Florida Senate - 2020 COMMITTEE AMENDMENT
Bill No. SB 1870
The Committee on Innovation, Industry, and Technology (Hutson)
recommended the following:
1 Senate Substitute for Amendment (427788) (with title
4 Delete everything after the enacting clause
5 and insert:
6 Section 1. Subsection (2) of section 20.22, Florida
7 Statutes, is amended to read:
8 20.22 Department of Management Services.—There is created a
9 Department of Management Services.
10 (2) The following divisions and programs within the
11 Department of Management Services shall consist of the following
12 are established:
13 (a) The Facilities Program.
14 (b) The Division of Telecommunications State Technology,
15 the director of which is appointed by the secretary of the
16 department and shall serve as the state chief information
17 officer. The state chief information officer must be a proven,
18 effective administrator who must have at least 10 years of
19 executive-level experience in the public or private sector,
20 preferably with experience in the development of information
21 technology strategic planning and the development and
22 implementation of fiscal and substantive information technology
23 policy and standards.
24 (c) The Workforce Program.
25 (d)1. The Support Program.
26 2. The Federal Property Assistance Program.
27 (e) The Administration Program.
28 (f) The Division of Administrative Hearings.
29 (g) The Division of Retirement.
30 (h) The Division of State Group Insurance.
31 (i) The Florida Digital Service.
32 Section 2. Section 282.0041, Florida Statutes, is amended
33 to read:
34 282.0041 Definitions.—As used in this chapter, the term:
35 (1) “Agency assessment” means the amount each customer
36 entity must pay annually for services from the Department of
37 Management Services and includes administrative and data center
38 services costs.
39 (2) “Agency data center” means agency space containing 10
40 or more physical or logical servers.
41 (3) “Breach” has the same meaning as provided in s.
43 (4) “Business continuity plan” means a collection of
44 procedures and information designed to keep an agency’s critical
45 operations running during a period of displacement or
46 interruption of normal operations.
47 (5) “Cloud computing” has the same meaning as provided in
48 Special Publication 800-145 issued by the National Institute of
49 Standards and Technology.
50 (6) “Computing facility” or “agency computing facility”
51 means agency space containing fewer than a total of 10 physical
52 or logical servers, but excluding single, logical-server
53 installations that exclusively perform a utility function such
54 as file and print servers.
55 (7) “Credential service provider” means a provider
56 competitively procured by the department to supply secure
57 identity management and verification services based on open
58 standards to qualified entities.
59 (8) (7) “Customer entity” means an entity that obtains
60 services from the Department of Management Services.
61 (9) (8) “Data” means a subset of structured information in a
62 format that allows such information to be electronically
63 retrieved and transmitted.
64 (10) “Data-call” means an electronic transaction with the
65 credential service provider that verifies the authenticity of a
66 digital identity by querying enterprise data.
67 (11) (9) “Department” means the Department of Management
69 (12) (10) “Disaster recovery” means the process, policies,
70 procedures, and infrastructure related to preparing for and
71 implementing recovery or continuation of an agency’s vital
72 technology infrastructure after a natural or human-induced
74 (13) “Electronic” means technology having electrical,
75 digital, magnetic, wireless, optical, electromagnetic, or
76 similar capabilities.
77 (14) “Electronic credential” means a digital asset which
78 verifies the identity of a person, organization, application, or
80 (15) “Enterprise” means the collection of state agencies.
81 The term includes the Department of Legal Affairs, the
82 Department of Agriculture and Consumer Services, the Department
83 of Financial Services, and the judicial branch.
84 (16) “Enterprise architecture” means a comprehensive
85 operational framework that contemplates the needs and assets of
86 the enterprise to support interoperability across state
88 (17) (11) “Enterprise information technology service” means
89 an information technology service that is used in all agencies
90 or a subset of agencies and is established in law to be
91 designed, delivered, and managed at the enterprise level.
92 (18) (12) “Event” means an observable occurrence in a system
93 or network.
94 (19) (13) “Incident” means a violation or imminent threat of
95 violation, whether such violation is accidental or deliberate,
96 of information technology resources, security, policies, or
97 practices. An imminent threat of violation refers to a situation
98 in which the state agency has a factual basis for believing that
99 a specific incident is about to occur.
100 (20) (14) “Information technology” means equipment,
101 hardware, software, firmware, programs, systems, networks,
102 infrastructure, media, and related material used to
103 automatically, electronically, and wirelessly collect, receive,
104 access, transmit, display, store, record, retrieve, analyze,
105 evaluate, process, classify, manipulate, manage, assimilate,
106 control, communicate, exchange, convert, converge, interface,
107 switch, or disseminate information of any kind or form.
108 (21) (15) “Information technology policy” means a definite
109 course or method of action selected from among one or more
110 alternatives that guide and determine present and future
112 (22) (16) “Information technology resources” has the same
113 meaning as provided in s. 119.011.
114 (23) (17) “Information technology security” means the
115 protection afforded to an automated information system in order
116 to attain the applicable objectives of preserving the integrity,
117 availability, and confidentiality of data, information, and
118 information technology resources.
119 (24) “Interoperability” means the technical ability to
120 share and use data across and throughout the enterprise.
121 (25) (18) “Open data” means data collected or created by a
122 state agency and structured in a way that enables the data to be
123 fully discoverable and usable by the public. The term does not
124 include data that are restricted from public distribution based
125 on federal or state privacy, confidentiality, and security laws
126 and regulations or data for which a state agency is statutorily
127 authorized to assess a fee for its distribution.
128 (26) (19) “Performance metrics” means the measures of an
129 organization’s activities and performance.
130 (27) (20) “Project” means an endeavor that has a defined
131 start and end point; is undertaken to create or modify a unique
132 product, service, or result; and has specific objectives that,
133 when attained, signify completion.
134 (28) (21) “Project oversight” means an independent review
135 and analysis of an information technology project that provides
136 information on the project’s scope, completion timeframes, and
137 budget and that identifies and quantifies issues or risks
138 affecting the successful and timely completion of the project.
139 (29) “Qualified entity” means a public or private entity or
140 individual that enters into a binding agreement with the
141 department, meets usage criteria, agrees to terms and
142 conditions, and is subsequently and prescriptively authorized by
143 the department to access data under the terms of that agreement.
144 (30) (22) “Risk assessment” means the process of identifying
145 security risks, determining their magnitude, and identifying
146 areas needing safeguards.
