Florida Senate - 2020 COMMITTEE AMENDMENT
Bill No. CS for SB 1870
775314
LEGISLATIVE ACTION
Senate: Comm: UNFAV, 02/19/2020
House: (blank)
The Committee on Banking and Insurance (Taddeo) recommended the
following:
1 Senate Amendment to Amendment (142964) (with title
2 amendment)
3
4 Delete lines 82 - 577
5 and insert:
6 Services, and the Department of Financial Services, upon their
7 writing to the Secretary of Management Services that they have
8 elected to participate in the enterprise architecture.
9 (16) “Enterprise architecture” means a comprehensive
10 operational framework that contemplates the needs and assets of
11 the enterprise to support interoperability across state
12 government.
13 (17)(11) “Enterprise information technology service” means
14 an information technology service that is used in all agencies
15 or a subset of agencies and is established in law to be
16 designed, delivered, and managed at the enterprise level.
17 (18)(12) “Event” means an observable occurrence in a system
18 or network.
19 (19)(13) “Incident” means a violation or imminent threat of
20 violation, whether such violation is accidental or deliberate,
21 of information technology resources, security, policies, or
22 practices. An imminent threat of violation refers to a situation
23 in which the state agency has a factual basis for believing that
24 a specific incident is about to occur.
25 (20)(14) “Information technology” means equipment,
26 hardware, software, firmware, programs, systems, networks,
27 infrastructure, media, and related material used to
28 automatically, electronically, and wirelessly collect, receive,
29 access, transmit, display, store, record, retrieve, analyze,
30 evaluate, process, classify, manipulate, manage, assimilate,
31 control, communicate, exchange, convert, converge, interface,
32 switch, or disseminate information of any kind or form.
33 (21)(15) “Information technology policy” means a definite
34 course or method of action selected from among one or more
35 alternatives that guide and determine present and future
36 decisions.
37 (22)(16) “Information technology resources” has the same
38 meaning as provided in s. 119.011.
39 (23)(17) “Information technology security” means the
40 protection afforded to an automated information system in order
41 to attain the applicable objectives of preserving the integrity,
42 availability, and confidentiality of data, information, and
43 information technology resources.
44 (24) “Interoperability” means the technical ability to
45 share and use data across and throughout the enterprise.
46 (25)(18) “Open data” means data collected or created by a
47 state agency, which includes, upon their election to
48 participate, the Department of Legal Affairs, the Department of
49 Agriculture and Consumer Services, and the Department of
50 Financial Services, and structured in a way that enables the
51 data to be fully discoverable and usable by the public. The term
52 does not include data that are restricted from public disclosure
53 distribution based on federal or state privacy, confidentiality,
54 and security laws and regulations or data for which a state
55 agency is statutorily authorized to assess a fee for its
56 distribution.
57 (26)(19) “Performance metrics” means the measures of an
58 organization’s activities and performance.
59 (27)(20) “Project” means an endeavor that has a defined
60 start and end point; is undertaken to create or modify a unique
61 product, service, or result; and has specific objectives that,
62 when attained, signify completion.
63 (28)(21) “Project oversight” means an independent review
64 and analysis of an information technology project that provides
65 information on the project’s scope, completion timeframes, and
66 budget and that identifies and quantifies issues or risks
67 affecting the successful and timely completion of the project.
68 (29) “Qualified entity” means a public or private entity or
69 individual that enters into a binding agreement with the
70 department, meets usage criteria, agrees to terms and
71 conditions, and is subsequently and prescriptively authorized by
72 the department to access data under the terms of that agreement
73 as specified in s. 282.0051.
74 (30)(22) “Risk assessment” means the process of identifying
75 security risks, determining their magnitude, and identifying
76 areas needing safeguards.
77 (31)(23) “Service level” means the key performance
78 indicators (KPI) of an organization or service which must be
79 regularly performed, monitored, and achieved.
80 (32)(24) “Service-level agreement” means a written contract
81 between the Department of Management Services and a customer
82 entity which specifies the scope of services provided, service
83 level, the duration of the agreement, the responsible parties,
84 and service costs. A service-level agreement is not a rule
85 pursuant to chapter 120.
86 (33)(25) “Stakeholder” means a person, group, organization,
87 or state agency involved in or affected by a course of action.
88 (34)(26) “Standards” means required practices, controls,
89 components, or configurations established by an authority.
