Read the full stored bill text
Florida Senate
-
2026
CS for CS for SB 480
By
the Committee on Appropriations; the Appropriations Committee
on Agriculture, Environment, and General Government; and Senator
Harrell
576-02812-26 2026480c2
1 A bill to be entitled
2 An act relating to information technology; providing
3 for a type two transfer of the duties and functions of
4 the Florida Digital Service from the Department of
5 Management Services to the Division of Integrated
6 Government Innovation and Technology; creating s.
7 14.205, F.S.; creating the Division of Integrated
8 Government Innovation and Technology (DIGIT) within
9 the Executive Office of the Governor; providing that
10 the division is a separate budget entity and must
11 prepare and submit a budget in accordance with
12 specified provisions; requiring the division to be
13 responsible for all professional, technical, and
14 administrative support to carry out its assigned
15 duties; providing for a director of the division;
16 providing that the director also serves as the state
17 chief information officer; providing for the
18 appointment of the director; prohibiting the state
19 chief information officer from having certain
20 conflicts of interest; providing the qualifications
21 for the state chief information officer; providing
22 that the deputy director also serves as the deputy
23 chief information officer; providing that the director
24 will select a state chief information security
25 officer, state chief data officer, state chief
26 technology officer, and state chief technology
27 procurement officer; transferring the state chief
28 information officer of the Department of Management
29 Services to DIGIT until the Governor appoints a
30 permanent officer; requiring that such appointment
31 occur by a specified date; amending s. 20.055, F.S.;
32 requiring agency inspectors general to review and
33 report whether certain agency practices are consistent
34 with specified reporting requirements and standards;
35 requiring such inspectors general to prepare and
36 submit a certain compliance report to certain persons
37 by a specified date annually; requiring the chief
38 inspector general to review certain reports and
39 prepare a consolidated report; requiring that such
40 report be submitted to the Executive Office of the
41 Governor and the Legislature annually by a specified
42 date; requiring certain agency heads to submit certain
43 reports to the Executive Office of the Governor and
44 the Legislature annually by a specified date; amending
45 s. 97.0525, F.S.; requiring that the Division of
46 Elections comprehensive risk assessment comply with
47 the risk assessment methodology developed by DIGIT;
48 amending s. 112.22, F.S.; defining the term “DIGIT”;
49 deleting the term “department”; revising the
50 definition of the term “prohibited application”;
51 authorizing public employers to request a certain
52 waiver from DIGIT; requiring DIGIT to take specified
53 actions; deleting obsolete language; requiring DIGIT
54 to adopt rules; amending s. 119.0725, F.S.; requiring
55 that certain confidential and exempt information be
56 made available to DIGIT; amending s. 216.023, F.S.;
57 deleting a provision requiring state agencies and the
58 judicial branch to include a cumulative inventory and
59 a certain status report of specified projects as part
60 of a budget request; deleting provisions relating to
61 ongoing technology-related projects; conforming a
62 cross-reference; amending s. 282.0041, F.S.; deleting
63 and revising definitions; defining the terms “DIGIT”
64 and “technical debt”; amending s. 282.00515, F.S.;
65 authorizing the Department of Legal Affairs, the
66 Department of Financial Services, and the Department
67 of Agriculture and Consumer Services to adopt
68 alternative standards that must be based on specified
69 industry-recognized best practices and standards;
70 requiring the departments to evaluate the adoption of
71 such standards on a case-by-case basis; requiring the
72 departments to follow specified standards under
73 certain circumstances; requiring the departments to
74 conduct a certain full baseline needs assessment;
75 authorizing the departments to contract with DIGIT to
76 assist or complete such assessment; requiring the
77 departments to each produce certain phased roadmaps
78 that must be submitted annually with specified budget
79 requests; authorizing the departments to contract with
80 DIGIT to assist or complete such roadmaps; authorizing
81 the departments to contract with DIGIT for specified
82 services; requiring the departments to use certain
83 information technology reports and follow a specified
84 reporting process; requiring the departments to submit
85 a certain report annually by a specified date to the
86 Governor and the Legislature; revising applicability;
87 authorizing DIGIT to perform project oversight on
88 information technology projects of the departments
89 which have a specified project cost; requiring that
90 such projects comply with certain standards; requiring
91 DIGIT to report periodically to the Legislature high
92 risk information technology projects; specifying
93 report requirements; requiring state agencies to
94 consult with DIGIT and work cooperatively with certain
95 departments under specified circumstances; revising
96 cross-references; creating s. 282.006, F.S.; requiring
97 DIGIT to operate as the state enterprise organization
98 for information technology governance and as the lead
99 entity responsible for understanding needs and
100 environments, creating standards and strategy,
101 supporting state agency technology efforts, and
102 reporting on the state of information technology in
103 this state; providing legislative intent; requiring
104 DIGIT to establish the strategic direction of
105 information technology in the state; requiring DIGIT
106 to develop and publish an information technology
107 policy for a specified purpose; requiring that such
108 policy be updated as necessary to meet certain
109 requirements and reflect advancements in technology;
110 requiring DIGIT, in coordination with certain subject
111 matter experts, to develop, publish, and maintain
112 specified enterprise architecture; requiring DIGIT to
113 take specified actions related to oversight of the
114 state’s technology enterprise; requiring DIGIT to
115 develop open data standards and technologies for use
116 by state agencies; requiring DIGIT to develop certain
117 testing, best practices, and standards; specifying
118 such best practices and standards; requiring DIGIT to
119 produce specified reports and provide such reports to
120 the Governor and the Legislature by specified dates
121 and at specified intervals; specifying requirements
122 for such reports; requiring DIGIT to conduct a market
123 analysis at a certain interval beginning on a
124 specified date; specifying requirements for the market
125 analysis; requiring that each market analysis be used
126 to prepare a strategic plan for specified purposes;
127 requiring that the market analysis and strategic plan
128 be submitted by a specified date; requiring DIGIT to
129 develop, implement, and maintain a certain library;
130 specifying requirements for the library; requiring
131 DIGIT to establish procedures that ensure the
132 integrity, security, and availability of the library;
133 requiring DIGIT to regularly update documents and
134 materials in the library to reflect current state and
135 federal requirements, industry best practices, and
136 emerging technologies; requiring DIGIT to create
137 mechanisms for state agencies to submit feedback,
138 request clarification, and recommend updates;
139 requiring state agencies to actively participate and
140 collaborate with DIGIT to achieve certain objectives
141 and to reference and adhere to the policies,
142 standards, and guidelines of the library in specified
143 tasks; authorizing state agencies to request
144 exemptions to specific policies, standards, or
145 guidelines under specified circumstances; providing
146 the mechanism for a state agency to request such
147 exemptions; requiring DIGIT to review the request and
148 make a recommendation to the state chief information
149 officer; requiring the state chief information officer
150 to present the exemption to the chief information
151 officer workgroup; requiring that approval of the
152 exemption be by majority vote; requiring that state
153 agencies granted an exemption be reviewed periodically
154 to determine whether such exemption is necessary or
155 whether compliance can be achieved; authorizing DIGIT
156 to adopt rules; creating s. 282.0061, F.S.; providing
157 legislative intent; requiring DIGIT to complete a
158 certain full baseline needs assessment of state
159 agencies, develop a specified plan to conduct such
160 assessments, and submit such plan to the Governor and
161 the Legislature within a specified timeframe;
162 requiring DIGIT to support state agency strategic
163 planning efforts and assist agencies with production
164 of a certain phased roadmap; specifying requirements
165 for such roadmaps; requiring DIGIT to make
166 recommendations for standardizing data across state
167 agencies for a specified purpose, identify any
168 opportunities for standardization and consolidation of
169 information technology services across state agencies,
170 support specified functions, review all state agency
171 legislative budget requests for compliance, and
172 provide a certain review to the Office of Policy and
173 Budget in the Executive Office of the Governor;
174 requiring DIGIT to develop standards for use by state
175 agencies which support specified best practices for
176 data management at the state agency level; requiring
177 DIGIT to provide a certain report to the Governor and
178 the Legislature by a specified date; specifying
179 requirements for the report; providing the duties and
180 responsibilities of DIGIT related to state agency
181 technology projects; requiring DIGIT, in consultation
182 with state agencies, to create a methodology,
183 approach, and applicable templates and formats for
184 identifying and collecting information technology
185 expenditure data at the state agency level; requiring
186 DIGIT to continuously obtain, review, and maintain
187 records of the appropriations, expenditures, and
188 revenues for information technology for each state
189 agency; requiring DIGIT to prescribe the format for
190 state agencies to provide financial information to
191 DIGIT for inclusion in a certain annual report;
192 requiring state agencies to submit such information by
193 a specified date annually; requiring DIGIT to work
194 with state agencies to provide alternative standards,
195 policies, or requirements under specified
196 circumstances; creating s. 282.0062, F.S.;
197 establishing workgroups within DIGIT to facilitate
198 coordination with state agencies; providing for the
199 membership and duties of such workgroups; requiring
200 the appropriate staff of the Department of Legal
201 Affairs, the Department of Financial Services, and the
202 Department of Agriculture and Consumer Services to
203 participate in specified workgroups; authorizing such
204 staff to participate in specified workgroups and any
205 other workgroups as authorized by their respective
206 elected official; creating s. 282.0063, F.S.;
207 requiring DIGIT to perform specified actions to
208 develop and manage career paths, progressions, and
209 training programs for the benefit of state agency
210 personnel; requiring DIGIT to consult with specified
211 entities to implement specified provisions; creating
212 s. 282.0064, F.S.; requiring DIGIT, in coordination
213 with the Department of Management Services, to
214 establish a policy for all information technology
215 related solicitations, contracts, and procurements;
216 specifying requirements for the policy related to
217 state term contracts, all contracts, and information
218 technology projects that require oversight;
219 prohibiting entities providing independent
220 verification and validation from having certain
221 interests, responsibilities, or other participation in
222 the project; providing the primary objective of
223 independent verification and validation; requiring the
224 entity performing such verification and validation to
225 provide specified regular reports and assessments;
226 requiring the Division of State Purchasing within the
227 Department of Management Services to coordinate with
228 DIGIT on state term contract solicitations and
229 invitations to negotiate; specifying the scope of the
230 coordination; requiring DIGIT to evaluate vendor
231 responses and assist with answers to vendor questions
232 on such solicitations and invitations; authorizing the
233 Department of Legal Affairs, the Department of
234 Financial Services, and the Department of Agriculture
235 and Consumer Services to adopt alternative information
236 technology policy; providing requirements for adopting
237 such alternative policy; amending s. 282.318, F.S.;
238 providing that DIGIT is the lead entity responsible
239 for establishing enterprise technology and
240 cybersecurity standards and processes and security
241 measures that comply with specified standards;
242 requiring DIGIT to adopt specified rules; requiring
243 DIGIT to take specified actions; revising the
244 responsibilities of the state chief information
245 security officer; revising the guidelines and
246 processes for state agency cybersecurity governance
247 frameworks; requiring state agencies to report all
248 ransomware incidents to the state chief information
249 security officer instead of the Cybersecurity
250 Operations Center; requiring state agencies to also
251 notify the Northwest Regional Data Center of such
252 incidents under specified conditions; requiring the
253 state chief information security officer, instead of
254 the Cybersecurity Operations Center, to notify the
255 Legislature of certain incidents; requiring state
256 agencies to notify the state chief information
257 security officer within specified timeframes after the
258 discovery of a specified cybersecurity incident or
259 ransomware incident; requiring state agencies to also
260 notify the Northwest Regional Data Center of such
261 incidents under specified conditions; requiring the
262 state chief information security officer, instead of
263 the Cybersecurity Operations Center, to provide a
264 certain report on a quarterly basis to the
265 Legislature; revising the actions that state agency
266 heads are required to perform relating to
267 cybersecurity; revising the timeframe that the state
268 agency strategic cybersecurity plan must cover;
269 requiring that a specified comprehensive risk
270 assessment be completed biennially; authorizing such
271 assessment to be completed by an independent third
272 party; requiring the third party to attest to the
273 validity of the findings; specifying requirements for
274 the comprehensive risk assessment; providing that
275 confidential and exempt records be made available to
276 the state chief information security officer and
277 Legislature; conforming provisions to changes made by
278 the act; amending s. 282.3185, F.S.; requiring the
279 state chief information security officer to perform
280 specified actions relating to cybersecurity training
281 for state employees; deleting obsolete language;
282 requiring local governments to notify the state chief
283 information security officer of compliance with
284 specified provisions as soon as possible; requiring
285 local governments to notify the state chief
286 information security officer, instead of the
287 Cybersecurity Operations Center, of cybersecurity or
288 ransomware incidents; revising the timeframes in which
289 such notifications must be made; requiring the state
290 chief information security officer to notify the
291 Governor and the Legislature of certain incidents
292 within a specified timeframe; authorizing local
293 governments to report certain cybersecurity incidents
294 to the state chief information security officer
295 instead of the Cybersecurity Operations Center;
296 requiring the state chief information security officer
297 to provide a certain consolidated incident report
298 within a specified timeframe to the Legislature;
299 requiring the state chief information security officer
300 to establish certain guidelines and processes by a
301 specified date; conforming provisions to changes made
302 by the act; repealing s. 282.319, F.S., relating to
303 the Florida Cybersecurity Advisory Council; amending
304 s. 282.201, F.S.; establishing the state data center
305 within the Northwest Regional Data Center; requiring
306 the Northwest Regional Data Center to meet or exceed
307 specified information technology standards; revising
308 requirements of the state data center; abrogating the
309 scheduled repeal of the Division of Emergency
310 Management’s exemption from using the state data
311 center; deleting the Department of Management
312 Services’ responsibilities related to the state data
313 center; deleting provisions relating to contracting
314 with the Northwest Regional Data Center; creating s.
315 282.2011, F.S.; designating the Northwest Regional
316 Data Center as the state data center for all state
317 agencies; requiring the data center to engage in
318 specified actions; requiring the Department of Law
319 Enforcement to serve as the arbiter of certain
320 disputes in accordance with the federal criminal
321 justice information guidelines; prohibiting state
322 agencies from terminating services with the data
323 center without giving written notice within a
324 specified timeframe, procuring third-party cloud
325 computing services without evaluating the data
326 center’s cloud-computing services, and exceeding a
327 specified timeframe to remit payments for services
328 provided by the data center; specifying circumstances
329 under which the data center’s authorization to provide
330 services may be terminated; providing that the data
331 center has a specified timeframe to provide for the
332 transition of state agency customers to a qualified
333 alternative cloud-based data center that meets
334 specified standards; providing that the data center is
335 the lead entity responsible for creating, operating,
336 and managing the Florida Behavioral Health Care Data
337 Repository; providing the purpose of the repository;
338 requiring the data center, in collaboration with the
339 Data Analysis Committee of the Commission on Mental
340 Health and Substance Use Disorder, to develop a
341 specified plan; requiring, beginning on a specified
342 date, the data center to submit a certain report
343 annually to the Governor and the Legislature;
344 providing for a transition to an alternative cloud
345 based data center under specified circumstances;
346 revising the information the plan identifies and
347 documents; amending s. 282.206, F.S.; requiring state
348 agencies to submit a certain strategic plan to DIGIT
349 and the Northwest Regional Data Center annually by a
350 specified date; amending s. 1004.649, F.S.; creating
351 the Northwest Regional Data Center at Florida State
352 University; conforming provisions to changes made by
353 the act; creating s. 287.0583, F.S.; requiring that
354 contracts for information technology commodities and
355 services ensure extraction of data, certain
356 documentation, assistance and support, and anticipated
357 fees; amending s. 287.0591, F.S.; requiring the
358 Department of Management Services to coordinate with
359 DIGIT in specified solicitations; specifying the scope
360 of the coordination; requiring agencies to maintain
361 copies of certain documents when issuing a request for
362 quote for state term contracts within specified
363 threshold amounts; providing that agencies that issue
364 requests for quotes in excess of certain thresholds
365 are subject to specified public records requirements;
366 requiring such agencies to publish specified
367 information; requiring such agencies to maintain
368 copies of certain documentation for a specified
369 timeframe; providing that use of a request for quote
370 is not subject to certain protest provisions;
371 authorizing agencies to request certain services from
372 DIGIT; requiring the department to prequalify firms
373 and individuals who provide information technology
374 commodities; authorizing such firms and individuals to
375 submit responses to requests for quotes; amending s.
376 20.22, F.S.; conforming provisions to changes made by
377 the act; amending s. 282.802, F.S.; providing that the
378 Government Technology Modernization Council is located
379 within DIGIT; providing that the state chief
380 information officer, rather than the Secretary of
381 Management Services, is the ex officio head of the
382 council; conforming a cross-reference; amending s.
383 282.604, F.S.; conforming provisions to changes made
384 by the act; amending s. 443.1113, F.S.; conforming
385 provisions to changes made by the act; amending s.
386 943.0415, F.S.; requiring the state chief information
387 security officer, rather than the Florida Digital
388 Service, to consult with the Department of Law
389 Enforcement’s Cybercrime Office in the adoption of
390 certain rules; amending s. 1004.444, F.S.; revising
391 the list of who may request certain assistance from
392 the Florida Center for Cybersecurity; providing an
393 effective date.
394
395 Be It Enacted by the Legislature of the State of Florida:
396
397 Section 1.
All duties, functions, records, pending issues,
398
existing contracts, administrative authority, and administrative
399
rules relating to the Florida Digital Service are transferred by
400
a type two transfer, as
described
in s. 20.06, Florida Statutes,
401
to the
Division of Integrated Government Innovation and
402
Technology
as created by this act. Any unexpended balances of
403
appropriations, allocations, and other public funds
will
revert
404
or
will
be appropriate
d
or allocated as provided in the General
405
Appropriations Act or otherwise by law.
