2021 Florida Statutes (Including 2021B Session)
SECTION 0051
Department of Management Services; Florida Digital Service; powers, duties, and functions.
Department of Management Services; Florida Digital Service; powers, duties, and functions.
282.0051 Department of Management Services; Florida Digital Service; powers, duties, and functions.—
(1) The Florida Digital Service has been created within the department to propose innovative solutions that securely modernize state government, including technology and information services, to achieve value through digital transformation and interoperability, and to fully support the cloud-first policy as specified in s. 282.206. The department, through the Florida Digital Service, shall have the following powers, duties, and functions:
(a) Develop and publish information technology policy for the management of the state’s information technology resources.
(b) Develop an enterprise architecture that:
1. Acknowledges the unique needs of the entities within the enterprise in the development and publication of standards and terminologies to facilitate digital interoperability;
2. Supports the cloud-first policy as specified in s. 282.206; and
3. Addresses how information technology infrastructure may be modernized to achieve cloud-first objectives.
(c) Establish project management and oversight standards with which state agencies must comply when implementing information technology projects. The department, acting through the Florida Digital Service, shall provide training opportunities to state agencies to assist in the adoption of the project management and oversight standards. To support data-driven decisionmaking, the standards must include, but are not limited to:
1. Performance measurements and metrics that objectively reflect the status of an information technology project based on a defined and documented project scope, cost, and schedule.
2. Methodologies for calculating acceptable variances in the projected versus actual scope, schedule, or cost of an information technology project.
3. Reporting requirements, including requirements designed to alert all defined stakeholders that an information technology project has exceeded acceptable variances defined and documented in a project plan.
4. Content, format, and frequency of project updates.
5. Technical standards to ensure an information technology project complies with the enterprise architecture.
(d) Perform project oversight on all state agency information technology projects that have total project costs of $10 million or more and that are funded in the General Appropriations Act or any other law. The department, acting through the Florida Digital Service, shall report at least quarterly to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives on any information technology project that the department identifies as high-risk due to the project exceeding acceptable variance ranges defined and documented in a project plan. The report must include a risk assessment, including fiscal risks, associated with proceeding to the next stage of the project, and a recommendation for corrective actions required, including suspension or termination of the project.
(e) Identify opportunities for standardization and consolidation of information technology services that support interoperability and the cloud-first policy, as specified in s. 282.206, and business functions and operations, including administrative functions such as purchasing, accounting and reporting, cash management, and personnel, and that are common across state agencies. The department, acting through the Florida Digital Service, shall biennially on January 1 of each even-numbered year provide recommendations for standardization and consolidation to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives.
(f) Establish best practices for the procurement of information technology products and cloud-computing services in order to reduce costs, increase the quality of data center services, or improve government services.
(g) Develop standards for information technology reports and updates, including, but not limited to, operational work plans, project spend plans, and project status reports, for use by state agencies.
(h) Upon request, assist state agencies in the development of information technology-related legislative budget requests.
(i) Conduct annual assessments of state agencies to determine compliance with all information technology standards and guidelines developed and published by the department and provide results of the assessments to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives.
(j) Provide operational management and oversight of the state data center established pursuant to s. 282.201, which includes:
1. Implementing industry standards and best practices for the state data center’s facilities, operations, maintenance, planning, and management processes.
2. Developing and implementing cost-recovery mechanisms that recover the full direct and indirect cost of services through charges to applicable customer entities. Such cost-recovery mechanisms must comply with applicable state and federal regulations concerning distribution and use of funds and must ensure that, for any fiscal year, no service or customer entity subsidizes another service or customer entity. The Florida Digital Service may recommend other payment mechanisms to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives. Such mechanism may be implemented only if specifically authorized by the Legislature.
