
1308 United States Department of Homeland Security as follows:
1309 (I) Level 5 is an emergency-level incident within the
1310 specified jurisdiction that poses an imminent threat to the
1311 provision of wide-scale critical infrastructure services;
1312 national, state, or local government security; or the lives of
1313 the country’s, state’s, or local government’s residents.
1314 (II) Level 4 is a severe-level incident that is likely to
1315 result in a significant impact in the affected jurisdiction to
1316 public health or safety; national, state, or local security;
1317 economic security; or civil liberties.
1318 (III) Level 3 is a high-level incident that is likely to
1319 result in a demonstrable impact in the affected jurisdiction to
1320 public health or safety; national, state, or local security;
1321 economic security; civil liberties; or public confidence.
1322 (IV) Level 2 is a medium-level incident that may impact
1323 public health or safety; national, state, or local security;
1324 economic security; civil liberties; or public confidence.
1325 (V) Level 1 is a low-level incident that is unlikely to
1326 impact public health or safety; national, state, or local
1327 security; economic security; civil liberties; or public
1328 confidence.
1329 b. The cybersecurity incident reporting process must
1330 specify the information that must be reported by a state agency
1331 following a cybersecurity incident or ransomware incident,
1332 which, at a minimum, must include the following:
1333 (I) A summary of the facts surrounding the cybersecurity
1334 incident or ransomware incident.
1335 (II) The date on which the state agency most recently
1336 backed up its data; the physical location of the backup, if the
1337 backup was affected; and if the backup was created using cloud
1338 computing.
1339 (III) The types of data compromised by the cybersecurity
1340 incident or ransomware incident.
1341 (IV) The estimated fiscal impact of the cybersecurity
1342 incident or ransomware incident.
1343 (V) In the case of a ransomware incident, the details of
1344 the ransom demanded.
1345 c.(I) A state agency shall report all ransomware incidents
1346 and any cybersecurity incident determined by the state agency to
1347 be of severity level 3, 4, or 5 to the state chief information
1348 security officer Cybersecurity Operations Center and the
1349 Cybercrime Office of the Department of Law Enforcement as soon
1350 as possible but no later than 48 hours after discovery of the
1351 cybersecurity incident and no later than 12 hours after
1352 discovery of the ransomware incident. The report must contain
1353 the information required in sub-subparagraph b. If the event
1354 involves services housed or procured through the Northwest
1355 Regional Data Center, the state agency must also notify the
1356 Northwest Regional Data Center.
1357 (II) The state chief information security officer
1358 Cybersecurity Operations Center shall notify the President of
1359 the Senate and the Speaker of the House of Representatives of
1360 any severity level 3, 4, or 5 incident as soon as possible but
1361 no later than 12 hours after receiving a state agency’s incident
1362 report. The notification must include a high-level description
1363 of the incident and the likely effects.
1364 d. A state agency shall report a cybersecurity incident
1365 determined by the state agency to be of severity level 1 or 2 to
1366 the state chief information security officer Cybersecurity
1367 Operations Center and the Cybercrime Office of the Department of
1368 Law Enforcement as soon as possible, but no later than 96 hours
1369 after the discovery of the cybersecurity incident and no later
1370 than 72 hours after the discovery of the ransomware incident.
1371 The report must contain the information required in sub-
1372 subparagraph b. If the event involves services housed or
1373 procured through the Northwest Regional Data Center, the state
1374 agency must also notify the Northwest Regional Data Center.
1375 e. The state chief information security officer
1376 Cybersecurity Operations Center shall provide a consolidated
1377 incident report on a quarterly basis to the President of the
1378 Senate and, the Speaker of the House of Representatives, and the
1379 Florida Cybersecurity Advisory Council. The report provided to
1380 the Florida Cybersecurity Advisory Council may not contain the
1381 name of any agency, network information, or system identifying
1382 information but must contain sufficient relevant information to
1383 allow the Florida Cybersecurity Advisory Council to fulfill its
1384 responsibilities as required in s. 282.319(9).
1385 10. Incorporating information obtained through detection
1386 and response activities into the agency’s cybersecurity incident
1387 response plans.
1388 11. Developing agency strategic and operational
1389 cybersecurity plans required pursuant to this section.
1390 12. Establishing the managerial, operational, and technical
1391 safeguards for protecting state government data and information
1392 technology resources that align with the state agency risk
1393 management strategy and that protect the confidentiality,
1394 integrity, and availability of information and data.
1395 13. Establishing procedures for procuring information
1396 technology commodities and services that require the commodity
1397 or service to meet the National Institute of Standards and
1398 Technology Cybersecurity Framework.
1399 14. Submitting after-action reports following a
1400 cybersecurity incident or ransomware incident. Such guidelines
1401 and processes for submitting after-action reports must be
1402 developed and published by December 1, 2022.
1403 (d) Assist state agencies in complying with this section.
1404 (e) In collaboration with the Cybercrime Office of the
1405 Department of Law Enforcement, annually provide training for
1406 state agency information security managers and computer security
1407 incident response team members that contains training on
1408 cybersecurity, including cybersecurity threats, trends, and best
1409 practices.
1410 (f) Annually review the strategic and operational
1411 cybersecurity plans of state agencies.
1412 (g) Annually provide cybersecurity training to all state
1413 agency technology professionals and employees with access to
1414 highly sensitive information which develops, assesses, and
1415 documents competencies by role and skill level. The
1416 cybersecurity training curriculum must include training on the
1417 identification of each cybersecurity incident severity level
1418 referenced in sub-subparagraph (c)9.a. The training may be
1419 provided in collaboration with the Cybercrime Office of the
1420 Department of Law Enforcement, a private sector entity, or an
1421 institution of the State University System.
1422 (h) Operate and maintain a Cybersecurity Operations Center
1423 led by the state chief information security officer, which must
1424 be primarily virtual and staffed with tactical detection and
1425 incident response personnel. The Cybersecurity Operations Center
1426 shall serve as a clearinghouse for threat information and
1427 coordinate with the Department of Law Enforcement to support
1428 state agencies and their response to any confirmed or suspected
1429 cybersecurity incident.
1430 (i) Lead an Emergency Support Function, ESF CYBER, under
1431 the state comprehensive emergency management plan as described
1432 in s. 252.35.
1433 (4) Each state agency head shall, at a minimum:
1434 (a) Designate an information security manager to administer
1435 the cybersecurity program of the state agency. This designation
1436 must be provided annually in writing to DIGIT the department by
1437 January 1. A state agency’s information security manager, for
1438 purposes of these information security duties, shall report
1439 directly to the agency head.
1440 (b) In consultation with the state chief information
1441 security officer department, through the Florida Digital
1442 Service, and the Cybercrime Office of the Department of Law
1443 Enforcement, establish an agency cybersecurity response team to
1444 respond to a cybersecurity incident. The agency cybersecurity
1445 response team shall convene upon notification of a cybersecurity
1446 incident and shall must immediately report all confirmed or
1447 suspected incidents to the state chief information security
1448 officer, or his or her designee, and comply with all applicable
1449 guidelines and processes established pursuant to paragraph
1450 (3)(c).
1451 (c) Submit to the state chief information security officer
1452 department annually by July 31, the state agency’s strategic and
1453 operational cybersecurity plans developed pursuant to rules and
1454 guidelines established by the state chief information security
1455 officer department, through the Florida Digital Service.
1456 1. The state agency strategic cybersecurity plan must cover
1457 a 2-year 3-year period and, at a minimum, define security goals,
1458 intermediate objectives, and projected agency costs for the
1459 strategic issues of agency information security policy, risk
1460 management, security training, security incident response, and
1461 disaster recovery. The plan must be based on the statewide
1462 cybersecurity strategic plan created by the state chief
1463 information security officer department and include performance
1464 metrics that can be objectively measured to reflect the status
1465 of the state agency’s progress in meeting security goals and
1466 objectives identified in the agency’s strategic information
1467 security plan.
1468 2. The state agency operational cybersecurity plan must
1469 include a set of measures that objectively assess the
1470 performance of the agency’s cybersecurity program in accordance
1471 with its risk management plan progress report that objectively
1472 measures progress made towards the prior operational
1473 cybersecurity plan and a project plan that includes activities,
1474 timelines, and deliverables for security objectives that the
1475 state agency will implement during the current fiscal year.
1476 (d) Conduct, and update every 2 3 years, a comprehensive
1477 risk assessment, which may be completed by an independent third
1478 party a private sector vendor, to determine the security threats
1479 to the data, information, and information technology resources,
1480 including mobile devices and print environments, of the agency.
1481 The risk assessment must comply with the risk assessment
1482 methodology developed by the state chief information security
1483 officer department and is confidential and exempt from s.
1484 119.07(1), except that such information shall be available to
1485 the Auditor General, the state chief information security
1486 officer Florida Digital Service within the department, the
1487 Cybercrime Office of the Department of Law Enforcement, and, for
1488 state agencies under the jurisdiction of the Governor, the Chief
1489 Inspector General. If an independent third party a private
1490 sector vendor is used to complete a comprehensive risk
1491 assessment, it must attest to the validity of the risk
1492 assessment findings. The comprehensive risk assessment must
1493 include all of the following:
1494 1. The results of vulnerability and penetration tests on
1495 any Internet website or mobile application that processes any
1496 sensitive personal information or confidential information and a
1497 plan to address any vulnerability identified in the tests.