406 Section 2. Section 14.205, Florida Statutes, is created to
407 read:
408
14.205
Division of Integrated Government Innovation and
409
Technology.—
410
(1)
The
Division of Integrated Government Innovation and
411
Technology is established within the Executive Office of the
412
Governor
.
The
division
shall be a separate budget entity, as
413
provided in the General Appropriations Act
,
and shall prepare
414
and submit a budget request in accordance with chapter 216. The
415
division
shall be responsible for all professional, technical,
416
and administrative support functions necessary to carry out its
417
responsibilities under chapter 282 and as otherwise provided in
418
law.
419
(2)(a) The director of the
division
shall serve as the
420
state chief information officer. The director shall be appointed
421
by the Governor, subject to confirmation by the Senate.
The
422
state chief information officer is prohibited from having any
423
financial, personal, or business conflicts of interest related
424
to technology vendors, contractors, or other information
425
technology service providers doing business with the state.
426
(b)
The state chief information officer must meet the
427
following qualifications:
428
1. Education requirements.—The state chief information
429
officer must meet one of the following criteria:
430
a. Hold a bachelor’s degree from an accredited institution
431
in information technology, computer science, business
432
administration, public administration, or a related field; or
433
b. Hold a master’s degree in any of the fields listed
in
434
sub-subparagraph a.
, which may be substituted for a portion of
435
the
professional
experience requirement
s in subparagraph 2.
436
2. Professional experience requirements.—The state chief
437
information officer must have at least 10 years of progressively
438
responsible experience in information technology management,
439
digital transformation, cybersecurity, or information technology
440
governance, including:
441
a. A minimum of 5 years in an executive or senior
442
leadership role, overseeing information technology strategy,
443
operations, or enterprise technology management
,
in either the
444
public or private sector;
445
b. Managing large-scale information technology projects,
446
enterprise infrastructure, and implementation of emerging
447
technologies;
448
c. Budget planning, procurement oversight, and financial
449
management of information technology investments; and
450
d. Working with state and federal information technology
451
regulations, digital services, and cybersecurity compliance
452
frameworks.
453
3. Technical and policy expertise.—The state chief
454
information officer must have demonstrated expertise in:
455
a. Cybersecurity and data protection by demonstrating
456
knowledge of cybersecurity risk management, compliance with
the
457
National Institute of Standards and Technology Cybersecurity
458
Framework, ISO 27001, and applicable federal and state security
459
regulations;
460
b. Cloud and digital services with experience
in
cloud
461
computing, enterprise systems modernization, digital
462
transformation, and emerging information technology trends;
463
c. Information technology governance and policy development
464
by demonstrating an understanding of statewide information
465
technology governance structures, digital services, and
466
information technology procurement policies; and
467
d. Public sector information technology management by
468
demonstrating familiarity with government information technology
469
funding models, procurement requirements, and legislative
470
processes affecting information technology strategy.
471
4. Leadership and administrative competencies.—The state
472
chief information officer must demonstrate:
473
a. Strategic vision and innovation by possessing the
474
capability to modernize information technology systems, drive
475
digital transformation, and align information technology
476
initiatives with state goals;
477
b. Collaboration and engagement with stakeholders by
478
working with legislators, state agency heads, local governments,
479
and private sector partners to implement information technology
480
initiatives;
481
c. Crisis management and cyber resilience by possessing the
482
capability to develop and lead cyber incident response, disaster
483
recovery, and information technology continuity plans; and
484
d. Fiscal management and budget expertise managing multi
485
million-dollar information technology budgets, cost-control
486
strategies, and financial oversight of information technology
487
projects.
488
(3)
The deputy director
of the division
shall serve as the
489
deputy chief information officer.
490
(4)
The
director
shall select separate
individuals to serve
491
as
the state chief information security officer
,
state chief
492
data officer
, state chief technology officer, and state chief
493
technology procurement officer
.
494 Section 3.
Until a state chief information officer is
495
appointed pursuant to s. 14.205, Florida Statutes, the current
496
state chief information officer of the Department of Management
497
Services shall be transferred to the
Division of Integrated
498
Government Innovation and Technology
and serve as interim state
499
chief information officer. A state chief information officer for
500
the
Division of Integrated Government Innovation and Technology
501
must
be appointed by the Governor by June 30, 2027.
502 Section 4. Subsection (6) of section 20.055, Florida
503 Statutes, is amended to read:
504 20.055 Agency inspectors general.—
505 (6) In carrying out the auditing duties and
506 responsibilities of this act, each inspector general shall
507 review and evaluate internal controls necessary to ensure the
508 fiscal accountability of the state agency. The inspector general
509 shall conduct financial, compliance, electronic data processing,
510 and performance audits of the agency and prepare audit reports
511 of his or her findings. The scope and assignment of the audits
512
are
shall be
determined by the inspector general; however, the
513 agency head may at any time request the inspector general to
514 perform an audit of a special program, function, or
515 organizational unit.
In addition to the duties
prescribed in
516
this section
, each inspector general
annually
shall
review and
517
report on whether agency practices related to
information
518
technology reporting
, projects, contracts, and procurements are
519
consistent with the applicable reporting requirements and
520
standards published
by the
Division of Integrated Government
521
Innovation and Technology
within the Executive Office of the
522
Governor
.
The inspector general shall prepare an annual agency
523
information technology compliance report that assesses the
524
adequacy of internal controls, documentation, and implementation
525
processes to ensure conformity with statewide information
526
technology governance, security, and performance standards.
The
527 performance of the
audits
is
audit shall be
under the direction
528 of the inspector general, except that if the inspector general
529 does not possess the qualifications specified in subsection (4),
530 the director of auditing
must
shall
perform the functions listed
531 in this subsection.
532 (a) Such audits
must
shall
be conducted in accordance with
533 the current International Standards for the Professional
534 Practice of Internal Auditing as published by the Institute of
535 Internal Auditors, Inc., or, where appropriate, in accordance
536 with generally accepted governmental auditing standards. All
537 audit reports issued by internal audit staff
must
shall
include
538 a statement that the audit was conducted pursuant to the
539 appropriate standards.
540 (b) Audit workpapers and reports
are
shall be
public
541 records to the extent that they do not include information which
542 has been made confidential and exempt from the provisions of s.
543 119.07(1) pursuant to law. However, when the inspector general
544 or a member of the staff receives from an individual a complaint
545 or information that falls within the definition provided in s.
546 112.3187(5), the name or identity of the individual may not be
547 disclosed to anyone else without the written consent of the
548 individual, unless the inspector general determines that such
549 disclosure is unavoidable during the course of the audit or
550 investigation.
551 (c) The inspector general and the staff shall have access
552 to any records, data, and other information of the state agency
553 he or she deems necessary to carry out his or her duties. The
554 inspector general may also request such information or
555 assistance as may be necessary from the state agency or from any
556 federal, state, or local government entity.
557 (d) At the conclusion of each audit, the inspector general
558 shall submit preliminary findings and recommendations to the
559 person responsible for supervision of the program function or
560 operational unit who shall respond to any adverse findings
561 within 20 working days after receipt of the preliminary
562 findings. Such response and the inspector general’s rebuttal to
563 the response
must
shall
be included in the final audit report.
564 (e) At the conclusion of an audit in which the subject of
565 the audit is a specific entity contracting with the state or an
566 individual substantially affected, if the audit is not
567 confidential or otherwise exempt from disclosure by law, the
568 inspector general
must
shall
, consistent with s. 119.07(1),
569 submit the findings to the entity contracting with the state or
570 the individual substantially affected, who
must
shall
be advised
571 in writing that they may submit a written response within 20
572 working days after receipt of the findings. The response and the
573 inspector general’s rebuttal to the response, if any, must be
574 included in the final audit report.
575 (f) The inspector general shall submit the final report to
576 the agency head, the Auditor General, and, for state agencies
577 under the jurisdiction of the Governor, the Chief Inspector
578 General.
579
1.
The
agency information technology compliance reports
580
must be submitted to the agency head, the Auditor General, and,
581
for state agencies under the jurisdiction of the Governor, the
582
Chief Inspector General by September 30 of each year.
583
2.
The Chief Inspector General shall review the annual
584
agency information technology compliance reports submitted by
585
agency inspectors general
under the jurisdiction of the
586
Governor
,
and shall prepare a consolidated statewide information
587
technology compliance report summarizing agency performance,
588
findings, and recommendations for improvement. The consolidated
589
report must be submitted to the Executive Office of the
590
Governor, the President of the Senate, and the Speaker of the
591
House of Representatives by December 1 of each year.
592
3.
Agency heads for agencies not under
the jurisdiction of
593
the Governor
shall submit the
annual agency information
594
technology compliance reports to the Executive Office of the
595
Governor, the President of the Senate, and the Speaker of the
596
House of Representatives by December 1 of each year.
597 (g) The Auditor General, in connection with the independent
598 postaudit of the same agency pursuant to s. 11.45, shall give
599 appropriate consideration to internal audit reports and the
600 resolution of findings therein. The Legislative Auditing
601 Committee may inquire into the reasons or justifications for
602 failure of the agency head to correct the deficiencies reported
603 in internal audits that are also reported by the Auditor General
604 and shall take appropriate action.
605 (h) The inspector general shall monitor the implementation
606 of the state agency’s response to any report on the state agency
607 issued by the Auditor General or by the Office of Program Policy
608 Analysis and Government Accountability. No later than 6 months
609 after the Auditor General or the Office of Program Policy
610 Analysis and Government Accountability publishes a report on the
611 state agency, the inspector general shall provide a written
612 response to the agency head or, for state agencies under the
613 jurisdiction of the Governor, the Chief Inspector General on the
614 status of corrective actions taken. The inspector general shall
615 file a copy of such response with the Legislative Auditing
616 Committee.
617 (i) The inspector general shall develop long-term and
618 annual audit plans based on the findings of periodic risk
619 assessments. The plan, where appropriate, should include
620 postaudit samplings of payments and accounts. The plan
must
621
shall
show the individual audits to be conducted during each
622 year and related resources to be devoted to the respective
623 audits. The plan
must
shall
include a specific cybersecurity
624 audit plan. The Chief Financial Officer, to assist in fulfilling
625 the responsibilities for examining, auditing, and settling
626 accounts, claims, and demands pursuant to s. 17.03(1), and
627 examining, auditing, adjusting, and settling accounts pursuant
628 to s. 17.04, may use audits performed by the inspectors general
629 and internal auditors. For state agencies under the jurisdiction
630 of the Governor, the audit plans
must
shall
be submitted to the
631 Chief Inspector General. The plan
must
shall
be submitted to the
632 agency head for approval. A copy of the approved plan
must
shall
633 be submitted to the Auditor General.
634 Section 5. Paragraph (b) of subsection (3) of section
635 97.0525, Florida Statutes, is amended to read:
636 97.0525 Online voter registration.—
637 (3)
638 (b) The division shall conduct a comprehensive risk
639 assessment of the online voter registration system every 2
640 years. The comprehensive risk assessment must comply with the
641 risk assessment methodology developed by the
Division of
642
Integrated Government Innovation and Technology
within the
643
Executive Office of the Governor
Department of Management
644
Services
for identifying security risks, determining the
645 magnitude of such risks, and identifying areas that require
646 safeguards. In addition, the comprehensive risk assessment must
647 incorporate all of the following:
648 1. Load testing and stress testing to ensure that the
649 online voter registration system has sufficient capacity to
650 accommodate foreseeable use, including during periods of high
651 volume of website users in the week immediately preceding the
652 book-closing deadline for an election.
653 2. Screening of computers and networks used to support the
654 online voter registration system for malware and other
655 vulnerabilities.
656 3. Evaluation of database infrastructure, including
657 software and operating systems, in order to fortify defenses
658 against cyberattacks.
659 4. Identification of any anticipated threats to the
660 security and integrity of data collected, maintained, received,
661 or transmitted by the online voter registration system.
662 Section 6. Paragraphs (a) and (f) of subsection (1),
663 paragraphs (b) and (c) of subsection (2), and subsections (3)
664 and (4) of section 112.22, Florida Statutes, are amended to
665 read:
666 112.22 Use of applications from foreign countries of
667 concern prohibited.—
668 (1) As used in this section, the term:
669 (a)
“
DIGIT
”
me
ans the
Division of Integrated Government
670
Innovation and Technology
within the Executive Office of the
671
Governor
“Department” means the Department of Management
672
Services
.
673 (f) “Prohibited application” means an application that
674 meets the following criteria:
675 1. Any Internet application that is created, maintained, or
676 owned by a foreign principal and that participates in activities
677 that include, but are not limited to:
678 a. Collecting keystrokes or sensitive personal, financial,
679 proprietary, or other business data;
680 b. Compromising e-mail and acting as a vector for
681 ransomware deployment;
682 c. Conducting cyber-espionage against a public employer;
683 d. Conducting surveillance and tracking of individual
684 users; or
685 e. Using algorithmic modifications to conduct
686 disinformation or misinformation campaigns; or
687 2. Any Internet application
that
DIGIT
the department
deems
688 to present a security risk in the form of unauthorized access to
689 or temporary unavailability of the public employer’s records,
690 digital assets, systems, networks, servers, or information.
691 (2)
692 (b) A person, including an employee or officer of a public
693 employer, may not download or access any prohibited application
694 on any government-issued device.
695 1. This paragraph does not apply to a law enforcement
696 officer as defined in s. 943.10(1) if the use of the prohibited
697 application is necessary to protect the public safety or conduct
698 an investigation within the scope of his or her employment.
699 2. A public employer may request a waiver from
DIGIT
the
700
department
to allow designated employees or officers to download
701 or access a prohibited application on a government-issued
702 device.
703 (c) Within 15 calendar days after
DIGIT
the department
704 issues or updates its list of prohibited applications pursuant
705 to paragraph (3)(a), an employee or officer of a public employer
706 who uses a government-issued device must remove, delete, or
707 uninstall any prohibited applications from his or her
708 government-issued device.
709 (3)
DIGIT
The department
shall do all of the following:
710 (a) Compile and maintain a list of prohibited applications
711 and publish the list on its website.
DIGIT
The department
shall
712 update this list quarterly and shall provide notice of any
713 update to public employers.
714 (b) Establish procedures for granting or denying requests
715 for waivers pursuant to subparagraph (2)(b)2. The request for a
716 waiver must include all of the following:
717 1. A description of the activity to be conducted and the
718 state interest furthered by the activity.
719 2. The maximum number of government-issued devices and
720 employees or officers to which the waiver will apply.
721 3. The length of time necessary for the waiver. Any waiver
722 granted pursuant to subparagraph (2)(b)2. must be limited to a
723 timeframe of no more than 1 year, but
DIGIT
the department
may
724 approve an extension.
725 4. Risk mitigation actions that will be taken to prevent
726 access to sensitive data, including methods to ensure that the
727 activity does not connect to a state system, network, or server.
728 5. A description of the circumstances under which the
729 waiver applies.
730 (4)
(a)
Notwithstanding
s.
120.74(4) and (5), the department
731
is authorized, and all conditions are deemed met, to adopt
732
emergency rules pursuant to s.
120.54(4) and to implement
733
paragraph (3)(a). Such rulemaking must occur initially by filing
734
emergency rules within 30 days after July 1, 2023.
735
(b)
DIGIT
The department
shall adopt rules necessary to
736 administer this section.
737 Section 7. Paragraph (a) of subsection (5) of section
738 119.0725, Florida Statutes, is amended to read:
739 119.0725 Agency cybersecurity information; public records
740 exemption; public meetings exemption.—
741 (5)(a) Information made confidential and exempt pursuant to
742 this section
must
shall
be made available to a law enforcement
743 agency, the Auditor General, the Cybercrime Office of the
744 Department of Law Enforcement, the
Division of Integrated
745
Government Innovation and Technology
within the Executive Office
746
of the Governor
Florida Digital Service within the Department of
747
Management Services
, and, for agencies under the jurisdiction of
748 the Governor, the Chief Inspector General.
749 Section 8. Paragraph (a) of subsection (4) and subsection
750 (7) of section 216.023, Florida Statutes, are amended to read:
751 216.023 Legislative budget requests to be furnished to
752 Legislature by agencies.—
753 (4)(a) The legislative budget request for each program must
754 contain:
755 1. The constitutional or statutory authority for a program,
756 a brief purpose statement, and approved program components.
757 2. Information on expenditures for 3 fiscal years (actual
758 prior-year expenditures, current-year estimated expenditures,
759 and agency budget requested expenditures for the next fiscal
760 year) by appropriation category.
761 3. Details on trust funds and fees.
762 4. The total number of positions (authorized, fixed, and
763 requested).
764 5. An issue narrative describing and justifying changes in
765 amounts and positions requested for current and proposed
766 programs for the next fiscal year.
767 6. Information resource requests.
768 7. Supporting information, including applicable cost
769 benefit analyses, business case analyses, performance
770 contracting procedures, service comparisons, and impacts on
771 performance standards for any request to outsource or privatize
772 agency functions. The cost-benefit and business case analyses
773 must include an assessment of the impact on each affected
774 activity from those identified in accordance with paragraph (b).
775 Performance standards must include standards for each affected
776 activity and be expressed in terms of the associated unit of
777 activity.
