Florida Senate - 2021 COMMITTEE AMENDMENT
Bill No. SB 1900
LEGISLATIVE ACTION: Senate: Comm: RCS, 03/31/2021. House: (none).
The Committee on Governmental Oversight and Accountability
(Boyd) recommended the following:
1 Senate Amendment (with title amendment)
2
3 Delete everything after the enacting clause
4 and insert:
5 Section 1. Paragraph (i) of subsection (6) of section
6 20.055, Florida Statutes, is amended to read:
7 20.055 Agency inspectors general.—
8 (6) In carrying out the auditing duties and
9 responsibilities of this act, each inspector general shall
10 review and evaluate internal controls necessary to ensure the
11 fiscal accountability of the state agency. The inspector general
12 shall conduct financial, compliance, electronic data processing,
13 and performance audits of the agency and prepare audit reports
14 of his or her findings. The scope and assignment of the audits
15 shall be determined by the inspector general; however, the
16 agency head may at any time request the inspector general to
17 perform an audit of a special program, function, or
18 organizational unit. The performance of the audit shall be under
19 the direction of the inspector general, except that if the
20 inspector general does not possess the qualifications specified
21 in subsection (4), the director of auditing shall perform the
22 functions listed in this subsection.
23 (i) The inspector general shall develop long-term and
24 annual audit plans based on the findings of periodic risk
25 assessments. The plan, where appropriate, should include
26 postaudit samplings of payments and accounts. The plan shall
27 show the individual audits to be conducted during each year and
28 related resources to be devoted to the respective audits. The
29 plan shall include a specific cybersecurity audit plan. The
30 Chief Financial Officer, to assist in fulfilling the
31 responsibilities for examining, auditing, and settling accounts,
32 claims, and demands pursuant to s. 17.03(1), and examining,
33 auditing, adjusting, and settling accounts pursuant to s. 17.04,
34 may use audits performed by the inspectors general and internal
35 auditors. For state agencies under the jurisdiction of the
36 Governor, the audit plans shall be submitted to the Chief
37 Inspector General. The plan shall be submitted to the agency
38 head for approval. A copy of the approved plan shall be
39 submitted to the Auditor General.
40 Section 2. Subsections (8) through (21) of section
41 282.0041, Florida Statutes, are renumbered as subsections (9)
42 through (22), respectively, present subsection (22) is amended,
43 and a new subsection (8) is added to that section, to read:
44 282.0041 Definitions.—As used in this chapter, the term:
45 (8) “Cybersecurity” means the protection afforded to an
46 automated information system in order to attain the applicable
47 objectives of preserving the confidentiality, integrity, and
48 availability of data, information, and information technology
49 resources.
50 (22) “Information technology security” means the protection
51 afforded to an automated information system in order to attain
52 the applicable objectives of preserving the integrity,
53 availability, and confidentiality of data, information, and
54 information technology resources.
55 Section 3. Paragraph (j) of subsection (1) of section
56 282.0051, Florida Statutes, is amended to read:
57 282.0051 Department of Management Services; Florida Digital
58 Service; powers, duties, and functions.—
59 (1) The Florida Digital Service has been created within the
60 department to propose innovative solutions that securely
61 modernize state government, including technology and information
62 services, to achieve value through digital transformation and
63 interoperability, and to fully support the cloud-first policy as
64 specified in s. 282.206. The department, through the Florida
65 Digital Service, shall have the following powers, duties, and
66 functions:
67 (j) Provide operational management and oversight of the
68 state data center established pursuant to s. 282.201, which
69 includes:
70 1. Implementing industry standards and best practices for
71 the state data center’s facilities, operations, maintenance,
72 planning, and management processes.
73 2. Developing and implementing cost-recovery mechanisms
74 that recover the full direct and indirect cost of services
75 through charges to applicable customer entities. Such cost
76 recovery mechanisms must comply with applicable state and
77 federal regulations concerning distribution and use of funds and
78 must ensure that, for any fiscal year, no service or customer
79 entity subsidizes another service or customer entity. The
80 Florida Digital Service may recommend other payment mechanisms
81 to the Executive Office of the Governor, the President of the
82 Senate, and the Speaker of the House of Representatives. Such
83 mechanism may be implemented only if specifically authorized by
84 the Legislature.