1498 2. A written acknowledgment that the executive director or
1499 the secretary of the agency, the chief financial officer of the
1500 agency, and each executive manager as designated by the state
1501 agency have been made aware of the risks revealed during the
1502 preparation of the agency’s operations cybersecurity plan and
1503 the comprehensive risk assessment.
1504 (e) Develop, and periodically update, written internal
1505 policies and procedures, which include procedures for reporting
1506 cybersecurity incidents and breaches to the Cybercrime Office of
1507 the Department of Law Enforcement and the state chief
1508 information security officer Florida Digital Service within the
1509 department. Such policies and procedures must be consistent with
1510 the rules, guidelines, and processes established by DIGIT the
1511 department to ensure the security of the data, information, and
1512 information technology resources of the agency. The internal
1513 policies and procedures that, if disclosed, could facilitate the
1514 unauthorized modification, disclosure, or destruction of data or
1515 information technology resources are confidential information
1516 and exempt from s. 119.07(1), except that such information must
1517 shall be available to the Auditor General, the Cybercrime Office
1518 of the Department of Law Enforcement, the state chief
1519 information security officer the Florida Digital Service within
1520 the department, and, for state agencies under the jurisdiction
1521 of the Governor, the Chief Inspector General.
1522 (f) Implement managerial, operational, and technical
1523 safeguards and risk assessment remediation plans recommended by
1524 DIGIT the department to address identified risks to the data,
1525 information, and information technology resources of the agency.
1526 The state chief information security officer department, through
1527 the Florida Digital Service, shall track implementation by state
1528 agencies upon development of such remediation plans in
1529 coordination with agency inspectors general.
1530 (g) Ensure that periodic internal audits and evaluations of
1531 the agency’s cybersecurity program for the data, information,
1532 and information technology resources of the agency are
1533 conducted. The results of such audits and evaluations are
1534 confidential information and exempt from s. 119.07(1), except
1535 that such information must shall be available to the Auditor
1536 General, the Cybercrime Office of the Department of Law
1537 Enforcement, the state chief information security officer
1538 Florida Digital Service within the department, and, for agencies
1539 under the jurisdiction of the Governor, the Chief Inspector
1540 General.
1541 (h) Ensure that the cybersecurity requirements in the
1542 written specifications for the solicitation, contracts, and
1543 service-level agreement of information technology and
1544 information technology resources and services meet or exceed the
1545 applicable state and federal laws, regulations, and standards
1546 for cybersecurity, including the National Institute of Standards
1547 and Technology Cybersecurity Framework. Service-level agreements
1548 must identify service provider and state agency responsibilities
1549 for privacy and security, protection of government data,
1550 personnel background screening, and security deliverables with
1551 associated frequencies.
1552 (i) Provide cybersecurity awareness training to all state
1553 agency employees within 30 days after commencing employment, and
1554 annually thereafter, concerning cybersecurity risks and the
1555 responsibility of employees to comply with policies, standards,
1556 guidelines, and operating procedures adopted by the state agency
1557 to reduce those risks. The training may be provided in
1558 collaboration with the Cybercrime Office of the Department of
1559 Law Enforcement, a private sector entity, or an institution of
1560 the State University System.
1561 (j) Develop a process for detecting, reporting, and
1562 responding to threats, breaches, or cybersecurity incidents
1563 which is consistent with the security rules, guidelines, and
1564 processes established by DIGIT the department through the state
1565 chief information security officer Florida Digital Service.
1566 1. All cybersecurity incidents and ransomware incidents
1567 must be reported by state agencies. Such reports must comply
1568 with the notification procedures and reporting timeframes
1569 established pursuant to paragraph (3)(c).
1570 2. For cybersecurity breaches, state agencies shall provide
1571 notice in accordance with s. 501.171.
1572 (k) Submit to the state chief information security officer
1573 Florida Digital Service, within 1 week after the remediation of
1574 a cybersecurity incident or ransomware incident, an after-action
1575 report that summarizes the incident, the incident’s resolution,
1576 and any insights gained as a result of the incident.
1577 (7) The portions of records made confidential and exempt in
1578 subsections (5) and (6) must shall be available to the Auditor
1579 General, the Cybercrime Office of the Department of Law
1580 Enforcement, the state chief information security officer, the
1581 Legislature Florida Digital Service within the department, and,
1582 for agencies under the jurisdiction of the Governor, the Chief
1583 Inspector General. Such portions of records may be made
1584 available to a local government, another state agency, or a
1585 federal agency for cybersecurity purposes or in furtherance of
1586 the state agency’s official duties.
1587 (10) DIGIT The department shall adopt rules relating to
1588 cybersecurity and to administer this section.
1589 Section 17. Subsections (3) through (6) of section
1590 282.3185, Florida Statutes, are amended to read:
1591 282.3185 Local government cybersecurity.—
1592 (3) CYBERSECURITY TRAINING.—
1593 (a) The state chief information security officer Florida
1594 Digital Service shall:
1595 1. Develop a basic cybersecurity training curriculum for
1596 local government employees. All local government employees with
1597 access to the local government’s network must complete the basic
1598 cybersecurity training within 30 days after commencing
1599 employment and annually thereafter.
1600 2. Develop an advanced cybersecurity training curriculum
1601 for local governments which is consistent with the cybersecurity
1602 training required under s. 282.318(3)(g). All local government
1603 technology professionals and employees with access to highly
1604 sensitive information must complete the advanced cybersecurity
1605 training within 30 days after commencing employment and annually
1606 thereafter.
1607 (b) The state chief information security officer Florida
1608 Digital Service may provide the cybersecurity training required
1609 by this subsection in collaboration with the Cybercrime Office
1610 of the Department of Law Enforcement, a private sector entity,
1611 or an institution of the State University System.
1612 (4) CYBERSECURITY STANDARDS.—
1613 (a) Each local government shall adopt cybersecurity
1614 standards that safeguard its data, information technology, and
1615 information technology resources to ensure availability,
1616 confidentiality, and integrity. The cybersecurity standards must
1617 be consistent with generally accepted best practices for
1618 cybersecurity, including the National Institute of Standards and
1619 Technology Cybersecurity Framework.
1620 (b) Each county with a population of 75,000 or more must
1621 adopt the cybersecurity standards required by this subsection by
1622 January 1, 2024. Each county with a population of less than
1623 75,000 must adopt the cybersecurity standards required by this
1624 subsection by January 1, 2025.
1625 (c) Each municipality with a population of 25,000 or more
1626 must adopt the cybersecurity standards required by this
1627 subsection by January 1, 2024. Each municipality with a
1628 population of less than 25,000 must adopt the cybersecurity
1629 standards required by this subsection by January 1, 2025.
1630 (d) Each local government shall notify the state chief
1631 information security officer Florida Digital Service of its
1632 compliance with this subsection as soon as possible.
1633 (5) INCIDENT NOTIFICATION.—
1634 (a) A local government shall provide notification of a
1635 cybersecurity incident or ransomware incident to the state chief
1636 information security officer Cybersecurity Operations Center,
1637 the Cybercrime Office of the Department of Law Enforcement, and
1638 the sheriff who has jurisdiction over the local government in
1639 accordance with paragraph (b). The notification must include, at
1640 a minimum, the following information:
1641 1. A summary of the facts surrounding the cybersecurity
1642 incident or ransomware incident.
1643 2. The date on which the local government most recently
1644 backed up its data; the physical location of the backup, if the
1645 backup was affected; and if the backup was created using cloud
1646 computing.
1647 3. The types of data compromised by the cybersecurity
1648 incident or ransomware incident.
1649 4. The estimated fiscal impact of the cybersecurity
1650 incident or ransomware incident.
1651 5. In the case of a ransomware incident, the details of the
1652 ransom demanded.
1653 6. A statement requesting or declining assistance from the
1654 Cybersecurity Operations Center, the Cybercrime Office of the
1655 Department of Law Enforcement, or the sheriff who has
1656 jurisdiction over the local government.
1657 (b)1. A local government shall report all ransomware
1658 incidents and any cybersecurity incident determined by the local
1659 government to be of severity level 3, 4, or 5 as provided in s.
1660 282.318(3)(c) to the state chief information security officer
1661 Cybersecurity Operations Center, the Cybercrime Office of the
1662 Department of Law Enforcement, and the sheriff who has
1663 jurisdiction over the local government as soon as possible but
1664 no later than 12 48 hours after discovery of the cybersecurity
1665 incident and no later than 6 12 hours after discovery of the
1666 ransomware incident. The report must contain the information
1667 required in paragraph (a).
1668 2. The state chief information security officer
1669 Cybersecurity Operations Center shall notify the President of
1670 the Senate and the Speaker of the House of Representatives of
1671 any severity level 3, 4, or 5 incident as soon as possible but
1672 no later than 12 hours after receiving a local government’s
1673 incident report. The notification must include a high-level
1674 description of the incident and the likely effects.
1675 (c) A local government may report a cybersecurity incident
1676 determined by the local government to be of severity level 1 or
1677 2 as provided in s. 282.318(3)(c) to the state chief information
1678 security officer Cybersecurity Operations Center, the Cybercrime
1679 Office of the Department of Law Enforcement, and the sheriff who
1680 has jurisdiction over the local government. The report must
1681 shall contain the information required in paragraph (a).
1682 (d) The state chief information security officer
1683 Cybersecurity Operations Center shall provide a consolidated
1684 incident report by the 30th day after the end of each quarter on
1685 a quarterly basis to the President of the Senate and, the
1686 Speaker of the House of Representatives, and the Florida
1687 Cybersecurity Advisory Council. The report provided to the
1688 Florida Cybersecurity Advisory Council may not contain the name
1689 of any local government, network information, or system
1690 identifying information but must contain sufficient relevant
1691 information to allow the Florida Cybersecurity Advisory Council
1692 to fulfill its responsibilities as required in s. 282.319(9).
