Florida Senate - 2018 SB 448
By Senator Brandes
24-00700-18 2018448__
1 A bill to be entitled
2 An act relating to the Agency for State Technology;
3 amending s. 282.0041, F.S.; revising definitions of
4 the terms “breach” and “incident”; amending s.
5 282.0051, F.S.; revising certain powers, duties, and
6 functions of the agency in collaboration with the
7 Department of Management Services; amending s.
8 282.201, F.S.; authorizing the state data center
9 within the agency to extend, up to a specified
10 timeframe, certain service-level agreements; requiring
11 the state data center to submit a specified report to
12 the Executive Office of the Governor under certain
13 circumstances; deleting a requirement for a service-
14 level agreement to provide a certain termination
15 notice to the agency; requiring the state data center
16 to plan, design, and conduct certain testing, if cost-
17 effective; deleting obsolete provisions relating to
18 the schedule for consolidations of agency data
19 centers; conforming provisions to changes made by the
20 act; reenacting s. 943.0415(2) and (3), F.S., relating
21 to the Cybercrime Office within the Department of Law
22 Enforcement, to incorporate the amendment made to s.
23 282.0041, F.S., in references thereto; providing an
24 effective date.
25
26 Be It Enacted by the Legislature of the State of Florida:
27
28 Section 1. Subsections (2) and (10) of section 282.0041,
29 Florida Statutes, are amended to read:
30 282.0041 Definitions.—As used in this chapter, the term:
31 (2) “Breach” has the same meaning as provided in s.
32 501.171(1) means a confirmed event that compromises the
33 confidentiality, integrity, or availability of information or
34 data.
35 (10) “Incident” means a violation or imminent threat of
36 violation, whether such violation is accidental or deliberate,
37 of information technology resources, security policies,
38 acceptable use policies, or standard security practices. An
39 imminent threat of violation refers to a situation in which the
40 state agency has a factual basis for believing that a specific
41 incident is about to occur.
42 Section 2. Subsection (18) of section 282.0051, Florida
43 Statutes, is amended to read:
44 282.0051 Agency for State Technology; powers, duties, and
45 functions.—The Agency for State Technology shall have the
46 following powers, duties, and functions:
47 (18) In collaboration with the Department of Management
48 Services:
49 (a) Establish an information technology policy for all
50 information technology-related state contracts, including state
51 term contracts for information technology commodities,
52 consultant services, and staff augmentation services. The
53 information technology policy must include:
54 1. Identification of the information technology product and
55 service categories to be included in state term contracts.
56 2. Requirements to be included in solicitations for state
57 term contracts.
58 3. Evaluation criteria for the award of information
59 technology-related state term contracts.
60 4. The term of each information technology-related state
61 term contract.
62 5. The maximum number of vendors authorized on each state
63 term contract.
64 (b) Evaluate vendor responses for information technology-
65 related state term contract solicitations and invitations to
66 negotiate.
67 (c) Answer vendor questions on information technology-
68 related state term contract solicitations.
69 (d) Ensure that all information technology-related
70 solicitations by the department are procured and state contracts
71 are managed in accordance with the information technology policy
72 established under pursuant to paragraph (a) is included in all
73 solicitations and contracts which are administratively executed
74 by the department.
75 Section 3. Paragraph (d) of subsection (2) of section
76 282.201, Florida Statutes, is amended, paragraph (g) is added to
77 that subsection, and subsection (4) of that section is amended,
78 to read:
79 282.201 State data center.—The state data center is
80 established within the Agency for State Technology and shall
81 provide data center services that are hosted on premises or
82 externally through a third-party provider as an enterprise
83 information technology service. The provision of services must
84 comply with applicable state and federal laws, regulations, and
85 policies, including all applicable security, privacy, and
86 auditing requirements.
87 (2) STATE DATA CENTER DUTIES.–The state data center shall:
88 (d) Enter into a service-level agreement with each customer
89 entity to provide the required type and level of service or
90 services. If a customer entity fails to execute an agreement
91 within 60 days after commencement of a service, the state data
92 center may cease service. A service-level agreement may not have
93 an original a term exceeding 3 years, but the service-level
94 agreement may be extended for up to 6 months. If the state data
95 center and an existing customer entity either execute an
96 extension or fail to execute a new service-level agreement
97 before the expiration of an existing service-level agreement,
98 the state data center must submit a report to the Executive
99 Office of the Governor within 5 days after the date of the
100 executed extension or 15 days before the scheduled expiration
101 date of the service-level agreement, as applicable, to explain
102 the specific issues preventing execution of a new service-level
103 agreement and to describe the plan and schedule for resolving
104 those issues. A service-level agreement, and at a minimum, must:
105 1. Identify the parties and their roles, duties, and
106 responsibilities under the agreement.
107 2. State the duration of the contract term and specify the
108 conditions for renewal.
109 3. Identify the scope of work.
110 4. Identify the products or services to be delivered with
111 sufficient specificity to permit an external financial or
112 performance audit.
