Florida Senate - 2024 SB 1662
By Senator Collins
14-00407A-24 20241662__
1 A bill to be entitled
2 An act relating to cybersecurity; amending s. 110.205,
3 F.S.; exempting certain personnel from the career
4 service; providing for the establishment of salary and
5 benefits for certain positions; amending s. 282.0041,
6 F.S.; providing definitions; amending s. 282.0051,
7 F.S.; revising the purposes for which the Florida
8 Digital Service is established; requiring the Florida
9 Digital Service to ensure that independent project
10 oversight on certain state agency information
11 technology projects is performed in a certain manner;
12 revising the date by which the Department of
13 Management Services, acting through the Florida
14 Digital Service, must provide certain recommendations
15 to the Executive Office of the Governor and the
16 Legislature; removing certain duties of the Florida
17 Digital Service; revising the total project cost of
18 certain projects for which the Florida Digital Service
19 must provide project oversight; specifying the date by
20 which the Florida Digital Service must provide certain
21 reports; requiring the state chief information
22 officer, in consultation with the Secretary of
23 Management Services, to designate a state chief
24 technology officer; providing duties of the state
25 chief technology officer; revising the total project
26 cost of certain projects for which certain procurement
27 actions must be taken; removing provisions prohibiting
28 the department, acting through the Florida Digital
29 Service, from retrieving or disclosing certain data in
30 certain circumstances; amending s. 282.00515, F.S.;
31 conforming a cross-reference; amending s. 282.318,
32 F.S.; providing that the Florida Digital Service is
33 the lead entity for a certain purpose; requiring the
34 Cybersecurity Operations Center to provide certain
35 notifications; requiring the state chief information
36 officer to make certain reports in consultation with
37 the state chief information security officer; revising
38 the timeframe for a state agency to report ransomware
39 and cybersecurity incidents to the Cybersecurity
40 Operations Center; requiring the Cybersecurity
41 Operations Center to immediately notify certain
42 entities of reported incidents and take certain
43 actions; requiring the state chief information
44 security officer to notify the Legislature of certain
45 incidents within a certain period; requiring that
46 certain notification be provided in a secure
47 environment; requiring the Cybersecurity Operations
48 Center to provide a certain report to certain entities
49 by a specified date; requiring the department, acting
50 through the Florida Digital Service, to provide
51 cybersecurity briefings to certain legislative
52 committees; authorizing the department, acting through
53 the Florida Digital Service, to obtain certain access
54 to certain infrastructure and direct certain measures;
55 requiring state agency heads to annually designate a
56 chief information security officer by a specified
57 date; revising the purpose of an agency’s information
58 security manager and the date by which he or she must
59 be designated; authorizing the department to brief
60 certain legislative committees in a closed setting on
61 certain records that are confidential and exempt from
62 public records requirements; requiring such
63 legislative committees to maintain the confidential
64 and exempt status of certain records; authorizing
65 certain legislators to attend meetings of the Florida
66 Cybersecurity Advisory Council; amending s. 282.3185,
67 F.S.; requiring local governments to report ransomware
68 and certain cybersecurity incidents to the
69 Cybersecurity Operations Center within certain time
70 periods; requiring the Cybersecurity Operations Center
71 to immediately notify certain entities of certain
72 incidents and take certain actions; requiring the
73 state chief information security officer to provide
74 certain notification to the Legislature within a
75 certain timeframe and in a secure environment;
76 amending s. 282.319, F.S.; revising the membership of
77 the Florida Cybersecurity Advisory Council; providing
78 an effective date.