85 3. Developing and implementing appropriate operating
86 guidelines and procedures necessary for the state data center to
87 perform its duties pursuant to s. 282.201. The guidelines and
88 procedures must comply with applicable state and federal laws,
89 regulations, and policies and conform to generally accepted
90 governmental accounting and auditing standards. The guidelines
91 and procedures must include, but need not be limited to:
92 a. Implementing a consolidated administrative support
93 structure responsible for providing financial management,
94 procurement, transactions involving real or personal property,
95 human resources, and operational support.
96 b. Implementing an annual reconciliation process to ensure
97 that each customer entity is paying for the full direct and
98 indirect cost of each service as determined by the customer
99 entity’s use of each service.
100 c. Providing rebates that may be credited against future
101 billings to customer entities when revenues exceed costs.
102 d. Requiring customer entities to validate that sufficient
103 funds exist in the appropriate data processing appropriation
104 category or will be transferred into the appropriate data
105 processing appropriation category before implementation of a
106 customer entity’s request for a change in the type or level of
107 service provided, if such change results in a net increase to
108 the customer entity’s cost for that fiscal year.
109 e. By November 15 of each year, providing to the Office of
110 Policy and Budget in the Executive Office of the Governor and to
111 the chairs of the legislative appropriations committees the
112 projected costs of providing data center services for the
113 following fiscal year.
114 f. Providing a plan for consideration by the Legislative
115 Budget Commission if the cost of a service is increased for a
116 reason other than a customer entity’s request made pursuant to
117 sub-subparagraph d. Such a plan is required only if the service
118 cost increase results in a net increase to a customer entity for
119 that fiscal year.
120 g. Standardizing and consolidating procurement and
121 contracting practices.
122 4. In collaboration with the Department of Law Enforcement,
123 developing and implementing a process for detecting, reporting,
124 and responding to cybersecurity information technology security
125 incidents, breaches, and threats.
126 5. Adopting rules relating to the operation of the state
127 data center, including, but not limited to, budgeting and
128 accounting procedures, cost-recovery methodologies, and
129 operating procedures.
130 Section 4. Paragraph (g) of subsection (1) of section
131 282.201, Florida Statutes, is amended to read:
132 282.201 State data center.—The state data center is
133 established within the department. The provision of data center
134 services must comply with applicable state and federal laws,
135 regulations, and policies, including all applicable security,
136 privacy, and auditing requirements. The department shall appoint
137 a director of the state data center, preferably an individual
138 who has experience in leading data center facilities and has
139 expertise in cloud-computing management.
140 (1) STATE DATA CENTER DUTIES.—The state data center shall:
141 (g) In its procurement process, show preference for cloud
142 computing solutions that minimize or do not require the
143 purchasing, financing, or leasing of state data center
144 infrastructure, and that meet the needs of customer agencies,
145 that reduce costs, and that meet or exceed the applicable state
146 and federal laws, regulations, and standards for cybersecurity
147 information technology security.
148 Section 5. Subsection (2) of section 282.206, Florida
149 Statutes, is amended to read:
150 282.206 Cloud-first policy in state agencies.—
151 (2) In its procurement process, each state agency shall
152 show a preference for cloud-computing solutions that either
153 minimize or do not require the use of state data center
154 infrastructure when cloud-computing solutions meet the needs of
155 the agency, reduce costs, and meet or exceed the applicable
156 state and federal laws, regulations, and standards for
157 cybersecurity information technology security.
