Florida Senate - 2014 PROPOSED COMMITTEE SUBSTITUTE
Bill No. SB 928
Ì290876PÎ290876
576-02182-14
Proposed Committee Substitute by the Committee on Appropriations
(Appropriations Subcommittee on General Government)
1 A bill to be entitled
2 An act relating to state technology; repealing s.
3 14.204, F.S., relating to the Agency for Enterprise
4 Information Technology within the Executive Office of
5 the Governor; creating s. 20.61, F.S.; creating the
6 Agency for State Technology within the Department of
7 Management Services; providing for an executive
8 director and other permanent positions; creating a
9 Technology Advisory Council and providing for
10 membership; amending s. 282.0041, F.S.; revising and
11 defining terms used in the Enterprise Information
12 Technology Services Management Act; creating s.
13 282.0051, F.S.; providing the powers, duties, and
14 functions of the Agency for State Technology;
15 authorizing the agency to adopt rules; providing
16 exceptions for certain departments; repealing s.
17 282.0055, F.S., relating to the assignment of
18 information technology resource and service
19 responsibilities; repealing s. 282.0056, F.S.,
20 relating to the development of an annual work plan,
21 the development of implementation plans, and policy
22 recommendations relating to enterprise information
23 technology services; amending s. 282.201, F.S.;
24 providing for a state data center and the duties of
25 the center; deleting duties for the Agency for
26 Enterprise Information Technology; revising the
27 schedule for consolidating agency data centers and
28 deleting obsolete provisions; revising the limitations
29 on state agencies; repealing s. 282.203, F.S.,
30 relating to primary data centers; repealing s.
31 282.204, F.S., relating to the Northwood Shared
32 Resource Center; repealing s. 282.205, F.S., relating
33 to the Southwood Shared Resource Center; amending s.
34 282.318, F.S.; conforming provisions to changes made
35 by the act; revising the duties of the state agencies
36 with respect to information technology security;
37 repealing s. 282.33, F.S., relating to objective
38 standards for data center energy efficiency; repealing
39 s. 282.34, F.S., relating to statewide e-mail service;
40 amending ss. 17.0315, 20.055, 110.205, 215.322, and
41 215.96, F.S.; conforming provisions to changes made by
42 the act; amending s. 216.023, F.S.; requiring the
43 governance structure of information technology
44 projects to incorporate certain standards; amending s.
45 287.057, F.S.; requiring the Department of Management
46 Services to consult with the agency with respect to
47 the online procurement of commodities; amending ss.
48 445.011, 445.045, and 668.50, F.S.; conforming
49 provisions to changes made by the act; amending s.
50 943.0415, F.S.; providing additional duties for the
51 Cybercrime Office in the Department of Law Enforcement
52 relating to cyber security; requiring the office to
53 provide cyber security training to state agency
54 employees; requiring the office to consult with the
55 agency; amending s. 1004.649, F.S.; revising
56 provisions relating to the Northwest Regional Data
57 Center; revising the center’s duties and the content
58 of service-level agreements with state agency
59 customers; transferring the components of the Agency
60 for Enterprise Information Technology to the Agency
61 for State Technology; providing that certain rules
62 adopted by the Agency for Enterprise Information
63 Technology are nullified; transferring the Northwood
64 Shared Resource Center and the Southwood Shared
65 Resource Center to the Agency for State Technology;
66 requiring the Agency for State Technology to complete
67 a feasibility study relating to managing state
68 government data; specifying the components of the
69 study; requiring the study to be submitted to the
70 Governor and Legislature by a certain date; creating
71 the State Data Center Task Force; specifying the
72 membership and purpose of the task force; providing
73 for expiration; providing an appropriation; providing
74 effective dates.
75
76 Be It Enacted by the Legislature of the State of Florida:
77
78 Section 1. Section 14.204, Florida Statutes, is repealed.
79 Section 2. Section 20.61, Florida Statutes, is created to
80 read:
81 20.61 Agency for State Technology.—The Agency for State
82 Technology is created within the Department of Management
83 Services.
84 (1) The agency is a separate budget entity and is not
85 subject to control, supervision, or direction by the department,
86 including, but not limited to, purchasing, transactions
87 involving real or personal property, personnel, or budgetary
88 matters.
89 (2) The agency shall be headed by an executive director
90 appointed by the Governor and subject to the confirmation of the
91 Senate. The executive director shall be the State Chief
92 Information Officer.
93 (a) The executive director must be a proven, effective
94 administrator who preferably has executive-level experience in
95 both the public and private sectors.
96 (b) The Governor shall conduct a thorough search to find
97 the most qualified candidate and in conducting such a search,
98 the Governor shall place emphasis on the development and
99 implementation of information technology strategic planning;
100 management of enterprise information technology projects,
101 particularly management of large-scale consolidation projects;
102 and development and implementation of fiscal and substantive
103 information technology policy.
104 (3) The following positions are established within the
105 agency, all of which shall be appointed by the executive
106 director:
107 (a) A Deputy State Chief Information Officer.
108 (b) A Chief Planning Officer and six Strategic Planning
109 Coordinators with one coordinator assigned to each of the
110 following major program areas: health and human services,
111 education, government operations, criminal and civil justice,
112 agriculture and natural resources, and transportation and
113 economic development.
114 (c) A Chief Operations Officer.
115 (d) A Chief Information Security Officer.
116 (e) A Chief Technology Officer.
117 (4) The Technology Advisory Council, consisting of seven
118 members, is established and shall be maintained within the
119 agency pursuant to s. 20.052. Four members, two of whom must be
120 from the private sector, shall be appointed by the Governor; one
121 member shall be appointed by the Chief Financial Officer in
122 consultation with the Attorney General and the Commissioner of
123 Agriculture; and one member each shall be appointed by the
124 President of the Senate and the Speaker of the House of
125 Representatives. Upon initial establishment of the council, two
126 of the Governor’s appointments shall be for 2-year terms.
127 Thereafter all appointments shall be for 4-year terms.
128 (a) The council shall consider and make recommendations to
129 the executive director of the agency on such matters as
130 enterprise information technology policies, standards, services,
131 and architecture.
132 (b) The executive director of the agency shall consult with
133 the council with regard to executing the duties and
134 responsibilities of the agency related to statewide information
135 technology strategic planning and policy.
136 (c) The council shall be governed by the code of ethics for
137 public officers and employees as set forth in part III of
138 chapter 112 and each member must file a statement of financial
139 interests pursuant to s. 112.3145.
140 Section 3. Section 282.0041, Florida Statutes, is amended
141 to read:
142 282.0041 Definitions.—As used in this chapter, the term:
143 (1) “Agency” has the same meaning as in s. 216.011(1)(qq),
144 except that for purposes of this chapter, “agency” does not
145 include university boards of trustees or state universities.
146 (2) “Agency for Enterprise Information Technology” means
147 the agency created in s. 14.204.
148 (3) “Agency information technology service” means a service
149 that directly helps an agency fulfill its statutory or
150 constitutional responsibilities and policy objectives and is
151 usually associated with the agency’s primary or core business
152 functions.
153 (4) “Annual budget meeting” means a meeting of the board of
154 trustees of a primary data center to review data center usage to
155 determine the apportionment of board members for the following
156 fiscal year, review rates for each service provided, and
157 determine any other required changes.
158 (1)(5) “Breach” has the same meaning as in s. 817.5681(4).
159 (2)(6) “Business continuity plan” means a collection of
160 procedures and information used to maintain an agency’s critical
161 operations during a period of displacement or interruption of
162 normal operations plan for disaster recovery which provides for
163 the continued functioning of a primary data center during and
164 after a disaster.
165 (3)(7) “Computing facility” means agency space containing
166 fewer than a total of 10 physical or logical servers, any of
167 which supports a strategic or nonstrategic information
168 technology service, as described in budget instructions
169 developed pursuant to s. 216.023, but excluding single, logical
170 server installations that exclusively perform a utility function
171 such as file and print servers.
172 (4)(8) “Customer entity” means an entity that obtains
173 services from a state primary data center.
174 (5)(9) “Data center” means agency space containing 10 or
175 more physical or logical servers any of which supports a
176 strategic or nonstrategic information technology service, as
177 described in budget instructions developed pursuant to s.
178 216.023.
179 (6)(10) “Department” means the Department of Management
180 Services.
181 (7) “Disaster recovery” means the processes, policies,
182 procedures, and infrastructure that relate to preparing for and
183 implementing recovery or continuation of an organization’s vital
184 technology infrastructure after a natural or human–induced
185 disaster.
186 (8)(11) “Enterprise information technology service” means
187 an information technology service that is used in all agencies
188 or a subset of agencies and is established in law to be
189 designed, delivered, and managed at the enterprise level.
190 (12) “E-mail, messaging, and calendaring service” means the
191 enterprise information technology service that enables users to
192 send, receive, file, store, manage, and retrieve electronic
193 messages, attachments, appointments, and addresses. The e-mail,
194 messaging, and calendaring service must include e-mail account
195 management; help desk; technical support and user provisioning
196 services; disaster recovery and backup and restore capabilities;
197 antispam and antivirus capabilities; archiving and e-discovery;
198 and remote access and mobile messaging capabilities.
199 (9) “Event” means an observable occurrence in a system or
200 network.
201 (10) “Incident” means a violation or imminent threat of
202 violation of computer security policies, acceptable use
203 policies, or standard security practices. An imminent threat of
204 violation exists when a state agency has a factual basis for
205 believing that a specific incident is about to occur.
206 (13) “Information-system utility” means a full-service
207 information-processing facility offering hardware, software,
208 operations, integration, networking, and consulting services.
209 (11)(14) “Information technology” means equipment,
210 hardware, software, firmware, programs, systems, networks,
211 infrastructure, media, and related material used to
212 automatically, electronically, and wirelessly collect, receive,
213 access, transmit, display, store, record, retrieve, analyze,
214 evaluate, process, classify, manipulate, manage, assimilate,
215 control, communicate, exchange, convert, converge, interface,
216 switch, or disseminate information of any kind or form.