90 (35)(27) “State agency” means any official, officer,
91 commission, board, authority, council, committee, or department
92 of the executive branch of state government; the Justice
93 Administrative Commission; and the Public Service Commission.
94 The term does not include university boards of trustees or state
95 universities. As used in part I of this chapter, except as
96 otherwise specifically provided, the term does not include the
97 Department of Legal Affairs, the Department of Agriculture and
98 Consumer Services, or the Department of Financial Services.
99 (36)(28) “SUNCOM Network” means the state enterprise
100 telecommunications system that provides all methods of
101 electronic or optical telecommunications beyond a single
102 building or contiguous building complex and used by entities
103 authorized as network users under this part.
104 (37)(29) “Telecommunications” means the science and
105 technology of communication at a distance, including electronic
106 systems used in the transmission or reception of information.
107 (38)(30) “Threat” means any circumstance or event that has
108 the potential to adversely impact a state agency’s operations or
109 assets through an information system via unauthorized access,
110 destruction, disclosure, or modification of information or
111 denial of service.
112 (39)(31) “Variance” means a calculated value that
113 illustrates how far positive or negative a projection has
114 deviated when measured against documented estimates within a
115 project plan.
116 Section 3. Section 282.0051, Florida Statutes, is amended
117 to read:
118 282.0051 Florida Digital Service Department of Management
119 Services; powers, duties, and functions.—There is established
120 the Florida Digital Service within the department to create
121 innovative solutions that securely modernize state government,
122 achieve value through digital transformation and
123 interoperability, and fully support the cloud-first policy as
124 specified in s. 282.206.
125 (1) The Florida Digital Service department shall have the
126 following powers, duties, and functions:
127 (a)(1) Develop and publish information technology policy
128 for the management of the state’s information technology
129 resources.
130 (b)(2) Develop an enterprise architecture that:
131 1. Acknowledges the unique needs of those included within
132 the enterprise, resulting in the publication of standards,
133 terminologies, and procurement guidelines to facilitate digital
134 interoperability;
135 2. Supports the cloud-first policy as specified in s.
136 282.206; and
137 3. Addresses how information technology infrastructure may
138 be modernized to achieve cloud-first objectives Establish and
139 publish information technology architecture standards to provide
140 for the most efficient use of the state’s information technology
141 resources and to ensure compatibility and alignment with the
142 needs of state agencies. The department shall assist state
143 agencies in complying with the standards.
144 (c)(3) Establish project management and oversight standards
145 with which state agencies must comply when implementing projects
146 that have an information technology component projects. The
147 Florida Digital Service department shall provide training
148 opportunities to state agencies to assist in the adoption of the
149 project management and oversight standards. To support data
150 driven decisionmaking, the standards must include, but are not
151 limited to:
152 1.(a) Performance measurements and metrics that objectively
153 reflect the status of a project with an information technology
154 component project based on a defined and documented project
155 scope, cost, and schedule.
156 2.(b) Methodologies for calculating acceptable variances in
157 the projected versus actual scope, schedule, or cost of a
158 project with an information technology component project.
159 3.(c) Reporting requirements, including requirements
160 designed to alert all defined stakeholders that a project with
161 an information technology component project has exceeded
162 acceptable variances defined and documented in a project plan.
163 4.(d) Content, format, and frequency of project updates.
164 (d)(4) Perform project oversight on all state agency
165 information technology projects that have an information
166 technology component with a total project cost costs of $10
167 million or more and that are funded in the General
168 Appropriations Act or any other law. The Florida Digital Service
169 department shall report at least quarterly to the Executive
170 Office of the Governor, the President of the Senate, and the
171 Speaker of the House of Representatives on any project with an
172 information technology component project that the Florida
173 Digital Service department identifies as high-risk due to the
174 project exceeding acceptable variance ranges defined and
175 documented in a project plan. The report must include a risk
176 assessment, including fiscal risks, associated with proceeding
177 to the next stage of the project, and a recommendation for
178 corrective actions required, including suspension or termination
179 of the project. The Florida Digital Service shall establish a
180 process for state agencies to apply for an exception to the
181 requirements of this paragraph for a specific project with an
182 information technology component.
183 (e)(5) Identify opportunities for standardization and
184 consolidation of information technology services that support
185 interoperability and the cloud-first policy as specified in s.
186 282.206, business functions and operations, including
187 administrative functions such as purchasing, accounting and
188 reporting, cash management, and personnel, and that are common
189 across state agencies. The Florida Digital Service department
190 shall biennially on April 1 provide recommendations for
191 standardization and consolidation to the Executive Office of the
192 Governor, the President of the Senate, and the Speaker of the
193 House of Representatives.
194 (f)(6) Establish best practices for the procurement of
195 information technology products and cloud-computing services in
196 order to reduce costs, increase the quality of data center
197 services, or improve government services.