147 (31) (23) “Service level” means the key performance
148 indicators (KPI) of an organization or service which must be
149 regularly performed, monitored, and achieved.
150 (32) (24) “Service-level agreement” means a written contract
151 between the Department of Management Services and a customer
152 entity which specifies the scope of services provided, service
153 level, the duration of the agreement, the responsible parties,
154 and service costs. A service-level agreement is not a rule
155 pursuant to chapter 120.
156 (33) (25) “Stakeholder” means a person, group, organization,
157 or state agency involved in or affected by a course of action.
158 (34) (26) “Standards” means required practices, controls,
159 components, or configurations established by an authority.
160 (35) (27) “State agency” means any official, officer,
161 commission, board, authority, council, committee, or department
162 of the executive branch of state government; the Justice
163 Administrative Commission; and the Public Service Commission.
164 The term does not include university boards of trustees or state
165 universities. As used in part I of this chapter, except as
166 otherwise specifically provided, the term does not include the
167 Department of Legal Affairs, the Department of Agriculture and
168 Consumer Services, or the Department of Financial Services.
169 (36) (28) “SUNCOM Network” means the state enterprise
170 telecommunications system that provides all methods of
171 electronic or optical telecommunications beyond a single
172 building or contiguous building complex and used by entities
173 authorized as network users under this part.
174 (37) (29) “Telecommunications” means the science and
175 technology of communication at a distance, including electronic
176 systems used in the transmission or reception of information.
177 (38) (30) “Threat” means any circumstance or event that has
178 the potential to adversely impact a state agency’s operations or
179 assets through an information system via unauthorized access,
180 destruction, disclosure, or modification of information or
181 denial of service.
182 (39) (31) “Variance” means a calculated value that
183 illustrates how far positive or negative a projection has
184 deviated when measured against documented estimates within a
185 project plan.
186 Section 3. Section 282.0051, Florida Statutes, is amended
187 to read:
188 282.0051 Florida Digital Service Department of Management
189 Services; powers, duties, and functions.—There is established
190 the Florida Digital Service within the department to create
191 innovative solutions that securely modernize state government,
192 achieve value through digital transformation and
193 interoperability, and fully support the cloud-first policy as
194 specified in s. 282.206.
195 (1) The Florida Digital Service department shall have the
196 following powers, duties, and functions:
197 (a) (1) Develop and publish information technology policy
198 for the management of the state’s information technology
200 (b) (2) Establish and publish information technology
201 architecture standards to provide for the most efficient use of
202 the state’s information technology resources and to ensure
203 compatibility and alignment with the needs of state agencies.
204 The Florida Digital Service department shall assist state
205 agencies in complying with the standards.
206 (c) (3) Establish project management and oversight
207 standards with which state agencies must comply when
208 implementing projects that have an information technology
209 component projects. The Florida Digital Service department shall
210 provide training opportunities to state agencies to assist in
211 the adoption of the project management and oversight standards.
212 To support data-driven decision making, the standards must
213 include, but are not limited to:
214 1. (a) Performance measurements and metrics that
215 objectively reflect the status of a project with an information
216 technology component project based on a defined and documented
217 project scope, cost, and schedule.
218 2. (b) Methodologies for calculating acceptable variances
219 in the projected versus actual scope, schedule, or cost of a
220 project with an information technology component project.
221 3. (c) Reporting requirements, including requirements
222 designed to alert all defined stakeholders that a project with
223 an information technology component project has exceeded
224 acceptable variances defined and documented in a project plan.
225 4. (d) Content, format, and frequency of project updates.
226 (d) (4) Perform project oversight on all state agency
227 information technology projects that have an information
228 technology component with a total project cost costs of $10
229 million or more and that are funded in the General
230 Appropriations Act or any other law. The Florida Digital Service
231 department shall report at least quarterly to the Executive
232 Office of the Governor, the President of the Senate, and the
233 Speaker of the House of Representatives on any project with an
234 information technology component project that the Florida
235 Digital Service department identifies as high-risk due to the
236 project exceeding acceptable variance ranges defined and
237 documented in a project plan. The report must include a risk
238 assessment, including fiscal risks, associated with proceeding
239 to the next stage of the project, and a recommendation for
240 corrective actions required, including suspension or termination
241 of the project. The Florida Digital Service shall establish a
242 process for state agencies to apply for an exception to the
243 requirements of this paragraph for a specific project with an
244 information technology component.
245 (e) (5) Identify opportunities for standardization and
246 consolidation of information technology services that support
247 interoperability and the cloud-first policy as specified in s.
248 282.206, business functions and operations, including
249 administrative functions such as purchasing, accounting and
250 reporting, cash management, and personnel, and that are common
251 across state agencies. The Florida Digital Service department
252 shall biennially on April 1 provide recommendations for
253 standardization and consolidation to the Executive Office of the
254 Governor, the President of the Senate, and the Speaker of the
255 House of Representatives.
256 (f) (6) Establish best practices for the procurement of
257 information technology products and cloud-computing services in
258 order to reduce costs, increase the quality of data center
259 services, or improve government services.
260 (g) (7) Develop standards for information technology reports
261 and updates, including, but not limited to, operational work
262 plans, project spend plans, and project status reports, for use
263 by state agencies.
264 (h) (8) Upon request, assist state agencies in the
265 development of information technology-related legislative budget
267 (i) (9) Conduct annual assessments of state agencies to
268 determine compliance with all information technology standards
269 and guidelines developed and published by the Florida Digital
270 Service department and provide results of the assessments to the
271 Executive Office of the Governor, the President of the Senate,
272 and the Speaker of the House of Representatives.
273 (j) (10) Provide operational management and oversight of the
274 state data center established pursuant to s. 282.201, which
276 1. (a) Implementing industry standards and best practices
277 for the state data center’s facilities, operations, maintenance,
278 planning, and management processes.
279 2. (b) Developing and implementing cost-recovery or other
280 payment mechanisms that recover the full direct and indirect
281 cost of services through charges to applicable customer
282 entities. Such cost-recovery or other payment mechanisms must
283 comply with applicable state and federal regulations concerning
284 distribution and use of funds and must ensure that, for any
285 fiscal year, no service or customer entity subsidizes another
286 service or customer entity.