3. Developing and implementing appropriate operating guidelines and procedures necessary for the state data center to perform its duties pursuant to s. 282.201. The guidelines and procedures must comply with applicable state and federal laws, regulations, and policies and conform to generally accepted governmental accounting and auditing standards. The guidelines and procedures must include, but need not be limited to:
a. Implementing a consolidated administrative support structure responsible for providing financial management, procurement, transactions involving real or personal property, human resources, and operational support.
b. Implementing an annual reconciliation process to ensure that each customer entity is paying for the full direct and indirect cost of each service as determined by the customer entity’s use of each service.
c. Providing rebates that may be credited against future billings to customer entities when revenues exceed costs.
d. Requiring customer entities to validate that sufficient funds exist in the appropriate data processing appropriation category or will be transferred into the appropriate data processing appropriation category before implementation of a customer entity’s request for a change in the type or level of service provided, if such change results in a net increase to the customer entity’s cost for that fiscal year.
e. By November 15 of each year, providing to the Office of Policy and Budget in the Executive Office of the Governor and to the chairs of the legislative appropriations committees the projected costs of providing data center services for the following fiscal year.
f. Providing a plan for consideration by the Legislative Budget Commission if the cost of a service is increased for a reason other than a customer entity’s request made pursuant to sub-subparagraph d. Such a plan is required only if the service cost increase results in a net increase to a customer entity for that fiscal year.
g. Standardizing and consolidating procurement and contracting practices.
4. In collaboration with the Department of Law Enforcement, developing and implementing a process for detecting, reporting, and responding to cybersecurity incidents, breaches, and threats.
5. Adopting rules relating to the operation of the state data center, including, but not limited to, budgeting and accounting procedures, cost-recovery methodologies, and operating procedures.
(k) Conduct a market analysis not less frequently than every 3 years beginning in 2021 to determine whether the information technology resources within the enterprise are utilized in the most cost-effective and cost-efficient manner, while recognizing that the replacement of certain legacy information technology systems within the enterprise may be cost prohibitive or cost inefficient due to the remaining useful life of those resources; whether the enterprise is complying with the cloud-first policy specified in s. 282.206; and whether the enterprise is utilizing best practices with respect to information technology, information services, and the acquisition of emerging technologies and information services. Each market analysis shall be used to prepare a strategic plan for continued and future information technology and information services for the enterprise, including, but not limited to, proposed acquisition of new services or technologies and approaches to the implementation of any new services or technologies. Copies of each market analysis and accompanying strategic plan must be submitted to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives not later than December 31 of each year that a market analysis is conducted.
(l) Recommend other information technology services that should be designed, delivered, and managed as enterprise information technology services. Recommendations must include the identification of existing information technology resources associated with the services, if existing services must be transferred as a result of being delivered and managed as enterprise information technology services.
(m) In consultation with state agencies, propose a methodology and approach for identifying and collecting both current and planned information technology expenditure data at the state agency level.
(n)1. Notwithstanding any other law, provide project oversight on any information technology project of the Department of Financial Services, the Department of Legal Affairs, and the Department of Agriculture and Consumer Services which has a total project cost of $20 million or more. Such information technology projects must also comply with the applicable information technology architecture, project management and oversight, and reporting standards established by the department, acting through the Florida Digital Service.
2. When performing the project oversight function specified in subparagraph 1., report at least quarterly to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives on any information technology project that the department, acting through the Florida Digital Service, identifies as high-risk due to the project exceeding acceptable variance ranges defined and documented in the project plan. The report shall include a risk assessment, including fiscal risks, associated with proceeding to the next stage of the project and a recommendation for corrective actions required, including suspension or termination of the project.
(o) If an information technology project implemented by a state agency must be connected to or otherwise accommodated by an information technology system administered by the Department of Financial Services, the Department of Legal Affairs, or the Department of Agriculture and Consumer Services, consult with these departments regarding the risks and other effects of such projects on their information technology systems and work cooperatively with these departments regarding the connections, interfaces, timing, or accommodations required to implement such projects.
(p) If adherence to standards or policies adopted by or established pursuant to this section causes conflict with federal regulations or requirements imposed on an entity within the enterprise and results in adverse action against an entity or federal funding, work with the entity to provide alternative standards, policies, or requirements that do not conflict with the federal regulation or requirement. The department, acting through the Florida Digital Service, shall annually report such alternative standards to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives.