79
80 Be It Enacted by the Legislature of the State of Florida:
81
82 Section 1. Paragraph (y) is added to subsection (2) of
83 section 110.205, Florida Statutes, to read:
84 110.205 Career service; exemptions.—
85 (2) EXEMPT POSITIONS.—The exempt positions that are not
86 covered by this part include the following:
87 (y) Chief information security officers, information
88 security managers designated pursuant to s. 282.318(4), and
89 personnel employed by or reporting to the state chief
90 information security officer, the state chief data officer, or
91 an agency information security manager. Unless otherwise fixed
92 by law, the department shall establish the salary and benefits
93 for these positions in accordance with the rules of the Selected
94 Exempt Service, except that the salary and benefits for agency
95 information security managers shall be established by the
96 department in accordance with the rules of the Senior Management
97 Service.
98 Section 2. Present subsections (3) through (5), (6) through
99 (16), and (17) through (38) of section 282.0041, Florida
100 Statutes, are redesignated as subsections (4) through (6), (8)
101 through (18), and (20) through (41), respectively, and new
102 subsections (3), (7), and (19) are added to that section, to
103 read:
104 282.0041 Definitions.—As used in this chapter, the term:
105 (3) “As a service” means the contracting with or
106 outsourcing to a third party of a defined role or function as a
107 means of delivery.
108 (7) “Cloud provider” means an entity that provides cloud
109 computing services.
110 (19) “Enterprise digital data” means information held by a
111 state agency in electronic form that is deemed to be data owned
112 by the state and held for state purposes by the state agency.
113 Enterprise digital data that is subject to statutory
114 requirements for particular types of sensitive data or to
115 contractual limitations for data marked as trade secrets or
116 sensitive corporate data held by state agencies shall be treated
117 in accordance with such requirements or limitations. The
118 department must maintain personnel with appropriate licenses,
119 certifications, or classifications to steward such enterprise
120 digital data, as necessary. Enterprise digital data must be
121 maintained in accordance with chapter 119. This subsection may
122 not be construed to create or expand an exemption from public
123 records requirements under s. 119.07(1) or s. 24(a), Art. I of
124 the State Constitution.
125 Section 3. Subsections (1), (4), and (5) of section
126 282.0051, Florida Statutes, are amended, and paragraph (c) is
127 added to subsection (2) of that section, to read:
128 282.0051 Department of Management Services; Florida Digital
129 Service; powers, duties, and functions.—
130 (1) The Florida Digital Service is established has been
131 created within the department to lead enterprise cybersecurity
132 efforts, to safeguard enterprise digital data, to propose, test,
133 develop, and deploy innovative solutions that securely modernize
134 state government, including technology and information services,
135 to achieve value through digital transformation and
136 interoperability, and to fully support the cloud-first policy as
137 specified in s. 282.206. The department, through the Florida
138 Digital Service, shall have the following powers, duties, and
139 functions:
140 (a) Develop and publish information technology policy for
141 the management of the state’s information technology resources.
142 (b) Develop an enterprise architecture that:
143 1. Acknowledges the unique needs of the entities within the
144 enterprise in the development and publication of standards and
145 terminologies to facilitate digital interoperability;
146 2. Supports the cloud-first policy as specified in s.
147 282.206; and
148 3. Addresses how information technology infrastructure may
149 be modernized to achieve cloud-first objectives.
150 (c) Establish project management and oversight standards
151 with which state agencies must comply when implementing
152 information technology projects. The department, acting through
153 the Florida Digital Service, shall provide training
154 opportunities to state agencies to assist in the adoption of the
155 project management and oversight standards. To support data
156 driven decisionmaking, the standards must include, but are not
157 limited to:
158 1. Performance measurements and metrics that objectively
159 reflect the status of an information technology project based on
160 a defined and documented project scope, cost, and schedule.
161 2. Methodologies for calculating acceptable variances in
162 the projected versus actual scope, schedule, or cost of an
163 information technology project.
164 3. Reporting requirements, including requirements designed
165 to alert all defined stakeholders that an information technology
166 project has exceeded acceptable variances defined and documented
167 in a project plan.
168 4. Content, format, and frequency of project updates.
169 5. Technical standards to ensure an information technology
170 project complies with the enterprise architecture.
171 (d) Ensure that independent Perform project oversight on
172 all state agency information technology projects that have total
173 project costs of $25 $10 million or more and that are funded in
174 the General Appropriations Act or any other law is performed in
175 compliance with applicable state and federal law. The
176 department, acting through the Florida Digital Service, shall
177 report at least quarterly to the Executive Office of the
178 Governor, the President of the Senate, and the Speaker of the
179 House of Representatives on any information technology project
180 that the department identifies as high-risk due to the project
181 exceeding acceptable variance ranges defined and documented in a
182 project plan. The report must include a risk assessment,
183 including fiscal risks, associated with proceeding to the next
184 stage of the project, and a recommendation for corrective
185 actions required, including suspension or termination of the
186 project.