287 3. (c) Developing and implementing appropriate operating
288 guidelines and procedures necessary for the state data center to
289 perform its duties pursuant to s. 282.201. The guidelines and
290 procedures must comply with applicable state and federal laws,
291 regulations, and policies and conform to generally accepted
292 governmental accounting and auditing standards. The guidelines
293 and procedures must include, but need not be limited to:
294 a. 1. Implementing a consolidated administrative support
295 structure responsible for providing financial management,
296 procurement, transactions involving real or personal property,
297 human resources, and operational support.
298 b. 2. Implementing an annual reconciliation process to
299 ensure that each customer entity is paying for the full direct
300 and indirect cost of each service as determined by the customer
301 entity’s use of each service.
302 c. 3. Providing rebates that may be credited against future
303 billings to customer entities when revenues exceed costs.
304 d. 4. Requiring customer entities to validate that
305 sufficient funds exist in the appropriate data processing
306 appropriation category or will be transferred into the
307 appropriate data processing appropriation category before
308 implementation of a customer entity’s request for a change in
309 the type or level of service provided, if such change results in
310 a net increase to the customer entity’s cost for that fiscal
312 e. 5. By November 15 of each year, providing to the Office
313 of Policy and Budget in the Executive Office of the Governor and
314 to the chairs of the legislative appropriations committees the
315 projected costs of providing data center services for the
316 following fiscal year.
317 f. 6. Providing a plan for consideration by the Legislative
318 Budget Commission if the cost of a service is increased for a
319 reason other than a customer entity’s request made pursuant to
320 sub-subparagraph d. subparagraph 4. Such a plan is required only
321 if the service cost increase results in a net increase to a
322 customer entity for that fiscal year.
323 g. 7. Standardizing and consolidating procurement and
324 contracting practices.
325 4. (d) In collaboration with the Department of Law
326 Enforcement, developing and implementing a process for
327 detecting, reporting, and responding to information technology
328 security incidents, breaches, and threats.
329 5. (e) Adopting rules relating to the operation of the state
330 data center, including, but not limited to, budgeting and
331 accounting procedures, cost-recovery or other payment
332 methodologies, and operating procedures.
333 (f) Conducting an annual market analysis to determine
334 whether the state’s approach to the provision of data center
335 services is the most effective and cost-efficient manner by
336 which its customer entities can acquire such services, based on
337 federal, state, and local government trends; best practices in
338 service provision; and the acquisition of new and emerging
339 technologies. The results of the market analysis shall assist
340 the state data center in making adjustments to its data center
341 service offerings.
342 (k) (11) Recommend other information technology services
343 that should be designed, delivered, and managed as enterprise
344 information technology services. Recommendations must include
345 the identification of existing information technology resources
346 associated with the services, if existing services must be
347 transferred as a result of being delivered and managed as
348 enterprise information technology services.
349 (l) (12) In consultation with state agencies, propose a
350 methodology and approach for identifying and collecting both
351 current and planned information technology expenditure data at
352 the state agency level.
353 (m)1. (13)(a) Notwithstanding any other law, provide project
354 oversight on any project with an information technology
355 component project of the Department of Financial Services, the
356 Department of Legal Affairs, and the Department of Agriculture
357 and Consumer Services which has a total project cost of $25
358 million or more and which impacts one or more other agencies.
359 Such projects with an information technology component projects
360 must also comply with the applicable information technology
361 architecture, project management and oversight, and reporting
362 standards established by the Florida Digital Service department.
363 The Florida Digital Service shall establish a process for the
364 Department of Financial Services, the Department of Legal
365 Affairs, and the Department of Agriculture and Consumer Services
366 to apply for an exception to the requirements of this paragraph
367 for a specific project with an information technology component.
368 2. (b) When performing the project oversight function
369 specified in subparagraph 1. paragraph (a), report at least
370 quarterly to the Executive Office of the Governor, the President
371 of the Senate, and the Speaker of the House of Representatives
372 on any project with an information technology component project
373 that the Florida Digital Service department identifies as high
374 risk due to the project exceeding acceptable variance ranges
375 defined and documented in the project plan. The report shall
376 include a risk assessment, including fiscal risks, associated
377 with proceeding to the next stage of the project and a
378 recommendation for corrective actions required, including
379 suspension or termination of the project.
380 (n) (14) If a project with an information technology
381 component project implemented by a state agency must be
382 connected to or otherwise accommodated by an information
383 technology system administered by the Department of Financial
384 Services, the Department of Legal Affairs, or the Department of
385 Agriculture and Consumer Services, consult with these
386 departments regarding the risks and other effects of such
387 projects on their information technology systems and work
388 cooperatively with these departments regarding the connections,
389 interfaces, timing, or accommodations required to implement such
391 (o) (15) If adherence to standards or policies adopted by or
392 established pursuant to this section causes conflict with
393 federal regulations or requirements imposed on a state agency
394 and results in adverse action against the state agency or
395 federal funding, work with the state agency to provide
396 alternative standards, policies, or requirements that do not
397 conflict with the federal regulation or requirement. The Florida
398 Digital Service department shall annually report such
399 alternative standards to the Governor, the President of the
400 Senate, and the Speaker of the House of Representatives.
401 (p)1. (16)(a) Establish an information technology policy for
402 all information technology-related state contracts, including
403 state term contracts for information technology commodities,
404 consultant services, and staff augmentation services. The
405 information technology policy must include:
406 a. 1. Identification of the information technology product
407 and service categories to be included in state term contracts.
408 b. 2. Requirements to be included in solicitations for state
409 term contracts.
410 c. 3. Evaluation criteria for the award of information
411 technology-related state term contracts.
412 d. 4. The term of each information technology-related state
413 term contract.
414 e. 5. The maximum number of vendors authorized on each state
415 term contract.
416 2. (b) Evaluate vendor responses for information technology
417 related state term contract solicitations and invitations to
419 3. (c) Answer vendor questions on information technology
420 related state term contract solicitations.
421 4. (d) Ensure that the information technology policy
422 established pursuant to subparagraph 1. paragraph (a) is
423 included in all solicitations and contracts that are
424 administratively executed by the department.
425 (q) (17) Recommend potential methods for standardizing data
426 across state agencies which will promote interoperability and
427 reduce the collection of duplicative data.
428 (r) (18) Recommend open data technical standards and
429 terminologies for use by state agencies.
