Amendment
Bill No. SB 2098
Amendment No. 781675
CHAMBER ACTION
Senate House
.
.
.






1Representative Grimsley offered the following:
2
3     Amendment (with title amendment)
4     Remove everything after the enacting clause and insert:
5
6     Section 1.  Paragraphs (a), (g), (h), (i), (j), and (k) of
7subsection (4) and subsections (5) and (6) of section 14.204,
8Florida Statutes, are amended to read:
9     14.204  Agency for Enterprise Information Technology.-The
10Agency for Enterprise Information Technology is created within
11the Executive Office of the Governor.
12     (4)  The agency shall have the following duties and
13responsibilities:
14     (a)  Develop strategies for the planning, design, delivery,
15implementation, and management of the enterprise information
16technology services established in law, including the state data
17center system services established pursuant to s. 282.201, the
18information technology security service established in s.
19282.318, and the statewide e-mail service established in s.
20282.34.
21     (g)  Coordinate technology resource acquisition planning
22and assist the Division of Purchasing of the Department of
23Management Services in procurement negotiations for technology
24hardware and software products and services in order to improve
25the efficiency and reduce the cost of enterprise information
26technology services.
27     (h)  In consultation with the Division of Purchasing in the
28Department of Management Services, coordinate procurement
29negotiations for information technology products as defined in
30s. 282.0041 which will be used by multiple agencies.
31     (h)(i)  In coordination with, and through the services of,
32the Division of Purchasing in the Department of Management
33Services, establish best practices for the procurement of
34information technology products as defined in s. 282.0041 in
35order to achieve savings for the state.
36     (i)(j)  Develop information technology standards for
37enterprise information technology services as defined in s.
38282.0041.
39     (j)(k)  Provide annually, by December 31, recommendations
40to the Legislature relating to techniques for consolidating the
41purchase of information technology commodities and services,
42which result in savings for the state, and for establishing a
43process to achieve savings through consolidated purchases.
44     (5)  The Office of Information Security shall be created
45within the agency. The agency shall designate a state Chief
46Information Security Officer who shall oversee the office and
47report directly to the executive director.
48     (6)  The agency shall operate in a manner that ensures the
49participation and representation of state agencies and the
50Agency Chief Information Officers Council established in s.
51282.315.
52     Section 2.  Subsection (10) of section 20.315, Florida
53Statutes, is amended to read:
54     20.315  Department of Corrections.-There is created a
55Department of Corrections.
56     (10)  SINGLE INFORMATION AND RECORDS SYSTEM.-There shall be
57only one offender-based information and records computer system
58maintained by the Department of Corrections for the joint use of
59the department and the Parole Commission. This data system shall
60be managed through the department's Office of Information
61Technology Justice Data Center. The department shall develop and
62maintain, in consultation with the Criminal and Juvenile Justice
63Information Systems Council under s. 943.08, such offender-based
64information, including clemency administration information and
65other computer services to serve the needs of both the
66department and the Parole Commission. The department shall
67notify the commission of all violations of parole and the
68circumstances thereof.
69     Section 3.  Subsections (4) through (30) of section
70282.0041, Florida Statutes, are renumbered as subsections (2)
71through (28), respectively, and present subsections (2), (3),
72and (19) of that section are amended to read:
73     282.0041  Definitions.-As used in this chapter, the term:
74     (2)  "Agency chief information officer" means the person
75employed by the agency head to coordinate and manage the
76information technology functions and responsibilities applicable
77to that agency, to participate and represent the agency in
78developing strategies for implementing enterprise information
79technology services established pursuant to this part, and to
80develop recommendations for enterprise information technology
81policy.
82     (3)  "Agency Chief Information Officers Council" means the
83council created in s. 282.315.
84     (17)(19)  "Primary data center" means a state or nonstate
85agency data center that is a recipient entity for consolidation
86of nonprimary data centers and computing facilities and is
87established. A primary data center may be authorized in law or
88designated by the Agency for Enterprise Information Technology
89pursuant to s. 282.201.
90     Section 4.  Subsection (1) of section 282.0056, Florida
91Statutes, is amended to read:
92     282.0056  Development of work plan; development of
93implementation plans; and policy recommendations.-
94     (1)  For the purposes of carrying out its responsibilities
95under s. 282.0055, the Agency for Enterprise Information
96Technology shall develop an annual work plan within 60 days
97after the beginning of the fiscal year describing the activities
98that the agency intends to undertake for that year, including
99proposed outcomes and completion timeframes for the planning and
100implementation of all enterprise information technology
101services. The work plan must be presented at a public hearing
102and that includes the Agency Chief Information Officers Council,
103which may review and comment on the plan. The work plan must
104thereafter be approved by the Governor and Cabinet and submitted
105to the President of the Senate and the Speaker of the House of
106Representatives. The work plan may be amended as needed, subject
107to approval by the Governor and Cabinet.
108     Section 5.  Subsections (2) through (5) of section 282.201,
109Florida Statutes, are amended to read:
110     282.201  State data center system; agency duties and
111limitations.-A state data center system that includes all
112primary data centers, other nonprimary data centers, and
113computing facilities, and that provides an enterprise
114information technology service as defined in s. 282.0041, is
115established.
116     (2)  AGENCY FOR ENTERPRISE INFORMATION TECHNOLOGY DUTIES.-
117The Agency for Enterprise Information Technology shall:
118     (a)  Collect and maintain information necessary for
119developing policies relating to the data center system,
120including, but not limited to, an inventory of facilities.
121     (b)  Annually approve cost-recovery mechanisms and rate
122structures for primary data centers which recover costs through
123charges to customer entities.