1693 (6) AFTER-ACTION REPORT.—A local government shall must
1694 submit to the state chief information security officer Florida
1695 Digital Service, within 1 week after the remediation of a
1696 cybersecurity incident or ransomware incident, an after-action
1697 report that summarizes the incident, the incident’s resolution,
1698 and any insights gained as a result of the incident. By December
1699 1, 2022, the Florida Digital Service shall establish guidelines
1700 and processes for submitting an after-action report.
1701 Section 18. Section 282.319, Florida Statutes, is repealed.
1702 Section 19. Section 282.201, Florida Statutes, is amended
1703 to read:
1704 282.201 State data center.—The state data center is
1705 established within the Northwest Regional Data Center pursuant
1706 to s. 282.2011 and shall meet or exceed the information
1707 technology standards specified in ss. 282.006 and 282.318 the
1708 department. The provision of data center services must comply
1709 with applicable state and federal laws, regulations, and
1710 policies, including all applicable security, privacy, and
1711 auditing requirements. The department shall appoint a director
1712 of the state data center who has experience in leading data
1713 center facilities and has expertise in cloud-computing
1714 management.
1715 (1) STATE DATA CENTER DUTIES.—The state data center shall:
1716 (a) Offer, develop, and support the services and
1717 applications defined in service-level agreements executed with
1718 its customer entities.
1719 (b) Maintain performance of the state data center by
1720 ensuring proper data backup; data backup recovery; disaster
1721 recovery; and appropriate security, power, cooling, fire
1722 suppression, and capacity.
1723 (c) Develop and implement business continuity and disaster
1724 recovery plans, and annually conduct a live exercise of each
1725 plan.
1726 (d) Enter into a service-level agreement with each customer
1727 entity to provide the required type and level of service or
1728 services. If a customer entity fails to execute an agreement
1729 within 60 days after commencement of a service, the state data
1730 center may cease service. A service-level agreement may not have
1731 a term exceeding 3 years and at a minimum must:
1732 1. Identify the parties and their roles, duties, and
1733 responsibilities under the agreement.
1734 2. State the duration of the contract term and specify the
1735 conditions for renewal.
1736 3. Identify the scope of work.
1737 4. Identify the products or services to be delivered with
1738 sufficient specificity to permit an external financial or
1739 performance audit.
1740 5. Establish the services to be provided, the business
1741 standards that must be met for each service, the cost of each
1742 service by agency application, and the metrics and processes by
1743 which the business standards for each service are to be
1744 objectively measured and reported.
1745 6. Provide a timely billing methodology to recover the
1746 costs of services provided to the customer entity pursuant to s.
1747 215.422.
1748 7. Provide a procedure for modifying the service-level
1749 agreement based on changes in the type, level, and cost of a
1750 service.
1751 8. Include a right-to-audit clause to ensure that the
1752 parties to the agreement have access to records for audit
1753 purposes during the term of the service-level agreement.
1754 9. Provide that a service-level agreement may be terminated
1755 by either party for cause only after giving the other party and
1756 the department notice in writing of the cause for termination
1757 and an opportunity for the other party to resolve the identified
1758 cause within a reasonable period.
1759 10. Provide for mediation of disputes by the Division of
1760 Administrative Hearings pursuant to s. 120.573.
1761 (e) For purposes of chapter 273, be the custodian of
1762 resources and equipment located in and operated, supported, and
1763 managed by the state data center.
1764 (f) Assume administrative access rights to resources and
1765 equipment, including servers, network components, and other
1766 devices, consolidated into the state data center.
1767 1. Upon consolidation, a state agency shall relinquish
1768 administrative rights to consolidated resources and equipment.
1769 State agencies required to comply with federal and state
1770 criminal justice information security rules and policies shall
1771 retain administrative access rights sufficient to comply with
1772 the management control provisions of those rules and policies;
1773 however, the state data center shall have the appropriate type
1774 or level of rights to allow the center to comply with its duties
1775 pursuant to this section. The Department of Law Enforcement
1776 shall serve as the arbiter of disputes pertaining to the
1777 appropriate type and level of administrative access rights
1778 pertaining to the provision of management control in accordance
1779 with the federal criminal justice information guidelines.
1780 2. The state data center shall provide customer entities
1781 with access to applications, servers, network components, and
1782 other devices necessary for entities to perform business
1783 activities and functions, and as defined and documented in a
1784 service-level agreement.
1785 (g) In its procurement process, show preference for cloud
1786 computing solutions that minimize or do not require the
1787 purchasing, financing, or leasing of state data center
1788 infrastructure, and that meet the needs of customer agencies,
1789 that reduce costs, and that meet or exceed the applicable state
1790 and federal laws, regulations, and standards for cybersecurity.
1791 (h) Assist customer entities in transitioning from state
1792 data center services to the Northwest Regional Data Center or
1793 other third-party cloud-computing services procured by a
1794 customer entity or by the Northwest Regional Data Center on
1795 behalf of a customer entity.
1796 (1)(2) USE OF THE STATE DATA CENTER.—
1797 (a) The following are exempt from the use of the state data
1798 center: the Department of Law Enforcement, the Department of the
1799 Lottery’s Gaming System, Systems Design and Development in the
1800 Office of Policy and Budget, the regional traffic management
1801 centers as described in s. 335.14(2) and the Office of Toll
1802 Operations of the Department of Transportation, the State Board
1803 of Administration, state attorneys, public defenders, criminal
1804 conflict and civil regional counsel, capital collateral regional
1805 counsel, and the Florida Housing Finance Corporation, and the
1806 Division of Emergency Management within the Executive Office of
1807 the Governor.
1808 (b) The Division of Emergency Management is exempt from the
1809 use of the state data center. This paragraph expires July 1,
1810 2026.
1811 (2)(3) AGENCY LIMITATIONS.—Unless exempt from the use of
1812 the state data center pursuant to this section or authorized by
1813 the Legislature, a state agency may not:
1814 (a) Create a new agency computing facility or data center,
1815 or expand the capability to support additional computer
1816 equipment in an existing agency computing facility or data
1817 center; or
1818 (b) Terminate services with the state data center without
1819 giving written notice of intent to terminate services 180 days
1820 before such termination.
1821 (4) DEPARTMENT RESPONSIBILITIES.—The department shall
1822 provide operational management and oversight of the state data
1823 center, which includes:
1824 (a) Implementing industry standards and best practices for
1825 the state data center’s facilities, operations, maintenance,
1826 planning, and management processes.
1827 (b) Developing and implementing cost-recovery mechanisms
1828 that recover the full direct and indirect cost of services
1829 through charges to applicable customer entities. Such cost
1830 recovery mechanisms must comply with applicable state and
1831 federal regulations concerning distribution and use of funds and
1832 must ensure that, for any fiscal year, no service or customer
1833 entity subsidizes another service or customer entity. The
1834 department may recommend other payment mechanisms to the
1835 Executive Office of the Governor, the President of the Senate,
1836 and the Speaker of the House of Representatives. Such mechanisms
1837 may be implemented only if specifically authorized by the
1838 Legislature.
1839 (c) Developing and implementing appropriate operating
1840 guidelines and procedures necessary for the state data center to
1841 perform its duties pursuant to subsection (1). The guidelines
1842 and procedures must comply with applicable state and federal
1843 laws, regulations, and policies and conform to generally
1844 accepted governmental accounting and auditing standards. The
1845 guidelines and procedures must include, but need not be limited
1846 to:
1847 1. Implementing a consolidated administrative support
1848 structure responsible for providing financial management,
1849 procurement, transactions involving real or personal property,
1850 human resources, and operational support.
1851 2. Implementing an annual reconciliation process to ensure
1852 that each customer entity is paying for the full direct and
1853 indirect cost of each service as determined by the customer
1854 entity’s use of each service.
1855 3. Providing rebates that may be credited against future
1856 billings to customer entities when revenues exceed costs.
1857 4. Requiring customer entities to validate that sufficient
1858 funds exist before implementation of a customer entity’s request
1859 for a change in the type or level of service provided, if such
1860 change results in a net increase to the customer entity’s cost
1861 for that fiscal year.
1862 5. By November 15 of each year, providing to the Office of
1863 Policy and Budget in the Executive Office of the Governor and to
1864 the chairs of the legislative appropriations committees the
1865 projected costs of providing data center services for the
1866 following fiscal year.
1867 6. Providing a plan for consideration by the Legislative
1868 Budget Commission if the cost of a service is increased for a
1869 reason other than a customer entity’s request made pursuant to
1870 subparagraph 4. Such a plan is required only if the service cost
1871 increase results in a net increase to a customer entity for that
1872 fiscal year.
1873 7. Standardizing and consolidating procurement and
1874 contracting practices.
1875 (d) In collaboration with the Department of Law Enforcement
1876 and the Florida Digital Service, developing and implementing a
1877 process for detecting, reporting, and responding to
1878 cybersecurity incidents, breaches, and threats.
1879 (e) Adopting rules relating to the operation of the state
1880 data center, including, but not limited to, budgeting and
1881 accounting procedures, cost-recovery methodologies, and
1882 operating procedures.