217 (12)(15) “Information technology policy” means a specific
218 course or method of action selected from among alternatives that
219 guide and determine present and future decisions statements that
220 describe clear choices for how information technology will
221 deliver effective and efficient government services to residents
222 and improve state agency operations. A policy may relate to
223 investments, business applications, architecture, or
224 infrastructure. A policy describes its rationale, implications
225 of compliance or noncompliance, the timeline for implementation,
226 metrics for determining compliance, and the accountable
227 structure responsible for its implementation.
228 (13) “Information technology resources” has the same
229 meaning as in s. 119.011.
230 (14) “Information technology security” means the protection
231 afforded to an automated information system in order to attain
232 the applicable objectives of preserving the integrity,
233 availability, and confidentiality of data, information, and
234 information technology resources.
235 (15)(16) “Performance metrics” means the measures of an
236 organization’s activities and performance.
237 (16)(17) “Primary data center” means a data center that is
238 a recipient entity for consolidation of state agency nonprimary
239 data centers and computing facilities and that is established by
240 law.
241 (17)(18) “Project” means an endeavor that has a defined
242 start and end point; is undertaken to create or modify a unique
243 product, service, or result; and has specific objectives that,
244 when attained, signify completion.
245 (18) “Project oversight” means an independent review and
246 analysis of an information technology project in order to
247 provide information on the project’s scope, completion
248 timeframes, and budget and should identify and quantify any
249 issues or risks affecting the successful and timely completion
250 of the project.
251 (19) “Risk assessment analysis” means the process of
252 identifying security risks, determining their magnitude, and
253 identifying areas needing safeguards.
254 (20) “Service level” means the key performance indicators
255 (KPI) of an organization or service which must be regularly
256 performed, monitored, and achieved.
257 (21) “Service-level agreement” means a written contract
258 between a data center and a customer entity which specifies the
259 scope of services provided, service level, the duration of the
260 agreement, the responsible parties, and service costs. A
261 service-level agreement is not a rule pursuant to chapter 120.
262 (22) “Stakeholder” means an individual, group,
263 organization, or state agency involved in or affected by a
264 course of action.
265 (23)(22) “Standards” means required practices, controls,
266 components, or configurations established by an authority.
267 (24) “State Agency” means any official, officer,
268 commission, board, authority, council, committee, or department
269 of the executive branch of state government, and the Justice
270 Administration Commission and the Public Service Commission. For
271 the purpose of this chapter, “agency” does not include
272 university boards of trustees or state universities.
273 (25) “State data center” means an enterprise information
274 technology service provider that is the recipient entity for the
275 consolidation of state agency data centers and computing
276 facilities and that establishes, implements, operates, monitors,
277 reviews, and maintains data center services that are hosted on
278 premises or externally through a third-party provider as an
279 enterprise information technology service which improve
280 information technology services designated by the Agency for
281 State Technology in compliance with the operating guidelines and
282 procedures set forth by the agency pursuant to s. 282.0051(11).
283 (26)(23) “SUNCOM Network” means the state enterprise
284 telecommunications system that provides all methods of
285 electronic or optical telecommunications beyond a single
286 building or contiguous building complex and used by entities
287 authorized as network users under this part.
288 (27)(24) “Telecommunications” means the science and
289 technology of communication at a distance, including electronic
290 systems used in the transmission or reception of information.
291 (28)(25) “Threat” means any circumstance or event that has
292 the potential to adversely affect a state agency’s operation or
293 assets through an information system by means of unauthorized
294 access, destruction, disclosure, modification of information, or
295 denial of service may cause harm to the integrity, availability,
296 or confidentiality of information technology resources.
297 (29) “Variance” means a calculated value that illustrates a
298 positive or negative deviation from a projection measured
299 against documented estimations within a project plan.
300 (26) “Total cost” means all costs associated with
301 information technology projects or initiatives, including, but
302 not limited to, value of hardware, software, service,
303 maintenance, incremental personnel, and facilities. Total cost
304 of a loan or gift of information technology resources to an
305 agency includes the fair market value of the resources.
306 (27) “Usage” means the billing amount charged by the
307 primary data center, less any pass-through charges, to the
308 customer entity.
309 (28) “Usage rate” means a customer entity’s usage or
310 billing amount as a percentage of total usage.
311 Section 4. Section 282.0051, Florida Statutes, is created
312 to read:
313 282.0051 Agency for State Technology; powers, duties, and
314 functions.—
315 (1) The Agency for State Technology has the following
316 powers, duties, and functions:
317 (a) Developing and publishing information technology policy
318 for the management of the state’s information technology
319 resources.
320 (b) Establishing and publishing information technology
321 architecture standards to achieve the most efficient use of the
322 state’s information technology resources and to ensure
323 compatibility and alignment with the needs of state agencies.
324 The agency shall assist state agencies in complying with such
325 standards.
326 (c) By June 30, 2015, establishing project management and
327 project oversight standards that state agencies must comply with
328 while implementing information technology projects. The Agency
329 for State Technology shall provide training opportunities to
330 state agencies to assist in the adoption of the project
331 management and oversight standards. To support data-driven
332 decisionmaking, such standards must include, but are not limited
333 to:
334 1. Performance measurements and metrics that objectively
335 reflect the status of an information technology project based on
336 the defined and documented project scope, cost, and schedule.
337 2. Methodologies for calculating acceptable variance ranges
338 in the projected versus actual scope, schedule, or cost of an
339 information technology project.
340 3. Reporting requirements that provide project visibility
341 to all identified stakeholders, including instances in which an
342 information technology project exceeds the acceptable variance
343 ranges as defined and documented in the project plan.
344 4. The content, format, and frequency of project updates.
345 (d) Beginning January 1, 2015, performing project oversight
346 on all information technology projects that have total project
347 costs of $10 million or more and that are funded in the General
348 Appropriations Act or under state law. The agency shall report
349 at least quarterly to the Executive Office of the Governor, the
350 President of the Senate, and the Speaker of the House of
351 Representatives on any information technology project the agency
352 identifies as being a high-risk project that may exceed the
353 acceptable variance ranges as defined and documented in the
354 project plan. The report must include an assessment of the risk
355 levels, including fiscal risks, associated with proceeding to
356 the next stage of the project and a recommendation for requiring
357 corrective action, which includes suspending or terminating the
358 project.
359 (e) By October 15, 2015, and biennially thereafter,
360 identifying opportunities for standardizing and consolidating
361 information technology services that support business functions
362 and operations, including administrative functions such as
363 purchasing, accounting and reporting, cash management, and
364 personnel, which are common across state agencies, and providing
365 recommendations for such standardization and consolidation to
366 the Executive Office of the Governor, the President of the
367 Senate, and the Speaker of the House of Representatives.
368 (f) The department shall incorporate standards established
369 by the agency which are designed to reduce costs, increase
370 productivity, or improve services into the requirements for
371 procuring information technology products and services. The
372 agency shall review all information technology purchases made by
373 state agencies which have a total cost of $250,000 or more,
374 unless a purchase is specifically mandated by the Legislature,
375 for compliance with the standards established pursuant to this
376 section.
377 (g) The agency shall participate as an evaluator or
378 negotiator and collaborate with the department in conducting
379 procurements for information technology products and services
380 that will be used by multiple state agencies, and collaborate
381 with the department in information technology resource
382 acquisition planning.
383 (h) Encouraging state agencies, when considering technology
384 infrastructure priorities, to actively seek out and identify
385 opportunities that potentially fit into the public-private
386 partnership model, and develop sustainable partnerships between
387 private entities and units of government in order to accelerate
388 project delivery and provide a source of new or increased
389 funding for other infrastructure needs.
390 (i) Establishing standards for information technology
391 reports and updates for use by state agencies which include, but
392 are not limited to, operational work plans, project spending
393 plans, and project status reports.
394 (j) Upon request, assisting state agencies in the
395 development of their information technology-related legislative
396 budget requests.
397 (k) Conducting annual assessments of state agencies to
398 determine their compliance with information technology standards
399 and guidelines developed and published by the Agency for State
400 Technology and provide results of the assessments to the
401 Executive Office of the Governor, the President of the Senate,
402 and the Speaker of the House of Representatives.
403 (l) Providing operational management and oversight of the
404 state data center established pursuant to s. 282.201, which
405 includes:
406 1. Implementing industry standards and best practices for
407 the state data center’s facilities, operations, maintenance,
408 planning, and management processes.
409 2. Developing and implementing cost-recovery mechanisms
410 that recover the full cost of services, including direct and
411 indirect costs, through charges to applicable customer entities.
412 Such mechanisms must comply with applicable state and federal
413 requirements relating to the distribution and use of such funds
414 and must ensure that for any fiscal year a service or customer
415 entity is not subsidizing another service or customer entity.
416 3. Establishing operating guidelines and procedures
417 necessary for the state data center to perform its duties
418 pursuant to s. 282.201 which comply with applicable state and
419 federal laws, rules, and policies and are in accordance with
420 generally accepted governmental accounting and auditing
421 standards. Such guidelines and procedures must include, but need
422 not be limited to:
423 a. Implementing a consolidated administrative support
424 structure that is responsible for the provision of financial
425 management, procurement, transactions involving real or personal
426 property, human resources, and operational support.
427 b. Implementing an annual reconciliation process to ensure
428 that each customer entity is paying for the full direct and
429 indirect cost of each service as determined by the customer
430 entity’s use of each service.
431 c. Providing rebates, which may be credited against future
432 billings, to customer entities when revenues exceed costs.
433 d. Requiring a customer entity to validate that sufficient
434 funds are in or will be transferred into the appropriate data
435 processing appropriation category before implementing a customer
436 entity’s request for a change in the type or level of service if
437 such change results in a net increase to the customer entity’s
438 costs for that fiscal year.
439 e. Providing to each customer entity’s agency head by
440 September 1 of each year the projected costs to provide data
441 center services for the following fiscal year.