198 (g)(7) Develop standards for information technology reports
199 and updates, including, but not limited to, operational work
200 plans, project spend plans, and project status reports, for use
201 by state agencies.
202 (h)(8) Upon request, assist state agencies in the
203 development of information technology-related legislative budget
204 requests.
205 (i)(9) Conduct annual assessments of state agencies to
206 determine compliance with all information technology standards
207 and guidelines developed and published by the Florida Digital
208 Service department and provide results of the assessments to the
209 Executive Office of the Governor, the President of the Senate,
210 and the Speaker of the House of Representatives.
211 (j)(10) Provide operational management and oversight of the
212 state data center established pursuant to s. 282.201, which
213 includes:
214 1.(a) Implementing industry standards and best practices
215 for the state data center’s facilities, operations, maintenance,
216 planning, and management processes.
217 2.(b) Developing and implementing cost-recovery or other
218 payment mechanisms that recover the full direct and indirect
219 cost of services through charges to applicable customer
220 entities. Such cost-recovery or other payment mechanisms must
221 comply with applicable state and federal regulations concerning
222 distribution and use of funds and must ensure that, for any
223 fiscal year, no service or customer entity subsidizes another
224 service or customer entity.
225 3.(c) Developing and implementing appropriate operating
226 guidelines and procedures necessary for the state data center to
227 perform its duties pursuant to s. 282.201. The guidelines and
228 procedures must comply with applicable state and federal laws,
229 regulations, and policies and conform to generally accepted
230 governmental accounting and auditing standards. The guidelines
231 and procedures must include, but need not be limited to:
232 a.1. Implementing a consolidated administrative support
233 structure responsible for providing financial management,
234 procurement, transactions involving real or personal property,
235 human resources, and operational support.
236 b.2. Implementing an annual reconciliation process to
237 ensure that each customer entity is paying for the full direct
238 and indirect cost of each service as determined by the customer
239 entity’s use of each service.
240 c.3. Providing rebates that may be credited against future
241 billings to customer entities when revenues exceed costs.
242 d.4. Requiring customer entities to validate that
243 sufficient funds exist in the appropriate data processing
244 appropriation category or will be transferred into the
245 appropriate data processing appropriation category before
246 implementation of a customer entity’s request for a change in
247 the type or level of service provided, if such change results in
248 a net increase to the customer entity’s cost for that fiscal
249 year.
250 e.5. By November 15 of each year, providing to the Office
251 of Policy and Budget in the Executive Office of the Governor and
252 to the chairs of the legislative appropriations committees the
253 projected costs of providing data center services for the
254 following fiscal year.
255 f.6. Providing a plan for consideration by the Legislative
256 Budget Commission if the cost of a service is increased for a
257 reason other than a customer entity’s request made pursuant to
258 sub-subparagraph d. subparagraph 4. Such a plan is required only
259 if the service cost increase results in a net increase to a
260 customer entity for that fiscal year.
261 g.7. Standardizing and consolidating procurement and
262 contracting practices.
263 4.(d) In collaboration with the Department of Law
264 Enforcement, developing and implementing a process for
265 detecting, reporting, and responding to information technology
266 security incidents, breaches, and threats.
267 5.(e) Adopting rules relating to the operation of the state
268 data center, including, but not limited to, budgeting and
269 accounting procedures, cost-recovery or other payment
270 methodologies, and operating procedures.
271 (f) Conducting an annual market analysis to determine
272 whether the state’s approach to the provision of data center
273 services is the most effective and cost-efficient manner by
274 which its customer entities can acquire such services, based on
275 federal, state, and local government trends; best practices in
276 service provision; and the acquisition of new and emerging
277 technologies. The results of the market analysis shall assist
278 the state data center in making adjustments to its data center
279 service offerings.
280 (k)(11) Recommend other information technology services
281 that should be designed, delivered, and managed as enterprise
282 information technology services. Recommendations must include
283 the identification of existing information technology resources
284 associated with the services, if existing services must be
285 transferred as a result of being delivered and managed as
286 enterprise information technology services.
287 (l)(12) In consultation with state agencies, propose a
288 methodology and approach for identifying and collecting both
289 current and planned information technology expenditure data at
290 the state agency level.