158 Section 6. Section 282.318, Florida Statutes, is amended to
159 read:
160 282.318 Cybersecurity Security of data and information
161 technology.—
162 (1) This section may be cited as the “State Cybersecurity
163 Act.” “Information Technology Security Act.”
164 (2) As used in this section, the term “state agency” has
165 the same meaning as provided in s. 282.0041, except that the
166 term includes the Department of Legal Affairs, the Department of
167 Agriculture and Consumer Services, and the Department of
168 Financial Services.
169 (3) The department, acting through the Florida Digital
170 Service, is the lead entity responsible for establishing
171 standards and processes for assessing state agency cybersecurity
172 risks and determining appropriate security measures. Such
173 standards and processes must be consistent with generally
174 accepted technology best practices, including the National
175 Institute for Standards and Technology Cybersecurity Framework,
176 for cybersecurity. The department, acting through the Florida
177 Digital Service, shall adopt information technology security, to
178 include cybersecurity, and adopting rules that mitigate risks;
179 safeguard state agency digital assets, an agency’s data,
180 information, and information technology resources to ensure
181 availability, confidentiality, and integrity; and support a
182 security governance framework and to mitigate risks. The
183 department, acting through the Florida Digital Service, shall
184 also:
185 (a) Designate an employee of the Florida Digital Service as
186 the state chief information security officer. The state chief
187 information security officer must have experience and expertise
188 in security and risk management for communications and
189 information technology resources. The state chief information
190 security officer is responsible for the development, operation,
191 and oversight of cybersecurity for state technology systems. The
192 state chief information security officer shall be notified of
193 all confirmed or suspected incidents or threats of state agency
194 information technology resources and must report such incidents
195 or threats to the state chief information officer and the
196 Governor.
197 (b) Develop, and annually update by February 1, a statewide
198 cybersecurity information technology security strategic plan
199 that includes security goals and objectives for cybersecurity,
200 including the identification and mitigation of risk, proactive
201 protections against threats, tactical risk detection, threat
202 reporting, and response and recovery protocols for a cyber
203 incident the strategic issues of information technology security
204 policy, risk management, training, incident management, and
205 disaster recovery planning.
206 (c) Develop and publish for use by state agencies a
207 cybersecurity governance an information technology security
208 framework that, at a minimum, includes guidelines and processes
209 for:
210 1. Establishing asset management procedures to ensure that
211 an agency’s information technology resources are identified and
212 managed consistent with their relative importance to the
213 agency’s business objectives.
214 2. Using a standard risk assessment methodology that
215 includes the identification of an agency’s priorities,
216 constraints, risk tolerances, and assumptions necessary to
217 support operational risk decisions.
218 3. Completing comprehensive risk assessments and
219 cybersecurity information technology security audits, which may
220 be completed by a private sector vendor, and submitting
221 completed assessments and audits to the department.
222 4. Identifying protection procedures to manage the
223 protection of an agency’s information, data, and information
224 technology resources.
225 5. Establishing procedures for accessing information and
226 data to ensure the confidentiality, integrity, and availability
227 of such information and data.
228 6. Detecting threats through proactive monitoring of
229 events, continuous security monitoring, and defined detection
230 processes.
231 7. Establishing agency cybersecurity computer security
232 incident response teams and describing their responsibilities
233 for responding to cybersecurity information technology security
234 incidents, including breaches of personal information containing
235 confidential or exempt data.
236 8. Recovering information and data in response to a
237 cybersecurity an information technology security incident. The
238 recovery may include recommended improvements to the agency
239 processes, policies, or guidelines.
240 9. Establishing a cybersecurity an information technology
241 security incident reporting process that includes procedures and
242 tiered reporting timeframes for notifying the department and the
243 Department of Law Enforcement of cybersecurity information
244 technology security incidents. The tiered reporting timeframes
245 shall be based upon the level of severity of the cybersecurity
246 information technology security incidents being reported.
247 10. Incorporating information obtained through detection
248 and response activities into the agency’s cybersecurity
249 information technology security incident response plans.
250 11. Developing agency strategic and operational
251 cybersecurity information technology security plans required
252 pursuant to this section.
253 12. Establishing the managerial, operational, and technical
254 safeguards for protecting state government data and information
255 technology resources that align with the state agency risk
256 management strategy and that protect the confidentiality,
257 integrity, and availability of information and data.
258 13. Establishing procedures for procuring information
259 technology commodities and services that require the commodity
260 or service to meet the National Institute of Standards and
261 Technology Cybersecurity Framework.
262 (d) Assist state agencies in complying with this section.
263 (e) In collaboration with the Cybercrime Office of the
264 Department of Law Enforcement, annually provide training for
265 state agency information security managers and computer security
266 incident response team members that contains training on
267 cybersecurity information technology security, including
268 cybersecurity, threats, trends, and best practices.