442 f. Providing a plan for consideration by the Legislative
443 Budget Commission if the cost of a service is increased for a
444 reason other than a customer entity’s request pursuant to
445 subparagraph 4. which results in a net increase to the customer
446 entity for that fiscal year.
447 g. Standardizing and consolidating procurement and
448 contracting practices.
449 4. In collaboration with the Department of Law Enforcement,
450 developing and implementing a process for detecting, reporting,
451 and responding to information technology security incidents,
452 breaches, or threats.
453 5. Adopting rules relating to the operation of the state
454 data center, which include, but are not limited to, its
455 budgeting and accounting procedures, cost-recovery
456 methodologies, and operating procedures.
457 6. Consolidating contract practices and coordinating
458 software, hardware, or other technology-related procurements.
459 7. Annually conducting a market analysis to determine if
460 the state’s approach to the provision of data center services is
461 the most effective and efficient manner by which its customer
462 entities can acquire such services based on federal, state, and
463 local government trends, best practices in service provision,
464 and the acquisition of new and emerging technologies. The
465 results of the market analysis should assist the state data
466 center in making any necessary adjustments to its data center
467 service offerings.
468 (m) Recommending other information technology services that
469 should be designed, delivered, and managed as enterprise
470 information technology services. Such recommendations should
471 include the identification of any existing information
472 technology resources associated with such services which would
473 need to be transferred as a result of such services being
474 delivered and managed as enterprise information technology
475 services.
476 (n) Recommending any further agency computing facility or
477 data center consolidations into the state data center
478 established pursuant to s. 282.201. Such recommendations should
479 include the proposed timeline for the consolidation.
480 (o) In consultation with state agencies, proposing
481 methodology and approaches for identifying and collecting both
482 current and planned information technology expenditure data at
483 the state agency level.
484 (p) If adherence to the standards or policies adopted or to
485 the requirements established pursuant to this section conflicts
486 with federal regulations or requirements imposed on the state
487 agency and results in adverse action against the state agency or
488 federal funding, the agency shall work with the state agency to
489 provide alternative standards, policies, or requirements that do
490 not conflict with the federal regulations or requirements. Such
491 alternatives shall be reported annually, starting July 1, 2015,
492 to the Governor, the President of the Senate, and the Speaker of
493 the House of Representatives.
494 (q) Adopting rules to administer this section.
495 (2) Except as provided in subsection (3), the Department of
496 Financial Services, the Department of Legal Affairs, and the
497 Department of Agriculture and Consumer Services are not subject
498 to the powers, duties, and functions of the Agency for State
499 Technology established under this section. Each of those
500 departments shall adopt the standards established in paragraphs
501 (1)(b), (1)(c), and (1)(i) or adopt alternative standards based
502 on best practices or industry standards and may contract
503 separately with the Agency for State Technology to provide and
504 perform any of the services and functions for those departments.
505 (3)(a) An information technology project administered or
506 implemented by the Department of Financial Services, the
507 Department of Legal Affairs, or the Department of Agriculture
508 and Consumer Services is subject to project oversight as
509 established in paragraph (1)(d), architecture standards as
510 established in paragraph (1)(b), project management standards as
511 established in paragraph (1)(c), and reporting standards as
512 established in paragraph (1)(i) by the Agency for State
513 Technology if the project is expected to have a total project
514 cost of $25 million or more and if the project directly affects
515 another state agency or another information technology project
516 that is subject to the powers, duties, and functions of the
517 Agency for State Technology.
518 (b) If an information technology project administered by a
519 state agency subject to the powers, duties, and functions of the
520 Agency for State Technology must be connected to or otherwise
521 accommodated by an information technology system administered by
522 the Department of Financial Services, the Department of Legal
523 Affairs or the Department of Agriculture and Consumer Services,
524 the Agency for State Technology shall consult with those
525 departments regarding the risks and other effects of such
526 projects on those departments’ information technology systems
527 and shall work cooperatively with those departments regarding
528 the connections, interfaces, timing, or accommodation required
529 to implement such projects.
530 Section 5. Section 282.0055, Florida Statutes, is repealed.
531 Section 6. Section 282.0056, Florida Statutes, is repealed.
532 Section 7. Section 282.201, Florida Statutes, is amended to
533 read:
534 282.201 State data center system; agency duties and
535 limitations.—The A state data center system that includes all
536 primary data centers, other nonprimary data centers, and
537 computing facilities, and that provides an enterprise
538 information technology service as defined in s. 282.0041, is
539 established as a primary data center within the Agency for State
540 Technology and includes the facilities formerly known as the
541 Northwood Shared Resource Center and the Southwood Shared
542 Resource Center.
543 (1) INTENT.—The Legislature finds that the most efficient
544 and effective means of providing quality utility data processing
545 services to state agencies requires that computing resources be
546 concentrated in quality facilities that provide the proper
547 security, disaster recovery, infrastructure, and staff resources
548 to ensure that the state’s data is maintained reliably and
549 safely, and is recoverable in the event of a disaster.
550 Efficiencies resulting from such consolidation include the
551 increased ability to leverage technological expertise and
552 hardware and software capabilities; increased savings through
553 consolidated purchasing decisions; and the enhanced ability to
554 deploy technology improvements and implement new policies
555 consistently throughout the consolidated organization. Unless
556 otherwise exempt by law, it is the intent of the Legislature
557 that all agency data centers and computing facilities be
558 consolidated into the state a primary data center by 2019.
559 (2) STATE DATA CENTER DUTIES.—The state data center shall:
560 (a) Offer, develop, and support the services and
561 applications as provided in the service-level agreements
562 executed with its customer entities.
563 (b) Maintain the performance of the state data center,
564 which includes ensuring proper data backup, data backup
565 recovery, a disaster recovery plan, appropriate security, power,
566 cooling, fire suppression, and capacity.
567 (c) Develop a business continuity plan and a disaster
568 recovery plan, and conduct a live exercise of these plans at
569 least annually.
570 (d) Enter into a service level agreement with each customer
571 entity to provide the required type and level of service or
572 services. If a customer entity fails to execute an agreement
573 within 60 days after the commencement of a service, the state
574 data center may cease service. A service level agreement may not
575 have a term exceeding 3 years and at a minimum must:
576 1. Identify the parties and their roles, duties, and
577 responsibilities under the agreement.
578 2. State the duration of the contractual term and specify
579 the conditions for renewal.
580 3. Identify the scope of work.
581 4. Identify the products or services to be delivered with
582 sufficient specificity to permit an external financial or
583 performance audit.
584 5. Establish the services to be provided, the business
585 standards that must be met for each service, the cost of each
586 service, and the metrics and processes by which the business
587 standards for each service are to be objectively measured and
588 reported.
589 6. Provide a timely billing methodology for recovering the
590 cost of services provided to the customer entity pursuant to s.
591 215.422.
592 7. Provide a procedure for modifying the service level
593 agreement based on changes in the type, level, and cost of a
594 service.
595 8. Include a right-to-audit clause to ensure that the
596 parties to the agreement have access to records for audit
597 purposes during the term of the service level agreement.
598 9. Provide that a service level agreement may be terminated
599 by either party for cause only after giving the other party and
600 the Agency for State Technology notice in writing of the cause
601 for termination and an opportunity for the other party to
602 resolve the identified cause within a reasonable period.
603 10. Provide for the mediation of disputes by the Division
604 of Administrative Hearings pursuant to s. 120.573.
605 (e) Be the custodian of resources and equipment that are
606 located, operated, supported, and managed by the state data
607 center for the purposes of chapter 273.
608 (f) Assume administrative access rights to the resources
609 and equipment, such as servers, network components, and other
610 devices that are consolidated into the state data center.
611 1. On the date of each consolidation specified in this
612 section, the General Appropriations Act, or the Laws of Florida,
613 each state agency shall relinquish all administrative rights to
614 such resources and equipment. State agencies required to comply
615 with federal security regulations and policies shall retain
616 administrative access rights sufficient to comply with the
617 management control provisions of those regulations and policies;
618 however, the state data center shall have the appropriate type
619 or level of rights to allow the center to comply with its duties
620 pursuant to this section. The Department of Law Enforcement
621 shall serve as the arbiter of any disputes which may arise
622 regarding the appropriate type and level of administrative
623 access rights relating to the provision of management control in
624 accordance with federal criminal justice information guidelines.
625 2. The state data center shall provide its customer
626 entities with access to applications, servers, network
627 components, and other devices necessary for state agencies to
628 perform business activities and functions, and as defined and
629 documented in the service level agreement.
630 (2) AGENCY FOR ENTERPRISE INFORMATION TECHNOLOGY DUTIES.
631 The Agency for Enterprise Information Technology shall:
632 (a) Collect and maintain information necessary for
633 developing policies relating to the data center system,
634 including, but not limited to, an inventory of facilities.
635 (b) Annually approve cost-recovery mechanisms and rate
636 structures for primary data centers which recover costs through
637 charges to customer entities.
638 (c) By September 30 of each year, submit to the
639 Legislature, the Executive Office of the Governor, and the
640 primary data centers recommendations to improve the efficiency
641 and cost-effectiveness of computing services provided by state
642 data center system facilities. Such recommendations must
643 include, but need not be limited to:
644 1. Policies for improving the cost-effectiveness and
645 efficiency of the state data center system, which includes the
646 primary data centers being transferred to a shared, virtualized
647 server environment, and the associated cost savings resulting
648 from the implementation of such policies.
649 2. Infrastructure improvements supporting the consolidation
650 of facilities or preempting the need to create additional data
651 centers or computing facilities.
652 3. Uniform disaster recovery standards.
653 4. Standards for primary data centers which provide cost
654 effective services and transparent financial data to user
655 agencies.
656 5. Consolidation of contract practices or coordination of
657 software, hardware, or other technology-related procurements and
658 the associated cost savings.
659 6. Improvements to data center governance structures.