1883 (5) NORTHWEST REGIONAL DATA CENTER CONTRACT.—In order for
1884 the department to carry out its duties and responsibilities
1885 relating to the state data center, the secretary of the
1886 department shall contract by July 1, 2022, with the Northwest
1887 Regional Data Center pursuant to s. 287.057(11). The contract
1888 shall provide that the Northwest Regional Data Center will
1889 manage the operations of the state data center and provide data
1890 center services to state agencies.
1891 (a) The department shall provide contract oversight,
1892 including, but not limited to, reviewing invoices provided by
1893 the Northwest Regional Data Center for services provided to
1894 state agency customers.
1895 (b) The department shall approve or request updates to
1896 invoices within 10 business days after receipt. If the
1897 department does not respond to the Northwest Regional Data
1898 Center, the invoice will be approved by default. The Northwest
1899 Regional Data Center must submit approved invoices directly to
1900 state agency customers.
1901 Section 20. Section 282.2011, Florida Statutes, is created
1902 to read:
1903 282.2011 Northwest Regional Data Center.—
1904 (1) For the purpose of providing data center services to
1905 its state agency customers, the Northwest Regional Data Center
1906 is designated as the state data center for all state agencies,
1907 except as otherwise provided by law, and shall:
1908 (a) Operate under a governance structure that represents
1909 its customers proportionally.
1910 (b) Maintain an appropriate cost-allocation methodology
1911 that accurately bills state agency customers based solely on the
1912 actual direct and indirect costs of the services provided to
1913 state agency customers and ensures that, for any fiscal year,
1914 state agency customers are not subsidizing other customers of
1915 the data center. Such cost-allocation methodology must comply
1916 with applicable state and federal regulations concerning the
1917 distribution and use of state and federal funds.
1918 (c) Enter into a service-level agreement with each state
1919 agency customer to provide services as defined and approved by
1920 the governing board of the center. At a minimum, such service
1921 level agreements must:
1922 1. Identify the parties and their roles, duties, and
1923 responsibilities under the agreement;
1924 2. State the duration of the agreement term, which may not
1925 exceed 3 years, and specify the conditions for up to two
1926 optional 1-year renewals of the agreement before execution of a
1927 new agreement;
1928 3. Identify the scope of work;
1929 4. Establish the services to be provided, the business
1930 standards that must be met for each service, the cost of each
1931 service, and the process by which the business standards for
1932 each service are to be objectively measured and reported;
1933 5. Provide a timely billing methodology for recovering the
1934 cost of services provided pursuant to s. 215.422;
1935 6. Provide a procedure for modifying the service-level
1936 agreement to address any changes in projected costs of service;
1937 7. Include a right-to-audit clause to ensure that the
1938 parties to the agreement have access to records for audit
1939 purposes during the term of the service-level agreement;
1940 8. Identify the products or services to be delivered with
1941 sufficient specificity to permit an external financial or
1942 performance audit;
1943 9. Provide that the service-level agreement may be
1944 terminated by either party for cause only after giving the other
1945 party notice in writing of the cause for termination and an
1946 opportunity for the other party to resolve the identified cause
1947 within a reasonable period; and
1948 10. Provide state agency customer entities with access to
1949 applications, servers, network components, and other devices
1950 necessary for entities to perform business activities and
1951 functions and as defined and documented in a service-level
1952 agreement.
1953 (d) In its procurement process, show preference for cloud
1954 computing solutions that minimize or do not require the
1955 purchasing or financing of state data center infrastructure,
1956 that meet the needs of state agency customer entities, that
1957 reduce costs, and that meet or exceed the applicable state and
1958 federal laws, regulations, and standards for cybersecurity.
1959 (e) Assist state agency customer entities in transitioning
1960 from state data center services to other third-party cloud
1961 computing services procured by a customer entity or by the
1962 Northwest Regional Data Center on behalf of the customer entity.
1963 (f) Provide to the Board of Governors the total annual
1964 budget by major expenditure category, including, but not limited
1965 to, salaries, expenses, operating capital outlay, contracted
1966 services, or other personnel services, by July 30 each fiscal
1967 year.
1968 (g) Provide to each state agency customer its projected
1969 annual cost for providing the agreed-upon data center services
1970 by September 1 each fiscal year.
1971 (h) By November 15 of each year, provide to the Office of
1972 Policy and Budget in the Executive Office of the Governor and to
1973 the chairs of the legislative appropriations committees the
1974 projected costs of providing data center services for the
1975 following fiscal year for each state agency customer. The
1976 projections must include prior-year comparisons, identification
1977 of new services, and documentation of changes to billing
1978 methodologies or service cost allocation.
1979 (i) Provide a plan for consideration by the Legislative
1980 Budget Commission if the governing body of the center approves
1981 the use of a billing rate schedule after the start of the fiscal
1982 year which increases any state agency customer’s costs for that
1983 fiscal year.
1984 (j) Provide data center services that comply with
1985 applicable state and federal laws, regulations, and policies,
1986 including all applicable security, privacy, and auditing
1987 requirements.
1988 (k) Maintain performance of the data center facilities by
1989 ensuring proper data backup; data backup recovery; disaster
1990 recovery; and appropriate security, power, cooling, fire
1991 suppression, and capacity.
1992 (l) Submit invoices to state agency customers.
1993 (m) As funded in the General Appropriations Act, provide
1994 data center services to state agencies from multiple facilities.
1995 (2) Unless exempt from the requirement to use the state
1996 data center pursuant to s. 282.201(1) or as authorized by the
1997 Legislature, a state agency may not do any of the following:
1998 (a) Terminate services with the Northwest Regional Data
1999 Center without giving written notice of intent to terminate
2000 services 180 days before such termination.
2001 (b) Procure third-party cloud-computing services without
2002 evaluating the cloud-computing services provided by the
2003 Northwest Regional Data Center.
2004 (c) Exceed 30 days from receipt of approved invoices to
2005 remit payment for state data center services provided by the
2006 Northwest Regional Data Center.
2007 (3) The Northwest Regional Data Center’s authority to
2008 provide data center services to its state agency customers may
2009 be terminated if:
2010 (a) The center requests such termination to the Board of
2011 Governors, the President of the Senate, and the Speaker of the
2012 House of Representatives; or
2013 (b) The center fails to comply with the provisions of this
2014 section.
2015 (4) The Northwest Regional Data Center is the lead entity
2016 responsible for creating, operating, and managing, including the
2017 research conducted by, the Florida Behavioral Health Care Data
2018 Repository as established by this subsection.
2019 (a) The purpose of the data repository is to create a
2020 centralized system for:
2021 1. Collecting and analyzing existing statewide behavioral
2022 health care data to:
2023 a. Better understand the scope of and trends in behavioral
2024 health services, spending, and outcomes to improve patient care
2025 and enhance the efficiency and effectiveness of behavioral
2026 health services;
2027 b. Better understand the scope of, trends in, and
2028 relationship between behavioral health, criminal justice,
2029 incarceration, and the use of behavioral health services as a
2030 diversion from incarceration for individuals with mental
2031 illness; and
2032 c. Enhance the collection and coordination of treatment and
2033 outcome information as an ongoing evidence base for research and
2034 education related to behavioral health.
2035 2. Developing useful data analytics, economic metrics, and
2036 visual representations of such analytics and metrics to inform
2037 relevant state agencies and the Legislature of data and trends
2038 in behavioral health.
2039 (b) The Northwest Regional Data Center shall develop, in
2040 collaboration with the Data Analysis Committee of the Commission
2041 on Mental Health and Substance Use Disorder created under s.
2042 394.9086 and with relevant stakeholders, a plan that includes
2043 all of the following:
2044 1. A project plan that describes the technology,
2045 methodology, timeline, cost, and resources necessary to create a
2046 centralized, integrated, and coordinated data system.
2047 2. A proposed governance structure to oversee the
2048 implementation and operations of the repository.
2049 3. An integration strategy to incorporate existing data
2050 from relevant state agencies, including, but not limited to, the
2051 Agency for Health Care Administration, the Department of
2052 Children and Families, the Department of Juvenile Justice, the
2053 Office of the State Courts Administrator, and the Department of
2054 Corrections.
2055 4. Identification of relevant data and metrics to support
2056 actionable information and ensure the efficient and responsible
2057 use of taxpayer dollars within behavioral health systems of
2058 care.
2059 5. Data security requirements for the repository.
2060 6. The structure and process that will be used to create an
2061 annual analysis and report that gives state agencies and the
2062 Legislature a better general understanding of trends and issues
2063 in the state’s behavioral health systems of care and the trends
2064 and issues in behavioral health systems related to criminal
2065 justice treatment, diversion, and incarceration.
2066 (c) Beginning December 1, 2026, and annually thereafter,
2067 the Northwest Regional Data Center shall submit the developed
2068 trends and issues report under subparagraph (b)6. to the
2069 Governor, the President of the Senate, and the Speaker of the
2070 House of Representatives.
2071 (5) If such authority is terminated, the center has 1 year
2072 to provide for the transition of its state agency customers to a
2073 qualified alternative cloud-based data center that meets the
2074 enterprise architecture standards established pursuant to this
2075 chapter.
2076 Section 21. Subsection (4) of section 282.206, Florida
2077 Statutes, is amended to read:
2078 282.206 Cloud-first policy in state agencies.—
2079 (4) Each state agency shall develop a strategic plan to be
2080 updated annually to address its inventory of applications
2081 located at the state data center. Each agency shall submit the
2082 plan by October 15 of each year to DIGIT, the Office of Policy
2083 and Budget in the Executive Office of the Governor, and the
2084 chairs of the legislative appropriations committees, and the
2085 Northwest Regional Data Center. For each application, the plan
2086 must identify and document the feasibility, appropriateness,
2087 readiness, appropriate strategy, and high-level timeline for
2088 transition to a cloud-computing service based on the
2089 application’s quality, cost, and resource requirements. This
2090 information must be used to assist the state data center in
2091 making adjustments to its service offerings.