291 (m)1.(13)(a) Notwithstanding any other law, provide project
292 oversight on any project with an information technology
293 component project of the Department of Financial Services, the
294 Department of Legal Affairs, and the Department of Agriculture
295 and Consumer Services which has a total project cost of $25
296 million or more and which impacts one or more other agencies.
297 Such projects with an information technology component projects
298 must also comply with the applicable information technology
299 architecture, project management and oversight, and reporting
300 standards established by the Florida Digital Service department.
301 The Florida Digital Service shall establish a process for the
302 Department of Financial Services, the Department of Legal
303 Affairs, and the Department of Agriculture and Consumer Services
304 to apply for an exception to the requirements of this paragraph
305 for a specific project with an information technology component.
306 2.(b) When performing the project oversight function
307 specified in subparagraph 1. paragraph (a), report at least
308 quarterly to the Executive Office of the Governor, the President
309 of the Senate, and the Speaker of the House of Representatives
310 on any project with an information technology component project
311 that the Florida Digital Service department identifies as high
312 risk due to the project exceeding acceptable variance ranges
313 defined and documented in the project plan. The report shall
314 include a risk assessment, including fiscal risks, associated
315 with proceeding to the next stage of the project and a
316 recommendation for corrective actions required, including
317 suspension or termination of the project.
318 (n)(14) If a project with an information technology
319 component project implemented by a state agency must be
320 connected to or otherwise accommodated by an information
321 technology system administered by the Department of Financial
322 Services, the Department of Legal Affairs, or the Department of
323 Agriculture and Consumer Services, consult with these
324 departments regarding the risks and other effects of such
325 projects on their information technology systems and work
326 cooperatively with these departments regarding the connections,
327 interfaces, timing, or accommodations required to implement such
328 projects.
329 (o)(15) If adherence to standards or policies adopted by or
330 established pursuant to this section causes conflict with
331 federal regulations or requirements imposed on a state agency
332 and results in adverse action against the state agency or
333 federal funding, work with the state agency to provide
334 alternative standards, policies, or requirements that do not
335 conflict with the federal regulation or requirement. The Florida
336 Digital Service department shall annually report such
337 alternative standards to the Governor, the President of the
338 Senate, and the Speaker of the House of Representatives.
339 (p)1.(16)(a) Establish an information technology policy for
340 all information technology-related state contracts, including
341 state term contracts for information technology commodities,
342 consultant services, and staff augmentation services. The
343 information technology policy must include:
344 a.1. Identification of the information technology product
345 and service categories to be included in state term contracts.
346 b.2. Requirements to be included in solicitations for state
347 term contracts.
348 c.3. Evaluation criteria for the award of information
349 technology-related state term contracts.
350 d.4. The term of each information technology-related state
351 term contract.
352 e.5. The maximum number of vendors authorized on each state
353 term contract.
354 2.(b) Evaluate vendor responses for information technology
355 related state term contract solicitations and invitations to
356 negotiate.
357 3.(c) Answer vendor questions on information technology
358 related state term contract solicitations.
359 4.(d) Ensure that the information technology policy
360 established pursuant to subparagraph 1. paragraph (a) is
361 included in all solicitations and contracts that are
362 administratively executed by the department.
363 (q)(17) Recommend potential methods for standardizing data
364 across state agencies which will promote interoperability and
365 reduce the collection of duplicative data.
366 (r)(18) Recommend open data technical standards and
367 terminologies for use by the enterprise state agencies.
368 (2)(a) The Secretary of Management Services shall designate
369 a state chief information officer, who shall administer the
370 Florida Digital Service and is included in the Senior Management
371 Service.
372 (b) The state chief information officer shall designate a
373 chief data officer, who shall report to the state chief
374 information officer and is included in the Senior Management
375 Service.
376 (3) The Florida Digital Service shall, pursuant to
377 legislative appropriation:
378 (a) Create and maintain a comprehensive indexed data
379 catalog that lists what data elements are housed within the
380 enterprise and in which legacy system or application these data
381 elements are located.
382 (b) Develop and publish, in collaboration with the
383 enterprise, a data dictionary for each agency which reflects the
384 nomenclature in the comprehensive indexed data catalog.
385 (c) Review and document use cases across the enterprise
386 architecture.
387 (d) Develop and publish standards that support the creation
388 and deployment of application programming interfaces to
389 facilitate integration throughout the enterprise.