187 (e) Identify opportunities for standardization and
188 consolidation of information technology services that support
189 interoperability and the cloud-first policy, as specified in s.
190 282.206, and business functions and operations, including
191 administrative functions such as purchasing, accounting and
192 reporting, cash management, and personnel, and that are common
193 across state agencies. The department, acting through the
194 Florida Digital Service, shall biennially on January 15 1 of
195 each even-numbered year provide recommendations for
196 standardization and consolidation to the Executive Office of the
197 Governor, the President of the Senate, and the Speaker of the
198 House of Representatives.
199 (f) Establish best practices for the procurement of
200 information technology products and cloud-computing services in
201 order to reduce costs, increase the quality of data center
202 services, or improve government services.
203 (g) Develop standards for information technology reports
204 and updates, including, but not limited to, operational work
205 plans, project spend plans, and project status reports, for use
206 by state agencies.
207 (h) Upon request, assist state agencies in the development
208 of information technology-related legislative budget requests.
209 (i) Conduct annual assessments of state agencies to
210 determine compliance with all information technology standards
211 and guidelines developed and published by the department and
212 provide results of the assessments to the Executive Office of
213 the Governor, the President of the Senate, and the Speaker of
214 the House of Representatives.
215 (i)(j) Conduct a market analysis not less frequently than
216 every 3 years beginning in 2021 to determine whether the
217 information technology resources within the enterprise are
218 utilized in the most cost-effective and cost-efficient manner,
219 while recognizing that the replacement of certain legacy
220 information technology systems within the enterprise may be cost
221 prohibitive or cost inefficient due to the remaining useful life
222 of those resources; whether the enterprise is complying with the
223 cloud-first policy specified in s. 282.206; and whether the
224 enterprise is utilizing best practices with respect to
225 information technology, information services, and the
226 acquisition of emerging technologies and information services.
227 Each market analysis shall be used to prepare a strategic plan
228 for continued and future information technology and information
229 services for the enterprise, including, but not limited to,
230 proposed acquisition of new services or technologies and
231 approaches to the implementation of any new services or
232 technologies. Copies of each market analysis and accompanying
233 strategic plan must be submitted to the Executive Office of the
234 Governor, the President of the Senate, and the Speaker of the
235 House of Representatives not later than December 31 of each year
236 that a market analysis is conducted.
237 (j)(k) Recommend other information technology services that
238 should be designed, delivered, and managed as enterprise
239 information technology services. Recommendations must include
240 the identification of existing information technology resources
241 associated with the services, if existing services must be
242 transferred as a result of being delivered and managed as
243 enterprise information technology services.
244 (k)(l) In consultation with state agencies, propose a
245 methodology and approach for identifying and collecting both
246 current and planned information technology expenditure data at
247 the state agency level.
248 (l)1.(m)1. Notwithstanding any other law, provide project
249 oversight on any information technology project of the
250 Department of Financial Services, the Department of Legal
251 Affairs, and the Department of Agriculture and Consumer Services
252 which has a total project cost of $25 $20 million or more. Such
253 information technology projects must also comply with the
254 applicable information technology architecture, project
255 management and oversight, and reporting standards established by
256 the department, acting through the Florida Digital Service.
257 2. When performing the project oversight function specified
258 in subparagraph 1., report by the 30th day after the end of each
259 quarter at least quarterly to the Executive Office of the
260 Governor, the President of the Senate, and the Speaker of the
261 House of Representatives on any information technology project
262 that the department, acting through the Florida Digital Service,
263 identifies as high-risk due to the project exceeding acceptable
264 variance ranges defined and documented in the project plan. The
265 report shall include a risk assessment, including fiscal risks,
266 associated with proceeding to the next stage of the project and
267 a recommendation for corrective actions required, including
268 suspension or termination of the project.