113 5. Establish the services to be provided, the business
114 standards that must be met for each service, the cost of each
115 service, and the metrics and processes by which the business
116 standards for each service are to be objectively measured and
117 reported.
118 6. Provide a timely billing methodology to recover the cost
119 of services provided to the customer entity pursuant to s.
120 215.422.
121 7. Provide a procedure for modifying the service-level
122 agreement based on changes in the type, level, and cost of a
123 service.
124 8. Include a right-to-audit clause to ensure that the
125 parties to the agreement have access to records for audit
126 purposes during the term of the service-level agreement.
127 9. Provide that a service-level agreement may be terminated
128 by either party for cause only after giving the other party and
129 the Agency for State Technology notice in writing of the cause
130 for termination and an opportunity for the other party to
131 resolve the identified cause within a reasonable period.
132 10. Provide for mediation of disputes by the Division of
133 Administrative Hearings pursuant to s. 120.573.
134 (g) Plan, design, and conduct testing with information
135 technology resources to implement services within the scope of
136 the services provided by the state data center, if cost-
137 effective.
138 (4) SCHEDULE FOR CONSOLIDATIONS OF AGENCY DATA CENTERS.—
139 (a) Consolidations of agency data centers and computing
140 facilities into the state data center shall be made by the dates
141 specified in this section and in accordance with budget
142 adjustments contained in the General Appropriations Act.
143 (b) During the 2013-2014 fiscal year, the following state
144 agencies shall be consolidated by the specified date:
145 1. By October 31, 2013, the Department of Economic
146 Opportunity.
147 2. By December 31, 2013, the Executive Office of the
148 Governor, to include the Division of Emergency Management except
149 for the Emergency Operation Center’s management system in
150 Tallahassee and the Camp Blanding Emergency Operations Center in
151 Starke.
152 3. By March 31, 2014, the Department of Elderly Affairs.
153 4. By October 30, 2013, the Fish and Wildlife Conservation
154 Commission, except for the commission’s Fish and Wildlife
155 Research Institute in St. Petersburg.
156 (a)(c) The following agency data centers are exempt from
157 state data center consolidation under this section: the
158 Department of Law Enforcement, the Department of the Lottery’s
159 Gaming System, Systems Design and Development in the Office of
160 Policy and Budget, the regional traffic management centers as
161 described in s. 335.14(2) and the Office of Toll Operations of
162 the Department of Transportation, the State Board of
163 Administration, state attorneys, public defenders, criminal
164 conflict and civil regional counsel, capital collateral regional
165 counsel, and the Florida Housing Finance Corporation.
166 (b)(d) A state agency that is consolidating its agency data
167 center or computing facility into the state data center must
168 execute a new or update an existing service-level agreement
169 within 60 days after the commencement of the service. If a state
170 agency and the state data center are unable to execute a
171 service-level agreement by that date, the agency shall submit a
172 report to the Executive Office of the Governor within 5 working
173 days after that date which explains the specific issues
174 preventing execution and describing the plan and schedule for
175 resolving those issues.
176 (c)(e) Each state agency consolidating scheduled for
177 consolidation into the state data center shall submit a
178 transition plan to the Agency for State Technology by July 1 of
179 the fiscal year before the fiscal year in which the scheduled
180 consolidation will occur. Transition plans must shall be
181 developed in consultation with the state data center and must
182 include:
183 1. An inventory of the agency data center’s resources being
184 consolidated, including all hardware and its associated life
185 cycle replacement schedule, software, staff, contracted
186 services, and facility resources performing data center
187 management and operations, security, backup and recovery,
188 disaster recovery, system administration, database
189 administration, system programming, job control, production
190 control, print, storage, technical support, help desk, and
191 managed services, but excluding application development, and the
192 agency’s costs supporting these resources.
193 2. A list of contracts in effect, including, but not
194 limited to, contracts for hardware, software, and maintenance,
195 which identifies the expiration date, the contract parties, and
196 the cost of each contract.
197 3. A detailed description of the level of services needed
198 to meet the technical and operational requirements of the
199 platforms being consolidated.
200 4. A timetable with significant milestones for the
201 completion of the consolidation.
202 (d)(f) Each state agency consolidating scheduled for
203 consolidation into the state data center shall submit with its
204 respective legislative budget request the specific recurring and
205 nonrecurring budget adjustments of resources by appropriation
206 category into the appropriate data processing category pursuant
207 to the legislative budget request instructions in s. 216.023.
208 Section 4. For the purpose of incorporating the amendment
209 made by this act to section 282.0041, Florida Statutes, in
210 references thereto, subsections (2) and (3) of section 943.0415,
211 Florida Statutes, are reenacted to read:
212 943.0415 Cybercrime Office.—There is created within the
213 Department of Law Enforcement the Cybercrime Office. The office
214 may:
215 (2) Monitor state information technology resources and
216 provide analysis on information technology security incidents,
217 threats, and breaches as defined in s. 282.0041.
218 (3) Investigate violations of state law pertaining to
219 information technology security incidents pursuant to s.
220 282.0041 and assist in incident response and recovery.
221 Section 5. This act shall take effect July 1, 2018.