124     (c)  By September December 31 of each year, submit to the
125Legislature, the Executive Office of the Governor, and the
126primary data centers recommendations to improve the efficiency
127and cost-effectiveness effectiveness of computing services
128provided by state data center system facilities. Such
129recommendations may include, but need not be limited to:
130     1.  Policies for improving the cost-effectiveness and
131efficiency of the state data center system and the projected
132cost savings resulting from their implementation.
133     2.  Infrastructure improvements supporting the
134consolidation of facilities or preempting the need to create
135additional data centers or computing facilities.
136     3.  Standards for an objective, credible energy performance
137rating system that data center boards of trustees can use to
138measure state data center energy consumption and efficiency on a
139biannual basis.
140     4.  Uniform disaster recovery standards.
141     5.  Standards for primary data centers to provide cost-
142effective services and providing transparent financial data to
143user agencies.
144     6.  Consolidation of contract practices or coordination of
145software, hardware, or other technology-related procurements and
146the projected cost savings.
147     7.  Improvements to data center governance structures.
148     (d)  By October 1 of each year beginning in 2011 2009,
149provide recommendations recommend to the Governor and
150Legislature regarding changes to the schedule for agency data
151center consolidation established in subsection (4) at least two
152nonprimary data centers for consolidation into a primary data
153center or nonprimary data center facility.
154     1.  The consolidation proposal must provide a transition
155plan that includes:
156     a.  Estimated transition costs for each data center or
157computing facility recommended for consolidation;
158     b.  Detailed timeframes for the complete transition of each
159data center or computing facility recommended for consolidation;
160     c.  Proposed recurring and nonrecurring fiscal impacts,
161including increased or decreased costs and associated budget
162impacts for affected budget entities;
163     d.  Substantive legislative changes necessary to implement
164the transition; and
165     e.  Identification of computing resources to be transferred
166and those that will remain in the agency. The transfer of
167resources must include all hardware, software, staff, contracted
168services, and facility resources performing data center
169management and operations, security, backup and recovery,
170disaster recovery, system administration, database
171administration, system programming, job control, production
172control, print, storage, technical support, help desk, and
173managed services but excluding application development.
174     1.2.  Recommendations shall be based on the goal of
175maximizing current and future cost savings by. The agency shall
176consider the following criteria in selecting consolidations that
177maximize efficiencies by providing the ability to:
178     a.  Consolidating Consolidate purchase decisions;
179     b.  Leveraging Leverage expertise and other resources to
180gain economies of scale;
181     c.  Implementing Implement state information technology
182policies more effectively; and
183     d.  Maintaining Maintain or improving improve the level of
184service provision to customer entities; and
185     e.  Make progress towards the state's goal of consolidating
186data centers and computing facilities into primary data centers.
187     2.3.  The agency shall establish workgroups as necessary to
188ensure participation by affected agencies in the development of
189recommendations related to consolidations.
190     (e)  By December 31, 2010, the agency shall develop and
191submit to the Legislature an overall consolidation plan for
192state data centers. The plan shall indicate a timeframe for the
193consolidation of all remaining nonprimary data centers into
194primary data centers, including existing and proposed primary
195data centers, by 2019.
196     (e)(f)  Develop and establish rules relating to the
197operation of the state data center system which comply with
198applicable federal regulations, including 2 C.F.R. part 225 and
19945 C.F.R. The agency shall provide notice of the development of
200its proposed rules by publication of a notice of development in
201the Florida Administrative Weekly no later than October 1, 2011.
202The rules shall may address:
203     1.  Ensuring that financial information is captured and
204reported consistently and accurately.
205     2.  Implementing standards for hardware, operations
206software, including security, and network infrastructure for the
207primary data centers Requiring the establishment of service-
208level agreements executed between a data center and its customer
209entities for services provided.
210     3.  Requiring annual full cost recovery on an equitable
211rational basis. The cost-recovery methodology must ensure that
212no service is subsidizing another service and may include
213adjusting the subsequent year's rates as a means to recover
214deficits or refund surpluses from a prior year.
215     4.  Requiring that any special assessment imposed to fund
216expansion is based on a methodology that apportions the
217assessment according to the proportional benefit to each
218customer entity.
219     5.  Requiring that rebates be given when revenues have
220exceeded costs, that rebates be applied to offset charges to
221those customer entities that have subsidized the costs of other
222customer entities, and that such rebates may be in the form of
223credits against future billings.
224     6.  Requiring that all service-level agreements have a
225contract term of up to 3 years, but may include an option to
226renew for up to 3 additional years contingent on approval by the
227board, and require at least a 180-day notice of termination.
228     7.  Designating any nonstate data center as a primary data
229center if the center:
230     a.  Has an established governance structure that represents
231customer entities proportionally.
232     b.  Maintains an appropriate cost-allocation methodology
233that accurately bills a customer entity based on the actual
234direct and indirect costs to the customer entity, and prohibits
235the subsidization of one customer entity's costs by another
236entity.
237     c.  Has sufficient raised floor space, cooling, and
238redundant power capacity, including uninterruptible power supply
239and backup power generation, to accommodate the computer
240processing platforms and support necessary to host the computing
241requirements of additional customer entities.
242     8.  Removing a nonstate data center from primary data
243center designation if the nonstate data center fails to meet
244standards necessary to ensure that the state's data is
245maintained pursuant to subparagraph 7.
246     (3)  STATE AGENCY DUTIES.-
247     (a)  For the purpose of completing its work activities as
248described in subsection (1), each state agency shall provide to
249the Agency for Enterprise Information Technology all requested
250information and any other information relevant to the agency's
251ability to effectively transition its computer services into a
252primary data center. The agency shall also participate as
253required in workgroups relating to specific consolidation
254planning and implementation tasks as assigned by the Agency for
255Enterprise Information Technology and determined necessary to
256accomplish consolidation goals.