778 8. An evaluation of major outsourcing and privatization
779 initiatives undertaken during the last 5 fiscal years having
780 aggregate expenditures exceeding $10 million during the term of
781 the contract. The evaluation must include an assessment of
782 contractor performance, a comparison of anticipated service
783 levels to actual service levels, and a comparison of estimated
784 savings to actual savings achieved. Consolidated reports issued
785 by the Department of Management Services may be used to satisfy
786 this requirement.
787 9. Supporting information for any proposed consolidated
788 financing of deferred-payment commodity contracts including
789 guaranteed energy performance savings contracts. Supporting
790 information must also include narrative describing and
791 justifying the need, baseline for current costs, estimated cost
792 savings, projected equipment purchases, estimated contract
793 costs, and return on investment calculation.
794 10. For projects that exceed $10 million in total cost, the
795 statutory reference of the existing policy or the proposed
796 substantive policy that establishes and defines the project’s
797 governance structure, planned scope, main business objectives
798 that must be achieved, and estimated completion timeframes. The
799 governance structure for information technology-related projects
800 must incorporate the applicable project management and oversight
801 standards established pursuant to
s. 282.0061
s. 282.0051
.
802 Information technology budget requests for the continuance of
803 existing hardware and software maintenance agreements, renewal
804 of existing software licensing agreements, or the replacement of
805 desktop units with new technology that is similar to the
806 technology currently in use are exempt from this requirement.
807
(7) As part of the legislative budget request, each state
808
agency and the judicial branch shall include an inventory of all
809
ongoing technology-related projects that have a cumulative
810
estimated or realized cost of more than $1 million. The
811
inventory must, at a minimum, contain all of the following
812
information:
813
(a) The name of the technology system.
814
(b) A brief description of the purpose and function of the
815
system.
816
(c) A brief description of the goals of the project.
817
(d) The initiation date of the project.
818
(e) The key performance indicators for the project.
819
(f) Any other metrics for the project evaluating the health
820
and status of the project.
821
(g) The original and current baseline estimated end dates
822
of the project.
823
(h) The original and current estimated costs of the
824
project.
825
(i) Total funds appropriated or allocated to the project
826
and the current realized cost for the project by fiscal year.
827
828
For purposes of this subsection, an ongoing technology-related
829
project is one which has been funded or has had or is expected
830
to have expenditures in more than one fiscal year. An ongoing
831
technology-related project does not include the continuance of
832
existing hardware and software maintenance agreements, the
833
renewal of existing software licensing agreements, or the
834
replacement of desktop units with new technology that is
835
substantially similar to the technology being replaced. This
836
subsection expires July 1, 2026.
837 Section 9. Present subsections (36), (37), and (38) of
838 section 282.0041, Florida Statutes, are redesignated as
839 subsections (37), (38), and (39), respectively, new subsections
840 (11) and (36) are added to that section, and subsection (1),
841 present subsection (7), and subsections (27) and (29) of that
842 section are amended, to read:
843 282.0041 Definitions.—As used in this chapter, the term:
844
(1) “Agency
assessment” means the amount each customer
845
entity must pay annually for services from the Department of
846
Management Services and includes administrative and data center
847
services costs
.
848
(6)
(7)
“Customer entity” means an entity that obtains
849 services from
DIGIT
the Department of Management Services
.
850
(11)
“DIGIT” means t
he Division of Integrated Government
851
Innovation and Technology
within the Executive Office of the
852
Governor
.
853 (27) “Project oversight” means an independent review and
854
assessment
analysis
of an information technology project that
855 provides information on the project’s scope, completion
856 timeframes, and budget and that identifies and quantifies issues
857 or risks affecting the successful and timely completion of the
858 project.
859 (29) “Risk assessment” means the process of identifying
860
operational risks and
security risks, determining their
861 magnitude, and identifying areas needing safeguards.
862
(3
6
)
“Technical
debt” means the accumulated cost and
863
operational impact resulting from the use of suboptimal,
864
expedient, or outdated technology solutions that require future
865
remediation, refactoring, or replacement to ensure
866
maintainability, security, efficiency, and compliance with
867
enterprise architecture standards.
868 Section 10. Section 282.00515, Florida Statutes, is amended
869 to read:
870 282.00515 Duties of Cabinet agencies.—
871 (1)
(a)
The Department of Legal Affairs, the Department of
872 Financial Services, and the Department of Agriculture and
873 Consumer Services shall adopt the standards
, b
est
practices,
874
processes, and methodologies
established in
s. 282.0061(4) and
875
(5)(b) and (d)
.
However, such department
s
may
s. 282.0051(1)(b),
876
(c), and (r) and (3)(e)
or
adopt alternative standards
, b
est
877
practices, and methodologies
that
must be
based on
industry
878
recognized
best practices and
industry
standards that
enable
879
allow for
open data
exchange,
interoperability
, and vendor
880
neutral integration
.
Such department
s
shall
evaluate the
881
adoption of alternative standards on a case-by-case basis for
882
each standard, project, or system and
reevaluate such
883
alternative standards
periodically.
884
(b) Notwithstanding paragraph (a), if an enterprise project
885
has a measurable impact on
,
or requires participation from
,
a
886
state
agency
and
the
Department of Legal Affairs, the Department
887
of Financial Services,
or
the Department of Agriculture and
888
Consumer Services
, then the
Department of Legal Affairs, the
889
Department of Financial Services,
or
the Department of
890
Agriculture and Consumer Services
, as applicable,
must follow
891
the standards established under this chapter.
892 (2) If the Department of Legal Affairs, the Department of
893 Financial Services, or the Department of Agriculture and
894 Consumer Services adopts alternative standards
, b
est
practices,
895
processes, and methodologies
in lieu of the
enterprise
896
architecture
standards
, b
est
practices, processes, and
897
methodologies
adopted pursuant to
s. 282.0061(4) and (5)(b) and
898
(d)
s. 282.0051
, such department must notify
DIGIT
,
the
899 Governor, the President of the Senate, and the Speaker of the
900 House of Representatives in writing of the adoption of the
901 alternative standards and provide a justification for adoption
902 of the alternative standards and explain
the manner in which
how
903 the agency will achieve
the
policy, standard, guideline, or
best
904
practice
while promoting
open data interoperability.
905 (3)
The Department of Legal Affairs, the Department of
906
Financial Services, and the Department of Agriculture and
907
Consumer Services shall
each
conduct a full baseline needs
908
assessment to document
their respective
technical environments,
909
existing technical debt, security risks, and compliance with
910
adopted information technology best practices, guidelines, and
911
standards
, similar to the assessments conducted by DIGIT
912
pursuant to
s. 282.0061(2)(a) and (b).
The
Department of Legal
913
Affairs, the Department of Financial Services, and the
914
Department of Agriculture and Consumer Services
may contract
915
with DIGIT to assist with or complete the assessments.
916
(4) The Department of Legal Affairs, the Department of
917
Financial Services, and the Department of Agriculture and
918
Consumer Services shall
each
produce a phased roadmap for
919
strategic planning to address known technology gaps and
920
deficiencies
,
similar to the assessments conducted by
DIGIT
921
pursuant to
s. 282.0061(2)(d)
. The phased roadmap
must be
922
submitted annually with legislative budget requests required
923
under s. 216.023.
The Department of Legal Affairs, the
924
Department of Financial Services, and the Department of
925
Agriculture and Consumer Services may contract with
DIGIT
to
926
assist with or complete the
phased roadmap
.
927
(5)
The Department of Legal Affairs, the Department of
928 Financial Services, and the Department of Agriculture and
929 Consumer Services may
, but
are not required to,
contract with
930
DIGIT
the department
to provide
procurement advisory and review
931
services for information technology projects as provided in s.
932
282.0061(5)(a)
or perform any of the services and functions
933
described in s.
282.0051
.
934
(6) The
Department of Legal Affairs, the Department of
935
Financial Services, and the Department of Agriculture and
936
Consumer Services
shall
use the information technology reports
937
developed by
DIGIT
pursuant to s. 282.0061(5)(
f
)
and
follow the
938
streamlined reporting
process
pursuant to s. 282.0061(5)(
i).
The
939
Department of Legal Affairs, the Department of Financial
940
Services, and the Department of Agriculture and Consumer
941
Services
shall report annually to the President of the Senate
942
and the Speaker of the House of Representatives by December 15
943
information related to the respective department similar to the
944
information required under s. 282.006(6)(a) and the
information
945
technology financial data methodology and reporting required by
946
s. 282.0061(6).
The
Department of Legal Affairs, the Department
947
of Financial Services, and the Department of Agriculture and
948
Consumer Services
may provide the report required under this
949
subsection collectively with DIGIT or shall report separately to
950
the Governor, the President of the Senate, and the Speaker of
951
the House of Representatives.
952
(
7
)(a)
(4)(a)
Nothing in this
chapter
section or in s.
953
282.0051
requires the Department of Legal Affairs, the
954 Department of Financial Services, or the Department of
955 Agriculture and Consumer Services to integrate with information
956 technology outside its own department or with
DIGIT
the Florida
957
Digital Service
.
958 (b)
DIGIT
The department, acting through the Florida
959
Digital Service,
may not retrieve or disclose any data without a
960 shared-data agreement in place between
DIGIT
the department
and
961 the Department of Legal Affairs, the Department of Financial
962 Services, or the Department of Agriculture and Consumer
963 Services.
964
(
8
)
Notwithstanding s. 282.0061(5)(
h
),
DIGIT
may perform
965
project oversight only on information technology projects of the
966
Department of Legal Affairs, the Department of Financial
967
Services, and the Department of Agriculture and Consumer
968
Services which have a project cost of $20 million or more. Such
969
information technology projects must also comply with the
970
applicable information technology architecture, project
971
management and oversight, and reporting standards established by
972
DIGIT
.
DIGIT
shall report by the 30th day after the end of each
973
quarter to the President of the Senate and the Speaker of the
974
House of Representatives on any information technology project
975
under this subsection which
DIGIT
identifies as high risk. The
976
report must include a risk assessment, including fiscal risks,
977
associated with proceeding to the next stage of the project, and
978
a recommendation for
any
corrective action required, including
979
suspension or termination of the project.
980
(
9
)
If an information technology project implemented by a
981
state agency must be connected to or otherwise accommodated by
982
an information technology system administered by the Department
983
of Legal Affairs, the Department of Financial Services, or the
984
Department of Agriculture and Consumer Services,
the state
985
agency must consult with
DIGIT
regarding the risks and other
986
effects of such project on the
information technology systems
of
987
the Department of Legal Affairs, the Department of Financial
988
Services, or the Department of Agriculture and Consumer
989
Services, as applicable,
and
must
work cooperatively with the
990
Department of Legal Affairs, the Department of Financial
991
Services, or the Department of Agriculture and Consumer
992
Services, as applicable,
regarding connections, interfaces,
993
timing, or accommodations required to implement such project.
994 Section 11. Section 282.006, Florida Statutes, is created
995 to read:
996
282.006
Division of Integrated Government Innovation and
997
Technology
; enterprise responsibilities; reporting.—
998
(1)
The
Division of Integrated Government Innovation and
999
Technology
established in s.
14
.
205
is
the state organization
1000
for information technology governance and is the lead entity
1001
responsible for understanding the unique state agency
1002
information technology needs and environments, creating
1003
technology standards and strategy, supporting state agency
1004
technology efforts, and reporting on the status of technology
1005
for
state agencies
.
1006
(2) The Legislature intends for
DIGIT
policy, standards,
1007
guidance, and oversight to allow for adaptability to emerging
1008
technology and organizational needs while maintaining compliance
1009
with industry best practices. All policies, standards, and
1010
guidelines established pursuant to this chapter must be
1011
technology-agnostic and may not prescribe specific tools,
1012
platforms, or vendors.
1013
(3)
DIGIT
shall establish the strategic direction of
1014
information technology
for state agencies
.
DIGIT
shall develop
1015
and publish information technology policy that aligns with
1016
industry best practices for the management of the state’s
1017
information technology resources. The policy must be updated as
1018
necessary to meet the requirements of this chapter and
1019
advancements in technology.
1020
(
4
)
DIGIT
shall
, i
n coordination with state agency
1021
technology subject matter experts, develop, publish, and
1022
maintain an enterprise architecture that:
1023
(a)
Acknowledges the unique needs of the entities within
1024
the enterprise in the development and publication of standards
1025
and terminologies to facilitate digital interoperability;
1026
(b)
Supports the cloud-first policy as specified in s.
1027
282.206;
1028
(c)
Addresses
the manner in which
information technology
1029
infrastructure may be modernized to achieve security,
1030
scalability, maintainability, interoperability, and improved
1031
cost-efficiency goals; and
1032
(d)
Includes, at a minimum, best practices, guidelines, and
1033
standards for:
1034
1
.
Data models and taxonomies.
1035
2
.
Master data management.
1036
3
.
Data integration and interoperability.
1037
4
.
Data security and encryption.
1038
5
.
Bot prevention and data protection.
1039
6
.
Data backup and recovery.
1040
7
.
Application portfolio and catalog requirements.
1041
8
.
Application architectural patterns and principles.
1042
9
.
Technology and platform standards.
1043
10
.
Secure coding practices.
1044
11
.
Performance and scalability.
1045
12
.
Cloud infrastructure and architecture.
1046
13
.
Networking, connectivity, and security protocols.
1047
14
.
Authentication, authorization, and access controls.
1048
15
.
Disaster recovery.
1049
16
.
Quality assurance.
1050
17
.
Testing methodologies and measurements.
1051
18
.
Logging and log retention.
1052
19
.
Application and use of artificial intelligence.
1053
(
5
)
DIGIT shall develop
open data technical standards and
1054
terminologies for use by
state agencies
.
DIGIT shall d
evelop
1055
enterprise technology testing and quality assurance best
1056
practices and standards to ensure the reliability, security, and
1057
performance of information technology systems. Such best
1058
practices and standards must include:
1059
(a)
Functional testing to ensure software or systems meet
1060
required specifications.
1061
(b)
Performance and load testing to ensure software and
1062
systems operate efficiently under various conditions.
1063
(c)
Security testing to protect software and systems from
1064
vulnerabilities and cyber threats.
1065
(d)
Compatibility and interoperability testing to ensure
1066
software and systems operate seamlessly across environments.
1067
(
6
)
DIGIT
shall produce
and provide
the following reports
1068
to the Governor, the President of the Senate, and the Speaker of
1069
the House of Representatives:
1070
(a) Annually by December 15, an enterprise analysis report
1071
for state agencies
which
includes all of the following:
1072
1.
Results of the state agency needs assessments, including
1073
any plan to address technical debt as required by s. 282.0061
1074
pursuant to the schedule adopted.
1075
2.
Alternative standards related to federal funding adopted
1076
pursuant to s. 282.0061.
1077
3. Information technology financial data for each state
1078
agency for the previous fiscal year. This portion of the annual
1079
report must include, at a minimum, the following recurring and
1080
nonrecurring information:
1081
a. Total number of full-time equivalent positions.
1082
b. Total amount of salary.
1083
c. Total amount of benefits.
1084
d. Total number of comparable full-time equivalent
1085
positions and total amount of expenditures for information
1086
technology staff augmentation.
1087
e. Total number of contracts and purchase orders and total
1088
amount of associated expenditures for information technology
1089
managed services.
1090
f. Total amount of expenditures by state term contract as
1091
defined in s. 287.012, contracts procured using alternative
1092
purchasing methods as authorized pursuant to s. 287.042(16), and
1093
state agency procurements through request for proposal,
1094
invitation to negotiate, invitation to bid, single source, and
1095
emergency purchases.
1096
g. Total amount of expenditures for hardware.
1097
h. Total amount of expenditures for non-cloud software.
1098
i. Total amount of expenditures for cloud software licenses
1099
and services with a separate amount for expenditures for state
1100
data center services.
1101
j. Total amount of expenditures for cloud data center
1102
services with a separate amount for expenditures for state data
1103
center services.
1104
k. Total amount of expenditures for administrative costs.
1105
4. Consolidated information for the previous fiscal year
1106
about state information technology projects, which must include,
1107
at a minimum, the following information:
1108
a. Anticipated funding requirements for information
1109
technology support over the next 5 years.
1110
b. An inventory of current information technology assets
1111
and major projects.
As used in this paragraph, t
he term “major
1112
project” includes projects costing more than $500,000 to
1113
implement.
1114
c. Significant unmet needs for information technology
1115
resources over the next 5 fiscal years, ranked in priority order
1116
according to their urgency.
1117
5.
A review and summary of whether the information
1118
technology contract policy established pursuant to s. 282.0064
1119
is included in all solicitations and contracts.
1120
(b) Biennially by December 15 of even-numbered years, a
1121
report on the strategic direction of information technology in
1122
the state which includes
recommendations for
all of the
1123
following:
1124
1.
S
tandardization and consolidation of information
1125
technology services that are identified as common across state
1126
agencies as required in s. 282.0061.
1127
2.
I
nformation technology services
needed to
be designed,
1128
delivered, and managed as
state agency
enterprise information
1129
technology services. Recommendations must include the
1130
identification of existing information technology resources
1131
associated with the services, if existing services must be
1132
transferred as a result of being delivered and managed as
1133
enterprise information technology services, and which entity is
1134
best suited to manage the service.
1135
(c)1.
When conducted as provided in this paragraph, a
1136
market analysis and accompanying strategic plan submitted by
1137
December 31 of each year that the market analysis is conducted.
1138
2.
No less frequently than every 3 years,
DIGIT
shall
1139
conduct
a
market analysis to determine whether the:
1140
a.