660 (d) By October 1 of each year, provide recommendations to
661 the Governor and Legislature relating to changes to the schedule
662 for the consolidations of state agency data centers as provided
663 in subsection (4).
664 1. The recommendations must be based on the goal of
665 maximizing current and future cost savings by:
666 a. Consolidating purchase decisions.
667 b. Leveraging expertise and other resources to gain
668 economies of scale.
669 c. Implementing state information technology policies more
670 effectively.
671 d. Maintaining or improving the level of service provision
672 to customer entities.
673 2. The agency shall establish workgroups as necessary to
674 ensure participation by affected agencies in the development of
675 recommendations related to consolidations.
676 (e) Develop and establish rules relating to the operation
677 of the state data center system which comply with applicable
678 federal regulations, including 2 C.F.R. part 225 and 45 C.F.R.
679 The rules must address:
680 1. Ensuring that financial information is captured and
681 reported consistently and accurately.
682 2. Identifying standards for hardware, including standards
683 for a shared, virtualized server environment, and operations
684 system software and other operational software, including
685 security and network infrastructure, for the primary data
686 centers; requiring compliance with such standards in order to
687 enable the efficient consolidation of the agency data centers or
688 computing facilities; and providing an exemption process from
689 compliance with such standards, which must be consistent with
690 paragraph (5)(b).
691 3. Requiring annual full cost recovery on an equitable
692 rational basis. The cost-recovery methodology must ensure that
693 no service is subsidizing another service and may include
694 adjusting the subsequent year’s rates as a means to recover
695 deficits or refund surpluses from a prior year.
696 4. Requiring that any special assessment imposed to fund
697 expansion is based on a methodology that apportions the
698 assessment according to the proportional benefit to each
699 customer entity.
700 5. Requiring that rebates be given when revenues have
701 exceeded costs, that rebates be applied to offset charges to
702 those customer entities that have subsidized the costs of other
703 customer entities, and that such rebates may be in the form of
704 credits against future billings.
705 6. Requiring that all service-level agreements have a
706 contract term of up to 3 years, but may include an option to
707 renew for up to 3 additional years contingent on approval by the
708 board, and require at least a 180-day notice of termination.
709 (3) STATE AGENCY DUTIES.—
710 (a) For the purpose of completing the work activities
711 described in subsections (1) and (2), Each state agency shall
712 provide to the Agency for State Enterprise Information
713 Technology all requested information relating to its data
714 centers and computing facilities and any other information
715 relevant to the effective agency’s ability to effectively
716 transition of a state agency data center or computing facility
717 its computer services into the state a primary data center. The
718 agency shall also participate as required in workgroups relating
719 to specific consolidation planning and implementation tasks as
720 assigned by the Agency for Enterprise Information Technology and
721 determined necessary to accomplish consolidation goals.
722 (b) Each state agency customer of the state a primary data
723 center shall notify the state data center, by May 31 and
724 November 30 of each year, of any significant changes in
725 anticipated use utilization of data center services pursuant to
726 requirements established by the state boards of trustees of each
727 primary data center.
728 (4) SCHEDULE FOR CONSOLIDATIONS OF AGENCY DATA CENTERS.—
729 (a) Consolidations of agency data centers and computing
730 facilities shall be made by the date and to the specified state
731 primary data center facility as provided in this section and in
732 accordance with budget adjustments contained in the General
733 Appropriations Act.
734 (b) By December 31, 2011, the following shall be
735 consolidated into the Northwest Regional Data Center:
736 1. The Department of Education’s Knott Data Center in the
737 Turlington Building.
738 2. The Department of Education’s Division of Vocational
739 Rehabilitation.
740 3. The Department of Education’s Division of Blind
741 Services, except for the division’s disaster recovery site in
742 Daytona Beach.
743 4. The FCAT Explorer.
744 (c) During the 2011-2012 fiscal year, the following shall
745 be consolidated into the Southwood Shared Resource Center:
746 1. By September 30, 2011, the Department of Corrections.
747 2. By March 31, 2012, the Department of Transportation’s
748 Burns Building.
749 3. By March 31, 2012, the Department of Transportation’s
750 Survey & Mapping Office.
751 (d) By July 1, 2012, the Department of Highway Safety and
752 Motor Vehicles’ Office of Commercial Vehicle Enforcement shall
753 be consolidated into the Northwood Shared Resource Center.
754 (e) By September 30, 2012, the Department of Revenue’s
755 Carlton Building and Imaging Center locations shall be
756 consolidated into the Northwest Regional Data Center.
757 (f) During the 2012-2013 fiscal year, the following shall
758 be consolidated into the Northwood Shared Resource Center:
759 1. By July 1, 2012, the Agency for Health Care
760 Administration.
761 2. By August 31, 2012, the Department of Highway Safety and
762 Motor Vehicles.
763 3. By December 31, 2012, the Department of Environmental
764 Protection’s Palmetto Commons.
765 4. By December 31, 2012, the Department of Health’s Test
766 and Development Lab and all remaining data center resources
767 located at the Capital Circle Office Complex.
768 (g) During the 2013-2014 fiscal year, the following shall
769 be consolidated into the Southwood Shared Resource Center:
770 1. By October 31, 2013, the Department of Economic
771 Opportunity.
772 2. By December 31, 2013, the Executive Office of the
773 Governor, to include the Division of Emergency Management except
774 for the Emergency Operation Center’s management system in
775 Tallahassee and the Camp Blanding Emergency Operations Center in
776 Starke.
777 3. By March 31, 2014, the Department of Elderly Affairs.
778 (h) By October 30, 2013, the Fish and Wildlife Conservation
779 Commission, except for the commission’s Fish and Wildlife
780 Research Institute in St. Petersburg, shall be consolidated into
781 the Northwood Shared Resource Center.
782 (i) During the 2014-2015 fiscal year, the following
783 agencies shall work with the Agency for Enterprise Information
784 Technology to begin preliminary planning for consolidation into
785 a primary data center:
786 1. The Department of Health’s Jacksonville Lab Data Center.
787 2. The Department of Transportation’s district offices,
788 toll offices, and the District Materials Office.
789 3. The Department of Military Affairs’ Camp Blanding Joint
790 Training Center in Starke.
791 4. The Camp Blanding Emergency Operations Center in Starke.
792 5. The Department of Education’s Division of Blind Services
793 disaster recovery site in Daytona Beach.
794 6. The Department of Education’s disaster recovery site at
795 Santa Fe College.
796 7. The Fish and Wildlife Conservation Commission’s Fish and
797 Wildlife Research Institute in St. Petersburg.
798 8. The Department of Children and Family Services’ Suncoast
799 Data Center in Tampa.
800 9. The Department of Children and Family Services’ Florida
801 State Hospital in Chattahoochee.
802 (j) During the 2015-2016 fiscal year, all computing
803 resources remaining within an agency data center or computing
804 facility, to include the Department of Financial Services’
805 Hartman, Larson, and Fletcher Buildings data centers, shall be
806 transferred to a primary data center for consolidation unless
807 otherwise required to remain in the agency for specified
808 financial, technical, or business reasons that must be justified
809 in writing and approved by the Agency for Enterprise Information
810 Technology. Such data centers, computing facilities, and
811 resources must be identified by the Agency for Enterprise
812 Information Technology by October 1, 2014.
813 (b)(k) The Department of Financial Services, the Department
814 of Legal Affairs, the Department of Agriculture and Consumer
815 Services, the Department of Law Enforcement, the Department of
816 the Lottery’s Gaming System, Systems Design and Development in
817 the Office of Policy and Budget, the regional traffic management
818 centers and the Office of Toll Operations of the Department of
819 Transportation, and the State Board of Administration, state
820 attorneys, public defenders, criminal conflict and civil
821 regional counsel, capital collateral regional counsel, the
822 Florida Clerks of Court Operations Corporation, and the Florida
823 Housing Finance Corporation are exempt from data center
824 consolidation under this section.
825 (c)(l) A state Any agency that is consolidating its agency
826 data center or computing facility centers into the state a
827 primary data center must execute a new or update an existing
828 service-level agreement within 60 days after the commencement of
829 service specified consolidation date, as required by s.
830 282.201(2) s. 282.203, in order to specify the services and
831 levels of service it is to receive from the state primary data
832 center as a result of the consolidation. If the state an agency
833 and the state primary data center are unable to execute a
834 service-level agreement by that date, the agency and the primary
835 data center shall submit a report to the Executive Office of the
836 Governor and to the chairs of the legislative appropriations
837 committees within 5 working days after that date which explains
838 the specific issues preventing execution and describing the plan
839 and schedule for resolving those issues.
840 (m) Beginning September 1, 2011, and every 6 months
841 thereafter until data center consolidations are complete, the
842 Agency for Enterprise Information Technology shall provide a
843 status report on the implementation of the consolidations that
844 must be completed during the fiscal year. The report shall be
845 submitted to the Executive Office of the Governor and the chairs
846 of the legislative appropriations committees. The report must,
847 at a minimum, describe:
848 1. Whether the consolidation is on schedule, including
849 progress on achieving the milestones necessary for successful
850 and timely consolidation of scheduled agency data centers and
851 computing facilities.
852 2. The risks that may affect the progress or outcome of the
853 consolidation and how these risks are being addressed,
854 mitigated, or managed.
855 (d)(n) Each state agency scheduled identified in this
856 subsection for consolidation into the state a primary data
857 center shall submit a transition plan to the Agency for State
858 Technology appropriate primary data center by July 1 of the
859 fiscal year before the fiscal year in which the scheduled
860 consolidation will occur. Transition plans shall be developed in
861 consultation with the state appropriate primary data center
862 centers and the Agency for Enterprise Information Technology,
863 and must include:
864 1. An inventory of the state agency data center’s resources
865 being consolidated, including all hardware and its associated
866 life cycle replacement schedule, software, staff, contracted
867 services, and facility resources performing data center
868 management and operations, security, backup and recovery,
869 disaster recovery, system administration, database
870 administration, system programming, job control, production
871 control, print, storage, technical support, help desk, and
872 managed services, but excluding application development, and the
873 state agency’s costs supporting these resources.