269 (f) Annually review the strategic and operational
270 cybersecurity information technology security plans of state
271 executive branch agencies.
272 (g) Provide cybersecurity training to all state agency
273 technology professionals that develops, assesses, and documents
274 competencies by role and skill level. The training may be
275 provided in collaboration with the Cybercrime Office of the
276 Department of Law Enforcement, a private sector entity, or an
277 institution of the state university system.
278 (h) Operate and maintain a Cybersecurity Operations Center
279 led by the state chief information security officer, which must
280 be primarily virtual and staffed with tactical detection and
281 incident response personnel. The Cybersecurity Operations Center
282 shall serve as a clearinghouse for threat information and
283 coordinate with the Department of Law Enforcement to support
284 state agencies and their response to any confirmed or suspected
285 cybersecurity incident.
286 (i) Lead an Emergency Support Function, ESF CYBER, under
287 the state comprehensive emergency management plan as described
288 in s. 252.35.
289 (4) Each state agency head shall, at a minimum:
290 (a) Designate an information security manager to administer
291 the cybersecurity information technology security program of the
292 state agency. This designation must be provided annually in
293 writing to the department by January 1. A state agency’s
294 information security manager, for purposes of these information
295 security duties, shall report directly to the agency head.
296 (b) In consultation with the department, through the
297 Florida Digital Service, and the Cybercrime Office of the
298 Department of Law Enforcement, establish an agency cybersecurity
299 computer security incident response team to respond to a
300 cybersecurity an information technology security incident. The
301 agency cybersecurity computer security incident response team
302 shall convene upon notification of a cybersecurity an
303 information technology security incident and must immediately
304 report all confirmed or suspected incidents to the state chief
305 information security officer, or his or her designee, and comply
306 with all applicable guidelines and processes established
307 pursuant to paragraph (3)(c).
308 (c) Submit to the department annually by July 31, the state
309 agency’s strategic and operational cybersecurity information
310 technology security plans developed pursuant to rules and
311 guidelines established by the department, through the Florida
312 Digital Service.
313 1. The state agency strategic cybersecurity information
314 technology security plan must cover a 3-year period and, at a
315 minimum, define security goals, intermediate objectives, and
316 projected agency costs for the strategic issues of agency
317 information security policy, risk management, security training,
318 security incident response, and disaster recovery. The plan must
319 be based on the statewide cybersecurity information technology
320 security strategic plan created by the department and include
321 performance metrics that can be objectively measured to reflect
322 the status of the state agency’s progress in meeting security
323 goals and objectives identified in the agency’s strategic
324 information security plan.
325 2. The state agency operational cybersecurity information
326 technology security plan must include a progress report that
327 objectively measures progress made towards the prior operational
328 cybersecurity information technology security plan and a project
329 plan that includes activities, timelines, and deliverables for
330 security objectives that the state agency will implement during
331 the current fiscal year.
332 (d) Conduct, and update every 3 years, a comprehensive risk
333 assessment, which may be completed by a private sector vendor,
334 to determine the security threats to the data, information, and
335 information technology resources, including mobile devices and
336 print environments, of the agency. The risk assessment must
337 comply with the risk assessment methodology developed by the
338 department and is confidential and exempt from s. 119.07(1),
339 except that such information shall be available to the Auditor
340 General, the Florida Digital Service within the department, the
341 Cybercrime Office of the Department of Law Enforcement, and, for
342 state agencies under the jurisdiction of the Governor, the Chief
343 Inspector General. If a private sector vendor is used to
344 complete a comprehensive risk assessment, it must attest to the
345 validity of the risk assessment findings.
346 (e) Develop, and periodically update, written internal
347 policies and procedures, which include procedures for reporting
348 cybersecurity information technology security incidents and
349 breaches to the Cybercrime Office of the Department of Law
350 Enforcement and the Florida Digital Service within the
351 department. Such policies and procedures must be consistent with
352 the rules, guidelines, and processes established by the
353 department to ensure the security of the data, information, and
354 information technology resources of the agency. The internal
355 policies and procedures that, if disclosed, could facilitate the
356 unauthorized modification, disclosure, or destruction of data or
357 information technology resources are confidential information
358 and exempt from s. 119.07(1), except that such information shall
359 be available to the Auditor General, the Cybercrime Office of
360 the Department of Law Enforcement, the Florida Digital Service
361 within the department, and, for state agencies under the
362 jurisdiction of the Governor, the Chief Inspector General.