Information technology resources
across state agencies
1141
are used in the most cost-effective and cost-efficient manner,
1142
while recognizing that the replacement of certain legacy
1143
information technology systems within the enterprise may be cost
1144
prohibitive or cost inefficient due to the remaining useful life
1145
of those resources; and
1146
b.
State agencies are
using best practices with respect to
1147
information technology, information services, and the
1148
acquisition of emerging technologies and information services.
1149
3.
Each market analysis must be used to prepare a strategic
1150
plan for continued and future information technology and
1151
information services, including, but not limited to, proposed
1152
acquisition
s
of new services or technologies and approaches to
1153
the implementation of any new services or technologies.
1154
(
7
)
(a)
DIGIT
shall develop, implement, and maintain a
1155
library to serve as the official repository for all enterprise
1156
information technology policies, standards, guidelines, and best
1157
practices applicable to state agencies. The
online
library must
1158
be accessible
and searchable
by all state agencies
and
the
1159
Department of Legal Affairs, the Department of Financial
1160
Services
, and
the Department of Agriculture and Consumer
1161
Services
through a secure authentication system.
T
he library
1162
must include standardized checklists organized by technical
1163
subject areas to assist state agencies in measuring compliance
1164
with the information technology policies, standards, guidelines,
1165
and best practices.
1166
(
b
)
DIGIT
shall establish procedures to ensure the
1167
integrity, security, and availability of the library, including
1168
appropriate access controls, encryption, and disaster recovery
1169
measures.
DIGIT
shall
regularly update documents and materials
1170
in
the library to reflect current state and federal
1171
requirements, industry best practices, and emerging technologies
1172
and shall
maintain version control and revision history for all
1173
published documents.
DIGIT
shall create mechanisms for state
1174
agencies to submit feedback, request clarifications, and
1175
recommend updates.
1176
(
8
)
(a)
Each s
tate
agency
shall
a
ctively participate and
1177
collaborate
with
DIGIT
to achieve the objectives set forth in
1178
this chapter.
Each state agency shall also a
dhere to
the
1179
policies, standards, guidelines, and best practices
established
1180
by
DIGIT
in information technology planning, procurement,
1181
implementation, and operations
as required by this chapter.
1182
(b)1.
A state agency may request an exemption to a specific
1183
policy, standard, or guideline when compliance is not
1184
technically feasible, would cause undue hardship, or conflicts
1185
with
any
agency
-
specific statutory requirement. The state agency
1186
requesting an
exemption
must submit a formal justification to
1187
DIGIT
detailing all of the following:
1188
a.
The specific requirement for which an exemption is
1189
sought.
1190
b.
The reason compliance is not feasible or practical.
1191
c.
Any compensating control or alternative measure the
1192
state agency will implement to mitigate associated risks.
1193
d.
The anticipated duration of the exemption.
1194
2.
DIGIT
shall review all exemption requests and provide a
1195
recommendation to the state chief information officer
,
who shall
1196
present the compliance exemption requests to the chief
1197
information officer workgroup. Approval of exemption requests
1198
must be made by a majority vote of the workgroup. Approved
1199
exemptions must be documented
and include
conditions and
1200
expiration dates.
1201
3.
A state agency with an approved exemption
shall
undergo
1202
periodic review to determine whether the exemption remains
1203
necessary or
whether
compliance can be achieved.
1204
(
9
)
DIGIT
may adopt rules to implement this chapter.
1205 Section 12. Section 282.0061, Florida Statutes, is created
1206 to read:
1207
282.0061
DIGIT
support of state agencies; information
1208
technology procurement and projects.—
1209
(1) LEGISLATIVE INTENT.—The Legislature intends for
DIGIT
1210
to support state agencies in their information technology
1211
efforts through the adoption of policies, standards, and
1212
guidance and by providing oversight that recognizes unique state
1213
agency information technology needs, environments, and goals.
1214
DIGIT
assistance and support must allow for adaptability to
1215
emerging technologies and organizational needs while maintaining
1216
compliance with industry best practices.
DIGIT
may not prescribe
1217
specific tools, platforms, or vendors.
1218
(2)
NEEDS ASSESSMENTS.—
1219
(a)
By January 1, 202
9
,
DIGIT
shall conduct full baseline
1220
needs assessments of state agencies to document their
respective
1221
technical environments, existing technical debt, security risks,
1222
and compliance with all information technology standards and
1223
guidelines developed and published by
DIGIT
. The needs
1224
assessment must use the latest version of the Capability
1225
Maturity Model Integration to evaluate each state agency’s
1226
information technology capabilities, providing a maturity level
1227
rating for each assessed domain. After completion of the
initial
1228
full baseline needs assessment, such assessments must be
1229
maintained and updated on a regular schedule adopted by
DIGIT
.
1230
(b)
In assessing the existing technical debt portion of the
1231
needs assessment,
DIGIT
shall analyze the state’s legacy
1232
information technology systems and develop a plan to document
1233
the needs and costs for replacement systems. The plan must
1234
include an inventory of legacy applications and infrastructure;
1235
the required capabilities not available with the legacy system;
1236
the estimated process, timeline, and cost to migrate from legacy
1237
environments; and any other information necessary for fiscal or
1238
technology planning. The plan must determine and document the
1239
estimated timeframe during which the state agency can continue
1240
to efficiently use legacy information technology systems,
1241
resources, security, and data management to support operations.
1242
State agencies shall provide all necessary documentation to
1243
enable accurate reporting on legacy systems.
1244
(c)
DIGIT
shall develop a plan and schedule to conduct the
1245
initial full baseline needs assessments. By October 1, 202
7
,
1246
DIGIT
shall submit the plan to the Governor, the President of
1247
the Senate, and the Speaker of the House of Representatives.
1248
(d)
DIGIT
shall support state agency strategic planning
1249
efforts and assist state agencies with the production of a
1250
phased roadmap to address known technology gaps and deficiencies
1251
as identified in the needs assessments. The roadmaps must
1252
include specific strategies and initiatives aimed at advancing
1253
the state agency’s maturity level in accordance with the latest
1254
version of the Capability Maturity Model Integration. State
1255
agencies shall create, maintain, and submit the roadmap on an
1256
annual basis with their legislative budget requests required
1257
under s. 216.023.
1258
(3)
STANDARDIZATION.—
DIGIT
shall:
1259
(a) Recommend in its annual
enterprise analysis report for
1260
state agencies
required under s. 282.006 any potential method
1261
for standardizing data across state agencies which will promote
1262
interoperability and reduce the collection of duplicative data.
1263
(b) Identify any opportunities in
such
enterprise analysis
1264
report for state agencies
for standardization and consolidation
1265
of information technology services that are common across all
1266
state agencies and that support:
1267
1.
Improved interoperability, security, scalability,
1268
maintainability, and cost efficiency; and
1269
2.
Business functions and operations, including
1270
administrative functions such as purchasing, accounting and
1271
reporting, cash management, and personnel.
1272
(c)
Review all state agency information technology
1273
legislative budget requests for compliance with the enterprise
1274
architecture, project planning standards, and cybersecurity, and
1275
provide a report of the findings to the Executive Office of the
1276
Governor’s Office of Policy and Budget for consideration for
1277
funding decisions in the Governor’s recommended budget.
1278
(4)
DATA MANAGEMENT.—
1279
(a)
DIGIT
shall develop standards for use by state agencies
1280
which support best practices for master data management at the
1281
state agency level to facilitate enterprise data sharing and
1282
interoperability.
1283
(b)
DIGIT
shall establish a methodology and strategy for
1284
implementing statewide master data management and submit a
1285
report to the Governor, the President of the Senate, and the
1286
Speaker of the House of Representatives by December 1, 202
9
. The
1287
report must include the vision, goals, and benefits of
1288
implementing a statewide master data management initiative, an
1289
analysis of the current state of data management, and the
1290
recommended strategy, methodology, and estimated timeline and
1291
resources needed at a state agency and enterprise level to
1292
accomplish the initiative.
1293
(5) INFORMATION TECHNOLOGY PROJECTS.—
DIGIT
has the
1294
following duties and responsibilities related to state agency
1295
technology projects:
1296
(a) Provide procurement advisory and review services for
1297
information technology projects to all state agencies, including
1298
procurement and contract development assistance to meet the
1299
information technology contract policy established pursuant to
1300
s. 282.0064.
1301
(b) Establish best practices and procurement processes
,
and
1302
develop metrics to support these processes for the procurement
1303
of information technology products and services in order to
1304
reduce costs or improve the provision of government services.
1305
(c)
Upon request, assist state agencies in the development
1306
of information technology-related legislative budget requests.
1307
(d)
Develop standards and accountability measures for
1308
information technology project
planning and implementation
,
1309
including criteria for effective project management and
1310
oversight. State agencies
shall
satisfy these standards and
1311
measures when implementing information technology projects. To
1312
support data-driven decisionmaking, the standards and measures
1313
must include, but are not limited to:
1314
1. Performance measurements and metrics that objectively
1315
assess
the
progress and risks
of an information technology
1316
project based on a defined and documented project scope, to
1317
include the
number
of impacted stakeholders, cost, and schedule
,
1318
to determine whether the project is performing as planned and
1319
delivering the intended outcomes
.
1320
2. Methodologies for calculating and defining acceptable
1321
variances
between the planned and ac
tual scope
of a technology
1322
project which provide clear thresholds for guiding corrective
1323
actions. Such methodologies must account for project complexity
1324
and scale
, schedule,
performance, quality, and the
cost of an
1325
information technology project.
1326
3. Reporting requirements
that ensure timely notifications
1327
to all defined stakeholders
when
an information technology
1328
project exceed
s
acceptable variances defined and documented in a
1329
project plan
, including
any variance that
results in
a schedule
1330
delay of 1 month or more
,
or a cost increase of $1 million or
1331
more
, and that establish procedures for escalating critical
1332
issues to appropriate individuals
.
1333
4. Technical
reporting metrics
to
determine if
an
1334
information technology project complies with the enterprise
1335
architecture standards.
1336
5.
Minimum requirements for engaging stakeholders
1337
throughout a project’s life cycle.
1338
(e)
Develop a framework that provides processes,
1339
activities, and deliverables state agencies must comply with
1340
when planning an information technology project. The processes,
1341
activities, and deliverables must include, but are not limited
1342
to, all of the following:
1343
1.
Business case development, including the information
1344
required by s. 287.0571(4), full life cycle cost estimates,
1345
governance structure, system interoperability goals, data
1346
management plans, scalability approach, evaluation of
1347
cybersecurity and data privacy risks, and technology-specific
1348
performance metrics and service levels.
1349
2.
Market research, including the use of a request for
1350
information as defined in s. 287.012.
1351
3.
Planning and scheduling.
1352
4.
Stakeholder engagement.
1353
5.
Risk assessment.
1354
6.
Procurement strategy.
1355
7.
Project governance definition.
1356
8.
System design and requirements.
1357
9.
Change management.
1358
10.
Monitoring and reporting.
1359
11.
Postimplementation review and planning.
1360
12.
Solicitation documentation.
1361
(f)
Develop information technology project reports for use
1362
by state agencies, including, but not limited to, operational
1363
work plans, project spending plans, and project status reports.
1364
Reporting standards must include content, format, and frequency
1365
of project updates.
1366
(g)
Develop and provide training specific to information
1367
technology project management and oversight which supplements
1368
and enhances the training offered by the department and the
1369
Chief Financial Officer under s. 287.057(15)(b). DIGIT shall
1370
evaluate such training every 2 years to assess its effectiveness
1371
and update the training curriculum. The training must address
1372
the unique requirements and risk profiles of state information
1373
technology projects, procurements, contract management, and
1374
vendor management.
1375
(h)
Perform project oversight on all state agency
1376
information technology projects that have total project costs of
1377
$10 million or more.
DIGIT
shall report by the 30th day after
1378
the end of each quarter to the Executive Office of the Governor,
1379
the President of the Senate, and the Speaker of the House of
1380
Representatives on any information technology project that
DIGIT
1381
identifies as high-risk
due to the project exceeding the
1382
acceptable project variance thresholds provided in the project
1383
management and oversight standards
. The report must include a
1384
risk assessment, including fiscal risks associated with
1385
proceeding to the next stage of the project,
a list of all
1386
projects with a performance deficiency, reported pursuant to s.
1387
287.057(26)(d)1., which has not been corrected as of the end of
1388
the reporting period,
and a recommendation for corrective
1389
actions required, including suspension or termination of the
1390
project.
1391
(
i
)
Establish a streamlined reporting process with clear
1392
timelines and escalation procedures for notifying a state agency
1393
of noncompliance with the standards developed and adopted by
1394
DIGIT
.
1395
(
j
)
Develop and maintain standards, performance metrics,
1396
and evaluation tools to measure the performance of information
1397
technology vendors that provide information technology
1398
commodities or services to the state. The standards, metrics,
1399
and tools must:
1400
1.
Be organized by vendor category, reflecting the
1401
differ
ent
roles, services, and risk profiles of information
1402
technology vendors, including, but not limited to, software,
1403
cloud services, infrastructure, cybersecurity, systems
1404
integration, and professional services.
1405
2.
Include objective, measurable criteria to assess vendor
1406
performance, which
criteria
may include timeliness, quality of
1407
deliverables, cost control, compliance with contract
1408
requirements, security and privacy practices, responsiveness,
1409
and customer satisfaction.
1410
3.
Provide for the collection and analysis of performance
1411
data across state agencies to support consistent and comparable
1412
evaluations.
1413
4.
Support a scoring mechanism that may be used in
1414
procurement and contract management processes, including the
1415
identification of vendors eligible for inclusion on a preferred
1416
vendors list established by DIGIT.
1417
5.
Provide for the public availability of the preferred
1418
vendors list, including vendor rankings by category, in a manner
1419
determined by DIGIT.
1420
6.
Require that, to the extent permitted by law, priority
1421
consideration in future procurements be given to vendors on the
1422
preferred vendors list based on performance ranking and cost, as
1423
applicable to the procurement method used.
1424
7.
Be periodically reviewed and updated to reflect evolving
1425
technology, market conditions, and state needs.
1426
(6) INFORMATION TECHNOLOGY FINANCIAL DATA.—
1427
(a)
In consultation with state agencies,
DIGIT
shall create
1428
a methodology, an approach, and applicable templates and formats
1429
for identifying and collecting both current and planned
1430
information technology expenditure data at the state agency
1431
level.
DIGIT
shall continuously obtain, review, and maintain
1432
records of the appropriations, expenditures, and revenues for
1433
information technology for each state agency.
1434
(b)
DIGIT
shall prescribe the format for state agencies to
1435
provide all necessary financial information to
DIGIT
for
1436
inclusion in the annual report required under s. 282.006. State
1437
agencies
shall
provide the information to
DIGIT
by October 1 for
1438
the previous fiscal year.
1439
(7) FEDERAL CONFLICTS.—
DIGIT
must
work with state agencies
1440
to provide alternative standards, policies, or requirements that
1441
do not conflict with federal regulations or requirements if
1442
adherence to standards or policies adopted by or established
1443
pursuant to this section conflict with federal regulations or
1444
requirements imposed on an entity within the enterprise and
1445
results in, or is expected to result in, adverse action against
1446
any
state agenc
y
or loss of federal funding.
1447 Section 13. Section 282.0062, Florida Statutes, is created
1448 to read:
1449
282.0062
DIGIT
workgroups.—The following workgroups are
1450
established within
DIGIT
to facilitate coordination with state
1451
agencies:
1452
(1)
CHIEF INFORMATION OFFICER WORKGROUP.—
1453
(a) The chief information officer workgroup, composed of
1454
all state agency chief information officers, shall consider and
1455
make recommendations to the state chief information officer and
1456
the state chief information architect on such matters as
1457
enterprise information technology policies, standards, services,
1458
and architecture. The workgroup may also identify and recommend
1459
opportunities for the establishment of public-private
1460
partnerships when considering technology infrastructure and
1461
services in order to accelerate project delivery and provide a
1462
source of new or increased project funding.
1463
(b) At a minimum, the state chief information officer shall
1464
consult with the workgroup on a quarterly basis with regard to
1465
executing the duties and responsibilities of the state agencies
1466
related to statewide information technology strategic planning
1467
and policy.
1468
(2)
ENTERPRISE DATA AND INTEROPERABILITY WORKGROUP.—
1469
(a) The enterprise data and interoperability workgroup,
1470
composed of chief data officer representatives from all state
1471
agencies, shall consider and make recommendations to the state
1472
chief data officer on such matters as enterprise data policies,
1473
standards, services, and architecture that promote data
1474
consistency, accessibility, and seamless integration across the
1475
enterprise.
1476
(b) At a minimum, the state chief data officer shall
1477
consult with the workgroup on a quarterly basis with regard to
1478
executing the duties and responsibilities of the state agencies
1479
related to statewide data governance planning and policy.
1480
(3)
ENTERPRISE SECURITY WORKGROUP.—
1481
(a) The enterprise security workgroup, composed of chief
1482
information security officer representatives from all state
1483
agencies, shall consider and make recommendations to the state
1484
chief information security officer on such matters as
1485
cybersecurity policies, standards, services, and architecture
1486
that promote the protection of state assets.
1487
(b) At a minimum, the state chief information security
1488
officer shall consult with the workgroup on a quarterly basis
1489
with regard to executing the duties and responsibilities of the
1490
state agencies related to cybersecurity governance and policy
1491
development.
1492
(
4
) ENTERPRISE INFORMATION TECHNOLOGY QUALITY ASSURANCE
1493
WORKGROUP.—
1494
(a) The enterprise information technology quality assurance
1495
workgroup, composed of testing and quality assurance
1496
representatives from all state agencies, shall consider and make
1497
recommendations to the state chief technology officer on such
1498
matters as testing methodologies, tools, and best practices to
1499
reduce risks related to software defects, cybersecurity threats,
1500
and operational failures.