257     (b)  Each state agency shall submit to the Agency for
258Enterprise Information Technology information relating to its
259data centers and computing facilities as required in
260instructions issued by July 1 of each year by the Agency for
261Enterprise Information Technology. The information required may
262include:
263     1.  Amount of floor space used and available.
264     2.  Numbers and capacities of mainframes and servers.
265     3.  Storage and network capacity.
266     4.  Amount of power used and the available capacity.
267     5.  Estimated expenditures by service area, including
268hardware and software, numbers of full-time equivalent
269positions, personnel turnover, and position reclassifications.
270     6.  A list of contracts in effect for the fiscal year,
271including, but not limited to, contracts for hardware, software
272and maintenance, including the expiration date, the contract
273parties, and the cost of the contract.
274     7.  Service-level agreements by customer entity.
275     (c)  The chief information officer of each state agency
276shall assist the Agency for Enterprise Information Technology at
277the request of the Agency for Enterprise Information Technology.
278     (c)(d)  Each state agency customer of a primary data center
279shall notify the data center, by May 31 and November 30 of each
280year, of any significant changes in anticipated utilization of
281data center services pursuant to requirements established by the
282boards of trustees of each primary data center.
283     (4)  SCHEDULE FOR AGENCY DATA CENTER CONSOLIDATION.-
284     (a)  State agency data center consolidations shall be made
285in accordance with budget adjustments contained in the General
286Appropriations Act no later than the date provided and to the
287specified primary data center as provided in this subsection.
288     (b)  For consolidation during fiscal year 2011-2012 into
289the Northwest Regional Data Center:
290     1.  College Center for Library Automation (CCLA) no later
291than December 31, 2011.
292     2.  Florida Center for Library Automation (FCLA) no later
293than December 31, 2011.
294     3.  Department of Education no later than December 31,
2952011, including the computing services and resources of:
296     a.  The Knott Data Center located in the Turlington
297Building.
298     b.  The Division of Blind Services.
299     c.  The Division of Vocational Rehabilitation.
300     d.  FCAT Explorer.
301     e.  FACTS.org.
302
303Such consolidations are contingent upon the Agency for
304Enterprise Information Technology's completion of a cost-benefit
305analysis to determine whether additional savings can be
306achieved. The cost-benefit analysis shall compare the costs and
307savings estimates provided by the Northwest Regional Data
308Center, the Northwood Shared Resource Center, and the Southwood
309Shared Resource Center for the consolidation of the College
310Center for Library Automation, the Florida Center for Library
311Automation, and the Department of Education to their respective
312data centers. The cost-benefit analysis shall be submitted no
313later than August 1, 2011, to the Executive Office of the
314Governor and the chairs of the House Appropriations Committee
315and the Senate Budget Committee. Any actions recommended as a
316result of the cost-benefit analysis are subject to the notice,
317review, and objection requirements of s. 216.177.
318     (c)  For consolidation during fiscal year 2011-2012 into
319the Southwood Shared Resource Center:
320     1.  The Department of Corrections no later than September
32130, 2011.
322     2.  The Department of Transportation Survey and Mapping
323Office no later than March 31, 2012.
324     3.  The Department of Transportation Burns Office Building
325no later than March 31, 2012.
326     (d)  For consolidation during fiscal year 2011-2012 into
327the Northwood Shared Resource Center:
328     1.  The Department of Transportation Motor Carrier
329Compliance Office no later than July 1, 2011.
330     2.  The Department of Highway Safety and Motor Vehicles no
331later than March 31, 2012.
332     (e)  For consolidation during fiscal year 2012-2013 into
333the Southwood Shared Resource Center:
334     1.  The Department of Community Affairs, including the
335Division of Emergency Management, no later than September 30,
3362012.
337     2.  The Department of Revenue Carlton Building and Taxworld
338Building L locations no later than September 30, 2012.
339     3.  The Department of Health Test and Development Lab and
340all remaining data center resources no later than December 31,
3412012.
342     (f)  For consolidation during fiscal year 2012-2013 into
343the Northwood Shared Resource Center:
344     1.  The Agency for Health Care Administration no later than
345July 1, 2012.
346     2.  The Department of Environmental Protection no later
347than December 31, 2012.
348     3.  The Department of Law Enforcement no later than March
34930, 2013.
350     (g)  The following agencies shall work with the Agency for
351Enterprise Information Technology to begin preliminary planning
352for consolidation of their data centers into a primary data
353center during fiscal year 2013-2014:
354     1.  The Department of the Lottery.
355     2.  The Department of Legal Affairs.
356     3.  The Fish and Wildlife Conservation Commission.
357     4.  The Executive Office of the Governor, excluding all
358resources, equipment, and applications supported within the
359Legislative Appropriations System/Planning and Budget Subsystem.
360     5.  The Department of Veterans' Affairs.
361     6.  The Department of Elderly Affairs.
362     7.  The Department of Financial Services Hartman, Larson,
363and Fletcher Buildings data centers.
364     8.  The Department of Agriculture and Consumer Services
365Agriculture Management Information Center in the Mayo Building
366and the Division of Licensing.
367     (h)  The following agencies shall work with the Agency for
368Enterprise Information Technology to begin preliminary planning
369for consolidation of their data centers into a primary data
370center during fiscal year 2014-2015:
371     1.  The Department of Health Jacksonville Lab Data Center.
372     2.  The Department of Transportation District, Toll,
373Materials Office.