430 (2)(a) The Secretary of Management Services shall appoint a
431 state chief information officer, who shall administer the
432 Florida Digital Service and is included in the Senior Management
434 (b) The state chief information officer shall appoint a
435 chief data officer, who shall report to the state chief
436 information officer and is included in the Senior Management
438 (3) The Florida Digital Service shall develop a
439 comprehensive enterprise architecture that:
440 (a) Recognizes the unique needs of those included within
441 the enterprise that results in the publication of standards,
442 terminologies, and procurement guidelines to facilitate digital
444 (b) Supports the cloud-first policy as specified in s.
446 (c) Addresses how information technology infrastructure may
447 be modernized to achieve cloud-first objectives.
448 (4) The Florida Digital Service shall, pursuant to
449 legislative appropriation:
450 (a) Create and maintain a comprehensive indexed data
451 catalog that lists what data elements are housed within the
452 enterprise and in which legacy system or application these data
453 elements are located.
454 (b) Develop and publish, in collaboration with the
455 enterprise, a data dictionary for each agency that reflects the
456 nomenclature in the comprehensive indexed data catalog.
457 (c) Review and document use cases across the enterprise
459 (d) Develop and publish standards that support the creation
460 and deployment of application programming interfaces to
461 facilitate integration throughout the enterprise.
462 (e) Facilitate collaborative analysis of enterprise
463 architecture data to improve service delivery.
464 (f) Develop plans to provide a testing environment in which
465 any newly developed solution can be tested for compliance within
466 the enterprise architecture and for functionality assurance
467 before deployment.
468 (g) Publish standards necessary to facilitate a secure
469 ecosystem of data interoperability that is compliant with the
470 enterprise architecture and allows for a qualified entity to
471 access enterprise’s data under the terms of the agreements with
472 the department.
473 (h) Publishing standards that facilitate the deployment of
474 applications or solutions to existing enterprise obligations in
475 a controlled and phased approach, including, but not limited to:
476 1. Electronic credentials, including Digital licenses, as
477 referenced in s. 322.032.
478 2. Interoperability that enables supervisors of elections
479 to authenticate voter eligibility in real time at the point of
481 3. The criminal justice database.
482 4. Motor vehicle insurance cancellation integration between
483 insurers and the Department of Highway Safety and Motor
485 5. Interoperability solutions between agencies, including,
486 but not limited to, the Department of Health, the Agency for
487 Health Care Administration, the Agency for Persons with
488 Disabilities, the Department of Education, the Department of
489 Elderly Affairs, and the Department of Children and Families.
490 6. Interoperability solutions to support military members,
491 veterans, and their families.
492 (5) Pursuant to legislative authorization and subject to
494 (a) The department may procure a credential service
495 provider through a competitive process pursuant to s. 287.057.
496 The terms of the contract developed from such procurement must
497 pay for the value on a per-data-call or subscription basis, and
498 there shall be no cost to the enterprise or law enforcement for
499 using the services provided by the credential service provider.
500 (b) The department may enter into agreements with qualified
501 entities that have the technological capabilities necessary to
502 integrate with the credential service provider; ensure secure
503 validation and authentication of data; meet usage criteria; and
504 agree to terms and conditions, privacy policies, and uniform
505 remittance terms relating to the consumption of enterprise data.
506 These agreements must include clear, enforceable, and
507 significant penalties for violations of the agreements.
508 (c) The department may enter into agreements with qualified
509 entities that meet usage criteria and agree to the enterprise
510 architecture terms of service and privacy policies. These
511 agreements must include clear, enforceable, and significant
512 penalties for violations of the agreements.
513 (d) The terms of the agreements between the department, the
514 credential service provider and the qualified entities shall be
515 based on the per-data-call or subscription charges to validate
516 and authenticate and allow the department to recover any state
517 costs for implementing and administering a solution. Credential
518 service provider and qualifying entity revenues may not be
519 derived from any other transactions that generate revenue for
520 the enterprise outside of the per-data-call or subscription
522 (e) All revenues generated from the agreements with the
523 credential service provider and qualified entities shall be
524 remitted to the department, and the department shall deposit
525 these revenues into the Department of Management Services
526 Operating Trust Fund for distribution pursuant to a legislative
527 appropriation and department agreements with the credential
528 service provider and qualified entities.
529 (f) Upon the signing of the agreement and the enterprise
530 architecture terms of service and privacy policies with a
531 qualified entity the department shall provide to the qualified
532 entity, as applicable, appropriate access to enterprise data to
533 facilitate authorized integrations to collaboratively solve
534 enterprise use cases.
535 (6) The Florida Digital Service may develop a process to:
536 (a) Receive written notice from the state agencies within
537 the enterprise of any planned or existing procurement of an
538 information technology project that is subject to governance by
539 the enterprise architecture.
540 (b) Intervene in any planned procurement by a state agency
541 so that the procurement complies with the enterprise
543 (c) Report to the Governor, the President of the Senate,
544 and the Speaker of the House of Representatives on any
545 information technology project within the judicial branch that
546 does not comply with the enterprise architecture.
547 (7) (19) The Florida Digital Service may adopt rules to
548 administer this section.
550 Section 4. Section 282.00515, Florida Statutes, is amended
551 to read:
552 282.00515 Enterprise Architecture Advisory Council Duties
553 of Cabinet Agencies.—The Department of Legal Affairs, the
554 Department of Financial Services, and the Department of
555 Agriculture and Consumer Services shall adopt the standards
556 established in s. 282.0051(2), (3), and (7) or adopt alternative
557 standards based on best practices and industry standards, and
558 may contract with the department to provide or perform any of
559 the services and functions described in s. 282.0051 for the
560 Department of Legal Affairs, the Department of Financial
561 Services, or the Department of Agriculture and Consumer
563 (1)(a) The Enterprise Architecture Advisory Council, an
564 advisory council as defined in s. 20.03(7), is established
565 within the Department of Management Services. The council shall
566 comply with the requirements of s. 20.052, except as otherwise
567 provided in this section.
568 (b) The council shall consist of the following members:
569 1. Four members appointed by the Governor.
570 2. One member appointed by the President of the Senate.
571 3. One member appointed by the Speaker of the House of
573 4. One member appointed by the Chief Justice of the Supreme
575 5. The director of the Office of Policy and Budget in the
576 Executive Office of the Governor, or the person acting in the
577 director’s capacity should the position be vacant.