390 (e) Publish standards necessary to facilitate a secure
391 ecosystem of data interoperability which is compliant with the
392 enterprise architecture and allows for a qualified entity to
393 access the enterprise’s data under the terms of the agreements
394 with the department. However, enterprise data do not include
395 data that are restricted from public distribution based on
396 federal or state privacy, confidentiality, or security laws and
397 regulations.
398 (f) Publish standards that facilitate the deployment of
399 applications or solutions to existing enterprise obligations in
400 a controlled and phased approach, including, but not limited to:
401 1. Electronic credentials, including digital proofs of a
402 driver license as specified in s. 322.032.
403 2. Interoperability that enables supervisors of elections
404 to authenticate voter eligibility in real time at the point of
405 service.
406 3. The criminal justice database.
407 4. Motor vehicle insurance cancellation integration between
408 insurers and the Department of Highway Safety and Motor
409 Vehicles.
410 5. Interoperability solutions between agencies, including,
411 but not limited to, the Department of Health, the Agency for
412 Health Care Administration, the Agency for Persons with
413 Disabilities, the Department of Education, the Department of
414 Elderly Affairs, and the Department of Children and Families.
415 6. Interoperability solutions to support military members,
416 veterans, and their families.
417 (4) Pursuant to legislative authorization and subject to
418 appropriation:
419 (a) The department may procure a credential service
420 provider through a competitive process pursuant to s. 287.057.
421 The terms of the contract developed from such procurement must
422 pay for the value on a per-data-call or subscription basis, and
423 there shall be no cost to the enterprise or law enforcement for
424 using the services provided by the credential service provider.
425 (b) The department may enter into agreements with qualified
426 entities that have the technological capabilities necessary to
427 integrate with the credential service provider; ensure secure
428 validation and authentication of data; meet usage criteria; and
429 agree to terms and conditions, privacy policies, and uniform
430 remittance terms relating to the consumption of enterprise data.
431 Enterprise data do not include data that are restricted from
432 public disclosure based on federal or state privacy,
433 confidentiality, or security laws and regulations. These
434 agreements must include clear, enforceable, and significant
435 penalties for violations of the agreements.
436 (c) The terms of the agreements between the department and
437 the credential service provider and between the department and
438 the qualified entities must be based on the per-data-call or
439 subscription charges to validate and authenticate an electronic
440 credential and allow the department to recover any state costs
441 for implementing and administering an electronic credential
442 solution. Credential service provider and qualifying entity
443 revenues may not be derived from any other transactions that
444 generate revenue for the enterprise outside of the per-data-call
445 or subscription charges.
446 (d) All revenues generated from the agreements with the
447 credential service provider and qualified entities shall be
448 remitted to the department, and the department shall deposit
449 these revenues into the Department of Management Services
450 Operating Trust Fund for distribution pursuant to a legislative
451 appropriation and department agreements with the credential
452 service provider and qualified entities.
453 (e) Upon the signing of the agreement and the enterprise
454 architecture terms of service and privacy policies with a
455 qualified entity, the department shall facilitate authorized
456 integrations between the qualified entity and the credential
457 service provider.
458 (5) Upon the adoption of the enterprise architecture, the
459 Florida Digital Service may develop a process to:
460 (a) Receive written notice from the enterprise of any
461 procurement of an information technology project that is subject
462 to enterprise architecture standards.
463 (b) Participate in the development of specifications and
464 recommend modifications of any procurement by state agencies so
465 that the procurement complies with the enterprise architecture.
466 (6)(19) The Florida Digital Service may adopt rules to
467 administer this section.
468 Section 4. Section 282.00515, Florida Statutes, is amended
469 to read:
470 282.00515 Duties of Cabinet agencies.—
471 (1) The Department of Legal Affairs, the Department of
472 Financial Services, and the Department of Agriculture and
473 Consumer Services shall adopt the standards established in s.
474 282.0051(1)(b), (c), (g), (r), and (3)(e) s. 282.0051(2), (3),
475 and (7) or adopt alternative standards based on best practices
476 and industry standards that allow for the interoperability of
477 open data within the enterprise.
478 (2) The Department of Legal Affairs, the Department of
479 Financial Services, or the Department of Agriculture and
480 Consumer Services may contract with the department to provide or
481 perform any of the services and functions described in s.
482 282.0051.
483 (3)(a) This section or s. 282.0051 does not require the
484
485 ================= TITLE AMENDMENT ================
486 And the title is amended as follows:
487 Delete lines 1067 - 1070
488 and insert:
489 and Consumer Services must adopt; providing
490 construction; prohibiting the