2092 Section 22. Section 1004.649, Florida Statutes, is amended
2093 to read:
2094 1004.649 Northwest Regional Data Center.—There is created
2095 at Florida State University the Northwest Regional Data Center.
2096 The data center shall serve as the state data center as
2097 designated in s. 282.201
2098 (1) For the purpose of providing data center services to
2099 its state agency customers, the Northwest Regional Data Center
2100 is designated as a state data center for all state agencies and
2101 shall:
2102 (a) Operate under a governance structure that represents
2103 its customers proportionally.
2104 (b) Maintain an appropriate cost-allocation methodology
2105 that accurately bills state agency customers based solely on the
2106 actual direct and indirect costs of the services provided to
2107 state agency customers and ensures that, for any fiscal year,
2108 state agency customers are not subsidizing other customers of
2109 the data center. Such cost-allocation methodology must comply
2110 with applicable state and federal regulations concerning the
2111 distribution and use of state and federal funds.
2112 (c) Enter into a service-level agreement with each state
2113 agency customer to provide services as defined and approved by
2114 the governing board of the center. At a minimum, such service
2115 level agreements must:
2116 1. Identify the parties and their roles, duties, and
2117 responsibilities under the agreement;
2118 2. State the duration of the agreement term, which may not
2119 exceed 3 years, and specify the conditions for up to two
2120 optional 1-year renewals of the agreement before execution of a
2121 new agreement;
2122 3. Identify the scope of work;
2123 4. Establish the services to be provided, the business
2124 standards that must be met for each service, the cost of each
2125 service, and the process by which the business standards for
2126 each service are to be objectively measured and reported;
2127 5. Provide a timely billing methodology for recovering the
2128 cost of services provided pursuant to s. 215.422;
2129 6. Provide a procedure for modifying the service-level
2130 agreement to address any changes in projected costs of service;
2131 7. Include a right-to-audit clause to ensure that the
2132 parties to the agreement have access to records for audit
2133 purposes during the term of the service-level agreement;
2134 8. Identify the products or services to be delivered with
2135 sufficient specificity to permit an external financial or
2136 performance audit;
2137 9. Provide that the service-level agreement may be
2138 terminated by either party for cause only after giving the other
2139 party notice in writing of the cause for termination and an
2140 opportunity for the other party to resolve the identified cause
2141 within a reasonable period; and
2142 10. Provide state agency customer entities with access to
2143 applications, servers, network components, and other devices
2144 necessary for entities to perform business activities and
2145 functions and as defined and documented in a service-level
2146 agreement.
2147 (d) In its procurement process, show preference for cloud
2148 computing solutions that minimize or do not require the
2149 purchasing or financing of state data center infrastructure,
2150 that meet the needs of state agency customer entities, that
2151 reduce costs, and that meet or exceed the applicable state and
2152 federal laws, regulations, and standards for cybersecurity.
2153 (e) Assist state agency customer entities in transitioning
2154 from state data center services to other third-party cloud
2155 computing services procured by a customer entity or by the
2156 Northwest Regional Data Center on behalf of the customer entity.
2157 (f) Provide to the Board of Governors the total annual
2158 budget by major expenditure category, including, but not limited
2159 to, salaries, expenses, operating capital outlay, contracted
2160 services, or other personnel services by July 30 each fiscal
2161 year.
2162 (g) Provide to each state agency customer its projected
2163 annual cost for providing the agreed-upon data center services
2164 by September 1 each fiscal year.
2165 (h) Provide a plan for consideration by the Legislative
2166 Budget Commission if the governing body of the center approves
2167 the use of a billing rate schedule after the start of the fiscal
2168 year that increases any state agency customer’s costs for that
2169 fiscal year.
2170 (i) Provide data center services that comply with
2171 applicable state and federal laws, regulations, and policies,
2172 including all applicable security, privacy, and auditing
2173 requirements.
2174 (j) Maintain performance of the data center facilities by
2175 ensuring proper data backup; data backup recovery; disaster
2176 recovery; and appropriate security, power, cooling, fire
2177 suppression, and capacity.
2178 (k) Prepare and submit state agency customer invoices to
2179 the Department of Management Services for approval. Upon
2180 approval or by default pursuant to s. 282.201(5), submit
2181 invoices to state agency customers.
2182 (l) As funded in the General Appropriations Act, provide
2183 data center services to state agencies from multiple facilities.
2184 (2) Unless exempt from the requirement to use the state
2185 data center pursuant to s. 282.201(2) or as authorized by the
2186 Legislature, a state agency may not do any of the following:
2187 (a) Terminate services with the Northwest Regional Data
2188 Center without giving written notice of intent to terminate
2189 services 180 days before such termination.
2190 (b) Procure third-party cloud-computing services without
2191 evaluating the cloud-computing services provided by the
2192 Northwest Regional Data Center.
2193 (c) Exceed 30 days from receipt of approved invoices to
2194 remit payment for state data center services provided by the
2195 Northwest Regional Data Center.
2196 (3) The Northwest Regional Data Center’s authority to
2197 provide data center services to its state agency customers may
2198 be terminated if:
2199 (a) The center requests such termination to the Board of
2200 Governors, the President of the Senate, and the Speaker of the
2201 House of Representatives; or
2202 (b) The center fails to comply with the provisions of this
2203 section.
2204 (4) The Northwest Regional Data Center is the lead entity
2205 responsible for creating, operating, and managing, including the
2206 research conducted by, the Florida Behavioral Health Care Data
2207 Repository as established by this subsection.
2208 (a) The purpose of the data repository is to create a
2209 centralized system for:
2210 1. Collecting and analyzing existing statewide behavioral
2211 health care data to:
2212 a. Better understand the scope of and trends in behavioral
2213 health services, spending, and outcomes to improve patient care
2214 and enhance the efficiency and effectiveness of behavioral
2215 health services;
2216 b. Better understand the scope of, trends in, and
2217 relationship between behavioral health, criminal justice,
2218 incarceration, and the use of behavioral health services as a
2219 diversion from incarceration for individuals with mental
2220 illness; and
2221 c. Enhance the collection and coordination of treatment and
2222 outcome information as an ongoing evidence base for research and
2223 education related to behavioral health.
2224 2. Developing useful data analytics, economic metrics, and
2225 visual representations of such analytics and metrics to inform
2226 relevant state agencies and the Legislature of data and trends
2227 in behavioral health.
2228 (b) The Northwest Regional Data Center shall develop, in
2229 collaboration with the Data Analysis Committee of the Commission
2230 on Mental Health and Substance Use Disorder created under s.
2231 394.9086 and with relevant stakeholders, a plan that includes
2232 all of the following:
2233 1. A project plan that describes the technology,
2234 methodology, timeline, cost, and resources necessary to create a
2235 centralized, integrated, and coordinated data system.
2236 2. A proposed governance structure to oversee the
2237 implementation and operations of the repository.
2238 3. An integration strategy to incorporate existing data
2239 from relevant state agencies, including, but not limited to, the
2240 Agency for Health Care Administration, the Department of
2241 Children and Families, the Department of Juvenile Justice, the
2242 Office of the State Courts Administrator, and the Department of
2243 Corrections.
2244 4. Identification of relevant data and metrics to support
2245 actionable information and ensure the efficient and responsible
2246 use of taxpayer dollars within behavioral health systems of
2247 care.
2248 5. Data security requirements for the repository.
2249 6. The structure and process that will be used to create an
2250 annual analysis and report that gives state agencies and the
2251 Legislature a better general understanding of trends and issues
2252 in the state’s behavioral health systems of care and the trends
2253 and issues in behavioral health systems related to criminal
2254 justice treatment, diversion, and incarceration.
2255 (c) By December 1, 2025, the Northwest Regional Data
2256 Center, in collaboration with the Data Analysis Committee of the
2257 Commission on Mental Health and Substance Use Disorder, shall
2258 submit the developed plan for implementation and ongoing
2259 operation with a proposed budget to the Governor, the President
2260 of the Senate, and the Speaker of the House of Representatives
2261 for review.
2262 (d) Beginning December 1, 2026, and annually thereafter,
2263 the Northwest Regional Data Center shall submit the developed
2264 trends and issues report under subparagraph (b)6. to the
2265 Governor, the President of the Senate, and the Speaker of the
2266 House of Representatives.
2267 (5) If such authority is terminated, the center has 1 year
2268 to provide for the transition of its state agency customers to a
2269 qualified alternative cloud-based data center that meets the
2270 enterprise architecture standards established by the Florida
2271 Digital Service.
2272 Section 23. Section 287.0583, Florida Statutes, is created
2273 to read:
2274 287.0583 Contract requirements for information technology
2275 commodities or services.—A contract for information technology
2276 commodities or services involving the development,
2277 customization, implementation, integration, support, or
2278 maintenance of software systems, applications, platforms, or
2279 related services must include provisions ensuring all of the
2280 following:
2281 (1) Any data created, processed, or maintained under the
2282 contract is portable and can be extracted in a machine-readable
2283 format upon request.
2284 (2) The vendor will provide, upon request, comprehensive
2285 operational documentation sufficient to allow continued
2286 operation and maintenance by the agency or a new vendor.
2287 (3) The vendor will provide, upon request, reasonable
2288 assistance and support during a transition to the agency or to a
2289 new vendor.