374     3.  The Department of Military Affairs Camp Blanding Joint
375Training Center, Starke.
376     4.  The Department of Community Affairs Camp Blanding
377Emergency Operations Center, Starke.
378     5.  The Department of Education Division of Blind Services,
379Disaster Recovery site, Daytona Beach.
380     6.  The Department of Education Disaster Recovery site,
381Sante Fe College.
382     7.  The Department of the Lottery Disaster Recovery Backup
383Data Center, Orlando.
384     8.  The Fish and Wildlife Conservation Commission Research
385Institute, St. Petersburg.
386     9.  The Department of Children and Family Services Suncoast
387Data Center, Tampa.
388     10.  The Department of Children and Family Services Florida
389State Hospital, Chattahoochee.
390     (i)  All computing facilities as defined in s. 282.0041 or
391groups of servers remaining in an agency shall be transferred to
392a primary data center for consolidation during fiscal year 2015-
3932016 unless required to remain in the agency for specific
394business reasons.
395     (j)  All agencies consolidating data centers into a primary
396data center shall execute a new or update an existing service-
397level agreement no later than 60 days after the identified
398consolidation date, as required by s. 282.203, that specifies
399the services and levels of services the agency is to receive
400from the primary data center as a result of the consolidation.
401Any agency that is unable to execute the service-level agreement
402by the required date must submit a report to the Executive
403Office of the Governor and to the chairs of the House
404Appropriations Committee and the Senate Budget Committee within
4055 working days after such date that explains the specific issues
406preventing execution and describing the agency's plan and
407schedule for resolving the issues.
408     (k)  Beginning September 1, 2011, and every 6 months
409thereafter, until all data center consolidations are complete,
410the Agency for Enterprise Information Technology shall provide a
411status report on the implementation of consolidation required to
412be completed during the fiscal year. The report shall be
413submitted to the Executive Office of the Governor and the chairs
414of the House Appropriations Committee and the Senate Budget
415Committee. The status report shall describe:
416     1.  Whether the consolidation is on schedule, including the
417progress on achieving milestones necessary for successful and
418timely consolidation of scheduled agency data centers and
419computing facilities; and
420     2.  Risks that may affect the progress or outcomes of the
421consolidation and how such risks are being addressed, mitigated,
422or managed.
423     (l)  Each agency identified in this subsection for
424consolidation into a primary data center must submit a
425transition plan to the Agency for Enterprise Information
426Technology not later than September 1 of the fiscal year prior
427to its scheduled consolidation. Transition plans shall be
428developed in consultation with the appropriate primary data
429center and the Agency for Enterprise Information Technology and
430must include:
431     1.  An inventory of all resources of the agency data center
432being consolidated, including all hardware, software, staff,
433contracted services, and facility resources performing data
434center management and operations, security, backup and recovery,
435disaster recovery, system administration, database
436administration, system programming, job control, production
437control, print, storage, technical support, help desk, and
438managed services, excluding application development.
439     2.  A description of the level of services needed to meet
440the technical and operational requirements of the platforms
441being consolidated and a cost estimate for the primary data
442center's provision of such services.
443     3.  A description of resources for computing services
444proposed to remain in the department.
445     4.  A timetable with significant milestones for the
446completion of the consolidation.
447     5.  The fiscal year adjustments to budget categories
448currently supporting agency costs to accomplish the transfer of
449sufficient budget resources into the appropriate data processing
450category pursuant to the legislative budget request instructions
451provided in s. 216.023.
452     (m)  Each primary data center shall develop a transition
453plan for absorbing the transfer of agency data center resources
454based upon the timetables for transition as provided in this
455subsection. The plan shall be submitted to the Agency for
456Enterprise Information Technology no later than September 30 of
457the fiscal year prior to the scheduled consolidation. Each plan
458shall include:
459     1.  An estimate of the cost of providing data center
460services for each agency scheduled for consolidation.
461     2.  A staffing plan that identifies the projected staffing
462needs and requirements based on the estimated workload
463identified in the agency transition plans.
464     3.  An analysis of the cost impacts to existing agency
465customers resulting from the planned consolidations.
466     4.  The fiscal year adjustments to budget categories to
467absorb the transfer of agency data center resources pursuant to
468the legislative budget request instructions provided in s.
469216.023.
470     5.  A description of any issues that must be resolved to
471accomplish all consolidations required during the fiscal year as
472efficiently and effectively as possible.
473     (n)  The Agency for Enterprise Information Technology shall
474develop a comprehensive transition plan, which shall be
475submitted no later than October 15 of the fiscal year prior to
476the scheduled consolidations to the Executive Office of the
477Governor and the chairs of the House Appropriations Committee
478and the Senate Budget Committee. The comprehensive transition
479plan shall be developed in consultation with the agencies
480submitting their agency transition plans and the affected
481primary data center. The comprehensive transition plan shall
482include:
483     1.  Recommendations for accomplishing the proposed
484consolidations as efficiently and effectively as possible with
485minimal disruption to the agency's business processes.
486     2.  Strategies to minimize risks associated with any of the
487proposed consolidations.
488     3.  A compilation of the agency transition plans scheduled
489for consolidation in the following fiscal year.
490     4.  Revisions to any budget adjustments provided in the
491agency or primary data center transition plans pursuant to the
492legislative budget request instructions provided in s. 216.023.