269 (m)(n) If an information technology project implemented by
270 a state agency must be connected to or otherwise accommodated by
271 an information technology system administered by the Department
272 of Financial Services, the Department of Legal Affairs, or the
273 Department of Agriculture and Consumer Services, consult with
274 these departments regarding the risks and other effects of such
275 projects on their information technology systems and work
276 cooperatively with these departments regarding the connections,
277 interfaces, timing, or accommodations required to implement such
278 projects.
279 (n)(o) If adherence to standards or policies adopted by or
280 established pursuant to this section causes conflict with
281 federal regulations or requirements imposed on an entity within
282 the enterprise and results in adverse action against an entity
283 or federal funding, work with the entity to provide alternative
284 standards, policies, or requirements that do not conflict with
285 the federal regulation or requirement. The department, acting
286 through the Florida Digital Service, shall annually by January
287 15 report such alternative standards to the Executive Office of
288 the Governor, the President of the Senate, and the Speaker of
289 the House of Representatives.
290 (o)1.(p)1. Establish an information technology policy for
291 all information technology-related state contracts, including
292 state term contracts for information technology commodities,
293 consultant services, and staff augmentation services. The
294 information technology policy must include:
295 a. Identification of the information technology product and
296 service categories to be included in state term contracts.
297 b. Requirements to be included in solicitations for state
298 term contracts.
299 c. Evaluation criteria for the award of information
300 technology-related state term contracts.
301 d. The term of each information technology-related state
302 term contract.
303 e. The maximum number of vendors authorized on each state
304 term contract.
305 f. At a minimum, a requirement that any contract for
306 information technology commodities or services meet the National
307 Institute of Standards and Technology Cybersecurity Framework.
308 g. For an information technology project wherein project
309 oversight is required pursuant to paragraph (d) or paragraph (l)
310 (m), a requirement that independent verification and validation
311 be employed throughout the project life cycle with the primary
312 objective of independent verification and validation being to
313 provide an objective assessment of products and processes
314 throughout the project life cycle. An entity providing
315 independent verification and validation may not have technical,
316 managerial, or financial interest in the project and may not
317 have responsibility for, or participate in, any other aspect of
318 the project.
319 2. Evaluate vendor responses for information technology
320 related state term contract solicitations and invitations to
321 negotiate.
322 3. Answer vendor questions on information technology
323 related state term contract solicitations.
324 4. Ensure that the information technology policy
325 established pursuant to subparagraph 1. is included in all
326 solicitations and contracts that are administratively executed
327 by the department.
328 (p)(q) Recommend potential methods for standardizing data
329 across state agencies which will promote interoperability and
330 reduce the collection of duplicative data.
331 (q)(r) Recommend open data technical standards and
332 terminologies for use by the enterprise.
333 (r)(s) Ensure that enterprise information technology
334 solutions are capable of utilizing an electronic credential and
335 comply with the enterprise architecture standards.
336 (2)
337 (c) The state chief information officer, in consultation
338 with the Secretary of Management Services, shall designate a
339 state chief technology officer who shall be responsible for all
340 of the following:
341 1. Establishing and maintaining an enterprise architecture
342 framework that ensures information technology investments align
343 with the state’s strategic objectives and initiatives pursuant
344 to paragraph (1)(b).
345 2. Conducting comprehensive evaluations of potential
346 technological solutions and cultivating strategic partnerships,
347 internally with state enterprise agencies and externally with
348 the private sector, to leverage collective expertise, foster
349 collaboration, and advance the state’s technological
350 capabilities.
351 3. Supervising program management of enterprise information
352 technology initiatives pursuant to paragraphs (1)(c), (d), and
353 (l); providing advisory support and oversight for technology
354 related projects; and continuously identifying and recommending
355 best practices to optimize outcomes of technology projects and
356 enhance the enterprise’s technological efficiency and
357 effectiveness.
358 (4) For information technology projects that have a total
359 project cost of $25 $10 million or more:
360 (a) State agencies must provide the Florida Digital Service
361 with written notice of any planned procurement of an information
362 technology project.
363 (b) The Florida Digital Service must participate in the
364 development of specifications and recommend modifications to any
365 planned procurement of an information technology project by
366 state agencies so that the procurement complies with the
367 enterprise architecture.