874 2. A list of contracts in effect, including, but not
875 limited to, contracts for hardware, software, and maintenance,
876 which identifies the expiration date, the contract parties, and
877 the cost of each contract.
878 3. A detailed description of the level of services needed
879 to meet the technical and operational requirements of the
880 platforms being consolidated.
881 4. A description of resources for computing services
882 proposed to remain in the department.
883 4.5. A timetable with significant milestones for the
884 completion of the consolidation.
885 (o) Each primary data center shall develop a transition
886 plan for absorbing the transfer of agency data center resources
887 based upon the timetables for transition as provided in this
888 subsection. The plan shall be submitted to the Agency for
889 Enterprise Information Technology, the Executive Office of the
890 Governor, and the chairs of the legislative appropriations
891 committees by September 1 of the fiscal year before the fiscal
892 year in which the scheduled consolidations will occur. Each plan
893 must include:
894 1. The projected cost to provide data center services for
895 each agency scheduled for consolidation.
896 2. A staffing plan that identifies the projected staffing
897 needs and requirements based on the estimated workload
898 identified in the agency transition plan.
899 3. The fiscal year adjustments to budget categories in
900 order to absorb the transfer of agency data center resources
901 pursuant to the legislative budget request instructions provided
902 in s. 216.023.
903 4. An analysis of the cost effects resulting from the
904 planned consolidations on existing agency customers.
905 5. A description of any issues that must be resolved in
906 order to accomplish as efficiently and effectively as possible
907 all consolidations required during the fiscal year.
908 (e)(p) Each state agency scheduled identified in this
909 subsection for consolidation into the state a primary data
910 center shall submit with its respective legislative budget
911 request the specific recurring and nonrecurring budget
912 adjustments of resources by appropriation category into the
913 appropriate data processing category pursuant to the legislative
914 budget request instructions in s. 216.023.
915 (5) AGENCY LIMITATIONS.—
916 (a) Unless exempt from state data center consolidation
917 pursuant to this section, authorized by the Legislature, or as
918 provided in paragraph paragraphs (b) and (c), a state agency may
919 not:
920 1. Create a new computing facility or data center, or
921 expand the capability to support additional computer equipment
922 in an existing state agency computing facility or nonprimary
923 data center;
924 2. Spend funds before the state agency’s scheduled
925 consolidation into the state a primary data center to purchase
926 or modify hardware or operations software that does not comply
927 with hardware and software standards established by the Agency
928 for State Enterprise Information Technology pursuant to
929 paragraph (2)(e) for the efficient consolidation of the agency
930 data centers or computing facilities;
931 3. Transfer existing computer services to any data center
932 other than the state a primary data center;
933 4. Terminate services with the state a primary data center
934 or transfer services between primary data centers without giving
935 written notice of intent to terminate or transfer services 180
936 days before such termination or transfer; or
937 5. Initiate a new computer service except with the state a
938 primary data center.
939 (b) Exceptions to the limitations in subparagraphs (a)1.,
940 2., 3., and 5. may be granted by the Agency for State Enterprise
941 Information Technology if there is insufficient capacity in the
942 state a primary data center to absorb the workload associated
943 with agency computing services, if expenditures are compatible
944 with the scheduled consolidation and the standards established
945 pursuant to s. 282.0051 paragraph (2)(e), or if the equipment or
946 resources are needed to meet a critical agency business need
947 that cannot be satisfied by from surplus equipment or resources
948 of the state primary data center until the agency data center is
949 consolidated. The Agency for State Technology shall develop and
950 publish the guidelines and required documentation that a state
951 agency must comply with when requesting an exception. The
952 agency’s decision regarding the exception request is not subject
953 to chapter 120.
954 1. A request for an exception must be submitted in writing
955 to the Agency for Enterprise Information Technology. The agency
956 must accept, accept with conditions, or deny the request within
957 60 days after receipt of the written request. The agency’s
958 decision is not subject to chapter 120.
959 2. At a minimum, the agency may not approve a request
960 unless it includes:
961 a. Documentation approved by the primary data center’s
962 board of trustees which confirms that the center cannot meet the
963 capacity requirements of the agency requesting the exception
964 within the current fiscal year.
965 b. A description of the capacity requirements of the agency
966 requesting the exception.
967 c. Documentation from the agency demonstrating why it is
968 critical to the agency’s mission that the expansion or transfer
969 must be completed within the fiscal year rather than when
970 capacity is established at a primary data center.
971 (c) Exceptions to subparagraph (a)4. may be granted by the
972 board of trustees of the primary data center if the termination
973 or transfer of services can be absorbed within the current cost
974 allocation plan.
975 (d) Upon the termination of or transfer of agency computing
976 services from the primary data center, the primary data center
977 shall require information sufficient to determine compliance
978 with this section. If a primary data center determines that an
979 agency is in violation of this section, it shall report the
980 violation to the Agency for Enterprise Information Technology.
981 (6) RULES.—The Agency for Enterprise Information Technology
982 may adopt rules to administer this part relating to the state
983 data center system including the primary data centers.
984 Section 8. Section 282.203, Florida Statutes, is repealed.
985 Section 9. Section 282.204, Florida Statutes, is repealed.
986 Section 10. Section 282.205, Florida Statutes, is repealed.
987 Section 11. Section 282.318, Florida Statutes, is amended
988 to read:
989 282.318 Enterprise security of data and information
990 technology.—
991 (1) This section may be cited as the “Enterprise Security
992 of Data and Information Technology Act.”
993 (2) Information technology security is established as an
994 enterprise information technology service as defined in s.
995 282.0041.
996 (2)(3) The Agency for State Enterprise Information
997 Technology is responsible for establishing standards,
998 guidelines, and processes by rule which are consistent with
999 generally accepted best practices for information technology
1000 security, and adopting rules that safeguard an agency’s data,
1001 information, and information technology resources to ensure its
1002 availability, confidentiality, and integrity rules and
1003 publishing guidelines for ensuring an appropriate level of
1004 security for all data and information technology resources for
1005 executive branch agencies. The agency shall also perform the
1006 following duties and responsibilities:
1007 (a) By June 30, 2015, develop, and annually update a
1008 statewide by February 1, an enterprise information technology
1009 security strategic plan that includes security goals and
1010 objectives for the strategic issues of information technology
1011 security policy, risk management, training, incident management,
1012 and disaster recovery survivability planning.
1013 (b) Develop and publish an information technology security
1014 framework for use by state agencies which, at a minimum,
1015 includes guidelines and processes enterprise security rules and
1016 published guidelines for:
1017 1. Developing and using a risk assessment methodology that
1018 will apply to state agencies to identify the priorities,
1019 constraints, risk tolerance, and assumptions.
1020 2.1. Completing comprehensive risk assessments analyses and
1021 information technology security audits. Such assessments and
1022 audits shall be conducted by state agencies and reviewed by the
1023 Agency for State Technology conducted by state agencies.
1024 3. Identifying protection procedures to manage the
1025 protection of a state agency’s information, data, and
1026 information technology resources.
1027 4. Detecting threats through proactive monitoring of
1028 events, continuous security monitoring, and specified detection
1029 processes.
1030 5.2. Responding to suspected or confirmed information
1031 technology security incidents, including suspected or confirmed
1032 breaches of personal information containing confidential or
1033 exempt data.
1034 6.3. Developing state agency strategic and operational
1035 information technology security plans required under this
1036 section, including strategic security plans and security program
1037 plans.
1038 7.4. Recovering The recovery of information technology and
1039 data in response to an information technology security incident
1040 following a disaster. The recovery may include recommended
1041 improvements to the processes, policies, or guidelines.
1042 8.5. Establishing The managerial, operational, and
1043 technical safeguards for protecting state government data and
1044 information technology resources which align with state agency
1045 risk management strategies for protecting the confidentiality,
1046 integrity, and availability of information technology and data.
1047 9. Establishing procedures for accessing information
1048 technology resources and data in order to limit authorized
1049 users, processes, or devices to authorized activities and
1050 transactions to ensure the confidentiality, integrity, and
1051 availability of such information and data.
1052 10. Establishing asset management procedures to ensure that
1053 information technology resources are identified and consistently
1054 managed with their relative importance to business objectives.
1055 (c) Assist state agencies in complying with the provisions
1056 of this section.
1057 (d) Pursue appropriate funding for the purpose of enhancing
1058 domestic security.
1059 (d)(e) In collaboration with the Cybercrime Office in the
1060 Department of Law Enforcement, provide training for state agency
1061 information security managers.
1062 (e)(f) Annually review the strategic and operational
1063 information technology security plans of state executive branch
1064 agencies.
1065 (3)(4) To assist the Agency for Enterprise Information
1066 Technology in carrying out its responsibilities, Each state
1067 agency head shall, at a minimum:
1068 (a) Designate an information security manager who, for the
1069 purposes of his or her information technology security duties,
1070 shall report to the agency head and shall to administer the
1071 information technology security program of the agency for its
1072 data and information technology resources. This designation must
1073 be provided annually in writing to the Agency for State
1074 Enterprise Information Technology by January 1.
1075 (b) Submit annually to the Agency for State Enterprise
1076 Information Technology annually by July 31, the state agency’s
1077 strategic and operational information technology security plans
1078 developed pursuant to the rules and guidelines established by
1079 the Agency for State Enterprise Information Technology.
1080 1. The state agency strategic information technology
1081 security plan must cover a 3-year period and, at a minimum,
1082 define security goals, intermediate objectives, and projected
1083 agency costs for the strategic issues of agency information
1084 security policy, risk management, security training, security
1085 incident response, and disaster recovery survivability. The plan
1086 must be based on the statewide enterprise strategic information
1087 security strategic plan created by the Agency for State
1088 Enterprise Information Technology and include performance
1089 metrics that can be objectively measured in order to gauge the
1090 state agency’s progress in meeting the security goals and
1091 objectives identified in the strategic information technology
1092 security plan. Additional issues may be included.