493     (5)(4)  AGENCY LIMITATIONS.-
494     (a)  Unless authorized by the Legislature or as provided in
495paragraphs (b) and (c), a state agency may not:
496     1.  Create a new computing facility or data center, or
497expand the capability to support additional computer equipment
498in an existing computing facility or nonprimary data center, or
499purchase equipment or other resources necessary to expand the
500capabilities of the agency data center;
501     2.  Expend funds prior to the agency's scheduled
502consolidation into a primary data center for the purchase or
503modification of hardware or operations software that do not
504comply with the standards established for efficient
505consolidation and without consultation with the primary data
506center;
507     3.2.  Transfer existing computer services to a nonprimary
508data center or computing facility, including outsourced computer
509service providers;
510     4.3.  Terminate services with a primary data center or
511transfer services between primary data centers without giving
512written notice of intent to terminate or transfer services 180
513days before such termination or transfer and completing a cost-
514benefit analysis that documents that the requested transfer will
515not increase the agency's data center costs; or
516     5.4.  Initiate a new computer service if it does not
517currently have an internal data center except with a primary
518data center.
519     (b)  Exceptions to the limitations in subparagraphs (a)1.,
5202., 3., and 5. 4. may be granted by the Agency for Enterprise
521Information Technology if there is insufficient capacity in a
522primary data center to absorb the workload associated with
523agency computing services.
524     1.  A request for an exception must be submitted in writing
525to the Agency for Enterprise Information Technology. The agency
526must accept, accept with conditions, or deny the request within
52760 days after receipt of the written request. The agency's
528decision is not subject to chapter 120.
529     2.  At a minimum, the agency may not approve a request
530unless it includes:
531     a.  Documentation approved by the primary data center's
532board of trustees which confirms that the center cannot meet the
533capacity requirements of the agency requesting the exception
534within the current fiscal year.
535     b.  A description of the capacity requirements of the
536agency requesting the exception.
537     c.  Documentation from the agency demonstrating why it is
538critical to the agency's mission that the expansion or transfer
539must be completed within the fiscal year rather than when
540capacity is established at a primary data center.
541     (c)  Exceptions to subparagraph (a)4.3. may be granted by
542the board of trustees of the primary data center if the
543termination or transfer of services can be absorbed within the
544current cost-allocation plan.
545     (d)  Upon the termination of or transfer of agency
546computing services from the primary data center, the primary
547data center shall require information sufficient to determine
548compliance with this section. If a primary data center
549determines that an agency is in violation of this section, it
550shall report the violation to the Agency for Enterprise
551Information Technology.
552     (6)(5)  RULES.-The Agency for Enterprise Information
553Technology is authorized to adopt rules pursuant to ss.
554120.536(1) and 120.54 to administer the provisions of this part
555relating to the state data center system including the primary
556data centers.
557     Section 6.  Subsection (1) and paragraph (a) of subsection
558(2) of section 282.203, Florida Statutes, are amended to read:
559     282.203  Primary data centers.-
560     (1)  DATA CENTER DUTIES.-Each primary data center shall:
561     (a)  Serve customer entities as an information-system
562utility.
563     (b)  Cooperate with customer entities to offer, develop,
564and support the services and applications as defined and
565provided by the center's board of trustees and customer
566entities.
567     (c)  Comply with standards and rules adopted by the Agency
568for Enterprise Information Technology, pursuant to this section,
569and coordinate with the agency in the consolidation of data
570centers.
571     (d)  Provide transparent financial statements to customer
572entities, the center's board of trustees, and the Agency for
573Enterprise Information Technology. The financial statements
574shall be provided as follows:
575     1.  Annually, by July 30 for the current fiscal year and by
576December 1 for the subsequent fiscal year, the data center must
577provide the total annual budgeted costs by major expenditure
578category, including, but not limited to, salaries, expense,
579operating capital outlay, contracted services, or other
580personnel services, which directly relate to the provision of
581each service and which separately indicate the administrative
582overhead allocated to each service.
583     2.  Annually, by July 30 for the current fiscal year and by
584December 1 for the subsequent fiscal year, the data center must
585provide total projected billings for each customer entity which
586are required to recover the costs of the data center.
587     3.  Annually, by January 31, the data center must provide
588updates of the financial statements required under subparagraphs
5891. and 2. for the current fiscal year.
590     4.  By February 15, for proposed legislative budget
591increases, the data center must provide updates of the financial
592statements required under subparagraphs 1. and 2. for the
593subsequent fiscal year.
594
595The financial information required under subparagraphs 1., 2.,
596and 3. must be based on current law and current appropriations.
597     (e)  Annually, by October 1, submit to the board of
598trustees cost-reduction proposals, including strategies and
599timetables for lowering customer entities' costs without
600reducing the level of services.
601     (f)  By December 31, 2010, submit organizational plans that
602minimize the annual recurring cost of center operations and
603eliminate the need for state agency customers to maintain data
604center skills and staff within their agency. The plans shall:
605     1.  Establish an efficient organizational structure
606describing the roles and responsibilities of all positions and
607business units in the centers;
608     2.  Define a human resources planning and management
609process that shall be used to make required center staffing
610decisions; and
611     3.  Develop a process for projecting staffing requirements
612based on estimated workload identified in customer agency
613service level agreements.
614     (f)(g)  Maintain the performance of the facility, which
615includes ensuring proper data backup, data backup recovery, an
616effective disaster recovery plan, and appropriate security,
617power, cooling and fire suppression, and capacity.
618     (g)(h)  Develop a business continuity plan and conduct a
619live exercise of the plan at least annually. The plan must be
620approved by the board and the Agency for Enterprise Information
621Technology.
622     (h)(i)  Enter into a service-level agreement with each
623customer entity to provide services as defined and approved by
624the board in compliance with rules of the Agency for Enterprise
625Information Technology. A service-level agreement may not have a
626term exceeding 3 years but may include an option to renew for up
627to 3 years contingent on approval by the board.