368 (c) The Florida Digital Service must participate in post
369 award contract monitoring.
370 (5) The department, acting through the Florida Digital
371 Service, may not retrieve or disclose any data without a shared
372 data agreement in place between the department and the
373 enterprise entity that has primary custodial responsibility of,
374 or data-sharing responsibility for, that data.
375 Section 4. Subsection (1) of section 282.00515, Florida
376 Statutes, is amended to read:
377 282.00515 Duties of Cabinet agencies.—
378 (1) The Department of Legal Affairs, the Department of
379 Financial Services, and the Department of Agriculture and
380 Consumer Services shall adopt the standards established in s.
381 282.0051(1)(b), (c), and (q) and (3)(e) s. 282.0051(1)(b), (c),
382 and (r) and (3)(e) or adopt alternative standards based on best
383 practices and industry standards that allow for open data
384 interoperability.
385 Section 5. Present paragraphs (a) through (k) of subsection
386 (4) and subsection (10) of section 282.318, Florida Statutes,
387 are redesignated as paragraphs (b) through (l) of subsection (4)
388 and subsection (11), respectively, a new paragraph (a) is added
389 to subsection (4) and a new subsection (10) is added to that
390 section, and subsection (3) and present paragraph (a) of
391 subsection (4) of that section are amended, to read:
392 282.318 Cybersecurity.—
393 (3) The department, acting through the Florida Digital
394 Service, is the lead entity responsible for leading
395 cybersecurity efforts, safeguarding enterprise digital data,
396 establishing standards and processes for assessing state agency
397 cybersecurity risks, and determining appropriate security
398 measures. Such standards and processes must be consistent with
399 generally accepted technology best practices, including the
400 National Institute for Standards and Technology Cybersecurity
401 Framework, for cybersecurity. The department, acting through the
402 Florida Digital Service, shall adopt rules that mitigate risks;
403 safeguard state agency digital assets, data, information, and
404 information technology resources to ensure availability,
405 confidentiality, and integrity; and support a security
406 governance framework. The department, acting through the Florida
407 Digital Service, shall also:
408 (a) Designate an employee of the Florida Digital Service as
409 the state chief information security officer. The state chief
410 information security officer must have experience and expertise
411 in security and risk management for communications and
412 information technology resources. The state chief information
413 security officer is responsible for the development, operation,
414 and oversight of cybersecurity for state technology systems. The
415 Cybersecurity Operations Center shall immediately notify the
416 state chief information officer and the state chief information
417 security officer shall be notified of all confirmed or suspected
418 incidents or threats of state agency information technology
419 resources. The state chief information officer, in consultation
420 with the state chief information security officer, and must
421 report such incidents or threats to the state chief information
422 officer and the Governor.
423 (b) Develop, and annually update by February 1, a statewide
424 cybersecurity strategic plan that includes security goals and
425 objectives for cybersecurity, including the identification and
426 mitigation of risk, proactive protections against threats,
427 tactical risk detection, threat reporting, and response and
428 recovery protocols for a cyber incident.
429 (c) Develop and publish for use by state agencies a
430 cybersecurity governance framework that, at a minimum, includes
431 guidelines and processes for:
432 1. Establishing asset management procedures to ensure that
433 an agency’s information technology resources are identified and
434 managed consistent with their relative importance to the
435 agency’s business objectives.
436 2. Using a standard risk assessment methodology that
437 includes the identification of an agency’s priorities,
438 constraints, risk tolerances, and assumptions necessary to
439 support operational risk decisions.
440 3. Completing comprehensive risk assessments and
441 cybersecurity audits, which may be completed by a private sector
442 vendor, and submitting completed assessments and audits to the
443 department.
444 4. Identifying protection procedures to manage the
445 protection of an agency’s information, data, and information
446 technology resources.
447 5. Establishing procedures for accessing information and
448 data to ensure the confidentiality, integrity, and availability
449 of such information and data.
450 6. Detecting threats through proactive monitoring of
451 events, continuous security monitoring, and defined detection
452 processes.