1093 2. The state agency operational information technology
1094 security plan must include a progress report that objectively
1095 measures progress made toward for the prior operational
1096 information technology security plan and a project plan that
1097 includes activities, timelines, and deliverables for security
1098 objectives that, subject to current resources, the state agency
1099 will implement during the current fiscal year. The cost of
1100 implementing the portions of the plan which cannot be funded
1101 from current resources must be identified in the plan.
1102 (c) Conduct, and update every 3 years, a comprehensive risk
1103 assessment analysis to determine the security threats to the
1104 data, information, and information technology resources of the
1105 state agency. The risk assessment must comply with the risk
1106 assessment methodology developed by the Agency for State
1107 Technology. The risk assessment analysis information is
1108 confidential and exempt from the provisions of s. 119.07(1),
1109 except that such information shall be available to the Auditor
1110 General, and the Agency for State Enterprise Information
1111 Technology, and the Cybercrime Office in the Department of Law
1112 Enforcement for performing postauditing duties.
1113 (d) Develop, and periodically update, written internal
1114 policies and procedures, which include procedures for reporting
1115 information technology security incidents and breaches to the
1116 Cybercrime Office in the Department of Law Enforcement and
1117 notifying the Agency for State Enterprise Information
1118 Technology, and for those agencies under the jurisdiction of the
1119 Governor, to the Chief Inspector General when a suspected or
1120 confirmed breach, or an information security incident, occurs.
1121 Such policies and procedures must be consistent with the rules,
1122 and guidelines, and processes established by the Agency for
1123 State Enterprise Information Technology to ensure the security
1124 of the data, information, and information technology resources
1125 of the state agency. The internal policies and procedures that,
1126 if disclosed, could facilitate the unauthorized modification,
1127 disclosure, or destruction of data or information technology
1128 resources are confidential information and exempt from s.
1129 119.07(1), except that such information shall be available to
1130 the Auditor General, the Cybercrime Office in the Department of
1131 Law Enforcement, and the Agency for State Enterprise Information
1132 Technology, and for those agencies under the jurisdiction of the
1133 Governor, to the Chief Inspector General for performing
1134 postauditing duties.
1135 (e) Implement the managerial, operational, and technical
1136 appropriate cost-effective safeguards established by the Agency
1137 for State Technology to address identified risks to the data,
1138 information, and information technology resources of the agency.
1139 (f) Ensure that periodic internal audits and evaluations of
1140 the agency’s information technology security program for the
1141 data, information, and information technology resources of the
1142 agency are conducted. The results of such audits and evaluations
1143 are confidential information and exempt from s. 119.07(1),
1144 except that such information shall be available to the Auditor
1145 General, the Cybercrime Office in the Department of Law
1146 Enforcement, and the Agency for State Enterprise Information
1147 Technology for performing postauditing duties.
1148 (g) Include appropriate information technology security
1149 requirements in the written specifications for the solicitation
1150 of information technology and information technology resources
1151 and services, which are consistent with the rules and guidelines
1152 established by the Agency for State Enterprise Information
1153 Technology in collaboration with the department.
1154 (h) Require that state agency employees complete the
1155 security awareness training offered by the Agency for State
1156 Technology in collaboration with the Cybercrime Office in the
1157 Department of Law Enforcement. Coordinate with state agencies to
1158 provide agency-specific security training aligned with the
1159 agency operational information technology security plan. Provide
1160 security awareness training to employees and users of the
1161 agency’s communication and information resources concerning
1162 information security risks and the responsibility of employees
1163 and users to comply with policies, standards, guidelines, and
1164 operating procedures adopted by the agency to reduce those
1165 risks.
1166 (i) Develop processes a process for detecting, reporting,
1167 and responding to information technology suspected or confirmed
1168 security threats or breaches or information technology security
1169 incidents which are, including suspected or confirmed breaches
1170 consistent with the security rules, and guidelines, and
1171 processes established by the Agency for State Enterprise
1172 Information Technology.
1173 1. All Suspected or confirmed information technology
1174 security incidents and breaches must be immediately reported to
1175 the Cybercrime Office in the Department of Law Enforcement and
1176 the Agency for State Enterprise Information Technology.
1177 2. For information technology security incidents involving
1178 breaches, agencies shall provide notice in accordance with s.
1179 817.5681 and to the Agency for Enterprise Information Technology
1180 in accordance with this subsection.
1181 (5) Each state agency shall include appropriate security
1182 requirements in the specifications for the solicitation of
1183 contracts for procuring information technology or information
1184 technology resources or services which are consistent with the
1185 rules and guidelines established by the Agency for Enterprise
1186 Information Technology.
1187 (4)(6) The Agency for State Enterprise Information
1188 Technology may adopt rules relating to information technology
1189 security and to administer the provisions of this section.
1190 Section 12. Section 282.33, Florida Statutes, is repealed.
1191 Section 13. Effective upon this act becoming a law, section
1192 282.34, Florida Statutes, is repealed.
1193 Section 14. Subsections (1) and (2) of section 17.0315,
1194 Florida Statutes, are amended to read:
1195 17.0315 Financial and cash management system; task force.—
1196 (1) The Chief Financial Officer, as the constitutional
1197 officer responsible for settling and approving accounts against
1198 the state and keeping all state funds pursuant to s. 4, Art. IV
1199 of the State Constitution, is shall be the head of and shall
1200 appoint members to a task force established to develop a
1201 strategic business plan for a successor financial and cash
1202 management system. The task force shall include the executive
1203 director of the Agency for State Enterprise Information
1204 Technology and the director of the Office of Policy and Budget
1205 in the Executive Office of the Governor. Any member of the task
1206 force may appoint a designee.
1207 (2) The strategic business plan for a successor financial
1208 and cash management system must:
1209 (a) Permit proper disbursement and auditing controls
1210 consistent with the respective constitutional duties of the
1211 Chief Financial Officer and the Legislature;
1212 (b) Promote transparency in the accounting of public funds;
1213 (c) Provide timely and accurate recording of financial
1214 transactions by agencies and their professional staffs;
1215 (d) Support executive reporting and data analysis
1216 requirements;
1217 (e) Be capable of interfacing with other systems providing
1218 human resource services, procuring goods and services, and
1219 providing other enterprise functions;
1220 (f) Be capable of interfacing with the existing legislative
1221 appropriations, planning, and budgeting systems;
1222 (g) Be coordinated with the information technology strategy
1223 development efforts of the Agency for State Enterprise
1224 Information Technology;
1225 (h) Be coordinated with the revenue estimating conference
1226 process as supported by the Office of Economic and Demographic
1227 Research; and
1228 (i) Address other such issues as the Chief Financial
1229 Officer identifies.
1230 Section 15. Subsection (1) of section 20.055, Florida
1231 Statutes, is reordered and amended to read:
1232 20.055 Agency inspectors general.—
1233 (1) As used in For the purposes of this section, the term:
1234 (d)(a) “State agency” means each department created
1235 pursuant to this chapter, and also includes the Executive Office
1236 of the Governor, the Department of Military Affairs, the Fish
1237 and Wildlife Conservation Commission, the Office of Insurance
1238 Regulation of the Financial Services Commission, the Office of
1239 Financial Regulation of the Financial Services Commission, the
1240 Public Service Commission, the Board of Governors of the State
1241 University System, the Florida Housing Finance Corporation, the
1242 Agency for State Technology, and the state courts system.
1243 (a)(b) “Agency head” means the Governor, a Cabinet officer,
1244 a secretary as defined in s. 20.03(5), or an executive director
1245 as those terms are defined in s. 20.03, 20.03(6). It also
1246 includes the chair of the Public Service Commission, the
1247 Director of the Office of Insurance Regulation of the Financial
1248 Services Commission, the Director of the Office of Financial
1249 Regulation of the Financial Services Commission, the board of
1250 directors of the Florida Housing Finance Corporation, and the
1251 Chief Justice of the State Supreme Court.
1252 (c) “Individuals substantially affected” means natural
1253 persons who have established a real and sufficiently immediate
1254 injury in fact due to the findings, conclusions, or
1255 recommendations of a final report of a state agency inspector
1256 general, who are the subject of the audit or investigation, and
1257 who do not have or are not currently afforded an existing right
1258 to an independent review process. The term does not apply to
1259 employees of the state, including career service, probationary,
1260 other personal service, Selected Exempt Service, and Senior
1261 Management Service employees;, are not covered by this
1262 definition. This definition also does not cover former employees
1263 of the state if the final report of the state agency inspector
1264 general relates to matters arising during a former employee’s
1265 term of state employment; or. This definition does not apply to
1266 persons who are the subject of audits or investigations
1267 conducted pursuant to ss. 112.3187-112.31895 or s. 409.913 or
1268 which are otherwise confidential and exempt under s. 119.07.
1269 (b)(d) “Entities contracting with the state” means for
1270 profit and not-for-profit organizations or businesses that have
1271 having a legal existence, such as corporations or partnerships,
1272 as opposed to natural persons, which have entered into a
1273 relationship with a state agency as defined in paragraph (a) to
1274 provide for consideration certain goods or services to the state
1275 agency or on behalf of the state agency. The relationship may be
1276 evidenced by payment by warrant or purchasing card, contract,
1277 purchase order, provider agreement, or other such mutually
1278 agreed upon relationship. The term This definition does not
1279 apply to entities that which are the subject of audits or
1280 investigations conducted pursuant to ss. 112.3187-112.31895 or
1281 s. 409.913 or which are otherwise confidential and exempt under
1282 s. 119.07.
1283 Section 16. Paragraph (e) of subsection (2) of section
1284 110.205, Florida Statutes, is amended to read:
1285 110.205 Career service; exemptions.—
1286 (2) EXEMPT POSITIONS.—The exempt positions that are not
1287 covered by this part include the following:
1288 (e) The Chief Information Officer in the Agency for State
1289 Enterprise Information Technology. Unless otherwise fixed by
1290 law, the Agency for State Enterprise Information Technology
1291 shall set the salary and benefits of this position in accordance
1292 with the rules of the Senior Management Service.