628     1.  A service-level agreement, at a minimum, must:
629     a.  Identify the parties and their roles, duties, and
630responsibilities under the agreement;
631     b.  Identify the legal authority under which the service-
632level agreement was negotiated and entered into by the parties;
633     c.  State the duration of the contractual term and specify
634the conditions for contract renewal;
635     d.  Prohibit the transfer of computing services between
636primary data center facilities without at least 180 days' notice
637of service cancellation;
638     e.  Identify the scope of work;
639     f.  Identify the products or services to be delivered with
640sufficient specificity to permit an external financial or
641performance audit;
642     g.  Establish the services to be provided, the business
643standards that must be met for each service, the cost of each
644service, and the process by which the business standards for
645each service are to be objectively measured and reported;
646     h.  Identify applicable funds and funding streams for the
647services or products under contract;
648     i.  Provide a timely billing methodology for recovering the
649cost of services provided to the customer entity;
650     j.  Provide a procedure for modifying the service-level
651agreement to address changes in projected costs of service;
652     k.  Provide that a service-level agreement may be
653terminated by either party for cause only after giving the other
654party and the Agency for Enterprise Information Technology
655notice in writing of the cause for termination and an
656opportunity for the other party to resolve the identified cause
657within a reasonable period; and
658     l.  Provide for mediation of disputes by the Division of
659Administrative Hearings pursuant to s. 120.573.
660     2.  A service-level agreement may include:
661     a.  A dispute resolution mechanism, including alternatives
662to administrative or judicial proceedings; or
663     b.  The setting of a surety or performance bond for
664service-level agreements entered into with nonstate agency
665primary data centers, which may be designated by the Agency for
666Enterprise Information Technology; or
667     b.c.  Additional terms and conditions as determined
668advisable by the parties if such additional terms and conditions
669do not conflict with the requirements of this section or rules
670adopted by the Agency for Enterprise Information Technology.
671     3.  The failure to execute a service-level agreement within
67260 days after service commencement shall, in the case of an
673existing customer entity, result in a continuation of the terms
674of the service-level agreement from the prior fiscal year,
675including any amendments that were formally proposed to the
676customer entity by the primary data center within the 3 months
677before service commencement, and a revised cost-of-service
678estimate. If a new customer entity fails to execute an agreement
679within 60 days after service commencement, the data center may
680cease services.
681     (i)(j)  Plan, design, establish pilot projects for, and
682conduct experiments with information technology resources, and
683implement enhancements in services if such implementation is
684cost-effective and approved by the board.
685     (j)(k)  Enter into a memorandum of understanding with the
686agency where the primary data center is administratively located
687which establishes the services to be provided by that agency to
688the primary data center and the cost of such services.
689     (k)(l)  Be the custodian of resources and equipment that
690are located, operated, supported, and managed by the center for
691the purposes of chapter 273, except resources and equipment
692located, operated, supported, and managed by Northwest Regional
693Data Center.
694     (l)  Assume administrative access rights to the resources
695and equipment, such as servers, network components, and other
696devices, that are consolidated into the primary data center.
697Upon the date of each consolidation specified in s. 282.201 or
698as provided in the General Appropriations Act, each agency shall
699relinquish all administrative access rights. Each primary data
700center shall provide its customer agencies with the appropriate
701level of access to applications, servers, network components,
702and other devices necessary for the agency to perform core
703business activities and functions.
704     (2)  BOARD OF TRUSTEES.-Each primary data center shall be
705headed by a board of trustees as defined in s. 20.03.
706     (a)  The members of the board shall be appointed by the
707agency head or chief executive officer of the representative
708customer entities of the primary data center and shall serve at
709the pleasure of the appointing customer entity.
710     1.  During the fiscal year prior to its consolidation into
711a primary data center and for the following full fiscal year, an
712agency shall have a single trustee having one vote on the board
713of the primary data center into which it is to consolidate,
714unless in the second year it is entitled to a greater number of
715votes as provided in subparagraphs 3. and 4. For each of the
716first 2 fiscal years that a center is in operation, membership
717shall be as provided in subparagraph 3. based on projected
718customer entity usage rates for the fiscal operating year of the
719primary data center. However, at a minimum:
720     a.  During the Southwood Shared Resource Center's first 2
721operating years, the Department of Transportation, the
722Department of Highway Safety and Motor Vehicles, the Department
723of Health, and the Department of Revenue must each have at least
724one trustee.
725     b.  During the Northwood Shared Resource Center's first
726operating year, the Department of State and the Department of
727Education must each have at least one trustee.
728     2.  Board After the second full year of operation,
729membership shall be as provided in subparagraph 3. based on the
730most recent estimate of customer entity usage rates for the
731prior year and a projection of usage rates for the first 9
732months of the next fiscal year. Such calculation must be
733completed before the annual budget meeting held before the
734beginning of the next fiscal year so that any decision to add or
735remove board members can be voted on at the budget meeting and
736become effective on July 1 of the subsequent fiscal year.
737     3.  Each customer entity that has a projected usage rate of
7384 percent or greater during the fiscal operating year of the
739primary data center shall have one trustee on the board.
740     4.  The total number of votes for each trustee shall be
741apportioned as follows:
742     a.  Customer entities of a primary data center whose usage
743rate represents 4 but less than 15 percent of total usage shall
744have one vote.
745     b.  Customer entities of a primary data center whose usage
746rate represents 15 but less than 30 percent of total usage shall
747have two votes.
748     c.  Customer entities of a primary data center whose usage
749rate represents 30 but less than 50 percent of total usage shall
750have three votes.