2290 (4) All anticipated software license fees, license renewal
2291 fees, and operation and maintenance costs are documented in
2292 detail. If exact figures are not feasible, the vendor must
2293 provide a reasonable cost range.
2294 Section 24. Section 287.0591, Florida Statutes, is amended
2295 to read:
2296 287.0591 Information technology; vendor disqualification.—
2297 (1)(a) Any competitive solicitation issued by the
2298 department for a state term contract for information technology
2299 commodities must include a term that does not exceed 48 months.
2300 (b)(2) Any competitive solicitation issued by the
2301 department for a state term contract for information technology
2302 consultant services or information technology staff augmentation
2303 contractual services must include a term that does not exceed 48
2304 months.
2305 (c)(3) The department may execute a state term contract for
2306 information technology commodities, consultant services, or
2307 staff augmentation contractual services that exceeds the 48
2308 month requirement if the Secretary of Management Services and
2309 the state chief information officer certify in writing to the
2310 Executive Office of the Governor that a longer contract term is
2311 in the best interest of the state.
2312 (2)(4) If the department issues a competitive solicitation
2313 for information technology commodities, consultant services, or
2314 staff augmentation contractual services, the department shall
2315 coordinate with the Division of Integrated Government Innovation
2316 and Technology within the Executive Office of the Governor
2317 Florida Digital Service within the department shall participate
2318 in such solicitations. Such coordination must include reviewing
2319 the solicitation specifications to verify compliance with
2320 enterprise architecture and cybersecurity standards, evaluating
2321 vendor responses under established criteria, answering vendor
2322 questions, and providing any other technical expertise
2323 necessary.
2324 (3)(a)(5) If an agency issues a request for quote to
2325 purchase information technology commodities, information
2326 technology consultant services, or information technology staff
2327 augmentation contractual services from the state term contract
2328 which meets the CATEGORY TWO threshold amount, but is less than
2329 the CATEGORY FOUR threshold amount:,
2330 1. For any contract with 25 approved vendors or fewer, the
2331 agency must issue a request for quote to all vendors approved to
2332 provide such commodity or service.
2333 2. For any contract with more than 25 approved vendors, the
2334 agency must issue a request for quote to at least 25 of the
2335 vendors approved to provide such commodity or contractual
2336 service.
2337 (b) The agency shall maintain a copy of the request for
2338 quote, the identity of the vendors that were sent the request
2339 for quote, and any vendor response to the request for quote for
2340 2 years after the date of issuance of the purchase order.
2341 (c) Use of a request for quote does not constitute a
2342 decision or intended decision that is subject to protest under
2343 s. 120.57(3).
2344 (4)(a) An agency issuing a request for quote to purchase
2345 information technology commodities, information technology
2346 consultant services, or information technology staff
2347 augmentation contractual services from the state term contract
2348 which exceeds the CATEGORY FOUR threshold amount is subject to
2349 public records requirements pursuant to s. 287.057.
2350 Additionally, an agency shall publish:
2351 1. The request for quote for a minimum of 10 days before
2352 executing the purchase order; and
2353 2. The name of the vendor awarded the purchase order.
2354 (b) The agency shall maintain a copy of the request for
2355 quote, the identity of the vendors that were sent the request
2356 for quote, and all vendor responses to the request for quote for
2357 2 years after the date of issuance of the purchase order.
2358 (c) Use of a request for quote does not constitute a
2359 decision or intended decision that is subject to protest under
2360 s. 120.57(3).
2361 (5) A state agency may request the Division of Integrated
2362 Government Innovation and Technology within the Executive Office
2363 of the Governor for procurement advisory and review services
2364 pursuant to s. 282.0061.
2365 (6)(a) Beginning October 1, 2021, and Each October 1
2366 thereafter, the department shall prequalify firms and
2367 individuals to provide information technology staff augmentation
2368 contractual services and information technology commodities on
2369 state term contract.
2370 (b) In order to prequalify a firm or individual for
2371 participation on the state term contract, the department must
2372 consider, at a minimum, the capability, experience, and past
2373 performance record of the firm or individual.
2374 (c) A firm or individual removed from the source of supply
2375 pursuant to s. 287.042(1)(b) or placed on a disqualified vendor
2376 list pursuant to s. 287.133 or s. 287.134 is immediately
2377 disqualified from state term contract eligibility.
2378 (d) Once a firm or individual has been prequalified to
2379 provide information technology staff augmentation contractual
2380 services or information technology commodities on state term
2381 contract, the firm or individual may respond to requests for
2382 quotes from an agency to provide such services.
2383 Section 25. Subsection (2) of section 20.22, Florida
2384 Statutes, is amended to read:
2385 20.22 Department of Management Services.—There is created a
2386 Department of Management Services.
2387 (2) The following divisions, programs, and services within
2388 the Department of Management Services are established:
2389 (a) Facilities Program.
2390 (b) The Florida Digital Service.
2391 (c) Workforce Program.
2392 (c)1.(d)1. Support Program.
2393 2. Federal Property Assistance Program.
2394 (d)(e) Administration Program.
2395 (e)(f) Division of Administrative Hearings.
2396 (f)(g) Division of Retirement.
2397 (g)(h) Division of State Group Insurance.
2398 (h)(i) Division of Telecommunications.
2399 Section 26. Subsections (1), (5), (7), and (8) of section
2400 282.802, Florida Statutes, are amended to read:
2401 282.802 Government Technology Modernization Council.—
2402 (1) The Government Technology Modernization Council, an
2403 advisory council as defined in s. 20.03(7), is located created
2404 within DIGIT the department. Except as otherwise provided in
2405 this section, the advisory council shall operate in a manner
2406 consistent with s. 20.052.
2407 (5) The state chief information officer Secretary of
2408 Management Services, or his or her designee, shall serve as the
2409 ex officio, nonvoting executive director of the council.
2410 (7)(a) The council shall meet at least quarterly to:
2411 (a)1. Recommend legislative and administrative actions that
2412 the Legislature and state agencies as defined in s. 282.0041 s.
2413 282.318(2) may take to promote the development of data
2414 modernization in this state.
2415 (b)2. Assess and provide guidance on necessary legislative
2416 reforms and the creation of a state code of ethics for
2417 artificial intelligence systems in state government.
2418 (c)3. Assess the effect of automated decision systems or
2419 identity management on constitutional and other legal rights,
2420 duties, and privileges of residents of this state.
2421 (d)4. Evaluate common standards for artificial intelligence
2422 safety and security measures, including the benefits of
2423 requiring disclosure of the digital provenance for all images
2424 and audio created using generative artificial intelligence as a
2425 means of revealing the origin and edit of the image or audio, as
2426 well as the best methods for such disclosure.
2427 (e)5. Assess the manner in which governmental entities and
2428 the private sector are using artificial intelligence with a
2429 focus on opportunity areas for deployments in systems across
2430 this state.
2431 (f)6. Determine the manner in which artificial intelligence
2432 is being exploited by bad actors, including foreign countries of
2433 concern as defined in s. 287.138(1).
2434 (g)7. Evaluate the need for curriculum to prepare school
2435 age audiences with the digital media and visual literacy skills
2436 needed to navigate the digital information landscape.
2437 (b) At least one quarterly meeting of the council must be a
2438 joint meeting with the Florida Cybersecurity Advisory Council.
2439 (8) By December 31, 2024, and Each December 31 thereafter,
2440 the council shall submit to the Governor, the President of the
2441 Senate, and the Speaker of the House of Representatives any
2442 legislative recommendations considered necessary by the council
2443 to modernize government technology, including:
2444 (a) Recommendations for policies necessary to:
2445 1. Accelerate adoption of technologies that will increase
2446 productivity of state enterprise information technology systems,
2447 improve customer service levels of government, and reduce
2448 administrative or operating costs.
2449 2. Promote the development and deployment of artificial
2450 intelligence systems, financial technology, education
2451 technology, or other enterprise management software in this
2452 state.
2453 3. Protect Floridians from bad actors who use artificial
2454 intelligence.
2455 (b) Any other information the council considers relevant.
2456 Section 27. Section 282.604, Florida Statutes, is amended
2457 to read:
2458 282.604 Adoption of rules.—DIGIT The Department of
2459 Management Services shall, with input from stakeholders, adopt
2460 rules pursuant to ss. 120.536(1) and 120.54 for the development,
2461 procurement, maintenance, and use of accessible electronic
2462 information technology by governmental units.
2463 Section 28. Paragraph (b) of subsection (4) of section
2464 443.1113, Florida Statutes, is amended to read:
2465 443.1113 Reemployment Assistance Claims and Benefits
2466 Information System.—
2467 (4)
2468 (b) The department shall seek input on recommended
2469 enhancements from, at a minimum, the following entities:
2470 1. The Division of Integrated Government Innovation and
2471 Technology within the Executive Office of the Governor Florida
2472 Digital Service within the Department of Management Services.
2473 2. The General Tax Administration Program Office within the
2474 Department of Revenue.
2475 3. The Division of Accounting and Auditing within the
2476 Department of Financial Services.
2477 Section 29. Subsection (5) of section 943.0415, Florida
2478 Statutes, is amended to read:
2479 943.0415 Cybercrime Office.—There is created within the
2480 Department of Law Enforcement the Cybercrime Office. The office
2481 may:
2482 (5) Consult with the state chief information security
2483 officer of the Division of Integrated Government Innovation and
2484 Technology within the Executive Office of the Governor Florida
2485 Digital Service within the Department of Management Services in
2486 the adoption of rules relating to the information technology
2487 security provisions in s. 282.318.