453 7. Establishing agency cybersecurity incident response
454 teams and describing their responsibilities for responding to
455 cybersecurity incidents, including breaches of personal
456 information containing confidential or exempt data.
457 8. Recovering information and data in response to a
458 cybersecurity incident. The recovery may include recommended
459 improvements to the agency processes, policies, or guidelines.
460 9. Establishing a cybersecurity incident reporting process
461 that includes procedures for notifying the department and the
462 Department of Law Enforcement of cybersecurity incidents.
463 a. The level of severity of the cybersecurity incident is
464 defined by the National Cyber Incident Response Plan of the
465 United States Department of Homeland Security as follows:
466 (I) Level 5 is an emergency-level incident within the
467 specified jurisdiction that poses an imminent threat to the
468 provision of wide-scale critical infrastructure services;
469 national, state, or local government security; or the lives of
470 the country’s, state’s, or local government’s residents.
471 (II) Level 4 is a severe-level incident that is likely to
472 result in a significant impact in the affected jurisdiction to
473 public health or safety; national, state, or local security;
474 economic security; or civil liberties.
475 (III) Level 3 is a high-level incident that is likely to
476 result in a demonstrable impact in the affected jurisdiction to
477 public health or safety; national, state, or local security;
478 economic security; civil liberties; or public confidence.
479 (IV) Level 2 is a medium-level incident that may impact
480 public health or safety; national, state, or local security;
481 economic security; civil liberties; or public confidence.
482 (V) Level 1 is a low-level incident that is unlikely to
483 impact public health or safety; national, state, or local
484 security; economic security; civil liberties; or public
485 confidence.
486 b. The cybersecurity incident reporting process must
487 specify the information that must be reported by a state agency
488 following a cybersecurity incident or ransomware incident,
489 which, at a minimum, must include the following:
490 (I) A summary of the facts surrounding the cybersecurity
491 incident or ransomware incident.
492 (II) The date on which the state agency most recently
493 backed up its data; the physical location of the backup, if the
494 backup was affected; and if the backup was created using cloud
495 computing.
496 (III) The types of data compromised by the cybersecurity
497 incident or ransomware incident.
498 (IV) The estimated fiscal impact of the cybersecurity
499 incident or ransomware incident.
500 (V) In the case of a ransomware incident, the details of
501 the ransom demanded.
502 c.(I) A state agency shall report all ransomware incidents
503 and any cybersecurity incidents incident determined by the state
504 agency to be of severity level 3, 4, or 5 to the Cybersecurity
505 Operations Center and the Cybercrime Office of the Department of
506 Law Enforcement as soon as possible but no later than 12 48
507 hours after discovery of the cybersecurity incident and no later
508 than 6 12 hours after discovery of the ransomware incident. The
509 report must contain the information required in sub-subparagraph
510 b.
511 (II) The Cybersecurity Operations Center shall:
512 (A) Immediately notify the Cybercrime Office of the
513 Department of Law Enforcement of a reported incident and provide
514 to the Cybercrime Office of the Department of Law Enforcement
515 regular reports on the status of the incident, preserve forensic
516 data to support a subsequent investigation, and provide aid to
517 the investigative efforts of the Cybercrime Office of the
518 Department of Law Enforcement upon the office’s request if the
519 state chief information security officer finds that the
520 investigation does not impede remediation of the incident and
521 that there is no risk to the public and no risk to critical
522 state functions.
523 (B) Immediately notify the state chief information officer
524 and the state chief information security officer of a reported
525 incident. The state chief information security officer shall
526 notify the President of the Senate and the Speaker of the House
527 of Representatives of any severity level 3, 4, or 5 incident as
528 soon as possible but no later than 24 12 hours after receiving a
529 state agency’s incident report. The notification must include a
530 high-level description of the incident and the likely effects
531 and must be provided in a secure environment.
532 d. A state agency shall report a cybersecurity incident
533 determined by the state agency to be of severity level 1 or 2 to
534 the Cybersecurity Operations Center and the Cybercrime Office of
535 the Department of Law Enforcement as soon as possible. The
536 report must contain the information required in sub-subparagraph
537 b.