751     d.  A customer entity of a primary data center whose usage
752rate represents 50 percent or more of total usage shall have
753four votes.
754     e.  A single trustee having one vote shall represent those
755customer entities that represent less than 4 percent of the
756total usage. The trustee shall be selected by a process
757determined by the board.
758     Section 7.  Section 282.206, Florida Statutes, is created
759to read:
760     282.206  Northwest Regional Data Center.-Northwest Regional
761Data Center is designated as a primary data center as defined in
762s. 282.0041. The center shall be managed by a board of trustees
763as provided in s. 282.203, who shall comply with all
764requirements of that section related to the operation of the
765center and with the rules of the Agency for Enterprise
766Information Technology relating to primary data centers.
767     Section 8.  Sections 282.3055 and 282.315, Florida
768Statutes, are repealed.
769     Section 9.  Subsections (3) through (7) of section 282.318,
770Florida Statutes, are amended to read:
771     282.318  Enterprise security of data and information
772technology.-
773     (3)  The Office of Information Security within the Agency
774for Enterprise Information Technology is responsible for
775establishing rules and publishing guidelines for ensuring an
776appropriate level of security for all data and information
777technology resources for executive branch agencies. The Agency
778for Enterprise Information Technology office shall also perform
779the following duties and responsibilities:
780     (a)  Develop, and annually update by February 1, an
781enterprise information security strategic plan that includes
782security goals and objectives for the strategic issues of
783information security policy, risk management, training, incident
784management, and survivability planning.
785     (b)  Develop enterprise security rules and published
786guidelines for:
787     1.  Comprehensive risk analyses and information security
788audits conducted by state agencies.
789     2.  Responding to suspected or confirmed information
790security incidents, including suspected or confirmed breaches of
791personal information or exempt data.
792     3.  Agency security plans, including strategic security
793plans and security program plans.
794     4.  The recovery of information technology and data
795following a disaster.
796     5.  The managerial, operational, and technical safeguards
797for protecting state government data and information technology
798resources.
799     (c)  Assist agencies in complying with the provisions of
800this section.
801     (d)  Pursue appropriate funding for the purpose of
802enhancing domestic security.
803     (e)  Provide training for agency information security
804managers.
805     (f)  Annually review the strategic and operational
806information security plans of executive branch agencies.
807     (4)  To assist the Agency for Enterprise Information
808Technology Office of Information Security in carrying out its
809responsibilities, each agency head shall, at a minimum:
810     (a)  Designate an information security manager to
811administer the security program of the agency for its data and
812information technology resources. This designation must be
813provided annually in writing to the Agency for Enterprise
814Information Technology office by January 1.
815     (b)  Submit to the Agency for Enterprise Information
816Technology, office annually by July 31, the agency's strategic
817and operational information security plans developed pursuant to
818the rules and guidelines established by the Agency for
819Enterprise Information Technology office.
820     1.  The agency strategic information security plan must
821cover a 3-year period and define security goals, intermediate
822objectives, and projected agency costs for the strategic issues
823of agency information security policy, risk management, security
824training, security incident response, and survivability. The
825plan must be based on the enterprise strategic information
826security plan created by the Agency for Enterprise Information
827Technology office. Additional issues may be included.
828     2.  The agency operational information security plan must
829include a progress report for the prior operational information
830security plan and a project plan that includes activities,
831timelines, and deliverables for security objectives that,
832subject to current resources, the agency will implement during
833the current fiscal year. The cost of implementing the portions
834of the plan which cannot be funded from current resources must
835be identified in the plan.
836     (c)  Conduct, and update every 3 years, a comprehensive
837risk analysis to determine the security threats to the data,
838information, and information technology resources of the agency.
839The risk analysis information is confidential and exempt from
840the provisions of s. 119.07(1), except that such information
841shall be available to the Auditor General and the Agency for
842Enterprise Information Technology for performing postauditing
843duties.
844     (d)  Develop, and periodically update, written internal
845policies and procedures, which include procedures for notifying
846the Agency for Enterprise Information Technology office when a
847suspected or confirmed breach, or an information security
848incident, occurs. Such policies and procedures must be
849consistent with the rules and guidelines established by the
850Agency for Enterprise Information Technology office to ensure
851the security of the data, information, and information
852technology resources of the agency. The internal policies and
853procedures that, if disclosed, could facilitate the unauthorized
854modification, disclosure, or destruction of data or information
855technology resources are confidential information and exempt
856from s. 119.07(1), except that such information shall be
857available to the Auditor General and the Agency for Enterprise
858Information Technology for performing postauditing duties.
859     (e)  Implement appropriate cost-effective safeguards to
860address identified risks to the data, information, and
861information technology resources of the agency.
862     (f)  Ensure that periodic internal audits and evaluations
863of the agency's security program for the data, information, and
864information technology resources of the agency are conducted.
865The results of such audits and evaluations are confidential
866information and exempt from s. 119.07(1), except that such
867information shall be available to the Auditor General and the
868Agency for Enterprise Information Technology for performing
869postauditing duties.
870     (g)  Include appropriate security requirements in the
871written specifications for the solicitation of information
872technology and information technology resources and services,
873which are consistent with the rules and guidelines established
874by the Agency for Enterprise Information Technology office.
875     (h)  Provide security awareness training to employees and
876users of the agency's communication and information resources
877concerning information security risks and the responsibility of
878employees and users to comply with policies, standards,
879guidelines, and operating procedures adopted by the agency to
880reduce those risks.
881     (i)  Develop a process for detecting, reporting, and
882responding to suspected or confirmed security incidents,
883including suspected or confirmed breaches consistent with the
884security rules and guidelines established by the Agency for
885Enterprise Information Technology office.