363 (f) Implement managerial, operational, and technical
364 safeguards and risk assessment remediation plans recommended by
365 the department to address identified risks to the data,
366 information, and information technology resources of the agency.
367 The department, through the Florida Digital Service, shall track
368 implementation by state agencies upon development of such
369 remediation plans in coordination with agency inspectors
370 general.
371 (g) Ensure that periodic internal audits and evaluations of
372 the agency’s cybersecurity information technology security
373 program for the data, information, and information technology
374 resources of the agency are conducted. The results of such
375 audits and evaluations are confidential information and exempt
376 from s. 119.07(1), except that such information shall be
377 available to the Auditor General, the Cybercrime Office of the
378 Department of Law Enforcement, the Florida Digital Service
379 within the department, and, for agencies under the jurisdiction
380 of the Governor, the Chief Inspector General.
381 (h) Ensure that the information technology security and
382 cybersecurity requirements in both the written specifications
383 for the solicitation, contracts, and service-level agreement of
384 information technology and information technology resources and
385 services meet or exceed the applicable state and federal laws,
386 regulations, and standards for information technology security
387 and cybersecurity, including the National Institute of Standards
388 and Technology Cybersecurity Framework. Service-level agreements
389 must identify service provider and state agency responsibilities
390 for privacy and security, protection of government data,
391 personnel background screening, and security deliverables with
392 associated frequencies.
393 (i) Provide information technology security and
394 cybersecurity awareness training to all state agency employees
395 in the first 30 days after commencing employment concerning
396 cybersecurity information technology security risks and the
397 responsibility of employees to comply with policies, standards,
398 guidelines, and operating procedures adopted by the state agency
399 to reduce those risks. The training may be provided in
400 collaboration with the Cybercrime Office of the Department of
401 Law Enforcement, a private sector entity, or an institution of
402 the state university system.
403 (j) Develop a process for detecting, reporting, and
404 responding to threats, breaches, or cybersecurity information
405 technology security incidents which is consistent with the
406 security rules, guidelines, and processes established by the
407 department, through the Florida Digital Service.
408 1. All cybersecurity information technology security
409 incidents and breaches must be reported to the Florida Digital
410 Service within the department and the Cybercrime Office of the
411 Department of Law Enforcement and must comply with the
412 notification procedures and reporting timeframes established
413 pursuant to paragraph (3)(c).
414 2. For cybersecurity information technology security
415 breaches, state agencies shall provide notice in accordance with
416 s. 501.171.
417 (5) Portions of records held by a state agency which
418 contain network schematics, hardware and software
419 configurations, or encryption, or which identify detection,
420 investigation, or response practices for suspected or confirmed
421 cybersecurity information technology security incidents,
422 including suspected or confirmed breaches, are confidential and
423 exempt from s. 119.07(1) and s. 24(a), Art. I of the State
424 Constitution, if the disclosure of such records would facilitate
425 unauthorized access to or the unauthorized modification,
426 disclosure, or destruction of:
427 (a) Data or information, whether physical or virtual; or
428 (b) Information technology resources, which includes:
429 1. Information relating to the security of the agency’s
430 technologies, processes, and practices designed to protect
431 networks, computers, data processing software, and data from
432 attack, damage, or unauthorized access; or
433 2. Security information, whether physical or virtual, which
434 relates to the agency’s existing or proposed information
435 technology systems.
436 (6) The portions of risk assessments, evaluations, external
437 audits, and other reports of a state agency’s cybersecurity
438 information technology security program for the data,
439 information, and information technology resources of the state
440 agency which are held by a state agency are confidential and
441 exempt from s. 119.07(1) and s. 24(a), Art. I of the State
442 Constitution if the disclosure of such portions of records would
443 facilitate unauthorized access to or the unauthorized
444 modification, disclosure, or destruction of:
445 (a) Data or information, whether physical or virtual; or
446 (b) Information technology resources, which include:
447 1. Information relating to the security of the agency’s
448 technologies, processes, and practices designed to protect
449 networks, computers, data processing software, and data from
450 attack, damage, or unauthorized access; or
451 2. Security information, whether physical or virtual, which
452 relates to the agency’s existing or proposed information
453 technology systems.