1501
(b)
At a minimum, the state chief
information
officer shall
1502
consult with the workgroup on a quarterly basis with regard to
1503
executing the duties and responsibilities of the state agencies
1504
related to enterprise software testing and quality assurance
1505
standards.
1506
(
5
)
ENTERPRISE INFORMATION TECHNOLOGY PROJECT MANAGEMENT
1507
WORKGROUP.—
1508
(a)
The enterprise information technology project
1509
management workgroup, composed of information technology project
1510
manager representatives from all state agencies, shall consider
1511
and make recommendations to the state chief technology officer
1512
on such matters as information technology project management
1513
policies, standards, accountability measures, and services that
1514
promote project governance and standardization across the
1515
enterprise.
1516
(b)
At a minimum, the state chief
information
officer shall
1517
consult with the workgroup on a quarterly basis with regard to
1518
executing the duties and responsibilities of the state agencies
1519
related to project management and oversight.
1520
(
6
)
ENTERPRISE INFORMATION TECHNOLOGY PURCHASING
1521
WORKGROUP.—
1522
(a)
The enterprise information technology purchasing
1523
workgroup, composed of information technology procurement
1524
representatives from all state agencies, shall consider and make
1525
recommendations to the state chief technology procurement
1526
officer on such matters as information technology procurement
1527
policies, standards, and purchasing strategy and optimization
1528
that promote best practices for contract negotiation,
1529
consolidation, and effective service-level agreement
1530
implementation across the enterprise.
1531
(b)
At a minimum, the state chief information officer shall
1532
consult with the workgroup on a quarterly basis with regard to
1533
executing the duties and responsibilities of the state agencies
1534
related to technology evaluation, purchasing, and cost savings.
1535
(
7
)
DEPARTMENT OF LEGAL AFFAIRS, DEPARTMENT OF FINANCIAL
1536
SERVICES, AND DEPARTMENT OF AGRICULTURE AND CONSUMER SERVICES
1537
INFORMATION TECHNOLOGY STAFF.—
Appropriate information technology
1538
staff of
the Department of Legal Affairs, the Department of
1539
Financial Services, and the Department of Agriculture and
1540
Consumer Services
shall participate in the workgroups created
1541
under subsections (1), (2), and (3) and may participate in any
1542
other workgroups as authorized by their respective elected
1543
official.
1544 Section 14. Section 282.0063, Florida Statutes, is created
1545 to read:
1546
282.0063
State information technology professionals career
1547
paths and training
.—
1548
(1)
DIGIT shall d
evelop
standardized frameworks for,
and
1549
career
paths,
progressions
,
and training programs
for, the
1550
benefit of state agency information technology personnel. To
1551
meet that goal, DIGIT shall:
1552
(a)
Assess current and future
information technology
1553
workforce needs across state agencies, identify skill gaps
,
and
1554
develop strategies to address them.
1555
(b) D
evelop and establish
a
training program for state
1556
agencies to support the understanding and implementation of
each
1557
element of
the enterprise architecture.
1558
(c)
Establish training programs, certifications, and
1559
continuing education opportunities to enhance
information
1560
technology
competencies, including cybersecurity, cloud
1561
computing, and emerging technologies.
1562
(
d
) Support initiatives to
provide
existing employees
with
1563
training or other opportunities to develop skills
in emerging
1564
technologies and automation, ensuring
that state
agencies remain
1565
competitive and innovative.
1566
(e) Develop strategies to recruit and retain information
1567
technology professionals, including internship programs,
1568
apprenticeships, partnerships with educational institutions,
1569
scholarships for service, and initiatives to attract diverse
1570
talent.
1571
(2)
DIGIT shall consult with CareerSource Florida, Inc.,
1572
the Department of Commerce, and the Department of Education in
1573
the implementation of this section.
1574 Section 15. Section 282.0064, Florida Statutes, is created
1575 to read:
1576
282.0064 Information technology contract policy.—
1577
(1) In coordination with the Department of Management
1578
Services,
DIGIT
shall establish a policy for all information
1579
technology-related solicitations and contracts, including state
1580
term contracts; contracts sourced using alternative purchasing
1581
methods as authorized pursuant to s. 287.042(16); sole source
1582
and emergency procurements; and contracts for commodities,
1583
consultant services, and staff augmentation services.
1584
(2) Related to state term contracts, the information
1585
technology policy must include:
1586
(a) Identification of the information technology product
1587
and service categories to be included in state term contracts.
1588
(b) The term of each information technology-related state
1589
term contract.
1590
(c) The maximum number of vendors authorized on each state
1591
term contract.
1592
(3) For all contracts, the information technology policy
1593
must include:
1594
(a) Evaluation criteria for the award of information
1595
technology-related contracts.
1596
(b) Requirements to be included in solicitations.
1597
(c) At a minimum, a requirement that any contract for
1598
information technology commodities or services meet the
1599
requirements of the enterprise architecture and National
1600
Institute of Standards and Technology Cybersecurity Framework.
1601
(4) The policy must include the following requirements for
1602
any information technology project that requires project
1603
oversight through independent verification and validation:
1604
(a) An entity providing independent verification and
1605
validation may not have any:
1606
1. Technical, managerial, or financial interest in the
1607
project; or
1608
2. Responsibility for or participation in any other aspect
1609
of the project.
1610
(b)
The primary objective of independent verification and
1611
validation must be to provide an objective assessment throughout
1612
the entire project life cycle, reporting directly to all
1613
relevant stakeholders. An independent verification and
1614
validation entity shall independently verify and validate
1615
whether:
1616
1. The project is being built and implemented in accordance
1617
with defined technical architecture, specifications, and
1618
requirements.
1619
2. The project is adhering to established project
1620
management processes.
1621
3. The procurement of products, tools, and services and
1622
resulting contracts align
s
with current statutory and regulatory
1623
requirements.
1624
4. The value of services delivered is commensurate with
1625
project costs.
1626
5. The completed project meets the actual needs of the
1627
intended users.
1628
(c) The entity performing independent verification and
1629
validation shall provide regular reports and assessments
1630
directly to the designated oversight body, identifying risks,
1631
deficiencies, and recommendations for corrective actions to
1632
ensure project success and compliance with statutory
1633
requirements.
1634
(5)
The Division of State Purchasing in the Department of
1635
Management Services shall coordinate with
DIGIT
on state term
1636
contract solicitations and invitations to negotiate related to
1637
information technology.
Such coordination must include reviewing
1638
the solicitation specifications to verify compliance with
1639
enterprise architecture and cybersecurity standards, evaluating
1640
vendor responses under established criteria, answering vendor
1641
questions, and providing any other technical expertise
1642
necessary
.
1643
(6) The Department of Legal Affairs, the Department of
1644
Financial Services, and the Department of Agriculture and
1645
Consumer Services may adopt alternatives to the information
1646
technology policy established by
DIGIT
pursuant to this section.
1647
If alternatives to the policy are adopted, such department must
1648
notify
DIGIT
,
the Governor,
the President of the Senate, and the
1649
Speaker of the House of Representatives in writing of the
1650
adoption of the alternative
s
and provide a justification for
1651
adoption of the alternative
s, including whether the alternatives
1652
were
necessary to meet alternatives adopted pursuant to s.
1653
282.00515
,
and explain
the manner in which
the
department
will
1654
achieve the information technology policy.
1655 Section 16. Subsections (3), (4), (7), and (10) of section
1656 282.318, Florida Statutes, are amended to read:
1657 282.318 Cybersecurity.—
1658 (3)
DIGIT
The department, acting through the Florida
1659
Digital Service,
is the lead entity responsible for establishing
1660 standards and processes for assessing state agency cybersecurity
1661 risks and determining appropriate security measures
that comply
1662
with
the latest
national and state data compliance security
1663
standards
. Such standards and processes must be consistent with
1664 generally accepted technology best practices, including the
1665 National Institute for Standards and Technology Cybersecurity
1666 Framework, for cybersecurity.
DIGIT
The department, acting
1667
through the Florida Digital Service,
shall adopt rules that
1668 mitigate risks; safeguard state agency digital assets, data,
1669 information, and information technology resources to ensure
1670 availability, confidentiality, and integrity; and support a
1671 security governance framework.
DIGIT
The department, acting
1672
through the Florida Digital Service,
shall also:
1673 (a) Designate an employee
of the Florida Digital Service
as
1674 the state chief information security officer. The state chief
1675 information security officer must have experience and expertise
1676 in security and risk management for communications and
1677 information technology resources. The state chief information
1678 security officer is responsible for the development
of
1679
enterprise cybersecurity policy, standards
,
operation,
and
1680
security architecture
oversight
of cybersecurity
for state
1681 technology systems. The state chief information security officer
1682
must
shall
be notified of all confirmed or suspected incidents
1683 or threats of state agency information technology resources and
1684 must report such incidents or threats to the state chief
1685 information officer
and the Governor
.
1686 (b) Develop, and annually update by February 1, a statewide
1687 cybersecurity strategic plan that includes security goals and
1688 objectives for cybersecurity, including the identification and
1689 mitigation of risk, proactive protections against threats,
1690 tactical risk detection, threat reporting, and response and
1691 recovery protocols for a cyber incident.
1692 (c) Develop and publish for use by state agencies a
1693 cybersecurity governance framework that, at a minimum, includes
1694 guidelines and processes for:
1695 1. Establishing asset management procedures to ensure that
1696 an agency’s information technology resources are identified and
1697 managed consistent with their relative importance to the
1698 agency’s business objectives.
1699 2. Using a standard risk assessment methodology that
1700 includes the identification of an agency’s priorities,
1701 constraints, risk tolerances, and assumptions necessary to
1702 support operational risk decisions
and that is aligned with
1703
generally accepted technology best practices, including the
1704
National Institute for Standards and Technology Cybersecurity
1705
Framework
.
1706 3. Completing comprehensive risk assessments and
1707 cybersecurity audits, which may be completed by
an independent
1708
third party
a private sector vendor
, and submitting completed
1709 assessments and audits to
DIGIT
the department
.
1710 4. Identifying protection procedures to manage the
1711 protection of an agency’s information, data, and information
1712 technology resources.
1713 5. Establishing procedures for accessing information and
1714 data to ensure the confidentiality, integrity, and availability
1715 of such information and data.
1716 6. Detecting threats through proactive monitoring of
1717 events, continuous security monitoring, and defined detection
1718 processes.
1719 7. Establishing agency cybersecurity incident response
1720 teams and describing their responsibilities for responding to
1721 cybersecurity incidents, including breaches of personal
1722 information containing confidential or exempt data.
1723 8. Recovering information and data in response to a
1724 cybersecurity incident. The recovery may include recommended
1725 improvements to the agency processes, policies, or guidelines.
1726 9. Establishing a cybersecurity incident reporting process
1727 that includes procedures for notifying
DIGIT
the department
and
1728 the Department of Law Enforcement of cybersecurity incidents.
1729 a. The level of severity of the cybersecurity incident is
1730 defined by the National Cyber Incident Response Plan of the
1731 United States Department of Homeland Security as follows:
1732 (I) Level 5 is an emergency-level incident within the
1733 specified jurisdiction that poses an imminent threat to the
1734 provision of wide-scale critical infrastructure services;
1735 national, state, or local government security; or the lives of
1736 the country’s, state’s, or local government’s residents.
1737 (II) Level 4 is a severe-level incident that is likely to
1738 result in a significant impact in the affected jurisdiction to
1739 public health or safety; national, state, or local security;
1740 economic security; or civil liberties.
1741 (III) Level 3 is a high-level incident that is likely to
1742 result in a demonstrable impact in the affected jurisdiction to
1743 public health or safety; national, state, or local security;
1744 economic security; civil liberties; or public confidence.
1745 (IV) Level 2 is a medium-level incident that may impact
1746 public health or safety; national, state, or local security;
1747 economic security; civil liberties; or public confidence.
1748 (V) Level 1 is a low-level incident that is unlikely to
1749 impact public health or safety; national, state, or local
1750 security; economic security; civil liberties; or public
1751 confidence.
1752 b. The cybersecurity incident reporting process must
1753 specify the information that must be reported by a state agency
1754 following a cybersecurity incident or ransomware incident,
1755 which, at a minimum, must include the following:
1756 (I) A summary of the facts surrounding the cybersecurity
1757 incident or ransomware incident.
1758 (II) The date on which the state agency most recently
1759 backed up its data; the physical location of the backup, if the
1760 backup was affected; and if the backup was created using cloud
1761 computing.
1762 (III) The types of data compromised by the cybersecurity
1763 incident or ransomware incident.
1764 (IV) The estimated fiscal impact of the cybersecurity
1765 incident or ransomware incident.
1766 (V) In the case of a ransomware incident, the details of
1767 the ransom demanded.
1768 c.(I) A state agency shall report all ransomware incidents
1769 and any cybersecurity incident determined by the state agency to
1770 be of severity level 3, 4, or 5 to the
state chief information
1771
security officer
Cybersecurity Operations Center
and the
1772 Cybercrime Office of the Department of Law Enforcement as soon
1773 as possible but no later than 48 hours after discovery of the
1774 cybersecurity incident and no later than 12 hours after
1775 discovery of the ransomware incident. The report must contain
1776 the information required in sub-subparagraph b.
If the event
1777
involves services housed or procured through the Northwest
1778
Regional Data Center, the state agency
must
also notify the
1779
Northwest Regional Data Center.
1780 (II) The
state chief information security officer
1781
Cybersecurity Operations Center
shall notify the President of
1782 the Senate and the Speaker of the House of Representatives of
1783 any severity level 3, 4, or 5 incident as soon as possible but
1784 no later than 12 hours after receiving a state agency’s incident
1785 report. The notification must include a high-level description
1786 of the incident and the likely effects.
1787 d. A state agency shall report a cybersecurity incident
1788 determined by the state agency to be of severity level 1 or 2 to
1789 the
state chief information security officer
Cybersecurity
1790
Operations Center
and the Cybercrime Office of the Department of
1791 Law Enforcement as soon as possible
, but no later than 96 hours
1792
after the discovery of the cybersecurity incident and no later
1793
than 72 hours after the discovery of the ransomware incident
.
1794 The report must contain the information required in sub
1795 subparagraph b.
If the event involves services housed or
1796
procured through the Northwest Regional Data Center, the state
1797
agency
must
also notify the Northwest Regional Data Center.
1798 e. The
state chief information security officer
1799
Cybersecurity Operations Center
shall provide a consolidated
1800 incident report on a quarterly basis to the President of the
1801 Senate
and
,
the Speaker of the House of Representatives
, and the
1802
Florida Cybersecurity Advisory Council. The report provided to
1803
the Florida Cybersecurity Advisory Council may not contain the
1804
name of any agency, network information, or system identifying
1805
information but must contain sufficient relevant information to
1806
allow the Florida Cybersecurity Advisory Council to fulfill its
1807
responsibilities as required in s. 282.319(9)
.
1808 10. Incorporating information obtained through detection
1809 and response activities into the agency’s cybersecurity incident
1810 response plans.
1811 11. Developing agency strategic and operational
1812 cybersecurity plans required pursuant to this section.
1813 12. Establishing the managerial, operational, and technical
1814 safeguards for protecting state government data and information
1815 technology resources that align with the state agency risk
1816 management strategy and that protect the confidentiality,
1817 integrity, and availability of information and data.
1818 13. Establishing procedures for procuring information
1819 technology commodities and services that require the commodity
1820 or service to meet the National Institute of Standards and
1821 Technology Cybersecurity Framework.
1822 14. Submitting after-action reports following a
1823 cybersecurity incident or ransomware incident.
Such guidelines
1824
and processes for submitting after-action reports must be
1825
developed and published by December 1, 2022.
1826 (d) Assist state agencies in complying with this section.
1827 (e) In collaboration with the Cybercrime Office of the
1828 Department of Law Enforcement, annually provide training for
1829 state agency information security managers and computer security
1830 incident response team members that contains training on
1831 cybersecurity, including cybersecurity threats, trends, and best
1832 practices.
1833 (f) Annually review the strategic and operational
1834 cybersecurity plans of state agencies.
1835 (g) Annually provide cybersecurity training to all state
1836 agency technology professionals and employees with access to
1837 highly sensitive information which develops, assesses, and
1838 documents competencies by role and skill level. The
1839 cybersecurity training curriculum must include training on the
1840 identification of each cybersecurity incident severity level
1841 referenced in sub-subparagraph (c)9.a. The training may be
1842 provided in collaboration with the Cybercrime Office of the
1843 Department of Law Enforcement, a private sector entity, or an
1844 institution of the State University System.
1845
(h) Operate and maintain a Cybersecurity Operations Center
1846
led by the state chief information security officer, which must
1847
be primarily virtual and staffed with tactical detection and
1848
incident response personnel. The Cybersecurity Operations Center
1849
shall serve as a clearinghouse for threat information and
1850
coordinate with the Department of Law Enforcement to support
1851
state agencies and their response to any confirmed or suspected
1852
cybersecurity incident.
1853
(i) Lead an Emergency Support Function, ESF CYBER, under
1854
the state comprehensive emergency management plan as described
1855
in s. 252.35.
1856 (4) Each state agency head shall, at a minimum:
1857 (a) Designate an information security manager to administer
1858 the cybersecurity program of the state agency. This designation
1859 must be provided annually in writing to
DIGIT
the department
by
1860 January 1. A state agency’s information security manager, for
1861 purposes of these information security duties, shall report
1862 directly to the agency head.