1293 Section 17. Subsections (2) and (9) of section 215.322,
1294 Florida Statutes, are amended to read:
1295 215.322 Acceptance of credit cards, charge cards, debit
1296 cards, or electronic funds transfers by state agencies, units of
1297 local government, and the judicial branch.—
1298 (2) A state agency as defined in s. 216.011, or the
1299 judicial branch, may accept credit cards, charge cards, debit
1300 cards, or electronic funds transfers in payment for goods and
1301 services with the prior approval of the Chief Financial Officer.
1302 If the Internet or other related electronic methods are to be
1303 used as the collection medium, the Agency for State Enterprise
1304 Information Technology shall review and recommend to the Chief
1305 Financial Officer whether to approve the request with regard to
1306 the process or procedure to be used.
1307 (9) For payment programs in which credit cards, charge
1308 cards, or debit cards are accepted by state agencies, the
1309 judicial branch, or units of local government, the Chief
1310 Financial Officer, in consultation with the Agency for State
1311 Enterprise Information Technology, may adopt rules to establish
1312 uniform security safeguards for cardholder data and to ensure
1313 compliance with the Payment Card Industry Data Security
1314 Standards.
1315 Section 18. Subsection (2) of section 215.96, Florida
1316 Statutes, is amended to read:
1317 215.96 Coordinating council and design and coordination
1318 staff.—
1319 (2) The coordinating council shall consist of the Chief
1320 Financial Officer; the Commissioner of Agriculture; the Attorney
1321 General; the secretary of the Department of Management Services;
1322 the executive director of the Agency for State Technology the
1323 Attorney General; and the Director of Planning and Budgeting,
1324 Executive Office of the Governor, or their designees. The Chief
1325 Financial Officer, or his or her designee, shall be chair of the
1326 coordinating council, and the design and coordination staff
1327 shall provide administrative and clerical support to the council
1328 and the board. The design and coordination staff shall maintain
1329 the minutes of each meeting and shall make such minutes
1330 available to any interested person. The Auditor General, the
1331 State Courts Administrator, an executive officer of the Florida
1332 Association of State Agency Administrative Services Directors,
1333 and an executive officer of the Florida Association of State
1334 Budget Officers, or their designees, shall serve without voting
1335 rights as ex officio members of on the coordinating council. The
1336 chair may call meetings of the coordinating council as often as
1337 necessary to transact business; however, the coordinating
1338 council must shall meet at least annually once a year. Action of
1339 the coordinating council shall be by motion, duly made, seconded
1340 and passed by a majority of the coordinating council voting in
1341 the affirmative for approval of items that are to be recommended
1342 for approval to the Financial Management Information Board.
1343 Section 19. Paragraph (a) of subsection (4) of section
1344 216.023, Florida Statutes, is amended to read:
1345 216.023 Legislative budget requests to be furnished to
1346 Legislature by agencies.—
1347 (4)(a) The legislative budget request must contain for each
1348 program must contain:
1349 1. The constitutional or statutory authority for a program,
1350 a brief purpose statement, and approved program components.
1351 2. Information on expenditures for 3 fiscal years (actual
1352 prior-year expenditures, current-year estimated expenditures,
1353 and agency budget requested expenditures for the next fiscal
1354 year) by appropriation category.
1355 3. Details on trust funds and fees.
1356 4. The total number of positions (authorized, fixed, and
1357 requested).
1358 5. An issue narrative describing and justifying changes in
1359 amounts and positions requested for current and proposed
1360 programs for the next fiscal year.
1361 6. Information resource requests.
1362 7. Supporting information, including applicable cost
1363 benefit analyses, business case analyses, performance
1364 contracting procedures, service comparisons, and impacts on
1365 performance standards for any request to outsource or privatize
1366 agency functions. The cost-benefit and business case analyses
1367 must include an assessment of the impact on each affected
1368 activity from those identified in accordance with paragraph (b).
1369 Performance standards must include standards for each affected
1370 activity and be expressed in terms of the associated unit of
1371 activity.
1372 8. An evaluation of any major outsourcing and privatization
1373 initiatives undertaken during the last 5 fiscal years having
1374 aggregate expenditures exceeding $10 million during the term of
1375 the contract. The evaluation must shall include an assessment of
1376 contractor performance, a comparison of anticipated service
1377 levels to actual service levels, and a comparison of estimated
1378 savings to actual savings achieved. Consolidated reports issued
1379 by the Department of Management Services may be used to satisfy
1380 this requirement.
1381 9. Supporting information for any proposed consolidated
1382 financing of deferred-payment commodity contracts including
1383 guaranteed energy performance savings contracts. Supporting
1384 information must also include narrative describing and
1385 justifying the need, baseline for current costs, estimated cost
1386 savings, projected equipment purchases, estimated contract
1387 costs, and return on investment calculation.
1388 10. For projects that exceed $10 million in total cost, the
1389 statutory reference of the existing policy or the proposed
1390 substantive policy that establishes and defines the project’s
1391 governance structure, planned scope, main business objectives
1392 that must be achieved, and estimated completion timeframes. The
1393 governance structure for information technology-related projects
1394 requested by a state agency must incorporate the applicable
1395 project management and oversight standards established under s.
1396 282.0051. Information technology budget requests for the
1397 continuance of existing hardware and software maintenance
1398 agreements, renewal of existing software licensing agreements,
1399 or the replacement of desktop units with new technology that is
1400 similar to the technology currently in use are exempt from this
1401 requirement.
1402 Section 20. Subsection (22) of section 287.057, Florida
1403 Statutes, is amended to read:
1404 287.057 Procurement of commodities or contractual
1405 services.—
1406 (22) The department, in consultation with the Chief
1407 Financial Officer and the Agency for State Technology, shall
1408 maintain a program for the online procurement of commodities and
1409 contractual services. To enable the state to promote open
1410 competition and leverage its buying power, agencies shall
1411 participate in the online procurement program, and eligible
1412 users may participate in the program. Only vendors prequalified
1413 as meeting mandatory requirements and qualifications criteria
1414 may participate in online procurement.
1415 (a) The department, in consultation with the Agency for
1416 State Technology and in compliance with the standards and
1417 policies of the agency, may contract for equipment and services
1418 necessary to develop and implement online procurement.
1419 (b) The department shall adopt rules to administer the
1420 program for online procurement. The rules must include, but not
1421 be limited to:
1422 1. Determining the requirements and qualification criteria
1423 for prequalifying vendors.
1424 2. Establishing the procedures for conducting online
1425 procurement.
1426 3. Establishing the criteria for eligible commodities and
1427 contractual services.
1428 4. Establishing the procedures for providing access to
1429 online procurement.
1430 5. Determining the criteria warranting any exceptions to
1431 participation in the online procurement program.
1432 (c) The department may impose and shall collect all fees
1433 for the use of the online procurement systems.
1434 1. The fees may be imposed on an individual transaction
1435 basis or as a fixed percentage of the cost savings generated. At
1436 a minimum, the fees must be set in an amount sufficient to cover
1437 the projected costs of the services, including administrative
1438 and project service costs in accordance with the policies of the
1439 department.
1440 2. If the department contracts with a provider for online
1441 procurement, the department, pursuant to appropriation, shall
1442 compensate the provider from the fees after the department has
1443 satisfied all ongoing costs. The provider shall report
1444 transaction data to the department each month so that the
1445 department may determine the amount due and payable to the
1446 department from each vendor.
1447 3. All fees that are due and payable to the state on a
1448 transactional basis or as a fixed percentage of the cost savings
1449 generated are subject to s. 215.31 and must be remitted within
1450 40 days after receipt of payment for which the fees are due. For
1451 fees that are not remitted within 40 days, the vendor shall pay
1452 interest at the rate established under s. 55.03(1) on the unpaid
1453 balance from the expiration of the 40-day period until the fees
1454 are remitted.
1455 4. All fees and surcharges collected under this paragraph
1456 shall be deposited in the Operating Trust Fund as provided by
1457 law.
1458 Section 21. Subsection (4) of section 445.011, Florida
1459 Statutes, is amended to read:
1460 445.011 Workforce information systems.—
1461 (4) Workforce Florida, Inc., shall coordinate development
1462 and implementation of workforce information systems with the
1463 executive director of the Agency for State Enterprise
1464 Information Technology to ensure compatibility with the state’s
1465 information system strategy and enterprise architecture.
1466 Section 22. Subsections (2) and (4) of section 445.045,
1467 Florida Statutes, are amended to read:
1468 445.045 Development of an Internet-based system for
1469 information technology industry promotion and workforce
1470 recruitment.—
1471 (2) Workforce Florida, Inc., shall coordinate with the
1472 Agency for State Enterprise Information Technology and the
1473 Department of Economic Opportunity to ensure links, where
1474 feasible and appropriate, to existing job information websites
1475 maintained by the state and state agencies and to ensure that
1476 information technology positions offered by the state and state
1477 agencies are posted on the information technology website.
1478 (4)(a) Workforce Florida, Inc., shall coordinate
1479 development and maintenance of the website under this section
1480 with the executive director of the Agency for State Enterprise
1481 Information Technology to ensure compatibility with the state’s
1482 information system strategy and enterprise architecture.
1483 (b) Workforce Florida, Inc., may enter into an agreement
1484 with the Agency for State Enterprise Information Technology, the
1485 Department of Economic Opportunity, or any other public agency
1486 with the requisite information technology expertise for the
1487 provision of design, operating, or other technological services
1488 necessary to develop and maintain the website.
1489 (c) Workforce Florida, Inc., may procure services necessary
1490 to implement the provisions of this section, if it employs
1491 competitive processes, including requests for proposals,
1492 competitive negotiation, and other competitive processes that to
1493 ensure that the procurement results in the most cost-effective
1494 investment of state funds.