454
455 For purposes of this subsection, “external audit” means an audit
456 that is conducted by an entity other than the state agency that
457 is the subject of the audit.
458 (7) Those portions of a public meeting as specified in s.
459 286.011 which would reveal records which are confidential and
460 exempt under subsection (5) or subsection (6) are exempt from s.
461 286.011 and s. 24(b), Art. I of the State Constitution. No
462 exempt portion of an exempt meeting may be off the record. All
463 exempt portions of such meeting shall be recorded and
464 transcribed. Such recordings and transcripts are confidential
465 and exempt from disclosure under s. 119.07(1) and s. 24(a), Art.
466 I of the State Constitution unless a court of competent
467 jurisdiction, after an in camera review, determines that the
468 meeting was not restricted to the discussion of data and
469 information made confidential and exempt by this section. In the
470 event of such a judicial determination, only that portion of the
471 recording and transcript which reveals nonexempt data and
472 information may be disclosed to a third party.
473 (8) The portions of records made confidential and exempt in
474 subsections (5), (6), and (7) shall be available to the Auditor
475 General, the Cybercrime Office of the Department of Law
476 Enforcement, the Florida Digital Service within the department,
477 and, for agencies under the jurisdiction of the Governor, the
478 Chief Inspector General. Such portions of records may be made
479 available to a local government, another state agency, or a
480 federal agency for cybersecurity information technology security
481 purposes or in furtherance of the state agency’s official
482 duties.
483 (9) The exemptions contained in subsections (5), (6), and
484 (7) apply to records held by a state agency before, on, or after
485 the effective date of this exemption.
486 (10) Subsections (5), (6), and (7) are subject to the Open
487 Government Sunset Review Act in accordance with s. 119.15 and
488 shall stand repealed on October 2, 2025, unless reviewed and
489 saved from repeal through reenactment by the Legislature.
490 (11) The department shall adopt rules relating to
491 cybersecurity information technology security and to administer
492 this section.
493 Section 7. Section 282.319, Florida Statutes, is created to
494 read:
495 282.319 Florida Cybersecurity Advisory Council.—
496 (1) The Florida Cybersecurity Advisory Council, an advisory
497 council as defined in s. 20.03(7), is created within the
498 department. Except as otherwise provided in this section, the
499 advisory council shall operate in a manner consistent with s.
500 20.052.
501 (2) The purpose of the council is to assist state agencies
502 in protecting their information technology resources from cyber
503 threats and incidents.
504 (3) The council shall assist the Florida Digital Service in
505 implementing best cybersecurity practices, taking into
506 consideration the final recommendations of the Florida
507 Cybersecurity Task Force created under chapter 2019-118, Laws of
508 Florida.
509 (4) The council shall be comprised of the following
510 members:
511 (a) The Lieutenant Governor or his or her designee.
512 (b) The state chief information officer.
513 (c) The state chief information security officer.
514 (d) The director of the Division of Emergency Management or
515 his or her designee.
516 (e) A representative of the computer crime center of the
517 Department of Law Enforcement, appointed by the executive
518 director of the department.
519 (f) A representative of the Florida Fusion Center of the
520 Department of Law Enforcement, appointed by the executive
521 director of the department.
522 (g) The Chief Inspector General.
523 (h) A representative from the Public Service Commission.
524 (i) Up to two representatives from institutions of higher
525 education located in the state, appointed by the Governor.
526 (j) Three representatives from critical infrastructure
527 sectors, one of which must be from a water-treatment facility,
528 appointed by the Governor.
529 (k) Four representatives of the private sector with senior
530 level experience in cybersecurity or software engineering from
531 within the finance, energy, health care, and transportation
532 sector, appointed by the Governor.