578 6. The Secretary of Management Services, or the person
579 acting in the secretary’s capacity should the position be
581 7. The state chief information officer, or the person
582 acting in the state chief information officer’s capacity should
583 the position be vacant.
584 8. The chief information officer of the Department of
585 Financial Services, or the person acting in the chief
586 information officer’s capacity should the position be vacant.
587 9. The chief information officer of the Department of Legal
588 Affairs, or the person acting in the chief information officer’s
589 capacity should the position be vacant.
590 10. The chief information officer of the Department of
591 Agriculture and Consumer Services, or the person acting in the
592 chief information officer’s capacity should the position be
594 (2)(a) The appointments made by the Governor, the President
595 of the Senate, the Speaker of the House of Representatives, and
596 the Chief Justice of the Supreme Court are for terms of 4 years.
597 However, for the purpose of providing staggered terms:
598 1. The appointments made by the Governor, the President of
599 the Senate, and the Speaker of the House of Representatives are
600 for initial terms of 2 years.
601 2. The appointment made by the Chief Justice is for an
602 initial term of 3 years.
603 (b) A vacancy on the council among members appointed under
604 subparagraph (1)(b)1., subparagraph (1)(b)2., subparagraph
605 (1)(b)3., or subparagraph (1)(b)4. shall be filled in the same
606 manner as the original appointment for the remainder of the
607 unexpired term.
608 (c) The council shall elect a chair from among its members.
609 (d) The council shall meet at least semiannually, beginning
610 October 1, 2020, to discuss implementation, management, and
611 coordination of the enterprise architecture as defined in s.
612 282.0041; identify potential issues and threats with specific
613 use cases; and recommend proactive solutions. The council may
614 conduct its meetings through teleconferences or other similar
616 Section 5. Paragraph (a) of subsection (3) of section
617 282.318, Florida Statutes, is amended to read:
618 282.318 Security of data and information technology.—
619 (3) The department is responsible for establishing
620 standards and processes consistent with generally accepted best
621 practices for information technology security, to include
622 cybersecurity, and adopting rules that safeguard an agency’s
623 data, information, and information technology resources to
624 ensure availability, confidentiality, and integrity and to
625 mitigate risks. The department shall also:
626 (a) Designate a state chief information security officer
627 who shall be appointed by and report to the state chief
628 information officer of the Florida Digital Service and is in the
629 Senior Management Service. The state chief information security
630 officer must have experience and expertise in security and risk
631 management for communications and information technology
633 Section 6. Subsection (4) of section 287.0591, Florida
634 Statutes, is amended to read:
635 287.0591 Information technology.—
636 (4) If the department issues a competitive solicitation for
637 information technology commodities, consultant services, or
638 staff augmentation contractual services, the Florida Digital
639 Service Division of State Technology within the department shall
640 participate in such solicitations.
641 Section 7. Paragraph (a) of subsection (3) of section
642 365.171, Florida Statutes, is amended to read:
643 365.171 Emergency communications number E911 state plan.—
644 (3) DEFINITIONS.—As used in this section, the term:
645 (a) “Office” means the Division of Telecommunications State
646 Technology within the Department of Management Services, as
647 designated by the secretary of the department.
648 Section 8. Paragraph (s) of subsection (3) of section
649 365.172, Florida Statutes, is amended to read:
650 365.172 Emergency communications number “E911.”—
651 (3) DEFINITIONS.—Only as used in this section and ss.
652 365.171, 365.173, 365.174, and 365.177, the term:
653 (s) “Office” means the Division of Telecommunications State
654 Technology within the Department of Management Services, as
655 designated by the secretary of the department.
656 Section 9. Paragraph (a) of subsection (1) of section
657 365.173, Florida Statutes, is amended to read:
658 365.173 Communications Number E911 System Fund.—
659 (1) REVENUES.—
660 (a) Revenues derived from the fee levied on subscribers
661 under s. 365.172(8) must be paid by the board into the State
662 Treasury on or before the 15th day of each month. Such moneys
663 must be accounted for in a special fund to be designated as the
664 Emergency Communications Number E911 System Fund, a fund created
665 in the Division of Telecommunications State Technology, or other
666 office as designated by the Secretary of Management Services.
667 Section 10. Subsection (5) of section 943.0415, Florida
668 Statutes, is amended to read:
669 943.0415 Cybercrime Office.—There is created within the
670 Department of Law Enforcement the Cybercrime Office. The office
672 (5) Consult with the Florida Digital Service Division of
673 State Technology within the Department of Management Services in
674 the adoption of rules relating to the information technology
675 security provisions in s. 282.318.
676 Section 11. Effective January 1, 2021, section 559.952,
677 Florida Statutes, is created to read:
678 559.952 Financial Technology Sandbox.—
679 (1) SHORT TITLE.—This section may be cited as the
680 “Financial Technology Sandbox.”
681 (2) CREATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—There is
682 created the Financial Technology Sandbox within the Office of
683 Financial Regulation to allow financial technology innovators to
684 test new products and services in a supervised, flexible
685 regulatory sandbox using exceptions of specified general law and
686 waivers of the corresponding rule requirements under defined
687 conditions. The creation of a supervised, flexible regulatory
688 sandbox provides a welcoming business environment for technology
689 innovators and may lead to significant business growth.
690 (3) DEFINITIONS.—As used in this section, the term:
691 (a) “Commission” means the Financial Services Commission.
692 (b) “Consumer” means a person in this state, whether a
693 natural person or a business entity, who purchases, uses,
694 receives, or enters into an agreement to purchase, use, or
695 receive an innovative financial product or service made
696 available through the Financial Technology Sandbox.
697 (c) “Financial product or service” means a product or
698 service related to finance, including securities, consumer
699 credit, or money transmission, which is traditionally subject to
700 general law or rule requirements in the provisions enumerated in
701 paragraph (7)(a) and which is under the jurisdiction of the
703 (d) “Financial Technology Sandbox” means the program
704 created in this section which allows a person to make an
705 innovative financial product or service available to consumers
706 through the provisions enumerated in paragraph (7)(a) during a
707 sandbox period through an exception to general laws or and a
708 waiver of rule requirements, or portions thereof, as specified
709 in this section.
710 (e) “Innovative” means new or emerging technology, or new
711 uses of existing technology, which provides a product, service,
712 business model, or delivery mechanism to the public.
713 (f) “Office” means, unless the context clearly indicates
714 otherwise, the Office of Financial Regulation.