886     1.  Suspected or confirmed information security incidents
887and breaches must be immediately reported to the Agency for
888Enterprise Information Technology office.
889     2.  For incidents involving breaches, agencies shall
890provide notice in accordance with s. 817.5681 and to the Agency
891for Enterprise Information Technology office in accordance with
892this subsection.
893     (5)  Each state agency shall include appropriate security
894requirements in the specifications for the solicitation of
895contracts for procuring information technology or information
896technology resources or services which are consistent with the
897rules and guidelines established by the Agency for Enterprise
898Information Technology Office of Information Security.
899     (6)  The Agency for Enterprise Information Technology may
900adopt rules relating to information security and to administer
901the provisions of this section.
902     (7)  By December 31, 2010, the Agency for Enterprise
903Information Technology shall develop, and submit to the
904Governor, the President of the Senate, and the Speaker of the
905House of Representatives a proposed implementation plan for
906information technology security. The agency shall describe the
907scope of operation, conduct costs and requirements analyses,
908conduct an inventory of all existing security information
909technology resources, and develop strategies, timeframes, and
910resources necessary for statewide migration.
911     Section 10.  Subsection (5) of section 282.34, Florida
912Statutes, is amended to read:
913     282.34  Statewide e-mail service.-A state e-mail system
914that includes the delivery and support of e-mail, messaging, and
915calendaring capabilities is established as an enterprise
916information technology service as defined in s. 282.0041. The
917service shall be designed to meet the needs of all executive
918branch agencies. The primary goals of the service are to
919minimize the state investment required to establish, operate,
920and support the statewide service; reduce the cost of current e-
921mail operations and the number of duplicative e-mail systems;
922and eliminate the need for each state agency to maintain its own
923e-mail staff.
924     (5)  In order to develop the implementation plan for the
925statewide e-mail service, the Agency for Enterprise Information
926Technology shall establish and coordinate a statewide e-mail
927project team. The agency shall also consult with and, as
928necessary, form workgroups consisting of agency e-mail
929management staff, agency chief information officers, agency
930budget directors, and other administrative staff. The statewide
931e-mail implementation plan must be submitted to the Governor,
932the President of the Senate, and the Speaker of the House of
933Representatives by July 1, 2011.
934     Section 11.  Paragraph (h) of subsection (3) and paragraph
935(b) of subsection (4) of section 287.042, Florida Statutes, are
936amended to read:
937     287.042  Powers, duties, and functions.-The department
938shall have the following powers, duties, and functions:
939     (3)  To establish a system of coordinated, uniform
940procurement policies, procedures, and practices to be used by
941agencies in acquiring commodities and contractual services,
942which shall include, but not be limited to:
943     (h)  Development, in consultation with the Agency Chief
944Information Officers Council, of procedures to be used by state
945agencies when procuring information technology commodities and
946contractual services to ensure compliance with public records
947requirements and records retention and archiving requirements.
948     (4)
949     (b)  To prescribe, in consultation with the Agency Chief
950Information Officers Council, procedures for procuring
951information technology and information technology consultant
952services which provide for public announcement and
953qualification, competitive solicitations, contract award, and
954prohibition against contingent fees. Such procedures shall be
955limited to information technology consultant contracts for which
956the total project costs, or planning or study activities, are
957estimated to exceed the threshold amount provided for in s.
958287.017, for CATEGORY TWO.
959     Section 12.  This act shall take effect July 1, 2011.
960
961
962
-----------------------------------------------------
963
T I T L E  A M E N D M E N T
964     Remove the entire title and insert:
965
A bill to be entitled
966An act relating to the Agency for Enterprise Information
967Technology; amending s. 14.204, F.S.; revising duties and
968responsibilities of the agency; removing provisions for
969the Office of Information Security and the Agency Chief
970Information Officers Council; amending s. 20.315, F.S.,
971relating to the Department of Corrections; providing for
972the department's data system to be managed through the
973department's Office of Information Technology; removing
974reference to the Justice Data Center; amending s.
975282.0041, F.S.; removing the definitions of the terms
976"agency chief information officer" and "Agency Chief
977Information Officers Council"; revising the definition of
978the term "primary data center"; amending s. 282.0056,
979F.S.; revising requirements for development of an annual
980work plan by the agency; amending s. 282.201, F.S.;
981revising duties of the agency; providing for submission of
982certain recommendations to the Executive Office of the
983Governor, the Legislature, and primary data centers;
984removing a provision for an overall consolidation plan;
985revising provisions for adoption of rules by the agency;
986requiring publication of notice; revising duties of state
987agencies; providing a schedule for state agency data
988center consolidation; providing conditions for
989consolidations; requiring the agency to make certain
990reports; requiring development of transition plans;
991amending s. 282.203, F.S.; revising duties of primary data
992centers; revising provisions for service-level agreements;
993revising provisions for membership of boards of trustees
994of primary data centers; creating s. 282.206, F.S.;
995designating the Northwest Regional Data Center as a
996primary data center; repealing s. 282.3055, F.S., relating
997to agency chief information officers; repealing s.
998282.315, F.S., relating to the Agency Chief Information
999Officers Council; amending s. 282.318, F.S., relating to
1000enterprise security of data and information technology;
1001conforming to changes made by the act; deleting an
1002obsolete provision; amending ss. 282.34 and 287.042, F.S.,
1003relating to statewide e-mail service and powers, duties,
1004and functions of the Department of Management Services,
1005respectively; conforming provisions to changes made by the
1006act; providing an effective date.


CODING: Words stricken are deletions; words underlined are additions.