2488 Section 30. Subsection (3) of section 1004.444, Florida
2489 Statutes, is amended to read:
2490 1004.444 Florida Center for Cybersecurity.—
2491 (3) Upon receiving a request for assistance from a the
2492 Department of Management Services, the Florida Digital Service,
2493 or another state agency, the center is authorized, but may not
2494 be compelled by the agency, to conduct, consult on, or otherwise
2495 assist any state-funded initiatives related to:
2496 (a) Cybersecurity training, professional development, and
2497 education for state and local government employees, including
2498 school districts and the judicial branch; and
2499 (b) Increasing the cybersecurity effectiveness of the
2500 state’s and local governments’ technology platforms and
2501 infrastructure, including school districts and the judicial
2502 branch.
2503 Section 31. This act shall take effect January 5, 2027.
2504
2505 ================= T I T L E A M E N D M E N T ================
2506 And the title is amended as follows:
2507 Delete everything before the enacting clause
2508 and insert:
2509 A bill to be entitled
2510 An act relating to information technology; providing
2511 for a type two transfer of the duties and functions of
2512 the Florida Digital Service from the Department of
2513 Management Services to the Division of Integrated
2514 Government Innovation and Technology; creating s.
2515 14.205, F.S.; creating the Division of Integrated
2516 Government Innovation and Technology (DIGIT) within
2517 the Executive Office of the Governor; providing that
2518 the division is a separate budget entity and must
2519 prepare and submit a budget in accordance with
2520 specified provisions; requiring the division to be
2521 responsible for all professional, technical, and
2522 administrative support to carry out its assigned
2523 duties; providing for a director of the division;
2524 providing that the director also serves as the state
2525 chief information officer; providing for the
2526 appointment of the director; prohibiting the state
2527 chief information officer from having certain
2528 conflicts of interest; providing the qualifications
2529 for the state chief information officer; providing
2530 that the deputy director also serves as the deputy
2531 chief information officer; providing that the director
2532 will select a state chief information security
2533 officer, state chief data officer, state chief
2534 technology officer, and state chief technology
2535 procurement officer; transferring the state chief
2536 information officer of the Department of Management
2537 Services to DIGIT until the Governor appoints a
2538 permanent officer; requiring that such appointment
2539 occur by a specified date; amending s. 20.055, F.S.;
2540 requiring agency inspectors general to review and
2541 report whether certain agency practices are consistent
2542 with specified reporting requirements and standards;
2543 requiring such inspectors general to prepare and
2544 submit a certain compliance report to certain persons
2545 by a specified date annually; requiring the chief
2546 inspector general to review certain reports and
2547 prepare a consolidated report; requiring that such
2548 report be submitted to the Executive Office of the
2549 Governor and the Legislature annually by a specified
2550 date; requiring certain agency heads to submit certain
2551 reports to the Executive Office of the Governor and
2552 the Legislature annually by a specified date; amending
2553 s. 97.0525, F.S.; requiring that the Division of
2554 Elections comprehensive risk assessment comply with
2555 the risk assessment methodology developed by DIGIT;
2556 amending s. 112.22, F.S.; defining the term “DIGIT”;
2557 deleting the term “department”; revising the
2558 definition of the term “prohibited application”;
2559 authorizing public employers to request a certain
2560 waiver from DIGIT; requiring DIGIT to take specified
2561 actions; deleting obsolete language; requiring DIGIT
2562 to adopt rules; amending s. 119.0725, F.S.; requiring
2563 that certain confidential and exempt information be
2564 made available to DIGIT; amending s. 216.023, F.S.;
2565 deleting a provision requiring state agencies and the
2566 judicial branch to include a cumulative inventory and
2567 a certain status report of specified projects as part
2568 of a budget request; deleting provisions relating to
2569 ongoing technology-related projects; conforming a
2570 cross-reference; amending s. 282.0041, F.S.; deleting
2571 and revising definitions; defining the terms “DIGIT”
2572 and “technical debt”; amending s. 282.00515, F.S.;
2573 authorizing the Department of Legal Affairs, the
2574 Department of Financial Services, and the Department
2575 of Agriculture and Consumer Services to adopt
2576 alternative standards that must be based on specified
2577 industry-recognized best practices and standards;
2578 requiring the departments to evaluate the adoption of
2579 such standards on a case-by-case basis; requiring the
2580 departments to follow specified standards under
2581 certain circumstances; requiring the departments to
2582 conduct a certain full baseline needs assessment;
2583 authorizing the departments to contract with DIGIT to
2584 assist or complete such assessment; requiring the
2585 departments to each produce certain phased roadmaps
2586 that must be submitted annually with specified budget
2587 requests; authorizing the departments to contract with
2588 DIGIT to assist or complete such roadmaps; authorizing
2589 the departments to contract with DIGIT for specified
2590 services; requiring the departments to use certain
2591 information technology reports and follow a specified
2592 reporting process; requiring the departments to submit
2593 a certain report annually by a specified date to the
2594 Governor and the Legislature; revising applicability;
2595 authorizing DIGIT to perform project oversight on
2596 information technology projects of the departments
2597 which have a specified project cost; requiring that
2598 such projects comply with certain standards; requiring
2599 DIGIT to report periodically to the Legislature high
2600 risk information technology projects; specifying
2601 report requirements; requiring state agencies to
2602 consult with DIGIT and work cooperatively with certain
2603 departments under specified circumstances; revising
2604 cross-references; creating s. 282.006, F.S.; requiring
2605 DIGIT to operate as the state enterprise organization
2606 for information technology governance and as the lead
2607 entity responsible for understanding needs and
2608 environments, creating standards and strategy,
2609 supporting state agency technology efforts, and
2610 reporting on the state of information technology in
2611 this state; providing legislative intent; requiring
2612 DIGIT to establish the strategic direction of
2613 information technology in the state; requiring DIGIT
2614 to develop and publish an information technology
2615 policy for a specified purpose; requiring that such
2616 policy be updated as necessary to meet certain
2617 requirements and reflect advancements in technology;
2618 requiring DIGIT, in coordination with certain subject
2619 matter experts, to develop, publish, and maintain
2620 specified enterprise architecture; requiring DIGIT to
2621 take specified actions related to oversight of the
2622 state’s technology enterprise; requiring DIGIT to
2623 develop open data standards and technologies for use
2624 by state agencies; requiring DIGIT to develop certain
2625 testing, best practices, and standards; specifying
2626 such best practices and standards; requiring DIGIT to
2627 produce specified reports and provide the reports to
2628 the Governor and the Legislature by specified dates
2629 and at specified intervals; specifying requirements
2630 for such reports; requiring DIGIT to conduct a market
2631 analysis at a certain interval beginning on a
2632 specified date; specifying requirements for the market
2633 analysis; requiring that each market analysis be used
2634 to prepare a strategic plan for specified purposes;
2635 requiring that the market analysis and strategic plan
2636 be submitted by a specified date; requiring DIGIT to
2637 develop, implement, and maintain a certain library;
2638 specifying requirements for the library; requiring
2639 DIGIT to establish procedures that ensure the
2640 integrity, security, and availability of the library;
2641 requiring DIGIT to regularly update documents and
2642 materials in the library to reflect current state and
2643 federal requirements, industry best practices, and
2644 emerging technologies; requiring DIGIT to create
2645 mechanisms for state agencies to submit feedback,
2646 request clarification, and recommend updates;
2647 requiring state agencies to actively participate and
2648 collaborate with DIGIT to achieve certain objectives
2649 and to reference and adhere to the policies,
2650 standards, and guidelines of the library in specified
2651 tasks; authorizing state agencies to request
2652 exemptions to specific policies, standards, or
2653 guidelines under specified circumstances; providing
2654 the mechanism for a state agency to request such
2655 exemption; requiring DIGIT to review the request and
2656 make a recommendation to the state chief information
2657 officer; requiring the state chief information officer
2658 to present the exemption to the chief information
2659 officer workgroup; requiring that approval of the
2660 exemption be by majority vote; requiring that state
2661 agencies granted an exemption be reviewed periodically
2662 to determine whether such exemption is necessary or
2663 whether compliance can be achieved; authorizing DIGIT
2664 to adopt rules; creating s. 282.0061, F.S.; providing
2665 legislative intent; requiring DIGIT to complete a
2666 certain full baseline needs assessment of state
2667 agencies, develop a specified plan to conduct such
2668 assessments, and submit the plan to the Governor and
2669 the Legislature within a specified timeframe;
2670 requiring DIGIT to support state agency strategic
2671 planning efforts and assist agencies with production
2672 of a certain phased roadmap; specifying requirements
2673 for such roadmaps; requiring DIGIT to make
2674 recommendations for standardizing data across state
2675 agencies for a specified purpose, identify any
2676 opportunities for standardization and consolidation of
2677 information technology services across state agencies,
2678 support specified functions, review all state agency
2679 legislative budget requests for compliance, and
2680 provide a certain review to the Office of Policy and
2681 Budget in the Executive Office of the Governor;
2682 requiring DIGIT to develop standards for use by state
2683 agencies which support specified best practices for
2684 data management at the state agency level; requiring
2685 DIGIT to provide a certain report to the Governor and
2686 the Legislature by a specified date; specifying
2687 requirements for the report; providing the duties and
2688 responsibilities of DIGIT related to state agency
2689 technology projects; requiring DIGIT, in consultation
2690 with state agencies, to create a methodology,
2691 approach, and applicable templates and formats for
2692 identifying and collecting information technology