715 (g) “Sandbox period” means the period, initially not longer
716 than 24 months, in which the office has:
717 1. Authorized an innovative financial product or service to
718 be made available to consumers.
719 2. Granted the person who makes the innovative financial
720 product or service available an exception to general law or a
721 waiver of the corresponding rule requirements, as determined by
722 the office, so that the authorization under subparagraph 1. is
724 (4) FINANCIAL TECHNOLOGY SANDBOX APPLICATION; STANDARDS
725 FOR APPROVAL.—
726 (a) Before filing an application to enter the Financial
727 Technology Sandbox, a substantially affected person may seek a
728 declaratory statement pursuant to s. 120.565 regarding the
729 applicability of a statute, rule, or agency order to the
730 petitioner’s particular set of circumstances.
731 (b) Before making an innovative financial product or
732 service available to consumers in the Financial Technology
733 Sandbox, a person must file an application with the office. The
734 commission shall prescribe by rule the form and manner of the
736 1. In the application, the person must specify the general
737 law or rule requirements for which an exception or waiver is
738 sought and the reasons why these requirements prevent the
739 innovative financial product or service from being made
740 available to consumers.
741 2. The application must also contain the information
742 specified in paragraph (e).
743 (c) A business entity filing an application under this
744 section must be a domestic corporation or other organized
745 domestic entity with a physical presence, other than that of a
746 registered office or agent or virtual mailbox, in this state.
747 (d) Before a person applies on behalf of a business entity
748 intending to make an innovative financial product or service
749 available to consumers, the person must obtain the consent of
750 the business entity.
751 (e) The office shall approve or deny in writing a Financial
752 Technology Sandbox application within 60 days after receiving
753 the completed application. The office and the applicant may
754 jointly agree to extend the time beyond 60 days. Consistent with
755 this section, the office may impose conditions on any approval.
756 In deciding to approve or deny an application, the office must
757 consider each of the following:
758 1. The nature of the innovative financial product or
759 service proposed to be made available to consumers in the
760 Financial Technology Sandbox, including all relevant technical
762 2. The potential risk to consumers and the methods that
763 will be used to protect consumers and resolve complaints during
764 the sandbox period.
765 3. The business plan proposed by the applicant, including a
766 statement regarding the applicant’s current and proposed
768 4. Whether the applicant has the necessary personnel,
769 adequate financial and technical expertise, and a sufficient
770 plan to test, monitor, and assess the innovative financial
771 product or service.
772 5. If any person substantially involved in the development,
773 operation, or management of the applicant’s innovative financial
774 product or service has pled no contest to, has been convicted or
775 found guilty of, or is currently under investigation for, fraud,
776 a state or federal securities violation, any property-based
777 offense, or any crime involving moral turpitude or dishonest
778 dealing, their application to the Sandbox will be denied. A plea
779 of no contest, a conviction, or a finding of guilt must be
780 reported under this subparagraph regardless of adjudication.
781 6. A copy of the disclosures that will be provided to
782 consumers under paragraph (6)(c).
783 7. The financial responsibility of any person substantially
784 involved in the development, operation, or management of the
785 applicant’s innovative financial product or service.
786 8. Any other factor that the office determines to be
788 (f) The office may not approve an application if:
789 1. The applicant had a prior Financial Technology Sandbox
790 application that was approved and that related to a
791 substantially similar financial product or service; or
792 2. Any person substantially involved in the development,
793 operation, or management of the applicant’s innovative financial
794 product or service was substantially involved with another
795 Financial Technology Sandbox applicant whose application was
796 approved and whose application related to a substantially
797 similar financial product or service.
798 (g) Upon approval of an application, the office shall
799 specify the general law or rule requirements, or portions
800 thereof, for which an exception or rule waiver is granted during
801 the sandbox period and the length of the initial sandbox period,
802 not to exceed 24 months. The office shall post on its website
803 notice of the approval of the application, a summary of the
804 innovative financial product or service, and the contact
805 information of the person making the financial product or
806 service available.
807 (5) OPERATION OF THE FINANCIAL TECHNOLOGY SANDBOX.—
808 (a) A person whose Financial Technology Sandbox application
809 is approved may make an innovative financial product or service
810 available to consumers during the sandbox period.
811 (b) The office may, on a case-by-case basis and after
812 consultation with the person who makes the financial product or
813 service available to consumers, specify the maximum number of
814 consumers authorized to receive an innovative financial product
815 or service. The office may not authorize more than 15,000
816 consumers to receive the financial product or service until the
817 person who makes the financial product or service available to
818 consumers has filed the first report required under subsection
819 (8). After the filing of the report, if the person demonstrates
820 adequate financial capitalization, risk management process, and
821 management oversight, the office may authorize up to 25,000
822 consumers to receive the financial product or service.
823 (c)1. Before a consumer purchases, uses, receives, or
824 enters into an agreement to purchase, use, or receive an
825 innovative financial product or service through the Financial
826 Technology Sandbox, the person making the financial product or
827 service available must provide a written statement of all of the
828 following to the consumer:
829 a. The name and contact information of the person making
830 the financial product or service available to consumers.
831 b. That the financial product or service has been
832 authorized to be made available to consumers for a temporary
833 period by the office, under the laws of this state.
834 c. That this state does not endorse the financial product
835 or service.
836 d. That the financial product or service is undergoing
837 testing, may not function as intended, and may entail financial
839 e. That the person making the financial product or service
840 available to consumers is not immune from civil liability for
841 any losses or damages caused by the financial product or
843 f. The expected end date of the sandbox period.
844 g. The contact information for the office, and notification
845 that suspected legal violations, complaints, or other comments
846 related to the financial product or service may be submitted to
847 the office.
848 h. Any other statements or disclosures required by rule of
849 the commission which are necessary to further the purposes of
850 this section.
851 2. The written statement must contain an acknowledgment
852 from the consumer, which must be retained for the duration of
853 the sandbox period by the person making the financial product or
854 service available.
855 (d) The office may enter into an agreement with a state,
856 federal, or foreign regulatory agency to allow persons:
857 1. Who make an innovative financial product or service
858 available in this state through the Financial Technology Sandbox
859 to make their products or services available in other
861 2. Who operate in similar financial technology sandboxes in
862 other jurisdictions to make innovative financial products and
863 services available in this state under the standards of this
865 (e)1. A person whose Financial Technology Sandbox
866 application is approved by the office shall maintain
867 comprehensive records relating to the innovative financial
868 product or service. The person shall keep these records for at
869 least 5 years after the conclusion of the sandbox period. The
870 commission may specify by rule additional records requirements.