1863 (b) In consultation with the
state chief information
1864
security officer
department, through the Florida Digital
1865
Service,
and the Cybercrime Office of the Department of Law
1866 Enforcement, establish an agency cybersecurity response team to
1867 respond to a cybersecurity incident. The agency cybersecurity
1868 response team shall convene upon notification of a cybersecurity
1869 incident and
shall
must
immediately report all confirmed or
1870 suspected incidents to the state chief information security
1871 officer, or his or her designee, and comply with all applicable
1872 guidelines and processes established pursuant to paragraph
1873 (3)(c).
1874 (c) Submit to the
state chief information security officer
1875
department
annually by July 31, the state agency’s strategic and
1876 operational cybersecurity plans developed pursuant to rules and
1877 guidelines established by the
state chief information security
1878
officer
department, through the Florida Digital Service
.
1879 1. The state agency strategic cybersecurity plan must cover
1880 a
2-year
3-year
period and, at a minimum, define security goals,
1881 intermediate objectives, and projected agency costs for the
1882 strategic issues of agency information security policy, risk
1883 management, security training, security incident response, and
1884 disaster recovery. The plan must be based on the statewide
1885 cybersecurity strategic plan created by the
state chief
1886
information security officer
department
and include performance
1887 metrics that can be objectively measured to reflect the status
1888 of the state agency’s progress in meeting security goals and
1889 objectives identified in the agency’s strategic information
1890 security plan.
1891 2. The state agency operational cybersecurity plan must
1892 include a
set of measures that objectively assess the
1893
performance of the agency’s cybersecurity program in accordance
1894
with its risk management plan
progress report that objectively
1895
measures progress made towards the prior operational
1896
cybersecurity plan and a project plan that includes activities,
1897
timelines, and deliverables for security objectives that the
1898
state agency will implement during the current fiscal year
.
1899 (d) Conduct, and update every
2
3
years, a comprehensive
1900 risk assessment, which may be completed by
an independent third
1901
party
a private sector vendor
, to determine the security threats
1902 to the data, information, and information technology resources,
1903 including mobile devices and print environments, of the agency.
1904 The risk assessment must comply with the risk assessment
1905 methodology developed by the
state chief information security
1906
officer
department
and is confidential and exempt from s.
1907 119.07(1), except that such information shall be available to
1908 the Auditor General, the
state chief information security
1909
officer
Florida Digital Service within the department
, the
1910 Cybercrime Office of the Department of Law Enforcement, and, for
1911 state agencies under the jurisdiction of the Governor, the Chief
1912 Inspector General. If
an independent third party
a private
1913
sector vendor
is used to complete a comprehensive risk
1914 assessment, it must attest to the validity of the risk
1915 assessment findings.
The comprehensive risk assessment must
1916
include all of the following:
1917
1.
The results of vulnerability and penetration tests on
1918
any Internet website or mobile application that processes any
1919
sensitive personal information or confidential information
,
and
1920
a plan to address any vulnerability identified in the tests.
1921
2.
A written acknowledgment that the executive director or
1922
the secretary of the agency, the chief financial officer of the
1923
agency, and each executive manager as designated by the state
1924
agency
,
have been made aware of the risks revealed during the
1925
preparation of the agency’s operations cybersecurity plan and
1926
the comprehensive risk assessment.
1927 (e) Develop, and periodically update, written internal
1928 policies and procedures, which include procedures for reporting
1929 cybersecurity incidents and breaches to the Cybercrime Office of
1930 the Department of Law Enforcement and the
state chief
1931
information security officer
Florida Digital Service within the
1932
department
. Such policies and procedures must be consistent with
1933 the rules, guidelines, and processes established by
DIGIT
the
1934
department
to ensure the security of the data, information, and
1935 information technology resources of the agency. The internal
1936 policies and procedures that, if disclosed, could facilitate the
1937 unauthorized modification, disclosure, or destruction of data or
1938 information technology resources are confidential information
1939 and exempt from s. 119.07(1), except that such information
must
1940
shall
be available to the Auditor General, the Cybercrime Office
1941 of the Department of Law Enforcement,
the state chief
1942
information security officer
the Florida Digital Service within
1943
the
department
, and, for state agencies under the jurisdiction
1944 of the Governor, the Chief Inspector General.
1945 (f) Implement managerial, operational, and technical
1946 safeguards and risk assessment remediation plans recommended by
1947
DIGIT
the department
to address identified risks to the data,
1948 information, and information technology resources of the agency.
1949 The
state chief information security officer
department, through
1950
the Florida Digital Service,
shall track implementation by state
1951 agencies upon development of such remediation plans in
1952 coordination with agency inspectors general.
1953 (g) Ensure that periodic internal audits and evaluations of
1954 the agency’s cybersecurity program for the data, information,
1955 and information technology resources of the agency are
1956 conducted. The results of such audits and evaluations are
1957 confidential information and exempt from s. 119.07(1), except
1958 that such information
must
shall
be available to the Auditor
1959 General, the Cybercrime Office of the Department of Law
1960 Enforcement, the
state chief information security officer
1961
Florida Digital Service within the department
, and, for agencies
1962 under the jurisdiction of the Governor, the Chief Inspector
1963 General.
1964 (h) Ensure that the cybersecurity requirements in the
1965 written specifications for the solicitation, contracts, and
1966 service-level agreement of information technology and
1967 information technology resources and services meet or exceed the
1968 applicable state and federal laws, regulations, and standards
1969 for cybersecurity, including the National Institute of Standards
1970 and Technology Cybersecurity Framework. Service-level agreements
1971 must identify service provider and state agency responsibilities
1972 for privacy and security, protection of government data,
1973 personnel background screening, and security deliverables with
1974 associated frequencies.
1975 (i) Provide cybersecurity awareness training to all state
1976 agency employees within 30 days after commencing employment, and
1977 annually thereafter, concerning cybersecurity risks and the
1978 responsibility of employees to comply with policies, standards,
1979 guidelines, and operating procedures adopted by the state agency
1980 to reduce those risks. The training may be provided in
1981 collaboration with the Cybercrime Office of the Department of
1982 Law Enforcement, a private sector entity, or an institution of
1983 the State University System.
1984 (j) Develop a process for detecting, reporting, and
1985 responding to threats, breaches, or cybersecurity incidents
1986 which is consistent with the security rules, guidelines, and
1987 processes established by
DIGIT
the department
through the
state
1988
chief information security officer
Florida Digital Service
.
1989 1. All cybersecurity incidents and ransomware incidents
1990 must be reported by state agencies. Such reports must comply
1991 with the notification procedures and reporting timeframes
1992 established pursuant to paragraph (3)(c).
1993 2. For cybersecurity breaches, state agencies shall provide
1994 notice in accordance with s. 501.171.
1995 (k) Submit to the
state chief information security officer
1996
Florida Digital Service
, within 1 week after the remediation of
1997 a cybersecurity incident or ransomware incident, an after-action
1998 report that summarizes the incident, the incident’s resolution,
1999 and any insights gained as a result of the incident.
2000 (7) The portions of records made confidential and exempt in
2001 subsections (5) and (6)
must
shall
be available to the Auditor
2002 General, the Cybercrime Office of the Department of Law
2003 Enforcement, the
state chief information security officer, the
2004
Legislature
Florida Digital Service within the department
, and,
2005 for agencies under the jurisdiction of the Governor, the Chief
2006 Inspector General. Such portions of records may be made
2007 available to a local government, another state agency, or a
2008 federal agency for cybersecurity purposes or in furtherance of
2009 the state agency’s official duties.
2010 (10)
DIGIT
The department
shall adopt rules relating to
2011 cybersecurity and to administer this section.
2012 Section 17. Subsections (3) through (6) of section
2013 282.3185, Florida Statutes, are amended to read:
2014 282.3185 Local government cybersecurity.—
2015 (3) CYBERSECURITY TRAINING.—
2016 (a) The
state chief information security officer
Florida
2017
Digital Service
shall:
2018 1. Develop a basic cybersecurity training curriculum for
2019 local government employees. All local government employees with
2020 access to the local government’s network must complete the basic
2021 cybersecurity training within 30 days after commencing
2022 employment and annually thereafter.
2023 2. Develop an advanced cybersecurity training curriculum
2024 for local governments which is consistent with the cybersecurity
2025 training required under s. 282.318(3)(g). All local government
2026 technology professionals and employees with access to highly
2027 sensitive information must complete the advanced cybersecurity
2028 training within 30 days after commencing employment and annually
2029 thereafter.
2030 (b) The
state chief information security officer
Florida
2031
Digital Service
may provide the cybersecurity training required
2032 by this subsection in collaboration with the Cybercrime Office
2033 of the Department of Law Enforcement, a private sector entity,
2034 or an institution of the State University System.
2035 (4) CYBERSECURITY STANDARDS.—
2036 (a) Each local government shall adopt cybersecurity
2037 standards that safeguard its data, information technology, and
2038 information technology resources to ensure availability,
2039 confidentiality, and integrity. The cybersecurity standards must
2040 be consistent with generally accepted best practices for
2041 cybersecurity, including the National Institute of Standards and
2042 Technology Cybersecurity Framework.
2043 (b)
Each county with a population of 75,000 or more must
2044
adopt the cybersecurity standards required by this subsection by
2045
January 1, 2024. Each county with a population of less than
2046
75,000 must adopt the cybersecurity standards required by this
2047
subsection by January 1, 2025.
2048
(c) Each municipality with a population of 25,000 or more
2049
must adopt the cybersecurity standards required by this
2050
subsection by January 1, 2024. Each municipality with a
2051
population of less than 25,000 must adopt the cybersecurity
2052
standards required by this subsection by January 1, 2025.
2053
(d)
Each local government shall notify the
state chief
2054
information security officer
Florida Digital Service
of its
2055 compliance with this subsection as soon as possible.
2056 (5) INCIDENT NOTIFICATION.—
2057 (a) A local government shall provide notification of a
2058 cybersecurity incident or ransomware incident to the
state chief
2059
information security officer
Cybersecurity Operations Center
,
2060
the
Cybercrime Office of the Department of Law Enforcement, and
2061
the
sheriff who has jurisdiction over the local government in
2062 accordance with paragraph (b). The notification must include, at
2063 a minimum, the following information:
2064 1. A summary of the facts surrounding the cybersecurity
2065 incident or ransomware incident.
2066 2. The date on which the local government most recently
2067 backed up its data; the physical location of the backup, if the
2068 backup was affected; and if the backup was created using cloud
2069 computing.
2070 3. The types of data compromised by the cybersecurity
2071 incident or ransomware incident.
2072 4. The estimated fiscal impact of the cybersecurity
2073 incident or ransomware incident.
2074 5. In the case of a ransomware incident, the details of the
2075 ransom demanded.
2076 6. A statement requesting or declining assistance from
the
2077
Cybersecurity Operations Center,
the Cybercrime Office of the
2078 Department of Law Enforcement
,
or the sheriff who has
2079 jurisdiction over the local government.
2080 (b)1. A local government shall report all ransomware
2081 incidents and any cybersecurity incident determined by the local
2082 government to be of severity level 3, 4, or 5 as provided in s.
2083 282.318(3)(c) to the
state chief information security officer
2084
Cybersecurity Operations Center
, the Cybercrime Office of the
2085 Department of Law Enforcement, and the sheriff who has
2086 jurisdiction over the local government as soon as possible but
2087 no later than
12
48
hours after discovery of the cybersecurity
2088 incident and no later than
6
12
hours after discovery of the
2089 ransomware incident. The report must contain the information
2090 required in paragraph (a).
2091 2. The
state chief information security officer
2092
Cybersecurity Operations Center
shall notify the President of
2093 the Senate and the Speaker of the House of Representatives of
2094 any severity level 3, 4, or 5 incident as soon as possible but
2095 no later than 12 hours after receiving a local government’s
2096 incident report. The notification must include a high-level
2097 description of the incident and the likely effects.
2098 (c) A local government may report a cybersecurity incident
2099 determined by the local government to be of severity level 1 or
2100 2 as provided in s. 282.318(3)(c) to the
state chief information
2101
security officer
Cybersecurity Operations Center
, the Cybercrime
2102 Office of the Department of Law Enforcement, and the sheriff who
2103 has jurisdiction over the local government. The report
must
2104
shall
contain the information required in paragraph (a).
2105 (d) The
state chief information security officer
2106
Cybersecurity Operations Center
shall provide a consolidated
2107 incident report
by the 30th day after the end of each quarter
on
2108
a quarterly basis
to the President of the Senate
and
,
the
2109 Speaker of the House of Representatives
, and the Florida
2110
Cybersecurity Advisory Council. The report provided to the
2111
Florida Cybersecurity Advisory Council may not contain the name
2112
of any local government, network information, or system
2113
identifying information but must contain sufficient relevant
2114
information to allow the Florida Cybersecurity Advisory Council
2115
to fulfill its responsibilities as required in s. 282.319(9)
.
2116 (6) AFTER-ACTION REPORT.—A local government
shall
must
2117 submit to the
state chief information security officer
Florida
2118
Digital Service
, within 1 week after the remediation of a
2119 cybersecurity incident or ransomware incident, an after-action
2120 report that summarizes the incident, the incident’s resolution,
2121 and any insights gained as a result of the incident.
By December
2122
1, 2022, the Florida Digital Service shall establish guidelines
2123
and processes for submitting an after-action report.
2124 Section 18.
Section 282.319, Florida Statutes, is repealed.
2125 Section 19. Section 282.201, Florida Statutes, is amended
2126 to read:
2127 282.201 State data center.—The state data center is
2128 established within
the Northwest Regional Data Center pursuant
2129
to s. 282.2011 and shall meet or exceed the information
2130
technology standards specified in ss. 282.006 and 282.318
the
2131
department
.
The provision of data center services must comply
2132
with applicable state and federal laws, regulations, and
2133
policies, including all applicable security, privacy, and
2134
auditing requirements. The department shall appoint a director
2135
of the state data center who has experience in leading data
2136
center facilities and has expertise in cloud-computing
2137
management.
2138
(1) STATE DATA CENTER DUTIES.—The state data center shall:
2139
(a) Offer, develop, and support the services and
2140
applications defined in service-level agreements executed with
2141
its customer entities.
2142
(b) Maintain performance of the state data center by
2143
ensuring proper data backup; data backup recovery; disaster
2144
recovery; and appropriate security, power, cooling, fire
2145
suppression, and capacity.
2146
(c) Develop and implement business continuity and disaster
2147
recovery plans, and annually conduct a live exercise of each
2148
plan.
2149
(d) Enter into a service-level agreement with each customer
2150
entity to provide the required type and level of service or
2151
services. If a customer entity fails to execute an agreement
2152
within 60 days after commencement of a service, the state data
2153
center may cease service. A service-level agreement may not have
2154
a term exceeding 3 years and at a minimum must:
2155
1. Identify the parties and their roles, duties, and
2156
responsibilities under the agreement.
2157
2. State the duration of the contract term and specify the
2158
conditions for renewal.
2159
3. Identify the scope of work.
2160
4. Identify the products or services to be delivered with
2161
sufficient specificity to permit an external financial or
2162
performance audit.
2163
5. Establish the services to be provided, the business
2164
standards that must be met for each service, the cost of each
2165
service by agency application, and the metrics and processes by
2166
which the business standards for each service are to be
2167
objectively measured and reported.
2168
6. Provide a timely billing methodology to recover the
2169
costs of services provided to the customer entity pursuant to s.
2170
215.422.
2171
7. Provide a procedure for modifying the service-level
2172
agreement based on changes in the type, level, and cost of a
2173
service.
2174
8. Include a right-to-audit clause to ensure that the
2175
parties to the agreement have access to records for audit
2176
purposes during the term of the service-level agreement.
2177
9. Provide that a service-level agreement may be terminated
2178
by either party for cause only after giving the other party and
2179
the department notice in writing of the cause for termination
2180
and an opportunity for the other party to resolve the identified
2181
cause within a reasonable period.
2182
10. Provide for mediation of disputes by the Division of
2183
Administrative Hearings pursuant to s. 120.573.
2184
(e) For purposes of chapter 273, be the custodian of
2185
resources and equipment located in and operated, supported, and
2186
managed by the state data center.
2187
(f) Assume administrative access rights to resources and
2188
equipment, including servers, network components, and other
2189
devices, consolidated into the state data center.
2190
1. Upon consolidation, a state agency shall relinquish
2191
administrative rights to consolidated resources and equipment.
2192
State agencies required to comply with federal and state
2193
criminal justice information security rules and policies shall
2194
retain administrative access rights sufficient to comply with
2195
the management control provisions of those rules and policies;
2196
however, the state data center shall have the appropriate type
2197
or level of rights to allow the center to comply with its duties
2198
pursuant to this section. The Department of Law Enforcement
2199
shall serve as the arbiter of disputes pertaining to the
2200
appropriate type and level of administrative access rights
2201
pertaining to the provision of management control in accordance
2202
with the federal criminal justice information guidelines.
2203
2. The state data center shall provide customer entities
2204
with access to applications, servers, network components, and
2205
other devices necessary for entities to perform business
2206
activities and functions, and as defined and documented in a
2207
service-level agreement.
2208
(g) In its procurement process, show preference for cloud
2209
computing solutions that minimize or do not require the
2210
purchasing, financing, or leasing of state data center
2211
infrastructure, and that meet the needs of customer agencies,
2212
that reduce costs, and that meet or exceed the applicable state
2213
and federal laws, regulations, and standards for cybersecurity.