2693 expenditure data at the state agency level; requiring
2694 DIGIT to continuously obtain, review, and maintain
2695 records of the appropriations, expenditures, and
2696 revenues for information technology for each state
2697 agency; requiring DIGIT to prescribe the format for
2698 state agencies to provide financial information to
2699 DIGIT for inclusion in a certain annual report;
2700 requiring state agencies to submit such information by
2701 a specified date annually; requiring DIGIT to work
2702 with state agencies to provide alternative standards,
2703 policies, or requirements under specified
2704 circumstances; creating s. 282.0062, F.S.;
2705 establishing workgroups within DIGIT to facilitate
2706 coordination with state agencies; providing for the
2707 membership and duties of such workgroups; requiring
2708 the appropriate staff of the Department of Legal
2709 Affairs, the Department of Financial Services, and the
2710 Department of Agriculture and Consumer Services to
2711 participate in specified workgroups; authorizing such
2712 staff to participate in specified workgroups and any
2713 other workgroups as authorized by their respective
2714 elected official; creating s. 282.0063, F.S.;
2715 requiring DIGIT to perform specified actions to
2716 develop and manage career paths, progressions, and
2717 training programs for the benefit of state agency
2718 personnel; requiring DIGIT to consult with specified
2719 entities to implement specified provisions; creating
2720 s. 282.0064, F.S.; requiring DIGIT, in coordination
2721 with the Department of Management Services, to
2722 establish a policy for all information technology
2723 related solicitations, contracts, and procurements;
2724 specifying requirements for the policy related to
2725 state term contracts, all contracts, and information
2726 technology projects that require oversight;
2727 prohibiting entities providing independent
2728 verification and validation from having certain
2729 interests, responsibilities, or other participation in
2730 the project; providing the primary objective of
2731 independent verification and validation; requiring the
2732 entity performing such verification and validation to
2733 provide specified regular reports and assessments;
2734 requiring the Division of State Purchasing within the
2735 Department of Management Services to coordinate with
2736 DIGIT on state term contract solicitations and
2737 invitations to negotiate; specifying the scope of the
2738 coordination; requiring DIGIT to evaluate vendor
2739 responses and assist with answers to vendor questions
2740 on such solicitations and invitations; authorizing the
2741 Department of Legal Affairs, the Department of
2742 Financial Services, and the Department of Agriculture
2743 and Consumer Services to adopt alternative information
2744 technology policy; providing requirements for adopting
2745 such alternative policy; amending s. 282.318, F.S.;
2746 providing that DIGIT is the lead entity responsible
2747 for establishing enterprise technology and
2748 cybersecurity standards and processes and security
2749 measures that comply with specified standards;
2750 requiring DIGIT to adopt specified rules; requiring
2751 DIGIT to take specified actions; revising the
2752 responsibilities of the state chief information
2753 security officer; revising the guidelines and
2754 processes for state agency cybersecurity governance
2755 frameworks; requiring state agencies to report all
2756 ransomware incidents to the state chief information
2757 security officer instead of the Cybersecurity
2758 Operations Center; requiring state agencies to also
2759 notify the Northwest Regional Data Center of such
2760 incidents under specified conditions; requiring the
2761 state chief information security officer, instead of
2762 the Cybersecurity Operations Center, to notify the
2763 Legislature of certain incidents; requiring state
2764 agencies to notify the state chief information
2765 security officer within specified timeframes after the
2766 discovery of a specified cybersecurity incident or
2767 ransomware incident; requiring state agencies to also
2768 notify the Northwest Regional Data Center of such
2769 incidents under specified conditions; requiring the
2770 state chief information security officer, instead of
2771 the Cybersecurity Operations Center, to provide a
2772 certain report on a quarterly basis to the
2773 Legislature; revising the actions that state agency
2774 heads are required to perform relating to
2775 cybersecurity; revising the timeframe that the state
2776 agency strategic cybersecurity plan must cover;
2777 requiring that a specified comprehensive risk
2778 assessment be completed biennially; authorizing such
2779 assessment to be completed by an independent third
2780 party; requiring the third party to attest to the
2781 validity of the findings; specifying requirements for
2782 the comprehensive risk assessment; providing that
2783 confidential and exempt records be made available to
2784 the state chief information security officer and
2785 Legislature; conforming provisions to changes made by
2786 the act; amending s. 282.3185, F.S.; requiring the
2787 state chief information security officer to perform
2788 specified actions relating to cybersecurity training
2789 for state employees; deleting obsolete language;
2790 requiring local governments to notify the state chief
2791 information security officer of compliance with
2792 specified provisions as soon as possible; requiring
2793 local governments to notify the state chief
2794 information security officer, instead of the
2795 Cybersecurity Operations Center, of cybersecurity or
2796 ransomware incidents; revising the timeframes in which
2797 such notifications must be made; requiring the state
2798 chief information security officer to notify the
2799 Governor and the Legislature of certain incidents
2800 within a specified timeframe; authorizing local
2801 governments to report certain cybersecurity incidents
2802 to the state chief information security officer
2803 instead of the Cybersecurity Operations Center;
2804 requiring the state chief information security officer
2805 to provide a certain consolidated incident report
2806 within a specified timeframe to the Legislature;
2807 requiring the state chief information security officer
2808 to establish certain guidelines and processes by a
2809 specified date; conforming provisions to changes made
2810 by the act; repealing s. 282.319, F.S., relating to
2811 the Florida Cybersecurity Advisory Council; amending
2812 s. 282.201, F.S.; establishing the state data center
2813 within the Northwest Regional Data Center; requiring
2814 the Northwest Regional Data Center to meet or exceed
2815 specified information technology standards; revising
2816 requirements of the state data center; abrogating the
2817 scheduled repeal of the Division of Emergency
2818 Management’s exemption from using the state data
2819 center; deleting the Department of Management
2820 Services’ responsibilities related to the state data
2821 center; deleting provisions relating to contracting
2822 with the Northwest Regional Data Center; creating s.
2823 282.2011, F.S.; designating the Northwest Regional
2824 Data Center as the state data center for all state
2825 agencies; requiring the data center to engage in
2826 specified actions; prohibiting state agencies from
2827 terminating services with the data center without
2828 giving written notice within a specified timeframe,
2829 procuring third-party cloud-computing services without
2830 evaluating the data center’s cloud-computing services,
2831 and exceeding a specified timeframe to remit payments
2832 for services provided by the data center; specifying
2833 circumstances under which the data center’s
2834 authorization to provide services may be terminated;
2835 providing that the data center has a specified
2836 timeframe to provide for the transition of state
2837 agency customers to a qualified alternative cloud-
2838 based data center that meets specified standards;
2839 providing that the data center is the lead entity
2840 responsible for creating, operating, and managing the
2841 Florida Behavioral Health Care Data Repository;
2842 providing the purpose of the repository; requiring the
2843 data center, in collaboration with the Data Analysis
2844 Committee of the Commission on Mental Health and
2845 Substance Use Disorder, to develop a specified plan;
2846 requiring, beginning on a specified date, the data
2847 center to submit a certain report annually to the
2848 Governor and the Legislature; providing for a
2849 transition to an alternative cloud-based data center
2850 under specified circumstances; revising the
2851 information the plan identifies and documents;
2852 amending s. 282.206, F.S.; requiring state agencies to
2853 submit a certain strategic plan to DIGIT and the
2854 Northwest Regional Data Center annually by a specified
2855 date; amending s. 1004.649, F.S.; creating the
2856 Northwest Regional Data Center at Florida State
2857 University; conforming provisions to changes made by
2858 the act; creating s. 287.0583, F.S.; requiring that
2859 contracts for information technology commodities and
2860 services ensure extraction of data, certain
2861 documentation, assistance and support, and anticipated
2862 fees; amending s. 287.0591, F.S.; requiring the
2863 Department of Management Services to coordinate with
2864 DIGIT in specified solicitations; specifying the scope
2865 of the coordination; requiring agencies to maintain
2866 copies of certain documents when issuing a request for
2867 quote for state term contracts within specified
2868 threshold amounts; providing that agencies that issue
2869 requests for quotes in excess of certain thresholds
2870 are subject to specified public records requirements;
2871 requiring such agencies to publish specified
2872 information; requiring such agencies to maintain
2873 copies of certain documentation for a specified
2874 timeframe; providing that use of a request for quote
2875 is not subject to certain protest provisions;
2876 authorizing agencies to request certain services from
2877 DIGIT; requiring the department to prequalify firms
2878 and individuals who provide information technology
2879 commodities; authorizing such firms and individuals to
2880 submit responses to requests for quotes; amending s.
2881 20.22, F.S.; conforming provisions to changes made by
2882 the act; amending s. 282.802, F.S.; providing that the
2883 Government Technology Modernization Council is located
2884 within DIGIT; providing that the state chief
2885 information officer, rather than the Secretary of
2886 Management Services, is the ex officio head of the
2887 council; conforming a cross-reference; amending s.
2888 282.604, F.S.; conforming provisions to changes made
2889 by the act; amending s. 443.1113, F.S.; conforming
2890 provisions to changes made by the act; amending s.
2891 943.0415, F.S.; requiring the state chief information
2892 security officer, rather than the Florida Digital
2893 Service, to consult with the Department of Law
2894 Enforcement’s Cybercrime Office in the adoption of
2895 certain rules; amending s. 1004.444, F.S.; revising
2896 the list of who may request certain assistance from
2897 the Florida Center for Cybersecurity; providing an
2898 effective date.