871 2. The office may examine the records maintained under
872 subparagraph 1. at any time, with or without notice.
873 (6) EXTENSIONS AND CONCLUSION OF SANDBOX PERIOD.—
874 (a) A person who is authorized to make an innovative
875 financial product or service available to consumers may apply
876 for an extension of the initial sandbox period for up to 12
877 additional months for a purpose specified in subparagraph (b)1.
878 or subparagraph (b)2. A complete application for an extension
879 must be filed with the office at least 90 days before the
880 conclusion of the initial sandbox period. The office shall
881 approve or deny the application for extension in writing at
882 least 35 days before the conclusion of the initial sandbox
883 period. In deciding to approve or deny an application for
884 extension of the sandbox period, the office must, at a minimum,
885 consider the current status of the factors previously considered
886 under paragraph (4)(e).
887 (b) An application for an extension under paragraph (a)
888 must cite one of the following reasons as the basis for the
889 application and must provide all relevant supporting information
891 1. Amendments to general law or rules are necessary to
892 offer the innovative financial product or service in this state
894 2. An application for a license that is required in order
895 to offer the innovative financial product or service in this
896 state permanently has been filed with the office, and approval
897 is pending.
898 (c) At least 30 days before the conclusion of the initial
899 sandbox period or the extension, whichever is later, a person
900 who makes an innovative financial product or service available
901 shall provide written notification to consumers regarding the
902 conclusion of the initial sandbox period or the extension and
903 may not make the financial product or service available to any
904 new consumers after the conclusion of the initial sandbox period
905 or the extension, whichever is later, until legal authority
906 outside of the Financial Technology Sandbox exists to make the
907 financial product or service available to consumers. After the
908 conclusion of the sandbox period or the extension, whichever is
909 later, the person who makes the innovative financial product or
910 service available may:
911 1. Collect and receive money owed to the person or pay
912 money owed by the person, based on agreements with consumers
913 made before the conclusion of the sandbox period or the
915 2. Take necessary legal action.
916 3. Take other actions authorized by commission rule which
917 are not inconsistent with this subsection.
918 (7) EXCEPTIONS TO GENERAL LAW AND WAIVERS OF RULE
920 (a) Notwithstanding any other provision of law, upon
921 approval of a Financial Technology Sandbox application, the
922 office may grant an applicant a waiver of a requirement, or a
923 portion thereof, which is imposed by rule as authorized by any
924 of the following provisions of general law, if all of the
925 conditions in paragraph (b) are met. If the application is
926 approved for a person who otherwise would be subject to the
927 provisions of chapters 560, 516, 517, 520, or 537, the following
928 provisions shall not be applicable to the approved sandbox
930 1. Section 560.1105.
931 2. Section 560.118.
932 3. Section 560.125, except for s. 560.125(2).
933 4. Section 560.128.
934 5. Section 560.1401, except for s. 560.1401(2)-(4).
935 6. Section 560.141, except for s. 560.141(1)(b)-(d).
936 7. Section 560.142, except that the office may prorate
937 the license renewal fees provided in ss. 560.142 and 560.143 for
938 an extension granted under subsection (7).
939 8. Section 560.143(2) to the extent necessary for proration
940 of the renewal fee under subparagraph 7.
941 9. Section 560.205, except for s. 560.205(1) and (3).
942 10. Section 560.208, except for s. 560.208(3)-(6).
943 11. Section 560.209, except that the office may modify the
944 net worth, corporate surety bond, and collateral deposit amounts
945 required under s. 560.209. The modified amounts must be in such
946 lower amounts that the office determines to be commensurate with
947 the considerations under paragraph (4)(e) and the maximum number
948 of consumers authorized to receive the financial product or
949 service under this section.
950 12. Section 516.03, except for the license and
951 investigation fee. The office may prorate the license renewal
952 fees for an extension granted under subsection (8). The office
953 may not waive the evidence of liquid assets of at least $25,000.
954 13. Section 516.05, except that the office may make an
955 investigation of the facts concerning the applicant’s
957 14. Section 516.12.
958 15. Section 516.19.
959 16. Section 517.07.
960 17. Section 517.12.
961 18. Section 517.121.
962 19. Section 520.03, except for the application fee. The
963 office may prorate the license renewal fees for an extension
964 granted under subsection (8).
965 20. Section 520.12.
966 21. Section 520.25.
967 22. Section 520.32, except for the application fee. The
968 office may prorate the license renewal fees for an extension
969 granted under subsection (8).
970 23. Section 520.39.
971 24. Section 520.52, except for the application fee. The
972 office may prorate the license renewal fees for an extension
973 granted under subsection (8).
974 25. Section 520.57.
975 26. Section 520.63, except for the application fee. The
976 office may prorate the license renewal fees for an extension
977 granted under subsection (8).
978 27. Section 520.997.
979 28. Section 520.98.
980 29. Section 537.004, except for s. 537.004(2) and (5). The
981 office may prorate the license renewal fees for an extension
982 granted under subsection (7).
983 30. Section 537.005, except that the office may modify the
984 corporate surety bond amount required by s. 537.005. The
985 modified amount must be in such lower amount that the office
986 determines to be commensurate with the considerations under
987 paragraph (4)(e) and the maximum number of consumers authorized
988 to receive the product or service under this section.
989 31. Section 537.007.
990 32. Section 537.009.
991 33. Section 537.015.
992 (b) During a sandbox period, the exceptions granted in
993 paragraph (a) are applicable if all of the following conditions
994 are met:
995 1. The general law or corresponding rule currently prevents
996 the innovative financial product or service to be made available
997 to consumers.
998 2. The exceptions or rule waivers are not broader than
999 necessary to accomplish the purposes and standards specified in
1000 this section, as determined by the office.
1001 3. No provision relating to the liability of an
1002 incorporator, director, or officer of the applicant is eligible
1003 for a waiver.
1004 4. The other requirements of this section are met.
1005 (9) REPORT.—A person authorized to make an innovative
1006 financial product or service available to consumers under this
1007 section shall submit a report to the office twice a year as
1008 prescribed by commission rule. The report must, at a minimum,
1009 include financial reports and the number of consumers who have
1010 received the financial product or service.