(q)1. Establish an information technology policy for all information technology-related state contracts, including state term contracts for information technology commodities, consultant services, and staff augmentation services. The information technology policy must include:
a. Identification of the information technology product and service categories to be included in state term contracts.
b. Requirements to be included in solicitations for state term contracts.
c. Evaluation criteria for the award of information technology-related state term contracts.
d. The term of each information technology-related state term contract.
e. The maximum number of vendors authorized on each state term contract.
f. At a minimum, a requirement that any contract for information technology commodities or services meet the National Institute of Standards and Technology Cybersecurity Framework.
g. For an information technology project wherein project oversight is required pursuant to paragraph (d) or paragraph (n), a requirement that independent verification and validation be employed throughout the project life cycle with the primary objective of independent verification and validation being to provide an objective assessment of products and processes throughout the project life cycle. An entity providing independent verification and validation may not have technical, managerial, or financial interest in the project and may not have responsibility for, or participate in, any other aspect of the project.
2. Evaluate vendor responses for information technology-related state term contract solicitations and invitations to negotiate.
3. Answer vendor questions on information technology-related state term contract solicitations.
4. Ensure that the information technology policy established pursuant to subparagraph 1. is included in all solicitations and contracts that are administratively executed by the department.
(r) Recommend potential methods for standardizing data across state agencies which will promote interoperability and reduce the collection of duplicative data.
(s) Recommend open data technical standards and terminologies for use by the enterprise.
(t) Ensure that enterprise information technology solutions are capable of utilizing an electronic credential and comply with the enterprise architecture standards.
(2)(a) The Secretary of Management Services shall designate a state chief information officer, who shall administer the Florida Digital Service. The state chief information officer, prior to appointment, must have at least 5 years of experience in the development of information system strategic planning and development or information technology policy, and, preferably, have leadership-level experience in the design, development, and deployment of interoperable software and data solutions.
(b) The state chief information officer, in consultation with the Secretary of Management Services, shall designate a state chief data officer. The chief data officer must be a proven and effective administrator who must have significant and substantive experience in data management, data governance, interoperability, and security.
(3) The department, acting through the Florida Digital Service and from funds appropriated to the Florida Digital Service, shall:
(a) Create, not later than October 1, 2021, and maintain a comprehensive indexed data catalog in collaboration with the enterprise that lists the data elements housed within the enterprise and the legacy system or application in which these data elements are located. The data catalog must, at a minimum, specifically identify all data that is restricted from public disclosure based on federal or state laws and regulations and require that all such information be protected in accordance with s. 282.318.
(b) Develop and publish, not later than October 1, 2021, in collaboration with the enterprise, a data dictionary for each agency that reflects the nomenclature in the comprehensive indexed data catalog.
(c) Adopt, by rule, standards that support the creation and deployment of an application programming interface to facilitate integration throughout the enterprise.
(d) Adopt, by rule, standards necessary to facilitate a secure ecosystem of data interoperability that is compliant with the enterprise architecture.
(e) Adopt, by rule, standards that facilitate the deployment of applications or solutions to the existing enterprise system in a controlled and phased approach.
(f) After submission of documented use cases developed in conjunction with the affected agencies, assist the affected agencies with the deployment, contingent upon a specific appropriation therefor, of new interoperable applications and solutions:
1. For the Department of Health, the Agency for Health Care Administration, the Agency for Persons with Disabilities, the Department of Education, the Department of Elderly Affairs, and the Department of Children and Families.
2. To support military members, veterans, and their families.
(4) For information technology projects that have a total project cost of $10 million or more:
(a) State agencies must provide the Florida Digital Service with written notice of any planned procurement of an information technology project.
(b) The Florida Digital Service must participate in the development of specifications and recommend modifications to any planned procurement of an information technology project by state agencies so that the procurement complies with the enterprise architecture.
(c) The Florida Digital Service must participate in post-award contract monitoring.
(5) The department, acting through the Florida Digital Service, may not retrieve or disclose any data without a shared-data agreement in place between the department and the enterprise entity that has primary custodial responsibility of, or data-sharing responsibility for, that data.
(6) The department, acting through the Florida Digital Service, shall adopt rules to administer this section.
History.—s. 10, ch. 2014-221; s. 3, ch. 2016-138; ss. 59, 61, ch. 2018-10; ss. 79, 81, 82, 115, ch. 2019-116; s. 9, ch. 2019-118; s. 4, ch. 2020-161; s. 1, ch. 2021-227; s. 3, ch. 2021-234.