538 d.e. The Cybersecurity Operations Center shall provide a
539 consolidated incident report by the 30th day after the end of
540 each quarter on a quarterly basis to the Governor, the Attorney
541 General, the executive director of the Department of Law
542 Enforcement, the President of the Senate, the Speaker of the
543 House of Representatives, and the Florida Cybersecurity Advisory
544 Council. The report provided to the Florida Cybersecurity
545 Advisory Council may not contain the name of any agency, network
546 information, or system identifying information but must contain
547 sufficient relevant information to allow the Florida
548 Cybersecurity Advisory Council to fulfill its responsibilities
549 as required in s. 282.319(9).
550 10. Incorporating information obtained through detection
551 and response activities into the agency’s cybersecurity incident
552 response plans.
553 11. Developing agency strategic and operational
554 cybersecurity plans required pursuant to this section.
555 12. Establishing the managerial, operational, and technical
556 safeguards for protecting state government data and information
557 technology resources that align with the state agency risk
558 management strategy and that protect the confidentiality,
559 integrity, and availability of information and data.
560 13. Establishing procedures for procuring information
561 technology commodities and services that require the commodity
562 or service to meet the National Institute of Standards and
563 Technology Cybersecurity Framework.
564 14. Submitting after-action reports following a
565 cybersecurity incident or ransomware incident. Such guidelines
566 and processes for submitting after-action reports must be
567 developed and published by December 1, 2022.
568 (d) Assist state agencies in complying with this section.
569 (e) In collaboration with the Cybercrime Office of the
570 Department of Law Enforcement, annually provide training for
571 state agency information security managers and computer security
572 incident response team members that contains training on
573 cybersecurity, including cybersecurity threats, trends, and best
574 practices.
575 (f) Annually review the strategic and operational
576 cybersecurity plans of state agencies.
577 (g) Annually provide cybersecurity training to all state
578 agency technology professionals and employees with access to
579 highly sensitive information which develops, assesses, and
580 documents competencies by role and skill level. The
581 cybersecurity training curriculum must include training on the
582 identification of each cybersecurity incident severity level
583 referenced in sub-subparagraph (c)9.a. The training may be
584 provided in collaboration with the Cybercrime Office of the
585 Department of Law Enforcement, a private sector entity, or an
586 institution of the State University System.
587 (h) Operate and maintain a Cybersecurity Operations Center
588 led by the state chief information security officer, which must
589 be primarily virtual and staffed with tactical detection and
590 incident response personnel. The Cybersecurity Operations Center
591 shall serve as a clearinghouse for threat information and
592 coordinate with the Department of Law Enforcement to support
593 state agencies and their response to any confirmed or suspected
594 cybersecurity incident.
595 (i) Lead an Emergency Support Function, ESF-20 ESF CYBER,
596 under the state comprehensive emergency management plan as
597 described in s. 252.35.
598 (j) Provide cybersecurity briefings to the members of any
599 legislative committee or subcommittee responsible for policy
600 matters relating to cybersecurity.
601 (k) Have the authority to obtain immediate access to public
602 or private infrastructure hosting enterprise digital data and to
603 direct, in consultation with the state agency that holds the
604 particular enterprise digital data, measures to assess, monitor,
605 and safeguard the enterprise digital data.
606 (4) Each state agency head shall, at a minimum:
607 (a) Designate a chief information security officer to
608 integrate the agency’s technical and operational cybersecurity
609 efforts with the Cybersecurity Operations Center. This
610 designation must be provided annually in writing to the Florida
611 Digital Service by January 15. For a state agency under the
612 jurisdiction of the Governor, the agency’s chief information
613 security officer shall be under the general supervision of the
614 agency head or designee for administrative purposes but shall
615 report to the state chief information officer. An agency may
616 request that the department procure a chief information security
617 officer as a service to fulfill the agency’s duties under this
618 paragraph.
619 (b)(a) Designate an information security manager to ensure
620 compliance with cybersecurity governance and with the state’s
621 enterprise security program and incident response plan
622 administer the cybersecurity program of the state agency. This
623 designation must be provided annually in writing to the
624 department by January 15 1. A state agency’s information
625 security manager, for purposes of these information security
626 duties, shall report directly to the agency head.