2214
(h) Assist customer entities in transitioning from state
2215
data center services to the Northwest Regional Data Center or
2216
other third-party cloud-computing services procured by a
2217
customer entity or by the Northwest Regional Data Center on
2218
behalf of a customer entity.
2219
(1)
(2)
USE OF THE STATE DATA CENTER.—
2220
(a)
The following are exempt from the use of the state data
2221 center: the Department of Law Enforcement, the Department of the
2222 Lottery’s Gaming System, Systems Design and Development in the
2223 Office of Policy and Budget, the regional traffic management
2224 centers as described in s. 335.14(2) and the Office of Toll
2225 Operations of the Department of Transportation, the State Board
2226 of Administration, state attorneys, public defenders, criminal
2227 conflict and civil regional counsel, capital collateral regional
2228 counsel,
and
the Florida Housing Finance Corporation
, and the
2229
Division of Emergency Management within the Executive Office of
2230
the Governor
.
2231
(b) The Division of Emergency Management is exempt from the
2232
use of the state data center. This paragraph expires July 1,
2233
2026.
2234
(2)
(3)
AGENCY LIMITATIONS.—Unless exempt from the use of
2235 the state data center pursuant to this section or authorized by
2236 the Legislature, a state agency may not:
2237 (a) Create a new agency computing facility or data center,
2238 or expand the capability to support additional computer
2239 equipment in an existing agency computing facility or data
2240 center; or
2241 (b) Terminate services with the state data center without
2242 giving written notice of intent to terminate services 180 days
2243 before such termination.
2244
(4) DEPARTMENT RESPONSIBILITIES.—The department shall
2245
provide operational management and oversight of the state data
2246
center, which includes:
2247
(a) Implementing industry standards and best practices for
2248
the state data center’s facilities, operations, maintenance,
2249
planning, and management processes.
2250
(b) Developing and implementing cost-recovery mechanisms
2251
that recover the full direct and indirect cost of services
2252
through charges to applicable customer entities. Such cost
2253
recovery mechanisms must comply with applicable state and
2254
federal regulations concerning distribution and use of funds and
2255
must ensure that, for any fiscal year, no service or customer
2256
entity subsidizes another service or customer entity. The
2257
department may recommend other payment mechanisms to the
2258
Executive Office of the Governor, the President of the Senate,
2259
and the Speaker of the House of Representatives. Such mechanisms
2260
may be implemented only if specifically authorized by the
2261
Legislature.
2262
(c) Developing and implementing appropriate operating
2263
guidelines and procedures necessary for the state data center to
2264
perform its duties pursuant to subsection (1). The guidelines
2265
and procedures must comply with applicable state and federal
2266
laws, regulations, and policies and conform to generally
2267
accepted governmental accounting and auditing standards. The
2268
guidelines and procedures must include, but need not be limited
2269
to:
2270
1. Implementing a consolidated administrative support
2271
structure responsible for providing financial management,
2272
procurement, transactions involving real or personal property,
2273
human resources, and operational support.
2274
2. Implementing an annual reconciliation process to ensure
2275
that each customer entity is paying for the full direct and
2276
indirect cost of each service as determined by the customer
2277
entity’s use of each service.
2278
3. Providing rebates that may be credited against future
2279
billings to customer entities when revenues exceed costs.
2280
4. Requiring customer entities to validate that sufficient
2281
funds exist before implementation of a customer entity’s request
2282
for a change in the type or level of service provided, if such
2283
change results in a net increase to the customer entity’s cost
2284
for that fiscal year.
2285
5. By November 15 of each year, providing to the Office of
2286
Policy and Budget in the Executive Office of the Governor and to
2287
the chairs of the legislative appropriations committees the
2288
projected costs of providing data center services for the
2289
following fiscal year.
2290
6. Providing a plan for consideration by the Legislative
2291
Budget Commission if the cost of a service is increased for a
2292
reason other than a customer entity’s request made pursuant to
2293
subparagraph 4. Such a plan is required only if the service cost
2294
increase results in a net increase to a customer entity for that
2295
fiscal year.
2296
7. Standardizing and consolidating procurement and
2297
contracting practices.
2298
(d) In collaboration with the Department of Law Enforcement
2299
and the Florida Digital Service, developing and implementing a
2300
process for detecting, reporting, and responding to
2301
cybersecurity incidents, breaches, and threats.
2302
(e) Adopting rules relating to the operation of the state
2303
data center, including, but not limited to, budgeting and
2304
accounting procedures, cost-recovery methodologies, and
2305
operating procedures.
2306
(5) NORTHWEST REGIONAL DATA CENTER CONTRACT.—In order for
2307
the department to carry out its duties and responsibilities
2308
relating to the state data center, the secretary of the
2309
department shall contract by July 1, 2022, with the Northwest
2310
Regional Data Center pursuant to s. 287.057(11). The contract
2311
shall provide that the Northwest Regional Data Center will
2312
manage the operations of the state data center and provide data
2313
center services to state agencies.
2314
(a) The department shall provide contract oversight,
2315
including, but not limited to, reviewing invoices provided by
2316
the Northwest Regional Data Center for services provided to
2317
state agency customers.
2318
(b) The department shall approve or request updates to
2319
invoices within 10 business days after receipt. If the
2320
department does not respond to the Northwest Regional Data
2321
Center, the invoice will be approved by default. The Northwest
2322
Regional Data Center must submit approved invoices directly to
2323
state agency customers.
2324 Section 20. Section 282.2011, Florida Statutes, is created
2325 to read:
2326
282.2011
Northwest Regional Data Center.—
2327
(1) For the purpose of providing data center services to
2328
its state agency customers, the Northwest Regional Data Center
2329
is designated as the state data center for all state agencies,
2330
except as otherwise provided by law, and shall:
2331
(a) Operate under a governance structure that represents
2332
its customers proportionally.
2333
(b) Maintain an appropriate cost-allocation methodology
2334
that accurately bills state agency customers based solely on the
2335
actual direct and indirect costs of the services provided to
2336
state agency customers and ensures that, for any fiscal year,
2337
state agency customers are not subsidizing other customers of
2338
the data center. Such cost-allocation methodology must comply
2339
with applicable state and federal regulations concerning the
2340
distribution and use of state and federal funds.
2341
(c) Enter into a service-level agreement with each state
2342
agency customer to provide services as defined and approved by
2343
the governing board of the center. At a minimum, such service
2344
level agreements must:
2345
1. Identify the parties and their roles, duties, and
2346
responsibilities under the agreement;
2347
2. State the duration of the agreement term, which may not
2348
exceed 3 years, and specify the conditions for up to two
2349
optional 1-year renewals of the agreement before execution of a
2350
new agreement;
2351
3. Identify the scope of work;
2352
4. Establish the services to be provided, the business
2353
standards that must be met for each service, the cost of each
2354
service, and the process by which the business standards for
2355
each service are to be objectively measured and reported;
2356
5. Provide a timely billing methodology for recovering the
2357
cost of services provided pursuant to s. 215.422;
2358
6. Provide a procedure for modifying the service-level
2359
agreement to address any changes in projected costs of service;
2360
7. Include a right-to-audit clause to ensure that the
2361
parties to the agreement have access to records for audit
2362
purposes during the term of the service-level agreement;
2363
8. Identify the products or services to be delivered with
2364
sufficient specificity to permit an external financial or
2365
performance audit;
2366
9. Provide that the service-level agreement may be
2367
terminated by either party for cause only after giving the other
2368
party notice in writing of the cause for termination and an
2369
opportunity for the other party to resolve the identified cause
2370
within a reasonable period; and
2371
10. Provide state agency customer entities with access to
2372
applications, servers, network components, and other devices
2373
necessary for entities to perform business activities and
2374
functions and as defined and documented in a service-level
2375
agreement.
2376
(d) For purposes of chapter 273, be the custodian of
2377
resources and equipment located in and operated, supported, and
2378
managed by the state data center.
2379
(e) Assume administrative access rights to resources and
2380
equipment, including servers, network components, and other
2381
devices, consolidated into the state data center.
2382
1. Upon consolidation, a state agency shall relinquish
2383
administrative rights to consolidated resources and equipment.
2384
State agencies required to comply with federal and state
2385
criminal justice information security rules and policies shall
2386
retain administrative access rights sufficient to comply with
2387
the management control provisions of those rules and policies;
2388
however, the state data center shall have the appropriate type
2389
or level of rights to allow the center to comply with its duties
2390
pursuant to this section. The Department of Law Enforcement
2391
shall serve as the arbiter of disputes pertaining to the
2392
appropriate type and level of administrative access rights
2393
pertaining to the provision of management control in accordance
2394
with the federal criminal justice information guidelines.
2395
2. The state data center shall provide customer entities
2396
with access to applications, servers, network components, and
2397
other devices necessary for entities to perform business
2398
activities and functions, and as defined and documented in a
2399
service-level agreement.
2400
(f) In its procurement process, show preference for cloud
2401
computing solutions that minimize or do not require the
2402
purchasing or financing of state data center infrastructure,
2403
that meet the needs of state agency customer entities, that
2404
reduce costs, and that meet or exceed the applicable state and
2405
federal laws, regulations, and standards for cybersecurity.
2406
(g) Assist state agency customer entities in transitioning
2407
from state data center services to other third-party cloud
2408
computing services procured by a customer entity or by the
2409
Northwest Regional Data Center on behalf of the customer entity.
2410
(h) Provide to the Board of Governors the total annual
2411
budget by major expenditure category, including, but not limited
2412
to, salaries, expenses, operating capital outlay, contracted
2413
services, or other personnel services, by July 30 each fiscal
2414
year.
2415
(i) Provide to each state agency customer its projected
2416
annual cost for providing the agreed-upon data center services
2417
by September 1 each fiscal year.
2418
(j) By November 15 of each year, provide to the Office of
2419
Policy and Budget in the Executive Office of the Governor and to
2420
the chairs of the legislative appropriations committees the
2421
projected costs of providing data center services for the
2422
following fiscal year for each state agency customer. The
2423
projections must include prior-year comparisons, identification
2424
of new services, and documentation of changes to billing
2425
methodologies or service cost allocation.
2426
(k) Provide a plan for consideration by the Legislative
2427
Budget Commission if the governing body of the center approves
2428
the use of a billing rate schedule after the start of the fiscal
2429
year which increases any state agency customer’s costs for that
2430
fiscal year.
2431
(l) Provide data center services that comply with
2432
applicable state and federal laws, regulations, and policies,
2433
including all applicable security, privacy, and auditing
2434
requirements.
2435
(m) Maintain performance of the data center facilities by
2436
ensuring proper data backup; data backup recovery; disaster
2437
recovery; and appropriate security, power, cooling, fire
2438
suppression, and capacity.
2439
(n)
Submit invoices to state agency customers.
2440
(o) As funded in the General Appropriations Act, provide
2441
data center services to state agencies from multiple facilities.
2442
(2) Unless exempt from the requirement to use the state
2443
data center pursuant to s. 282.201(1) or as authorized by the
2444
Legislature, a state agency may not do any of the following:
2445
(a) Terminate services with the Northwest Regional Data
2446
Center without giving written notice of intent to terminate
2447
services 180 days before such termination.
2448
(b) Procure third-party cloud-computing services without
2449
evaluating the cloud-computing services provided by the
2450
Northwest Regional Data Center.
2451
(c) Exceed 30 days from receipt of approved invoices to
2452
remit payment for state data center services provided by the
2453
Northwest Regional Data Center.
2454
(3) The Northwest Regional Data Center’s authority to
2455
provide data center services to its state agency customers may
2456
be terminated if:
2457
(a) The center requests such termination to the Board of
2458
Governors, the President of the Senate, and the Speaker of the
2459
House of Representatives; or
2460
(b) The center fails to comply with the provisions of this
2461
section.
2462
(4) The Northwest Regional Data Center is the lead entity
2463
responsible for creating, operating, and managing, including the
2464
research conducted by, the Florida Behavioral Health Care Data
2465
Repository as established by this subsection.
2466
(a) The purpose of the data repository is to create a
2467
centralized system for:
2468
1. Collecting and analyzing existing statewide behavioral
2469
health care data to:
2470
a. Better understand the scope of and trends in behavioral
2471
health services, spending, and outcomes to improve patient care
2472
and enhance the efficiency and effectiveness of behavioral
2473
health services;
2474
b. Better understand the scope of, trends in, and
2475
relationship between behavioral health, criminal justice,
2476
incarceration, and the use of behavioral health services as a
2477
diversion from incarceration for individuals with mental
2478
illness; and
2479
c. Enhance the collection and coordination of treatment and
2480
outcome information as an ongoing evidence base for research and
2481
education related to behavioral health.
2482
2. Developing useful data analytics, economic metrics, and
2483
visual representations of such analytics and metrics to inform
2484
relevant state agencies and the Legislature of data and trends
2485
in behavioral health.
2486
(b) The Northwest Regional Data Center shall develop, in
2487
collaboration with the Data Analysis Committee of the Commission
2488
on Mental Health and Substance Use Disorder created under s.
2489
394.9086 and with relevant stakeholders, a plan that includes
2490
all of the following:
2491
1. A project plan that describes the technology,
2492
methodology, timeline, cost, and resources necessary to create a
2493
centralized, integrated, and coordinated data system.
2494
2. A proposed governance structure to oversee the
2495
implementation and operations of the repository.
2496
3. An integration strategy to incorporate existing data
2497
from relevant state agencies, including, but not limited to, the
2498
Agency for Health Care Administration, the Department of
2499
Children and Families, the Department of Juvenile Justice, the
2500
Office of the State Courts Administrator, and the Department of
2501
Corrections.
2502
4. Identification of relevant data and metrics to support
2503
actionable information and ensure the efficient and responsible
2504
use of taxpayer dollars within behavioral health systems of
2505
care.
2506
5. Data security requirements for the repository.
2507
6. The structure and process that will be used to create an
2508
annual analysis and report that gives state agencies and the
2509
Legislature a better general understanding of trends and issues
2510
in the state’s behavioral health systems of care and the trends
2511
and issues in behavioral health systems related to criminal
2512
justice treatment, diversion, and incarceration.
2513
(c) Beginning December 1, 2026, and annually thereafter,
2514
the Northwest Regional Data Center shall submit the developed
2515
trends and issues report under subparagraph (b)6. to the
2516
Governor, the President of the Senate, and the Speaker of the
2517
House of Representatives.
2518
(5) If such authority is terminated, the center has 1 year
2519
to provide for the transition of its state agency customers to a
2520
qualified alternative cloud-based data center that meets the
2521
enterprise architecture standards established pursuant to this
2522
chapter.
2523 Section 21. Subsection (4) of section 282.206, Florida
2524 Statutes, is amended to read:
2525 282.206 Cloud-first policy in state agencies.—
2526 (4) Each state agency shall develop a strategic plan to be
2527 updated annually to address its inventory of applications
2528 located at the state data center. Each agency shall submit the
2529 plan by October 15 of each year to
DIGIT
,
the Office of Policy
2530 and Budget in the Executive Office of the Governor
,
and
the
2531 chairs of the legislative appropriations committees
, and the
2532
Northwest Regional Data Center
. For each application, the plan
2533 must identify and document the
feasibility,
appropriateness,
2534 readiness,
appropriate
strategy, and high-level timeline for
2535 transition to a cloud-computing service based on the
2536 application’s quality, cost, and resource requirements. This
2537 information must be used to assist the state data center in
2538 making adjustments to its service offerings.
2539 Section 22. Section 1004.649, Florida Statutes, is amended
2540 to read:
2541 1004.649 Northwest Regional Data Center.—
There is created
2542
at Florida State University the Northwest Regional Data Center.
2543
The data center shall serve as the state data center as
2544
designated in s. 282.201
2545
(1) For the purpose of providing data center services to
2546
its state agency customers, the Northwest Regional Data Center
2547
is designated as a state data center for all state agencies and
2548
shall:
2549
(a) Operate under a governance structure that represents
2550
its customers proportionally
.
2551
(b) Maintain an appropriate cost-allocation methodology
2552
that accurately bills state agency customers based solely on the
2553
actual direct and indirect costs of the services provided to
2554
state agency customers and ensures that, for any fiscal year,
2555
state agency customers are not subsidizing other customers of
2556
the data center. Such cost-allocation methodology must comply
2557
with applicable state and federal regulations concerning the
2558
distribution and use of state and federal funds.
2559
(c) Enter into a service-level agreement with each state
2560
agency customer to provide services as defined and approved by
2561
the governing board of the center. At a minimum, such service
2562
level agreements must:
2563
1. Identify the parties and their roles, duties, and
2564
responsibilities under the agreement;
2565
2. State the duration of the agreement term, which may not
2566
exceed 3 years, and specify the conditions for up to two
2567
optional 1-year renewals of the agreement before execution of a
2568
new agreement;
2569
3. Identify the scope of work;
2570
4. Establish the services to be provided, the business
2571
standards that must be met for each service, the cost of each
2572
service, and the process by which the business standards for
2573
each service are to be objectively measured and reported;
2574
5. Provide a timely billing methodology for recovering the
2575
cost of services provided pursuant to s. 215.422;
2576
6. Provide a procedure for modifying the service-level
2577
agreement to address any changes in projected costs of service;
2578
7. Include a right-to-audit clause to ensure that the
2579
parties to the agreement have access to records for audit
2580
purposes during the term of the service-level agreement;
2581
8. Identify the products or services to be delivered with
2582
sufficient specificity to permit an external financial or
2583
performance audit;
2584
9. Provide that the service-level agreement may be
2585
terminated by either party for cause only after giving the other
2586
party notice in writing of the cause for termination and an
2587
opportunity for the other party to resolve the identified cause
2588
within a reasonable period; and
2589
10. Provide state agency customer entities with access to
2590
applications, servers, network components, and other devices
2591
necessary for entities to perform business activities and
2592
functions and as defined and documented in a service-level
2593
agreement.