1495 Section 23. Paragraph (b) of subsection (18) of section
1496 668.50, Florida Statutes, is amended to read:
1497 668.50 Uniform Electronic Transaction Act.—
1498 (18) ACCEPTANCE AND DISTRIBUTION OF ELECTRONIC RECORDS BY
1499 GOVERNMENTAL AGENCIES.—
1500 (b) To the extent that a governmental agency uses
1501 electronic records and electronic signatures under paragraph
1502 (a), the Agency for State Enterprise Information Technology, in
1503 consultation with the governmental agency, giving due
1504 consideration to security, may specify:
1505 1. The manner and format in which the electronic records
1506 must be created, generated, sent, communicated, received, and
1507 stored and the systems established for those purposes.
1508 2. If electronic records must be signed by electronic
1509 means, the type of electronic signature required, the manner and
1510 format in which the electronic signature must be affixed to the
1511 electronic record, and the identity of, or criteria that must be
1512 met by, any third party used by a person filing a document to
1513 facilitate the process.
1514 3. Control processes and procedures as appropriate to
1515 ensure adequate preservation, disposition, integrity, security,
1516 confidentiality, and auditability of electronic records.
1517 4. Any other required attributes for electronic records
1518 which are specified for corresponding nonelectronic records or
1519 reasonably necessary under the circumstances.
1520 Section 24. Section 943.0415, Florida Statutes, is amended
1521 to read:
1522 943.0415 Cybercrime Office.—The Cybercrime Office There is
1523 created within the Department of Law Enforcement the Cybercrime
1524 Office. The office may:
1525 (1) Investigate violations of state law pertaining to the
1526 sexual exploitation of children which are facilitated by or
1527 connected to the use of any device capable of storing electronic
1528 data.
1529 (2) Monitor information technology resources and provide
1530 analysis on information technology security incidents, threats,
1531 or breaches as those terms are defined in s. 282.0041.
1532 (3) Investigate violations of state law pertaining to
1533 information technology security incidents, threats, or breaches
1534 pursuant to s. 282.0041 and assist in incident response and
1535 recovery.
1536 (4) Provide security awareness training and information to
1537 state agency employees concerning cyber security, online sexual
1538 exploitation of children, security risks, and the responsibility
1539 of employees to comply with policies, standards, guidelines, and
1540 operating procedures adopted by the Agency for State Technology.
1541 (5) Consult with the Agency for State Technology in the
1542 adoption of rules relating to the information technology
1543 security provisions of s. 282.318.
1544 Section 25. Section 1004.649, Florida Statutes, is amended
1545 to read:
1546 1004.649 Northwest Regional Data Center.—
1547 (1) For the purpose of providing data center services to
1548 serving its state agency customers, the Northwest Regional Data
1549 Center at Florida State University is designated as a primary
1550 data center and shall:
1551 (a) Operate under a governance structure that represents
1552 its customers proportionally.
1553 (b) Maintain an appropriate cost-allocation methodology
1554 that accurately bills state agency customers based solely on the
1555 actual direct and indirect costs of the services provided to
1556 state agency customers, and ensures that for any fiscal year a
1557 state agency customer is not subsidizing a prohibits the
1558 subsidization of nonstate agency customer or another state
1559 agency customer customers’ costs by state agency customers. Such
1560 cost-allocation methodology must comply with applicable state
1561 and federal requirements concerning the distribution and use of
1562 state and federal funds.
1563 (c) Enter into a service-level agreement with each state
1564 agency customer to provide services as defined and approved by
1565 the governing board of the center. At a minimum, such service
1566 level agreements must:
1567 1. Identify the parties and their roles, duties, and
1568 responsibilities under the agreement;
1569 2. State the duration of the agreement term and specify the
1570 conditions for renewal;
1571 3. Identify the scope of work;
1572 4. Establish the services to be provided, the business
1573 standards that must be met for each service, the cost of each
1574 service, and the process by which the business standards for
1575 each service are to be objectively measured and reported;
1576 5. Provide a timely billing methodology for recovering the
1577 cost of services provided pursuant to s. 215.422; and
1578 6. Provide a procedure for modifying the service-level
1579 agreement to address any changes in projected costs of service;
1580 7. Prohibit the transfer of computing services between the
1581 Northwest Regional Data Center and the state data center
1582 established under s. 282.201 without at least 180 days’ notice
1583 of service cancellation;
1584 8. Identify the products or services to be delivered with
1585 sufficient specificity to permit an external financial or
1586 performance audit; and
1587 9. Provide that the service-level agreement may be
1588 terminated by either party for cause only after giving the other
1589 party notice in writing of the cause for termination and an
1590 opportunity for the other party to resolve the identified cause
1591 within a reasonable period.
1592 (d) Provide to the Board of Governors the total annual
1593 budget by major expenditure category, including, but not limited
1594 to, salaries, expenses, operating capital outlay, contracted
1595 services, or other personnel services by July 30 each fiscal
1596 year.
1597 (e) Provide to each state agency customer its projected
1598 annual cost for providing the agreed-upon data center services
1599 by September 1 each fiscal year.
1600 (f) Provide a plan for consideration by the Legislative
1601 Budget Commission if the governing body of the center approves
1602 the use of a billing rate schedule after the start of the fiscal
1603 year that increases any state agency customer’s costs for that
1604 fiscal year.
1605 (2) The Northwest Regional Data Center’s designation as a
1606 primary data center for purposes of serving its state agency
1607 customers may be terminated if:
1608 (a) The center requests such termination to the Board of
1609 Governors, the Senate President, and the Speaker of the House of
1610 Representatives; or
1611 (b) The center fails to comply with the provisions of this
1612 section.
1613 (3) If such designation is terminated, the center shall
1614 have 1 year to provide for the transition of its state agency
1615 customers to the state data center system established under s.
1616 282.201 Southwood Shared Resource Center or the Northwood Shared
1617 Resource Center.
1618 Section 26. The Agency for Enterprise Information
1619 Technology in the Executive Office of the Governor is
1620 transferred by a type two transfer, pursuant to s. 20.06,
1621 Florida Statutes, to the Agency for State Technology established
1622 pursuant to s. 20.61, Florida Statutes, except that the only
1623 rules that are transferred are chapters 71A-1 and 71A-2, Florida
1624 Administrative Code. All other rules adopted by the Agency for
1625 Enterprise Information Technology are nullified and of no
1626 further force or effect.
1627 Section 27. The Northwood Shared Resource Center in the
1628 Department of Management Services is transferred by a type two
1629 transfer, pursuant to s. 20.06, Florida Statutes, to the Agency
1630 for State Technology established pursuant to s. 20.61, Florida
1631 Statutes. This transfer does not require and is not subject to
1632 Legislative Budget Commission approval.
1633 Section 28. The Southwood Shared Resource Center in the
1634 Department of Management Services is transferred by a type two
1635 transfer, pursuant to s. 20.06, Florida Statutes, to the Agency
1636 for State Technology established pursuant to s. 20.61, Florida
1637 Statutes. This transfer does not require and is not subject to
1638 Legislative Budget Commission approval.
1639 Section 29. The Agency for State Technology shall:
1640 (1) Complete a feasibility study that analyzes, evaluates,
1641 and provides recommendations for managing state government data
1642 in a manner that promotes its interoperability and openness and,
1643 if legally permissible and not cost prohibitive, ensures that
1644 such data is available to the public in ways that make the data
1645 easy to find and use, and complies with chapter 119, Florida
1646 Statutes. At a minimum, the feasibility study must include the
1647 following components:
1648 (a) A clear description of which state government data
1649 should be public information. The guiding principle for this
1650 component is a presumption of openness to the extent permitted
1651 by law but subject to valid restrictions relating to privacy,
1652 confidentiality, and security, and other fiscal and legal
1653 restrictions.
1654 (b) Recommended standards for making the format and
1655 accessibility of public information uniform and ensuring that
1656 such data is published in a nonproprietary, searchable,
1657 sortable, platform-independent, and machine-readable format. The
1658 agency should include the projected cost to state agencies of
1659 implementing and maintaining such standards.
1660 (c) A project plan for implementing a single Internet
1661 website that contains public information or links to public
1662 information. The plan should include a timeline and benchmarks
1663 for making public information available online and identify any
1664 costs associated with the development and ongoing maintenance of
1665 such a website.
1666 (d) A recommended governance structure and review and
1667 compliance process to ensure accountability on the part of those
1668 who create, maintain, manage, or store public information or
1669 post it on the single Internet website. The agency should
1670 include any associated costs to implement and maintain the
1671 recommended governance structure and the review and compliance
1672 process.
1673 (2) Submit the completed feasibility study to the Executive
1674 Office of the Governor, the President of the Senate, and the
1675 Speaker of the House of Representatives by June 1, 2015.
1676 Section 30. The State Data Center Task Force is created.
1677 The task force shall be comprised of those individuals who were
1678 members of the boards of trustees of the Northwood and Southwood
1679 Shared Resource Centers as of June 30, 2014. The purpose of the
1680 task force is to provide assistance in the transition of the
1681 Northwood and Southwood Shared Resource Centers into the state
1682 data center established under s. 282.201, Florida Statutes. The
1683 task force shall identify any operational or fiscal issues
1684 affecting the transition and provide recommendations to the
1685 Agency for State Technology for the resolution of such issues.
1686 The task force may not make decisions regarding the state data
1687 center or the facilities formerly known as the Northwood and
1688 Southwood Shared Resource Centers and shall expire on or before
1689 June 30, 2015.
1690 Section 31. For the 2014-2015 fiscal year, the sum of
1691 $2,134,892 in nonrecurring general revenue funds, $2,865,108 in
1692 recurring general revenue funds, and 25 full-time equivalent
1693 positions and associated salary rate of 2,010,951 are
1694 appropriated to the Agency for State Technology for the purpose
1695 of implementing and administering this act.
1696 Section 32. Except as otherwise expressly provided in this
1697 act and except for this section, which shall take effect upon
1698 this act becoming a law, this act shall take effect July 1,
1699 2014.