533 (l) Two representatives with expertise on emerging
534 technology with one appointed by the President of the Senate and
535 one appointed by the Speaker of the House of Representatives.
536 (5) Members shall serve for a term of 4 years; however, for
537 the purpose of providing staggered terms, the initial
538 appointments of members made by the Governor shall be for a term
539 of 2 years. A vacancy shall be filled for the remainder of the
540 unexpired term in the same manner as the initial appointment.
541 All members of the council are eligible for reappointment.
542 (6) The Secretary of Management Services, or his or her
543 designee, shall serve as the ex officio, nonvoting executive
544 director of the council.
545 (7) Members of the council shall serve without compensation
546 but are entitled to receive reimbursement for per diem and
547 travel expenses pursuant to s. 112.061.
548 (8) The council shall meet at least quarterly to:
549 (a) Review existing state agency cybersecurity policies.
550 (b) Assess ongoing risks to state agency information
551 technology.
552 (c) Recommend a reporting and information sharing system to
553 notify state agencies of new risks.
554 (d) Recommend data breach simulation exercises.
555 (e) Assist the Florida Digital Service in developing
556 cybersecurity best practice recommendations for state agencies
557 that include recommendations regarding:
558 1. Continuous risk monitoring.
559 2. Password management.
560 3. Protecting data in legacy and new systems.
561 (f) Examine inconsistencies between state and federal law
562 regarding cybersecurity.
563 (9) The council shall work with the National Institute of
564 Standards and Technology and other federal agencies, private
565 sector businesses, and private cybersecurity experts:
566 (a) For critical infrastructure not covered by federal law,
567 to identify which local infrastructure sectors are at the
568 greatest risk of cyber attacks and need the most enhanced
569 cybersecurity measures.
570 (b) To use federal guidance to identify categories of
571 critical infrastructure as critical cyber infrastructure if
572 cyber damage or unauthorized cyber access to the infrastructure
573 could reasonably result in catastrophic consequences.
574 (10) Beginning June 30, 2022, and each June 30 thereafter,
575 the council shall submit to the President of the Senate and the
576 Speaker of the House of Representatives any legislative
577 recommendations considered necessary by the council to address
578 cybersecurity.
579 Section 8. This act shall take effect July 1, 2021.
580
581 ================= T I T L E A M E N D M E N T ================
582 And the title is amended as follows:
583 Delete everything before the enacting clause
584 and insert:
585 A bill to be entitled
586 An act relating to cybersecurity; amending s. 20.055, F.S.; requiring
588 certain audit plans of an inspector general to include
589 certain information; amending s. 282.0041, F.S.;
590 revising and providing definitions; amending ss.
591 282.0051, 282.201, and 282.206, F.S.; revising
592 provisions to replace references to information
593 technology security with cybersecurity; amending s.
594 282.318, F.S.; revising provisions to replace
595 references to information technology security and
596 computer security with references to cybersecurity;
597 revising a short title; providing that the Department
598 of Management Services, acting through the Florida
599 Digital Service, is the lead entity for the purpose of
600 certain responsibilities; providing and revising
601 requirements for the department, acting through the
602 Florida Digital Service; providing that certain
603 employees shall be assigned to selected exempt
604 service; providing that the state chief information
605 security officer is responsible for state technology
606 systems and shall be notified of certain incidents and
607 threats; revising requirements for state agency heads;
608 requiring the department, through the Florida Digital
609 Service, to track the implementation by state agencies
610 of certain plans; creating s. 282.319, F.S.; creating the
611 Florida Cybersecurity Advisory Council within the
612 Department of Management Services; providing the
613 purpose of the council; requiring the council to
614 provide certain assistance to the Florida Digital
615 Service; providing for the membership of the council;
616 providing for terms of council members; providing that
617 the Secretary of Management Services, or his or her
618 designee, shall serve as the ex officio executive
619 director of the council; providing that members shall
620 serve without compensation but are entitled to
621 reimbursement for per diem and travel expenses;
622 requiring the council to meet at least quarterly for
623 certain purposes; requiring the council to work with
624 certain entities to identify certain local
625 infrastructure sectors and critical cyber
626 infrastructure; requiring the council to submit an
627 annual report to the Legislature; providing an
628 effective date.