1011 (10) CONSTRUCTION.—A person whose Financial Technology
1012 Sandbox application is approved shall be deemed licensed under
1013 the applicable exceptions to general law or waiver of the rule
1014 requirements specified under subsection (7), unless the person’s
1015 authorization to make the financial product or service available
1016 to consumers under this section has been revoked or suspended.
1017 (11) VIOLATIONS AND PENALTIES.—
1018 (a) A person who makes an innovative financial product or
1019 service available to consumers in the Financial Technology
1020 Sandbox is:
1021 1. Not immune from civil damages for acts and omissions
1022 relating to this section.
1023 2. Subject to all criminal statutes and any other statute
1024 not specifically excepted under section (7).
1025 (b)1. The office may, by order, revoke or suspend
1026 authorization granted to a person to make an innovative
1027 financial product or service available to consumers if:
1028 a. The person has violated or refused to comply with this
1029 section, a rule of the commission, an order of the office, or a
1030 condition placed by the office on the approval of the person’s
1031 Financial Technology Sandbox application;
1032 b. A fact or condition exists that, if it had existed or
1033 become known at the time that the Financial Technology Sandbox
1034 application was pending, would have warranted denial of the
1035 application or the imposition of material conditions;
1036 c. A material error, false statement, misrepresentation, or
1037 material omission was made in the Financial Technology Sandbox
1038 application; or
1039 d. After consultation with the person, continued testing of
1040 the innovative financial product or service would:
1041 (I) Be likely to harm consumers; or
1042 (II) No longer serve the purposes of this section because
1043 of the financial or operational failure of the financial product
1044 or service.
1045 2. Written notice of a revocation or suspension order made
1046 under subparagraph 1. must be served using any means authorized
1047 by law. If the notice relates to a suspension, the notice must
1048 include any condition or remedial action that the person must
1049 complete before the office lifts the suspension.
1050 (c) The office may refer any suspected violation of law to
1051 an appropriate state or federal agency for investigation,
1052 prosecution, civil penalties, and other appropriate enforcement
1054 (d) If service of process on a person making an innovative
1055 financial product or service available to consumers in the
1056 Financial Technology Sandbox is not feasible, service on the
1057 office shall be deemed service on such person.
1058 (12) RULES AND ORDERS.—
1059 (a) The commission shall adopt rules to administer this
1061 (b) The office may issue all necessary orders to enforce
1062 this section and may enforce the orders in accordance with
1063 chapter 120 or in any court of competent jurisdiction. These
1064 orders include, but are not limited to, orders for payment of
1065 restitution for harm suffered by consumers as a result of an
1066 innovative financial product or service.
1067 Section 11. Except as otherwise expressly provided in this
1068 act, this act shall take effect July 1, 2020.
1071 ================= T I T L E A M E N D M E N T ================
1072 And the title is amended as follows:
1073 Delete everything before the enacting clause
1074 and insert:
1075 A bill to be entitled
1076 An act relating to technology innovation; amending s. 20.22,
1077 F.S.; renaming the Division of State Technology within the
1078 Department of Management Services as the Division of
1079 Telecommunications; adding Florida Digital Service to the
1080 department; amending s. 282.0041, F.S.; providing definitions;
1081 amending s. 282.0051, F.S.; establishing the Florida Digital
1082 Service within the department; transferring specified powers,
1083 duties, and functions; providing appointments and duties of the
1084 state chief information officer and chief data officer of the
1085 Florida Digital Service; requiring the Florida Digital Service
1086 to develop a comprehensive enterprise architecture; providing
1087 requirements for such enterprise architecture; providing duties
1088 and authorities of the Florida Digital Service; providing duties
1089 of the department under certain circumstances; providing
1090 requirements for procurement terms of contract under certain
1091 circumstances; prohibiting costs to the enterprise and law
1092 enforcement for using services provided by credential service
1093 providers under certain circumstances; providing requirements
1094 for agreements between the department and credential service
1095 providers and qualified entities under certain circumstances;
1096 providing disposition of revenues generated from such agreements
1097 under certain circumstances; providing report requirements;
1098 providing rulemaking authority to the Florida Digital Service;
1099 establishing the Enterprise Architecture Advisory Council;
1100 requiring the council to comply with specified requirements;
1101 providing membership and meeting requirements and duties of the
1102 council; deleting provisions relating to specified duties and
1103 powers of the Department of Legal Affairs, the Department of
1104 Financial Services, and the Department of Agriculture and
1105 Consumer Services; amending ss. 282.318, 287.0591, 365.171,
1106 365.172, 365.173, and 943.0415, F.S.; conforming provisions to
1107 changes made by the act; creating s. 559.952, F.S.; providing a
1108 short title; creating the Financial Technology Sandbox within
1109 the Office of Financial Regulation; defining terms; authorizing
1110 the office to grant exceptions and waivers of specified
1111 financial regulatory requirements to certain applicants offering
1112 certain financial products or services during a sandbox period;
1113 requiring an application for the program for persons who want to
1114 make innovative financial products or services available to
1115 consumers; providing application requirements and procedures;
1116 providing standards for application approval or denial;
1117 requiring the office to perform certain actions upon approval of
1118 an application; specifying authorized actions of, limitations
1119 on, and disclosure requirements for persons making financial
1120 products or services available during a sandbox period;
1121 authorizing the office to enter into agreement with certain
1122 regulatory agencies for specified purposes; providing
1123 recordkeeping requirements; authorizing the office to examine
1124 specified records; providing requirements and procedures for
1125 applying for extensions and concluding sandbox periods;
1126 specifying criteria for granting an extension and a waiver
1127 requiring written notification to consumers at the end of an
1128 extension or conclusion of the sandbox period; providing acts
1129 that persons who make innovative financial products or services
1130 available to consumers may and may not engage in at the end of
1131 an extension or conclusion of the sandbox period; specifying
1132 reporting requirements to the office; providing construction;
1133 providing that such persons are not immune from civil damages
1134 and are subject to criminal and consumer protection laws;
1135 providing penalties; providing for service of process; requiring
1136 the Financial Services Commission to adopt rules; authorizing
1137 the office to issue orders and enforce such orders through
1138 administrative or judicial process; authorizing the office to
1139 issue and enforce orders for payment of restitution; providing
1140 effective dates.