2594
(d) In its procurement process, show preference for cloud
2595
computing solutions that minimize or do not require the
2596
purchasing or financing of state data center infrastructure,
2597
that meet the needs of state agency customer entities, that
2598
reduce costs, and that meet or exceed the applicable state and
2599
federal laws, regulations, and standards for cybersecurity.
2600
(e) Assist state agency customer entities in transitioning
2601
from state data center services to other third-party cloud
2602
computing services procured by a customer entity or by the
2603
Northwest Regional Data Center on behalf of the customer entity.
2604
(f) Provide to the Board of Governors the total annual
2605
budget by major expenditure category, including, but not limited
2606
to, salaries, expenses, operating capital outlay, contracted
2607
services, or other personnel services by July 30 each fiscal
2608
year.
2609
(g) Provide to each state agency customer its projected
2610
annual cost for providing the agreed-upon data center services
2611
by September 1 each fiscal year.
2612
(h) Provide a plan for consideration by the Legislative
2613
Budget Commission if the governing body of the center approves
2614
the use of a billing rate schedule after the start of the fiscal
2615
year that increases any state agency customer’s costs for that
2616
fiscal year.
2617
(i) Provide data center services that comply with
2618
applicable state and federal laws, regulations, and policies,
2619
including all applicable security, privacy, and auditing
2620
requirements.
2621
(j) Maintain performance of the data center facilities by
2622
ensuring proper data backup; data backup recovery; disaster
2623
recovery; and appropriate security, power, cooling, fire
2624
suppression, and capacity.
2625
(k) Prepare and submit state agency customer invoices to
2626
the Department of Management Services for approval. Upon
2627
approval or by default pursuant to s. 282.201(5), submit
2628
invoices to state agency customers.
2629
(l) As funded in the General Appropriations Act, provide
2630
data center services to state agencies from multiple facilities.
2631
(2) Unless exempt from the requirement to use the state
2632
data center pursuant to s. 282.201(2) or as authorized by the
2633
Legislature, a state agency may not do any of the following:
2634
(a) Terminate services with the Northwest Regional Data
2635
Center without giving written notice of intent to terminate
2636
services 180 days before such termination.
2637
(b) Procure third-party cloud-computing services without
2638
evaluating the cloud-computing services provided by the
2639
Northwest Regional Data Center.
2640
(c) Exceed 30 days from receipt of approved invoices to
2641
remit payment for state data center services provided by the
2642
Northwest Regional Data Center.
2643
(3) The Northwest Regional Data Center’s authority to
2644
provide data center services to its state agency customers may
2645
be terminated if:
2646
(a) The center requests such termination to the Board of
2647
Governors, the President of the Senate, and the Speaker of the
2648
House of Representatives; or
2649
(b) The center fails to comply with the provisions of this
2650
section.
2651
(4) The Northwest Regional Data Center is the lead entity
2652
responsible for creating, operating, and managing, including the
2653
research conducted by, the Florida Behavioral Health Care Data
2654
Repository as established by this subsection.
2655
(a) The purpose of the data repository is to create a
2656
centralized system for:
2657
1. Collecting and analyzing existing statewide behavioral
2658
health care data to:
2659
a. Better understand the scope of and trends in behavioral
2660
health services, spending, and outcomes to improve patient care
2661
and enhance the efficiency and effectiveness of behavioral
2662
health services;
2663
b. Better understand the scope of, trends in, and
2664
relationship between behavioral health, criminal justice,
2665
incarceration, and the use of behavioral health services as a
2666
diversion from incarceration for individuals with mental
2667
illness; and
2668
c. Enhance the collection and coordination of treatment and
2669
outcome information as an ongoing evidence base for research and
2670
education related to behavioral health.
2671
2. Developing useful data analytics, economic metrics, and
2672
visual representations of such analytics and metrics to inform
2673
relevant state agencies and the Legislature of data and trends
2674
in behavioral health.
2675
(b) The Northwest Regional Data Center shall develop, in
2676
collaboration with the Data Analysis Committee of the Commission
2677
on Mental Health and Substance Use Disorder created under s.
2678
394.9086 and with relevant stakeholders, a plan that includes
2679
all of the following:
2680
1. A project plan that describes the technology,
2681
methodology, timeline, cost, and resources necessary to create a
2682
centralized, integrated, and coordinated data system.
2683
2. A proposed governance structure to oversee the
2684
implementation and operations of the repository.
2685
3. An integration strategy to incorporate existing data
2686
from relevant state agencies, including, but not limited to, the
2687
Agency for Health Care Administration, the Department of
2688
Children and Families, the Department of Juvenile Justice, the
2689
Office of the State Courts Administrator, and the Department of
2690
Corrections.
2691
4. Identification of relevant data and metrics to support
2692
actionable information and ensure the efficient and responsible
2693
use of taxpayer dollars within behavioral health systems of
2694
care.
2695
5. Data security requirements for the repository.
2696
6. The structure and process that will be used to create an
2697
annual analysis and report that gives state agencies and the
2698
Legislature a better general understanding of trends and issues
2699
in the state’s behavioral health systems of care and the trends
2700
and issues in behavioral health systems related to criminal
2701
justice treatment, diversion, and incarceration.
2702
(c) By December 1, 2025, the Northwest Regional Data
2703
Center, in collaboration with the Data Analysis Committee of the
2704
Commission on Mental Health and Substance Use Disorder, shall
2705
submit the developed plan for implementation and ongoing
2706
operation with a proposed budget to the Governor, the President
2707
of the Senate, and the Speaker of the House of Representatives
2708
for review.
2709
(d) Beginning December 1, 2026, and annually thereafter,
2710
the Northwest Regional Data Center shall submit the developed
2711
trends and issues report under subparagraph (b)6. to the
2712
Governor, the President of the Senate, and the Speaker of the
2713
House of Representatives.
2714
(
5
) If such authority is terminated, the center has 1 year
2715
to provide for the transition of its state agency customers to a
2716
qualified alternative cloud-based data center that meets the
2717
enterprise architecture standards established by the Florida
2718
Digital Service.
2719 Section 23. Section 287.0583, Florida Statutes, is created
2720 to read:
2721
287.0583
Contract requirements for information technology
2722
commodities or services
.—
A contract for information technology
2723
commodities or services involving the development,
2724
customization, implementation, integration, support, or
2725
maintenance of software systems, applications, platforms, or
2726
related services must include provisions ensuring all of the
2727
following:
2728
(1)
Any data created, processed, or maintained under the
2729
contract is portable and can be extracted in a machine-readable
2730
format upon request.
2731
(2)
The vendor will provide, upon request, comprehensive
2732
operational documentation sufficient to allow continued
2733
operation and maintenance by the agency or a new vendor.
2734
(3)
The vendor will provide, upon request, reasonable
2735
assistance and support during a transition to the agency or to a
2736
new vendor.
2737
(4)
All anticipated software license fees, license renewal
2738
fees, and operation and maintenance costs are documented in
2739
detail. If exact figures are not feasible, the vendor must
2740
provide a reasonable cost range.
2741 Section 24. Section 287.0591, Florida Statutes, is amended
2742 to read:
2743 287.0591 Information technology; vendor disqualification.—
2744 (1)
(a)
Any competitive solicitation issued by the
2745 department for a state term contract for information technology
2746 commodities must include a term that does not exceed 48 months.
2747
(b)
(2)
Any competitive solicitation issued by the
2748 department for a state term contract for information technology
2749 consultant services or information technology staff augmentation
2750 contractual services must include a term that does not exceed 48
2751 months.
2752
(c)
(3)
The department may execute a state term contract for
2753 information technology commodities, consultant services, or
2754 staff augmentation contractual services that exceeds the 48
2755 month requirement if the Secretary of Management Services and
2756 the state chief information officer certify in writing to the
2757 Executive Office of the Governor that a longer contract term is
2758 in the best interest of the state.
2759
(2)
(4)
If the department issues a competitive solicitation
2760 for information technology commodities, consultant services, or
2761 staff augmentation contractual services, the
department shall
2762
coordinate with the Division of Integrated Government Innovation
2763
and Technology within the Executive Office of the Governor
2764
Florida Digital Service within the department shall participate
2765 in such solicitations.
Such coordination must include reviewing
2766
the solicitation specifications to verify compliance with
2767
enterprise architecture and cybersecurity standards, evaluating
2768
vendor responses under established criteria, answering vendor
2769
questions, and providing any other technical expertise
2770
necessary.
2771
(3)(a)
(5)
If an agency issues a request for quote to
2772 purchase information technology commodities, information
2773 technology consultant services, or information technology staff
2774 augmentation contractual services from the state term contract
2775
which meets the CATEGORY TWO threshold amount, but is less than
2776
the CATEGORY FOUR threshold amount:
,
2777
1.
For any contract with 25 approved vendors or fewer, the
2778 agency must issue a request for quote to all vendors approved to
2779 provide such commodity or service.
2780
2.
For any contract with more than 25 approved vendors, the
2781 agency must issue a request for quote to at least 25 of the
2782 vendors approved to provide such commodity or contractual
2783 service.
2784
(b)
The agency shall maintain a copy of the request for
2785
quote, the identity of the vendors that were sent the request
2786
for quote, and any vendor response to the request for quote for
2787
2 years after the date of issuance of the purchase order.
2788
(c)
Use of a request for quote does not constitute a
2789 decision or intended decision that is subject to protest under
2790 s. 120.57(3).
2791
(4)(a)
An agency issuing a request for quote to purchase
2792
information technology commodities, information technology
2793
consultant services, or information technology staff
2794
augmentation contractual services from the state term contract
2795
which exceeds the CATEGORY FOUR threshold amount is subject to
2796
public records requirements pursuant to s. 287.057.
2797
Additionally, an agency shall publish:
2798
1.
The request for quote for a minimum of 10 days before
2799
executing the purchase order; and
2800
2.
The name of the vendor awarded the purchase order.
2801
(b)
The agency shall maintain a copy of the request for
2802
quote, the identity of the vendors that were sent the request
2803
for quote, and all vendor responses to the request for quote for
2804
2 years after the date of issuance of the purchase order.
2805
(c)
Use of a request for quote does not constitute a
2806
decision or intended decision that is subject to protest under
2807
s. 120.57(3).
2808
(5)
A state agency may request the Division of Integrated
2809
Government Innovation and Technology within the Executive Office
2810
of the Governor for procurement advisory and review services
2811
pursuant to s. 282.0061.
2812 (6)
(a)
Beginning October 1, 2021, and
Each October 1
2813
thereafter
, the department shall prequalify firms and
2814 individuals to provide information technology staff augmentation
2815 contractual services
and information technology commodities
on
2816 state term contract.
2817
(b)
In order to prequalify a firm or individual for
2818 participation on the state term contract, the department must
2819 consider, at a minimum, the capability, experience, and past
2820 performance record of the firm or individual.
2821
(c)
A firm or individual removed from the source of supply
2822 pursuant to s. 287.042(1)(b) or placed on a disqualified vendor
2823 list pursuant to s. 287.133 or s. 287.134 is immediately
2824 disqualified from state term contract eligibility.
2825
(d)
Once a firm or individual has been prequalified to
2826 provide information technology staff augmentation contractual
2827 services
or information technology commodities
on state term
2828 contract, the firm or individual may respond to requests for
2829 quotes from an agency to provide such services.
2830 Section 25. Subsection (2) of section 20.22, Florida
2831 Statutes, is amended to read:
2832 20.22 Department of Management Services.—There is created a
2833 Department of Management Services.
2834 (2) The following divisions, programs, and services within
2835 the Department of Management Services are established:
2836 (a) Facilities Program.
2837 (b)
The Florida Digital Service.
2838
(c)
Workforce Program.
2839
(c)1.
(d)1.
Support Program.
2840 2. Federal Property Assistance Program.
2841
(d)
(e)
Administration Program.
2842
(e)
(f)
Division of Administrative Hearings.
2843
(f)
(g)
Division of Retirement.
2844
(g)
(h)
Division of State Group Insurance.
2845
(h)
(i)
Division of Telecommunications.
2846 Section 26. Subsections (1), (5), (7), and (8) of section
2847 282.802, Florida Statutes, are amended to read:
2848 282.802 Government Technology Modernization Council.—
2849 (1) The Government Technology Modernization Council, an
2850 advisory council as defined in s. 20.03(7), is
located
created
2851 within
DIGIT
the department
. Except as otherwise provided in
2852 this section, the advisory council shall operate in a manner
2853 consistent with s. 20.052.
2854 (5) The
state chief information officer
Secretary of
2855
Management Services
, or his or her designee, shall serve as the
2856 ex officio, nonvoting executive director of the council.
2857 (7)
(a)
The council shall meet at least quarterly to:
2858
(a)
1.
Recommend legislative and administrative actions that
2859 the Legislature and state agencies as defined in
s. 282.0041
s.
2860
282.318(2)
may take to promote the development of data
2861 modernization in this state.
2862
(b)
2.
Assess and provide guidance on necessary legislative
2863 reforms and the creation of a state code of ethics for
2864 artificial intelligence systems in state government.
2865
(c)
3.
Assess the effect of automated decision systems or
2866 identity management on constitutional and other legal rights,
2867 duties, and privileges of residents of this state.
2868
(d)
4.
Evaluate common standards for artificial intelligence
2869 safety and security measures, including the benefits of
2870 requiring disclosure of the digital provenance for all images
2871 and audio created using generative artificial intelligence as a
2872 means of revealing the origin and edit of the image or audio, as
2873 well as the best methods for such disclosure.
2874
(e)
5.
Assess the manner in which governmental entities and
2875 the private sector are using artificial intelligence with a
2876 focus on opportunity areas for deployments in systems across
2877 this state.
2878
(f)
6.
Determine the manner in which artificial intelligence
2879 is being exploited by bad actors, including foreign countries of
2880 concern as defined in s. 287.138(1).
2881
(g)
7.
Evaluate the need for curriculum to prepare school
2882 age audiences with the digital media and visual literacy skills
2883 needed to navigate the digital information landscape.
2884
(b) At least one quarterly meeting of the council must be a
2885
joint meeting with the Florida Cybersecurity Advisory Council.
2886 (8)
By December 31, 2024, and
Each December 31
thereafter
,
2887 the council shall submit to the Governor, the President of the
2888 Senate, and the Speaker of the House of Representatives any
2889 legislative recommendations considered necessary by the council
2890 to modernize government technology, including:
2891 (a) Recommendations for policies necessary to:
2892 1. Accelerate adoption of technologies that will increase
2893 productivity of state enterprise information technology systems,
2894 improve customer service levels of government, and reduce
2895 administrative or operating costs.
2896 2. Promote the development and deployment of artificial
2897 intelligence systems, financial technology, education
2898 technology, or other enterprise management software in this
2899 state.
2900 3. Protect Floridians from bad actors who use artificial
2901 intelligence.
2902 (b) Any other information the council considers relevant.
2903 Section 27. Section 282.604, Florida Statutes, is amended
2904 to read:
2905 282.604 Adoption of rules.—
DIGIT
The Department of
2906
Management Services
shall, with input from stakeholders, adopt
2907 rules pursuant to ss. 120.536(1) and 120.54 for the development,
2908 procurement, maintenance, and use of accessible electronic
2909 information technology by governmental units.
2910 Section 28. Paragraph (b) of subsection (4) of section
2911 443.1113, Florida Statutes, is amended to read:
2912 443.1113 Reemployment Assistance Claims and Benefits
2913 Information System.—
2914 (4)
2915 (b) The department shall seek input on recommended
2916 enhancements from, at a minimum, the following entities:
2917 1. The
Division of Integrated Government Innovation and
2918
Technology
within the Executive Office of the Governor
Florida
2919
Digital Service within the Department of Management Services
.
2920 2. The General Tax Administration Program Office within the
2921 Department of Revenue.
2922 3. The Division of Accounting and Auditing within the
2923 Department of Financial Services.
2924 Section 29. Subsection (5) of section 943.0415, Florida
2925 Statutes, is amended to read:
2926 943.0415 Cybercrime Office.—There is created within the
2927 Department of Law Enforcement the Cybercrime Office. The office
2928 may:
2929 (5) Consult with the
state chief information security
2930
officer of the
Division of Integrated Government Innovation and
2931
Technology
within the Executive Office of the Governor
Florida
2932
Digital Service within the Department of Management Services
in
2933 the adoption of rules relating to the information technology
2934 security provisions in s. 282.318.
2935 Section 30. Subsection (3) of section 1004.444, Florida
2936 Statutes, is amended to read:
2937 1004.444 Florida Center for Cybersecurity.—
2938 (3) Upon receiving a request for assistance from
a
the
2939
Department of Management Services, the Florida Digital Service,
2940
or
a
nother
state agency, the center is authorized, but may not
2941 be compelled by the agency, to conduct, consult on, or otherwise
2942 assist any state-funded initiatives related to:
2943 (a) Cybersecurity training, professional development, and
2944 education for state and local government employees, including
2945 school districts and the judicial branch; and
2946 (b) Increasing the cybersecurity effectiveness of the
2947 state’s and local governments’ technology platforms and
2948 infrastructure, including school districts and the judicial
2949 branch.
2950 Section 31. This act shall take effect January 5, 2027.