627 (10) The department may brief any legislative committee or
628 subcommittee responsible for cybersecurity policy in a meeting
629 or other setting closed by the respective body under the rules
630 of such legislative body at which the legislative committee or
631 subcommittee is briefed on records made confidential and exempt
632 under subsections (5) and (6). The legislative committee or
633 subcommittee must maintain the confidential and exempt status of
634 such records. A legislator serving on a legislative committee or
635 subcommittee responsible for cybersecurity policy may also
636 attend meetings of the Florida Cybersecurity Advisory Council,
637 including any portions of such meetings that are exempt from s.
638 286.011 and s. 24(b), Art. I of the State Constitution.
639 Section 6. Paragraphs (b) and (c) of subsection (5) of
640 section 282.3185, Florida Statutes, are amended to read:
641 282.3185 Local government cybersecurity.—
642 (5) INCIDENT NOTIFICATION.—
643 (b)1. A local government shall report all ransomware
644 incidents and any cybersecurity incident determined by the local
645 government to be of severity level 3, 4, or 5 as provided in s.
646 282.318(3)(c) to the Cybersecurity Operations Center, the
647 Cybercrime Office of the Department of Law Enforcement, and the
648 sheriff who has jurisdiction over the local government as soon
649 as possible but no later than 12 48 hours after discovery of the
650 cybersecurity incident and no later than 6 12 hours after
651 discovery of the ransomware incident. The report must contain
652 the information required in paragraph (a).
653 2. The Cybersecurity Operations Center shall:
654 a. Immediately notify the Cybercrime Office of the
655 Department of Law Enforcement and the sheriff who has
656 jurisdiction over the local government of a reported incident
657 and provide to the Cybercrime Office of the Department of Law
658 Enforcement and the sheriff who has jurisdiction over the local
659 government regular reports on the status of the incident,
660 preserve forensic data to support a subsequent investigation,
661 and provide aid to the investigative efforts of the Cybercrime
662 Office of the Department of Law Enforcement upon the office’s
663 request if the state chief information security officer finds
664 that the investigation does not impede remediation of the
665 incident and that there is no risk to the public and no risk to
666 critical state functions.
667 b. Immediately notify the state chief information security
668 officer of a reported incident. The state chief information
669 security officer shall notify the President of the Senate and
670 the Speaker of the House of Representatives of any severity
671 level 3, 4, or 5 incident as soon as possible but no later than
672 24 12 hours after receiving a local government’s incident
673 report. The notification must include a high-level description
674 of the incident and the likely effects and must be provided in a
675 secure environment.
676 (c) A local government may report a cybersecurity incident
677 determined by the local government to be of severity level 1 or
678 2 as provided in s. 282.318(3)(c) to the Cybersecurity
679 Operations Center, the Cybercrime Office of the Department of
680 Law Enforcement, and the sheriff who has jurisdiction over the
681 local government. The report shall contain the information
682 required in paragraph (a). The Cybersecurity Operations Center
683 shall immediately notify the Cybercrime Office of the Department
684 of Law Enforcement and the sheriff who has jurisdiction over the
685 local government of a reported incident and provide regular
686 reports on the status of the cybersecurity incident, preserve
687 forensic data to support a subsequent investigation, and provide
688 aid to the investigative efforts of the Cybercrime Office of the
689 Department of Law Enforcement upon request if the state chief
690 information security officer finds that the investigation does
691 not impede remediation of the cybersecurity incident and that
692 there is no risk to the public and no risk to critical state
693 functions.
694 Section 7. Paragraph (j) of subsection (4) of section
695 282.319, Florida Statutes, is amended, and paragraph (m) is
696 added to that subsection, to read:
697 282.319 Florida Cybersecurity Advisory Council.—
698 (4) The council shall be comprised of the following
699 members:
700 (j) Three representatives from critical infrastructure
701 sectors, one of whom must be from a utility provider water
702 treatment facility, appointed by the Governor.
703 (m) A representative of local government.
704 Section 8. This act shall take effect July 1, 2024.