Florida Senate - 2021              PROPOSED COMMITTEE SUBSTITUTE
       Bill No. CS for SB 1900
       576-03929-21                                                    
       Proposed Committee Substitute by the Committee on Appropriations
       (Appropriations Subcommittee on Agriculture, Environment, and
       General Government)
    1                        A bill to be entitled                      
    2         An act relating to cybersecurity; amending s. 20.055,
    3         F.S.; requiring certain audit plans of an inspector
    4         general to include certain information; amending s.
    5         282.0041, F.S.; revising and providing definitions;
    6         amending ss. 282.0051, 282.201, and 282.206, F.S.;
    7         revising provisions to replace references to
    8         information technology security with cybersecurity;
    9         amending s. 282.318, F.S.; revising provisions to
   10         replace references to information technology security
   11         and computer security with references to
   12         cybersecurity; revising a short title; providing that
   13         the Department of Management Services, acting through
   14         the Florida Digital Service, is the lead entity for
   15         the purpose of certain responsibilities; providing and
   16         revising requirements for the department, acting
   17         through the Florida Digital Service; providing that
   18         the state chief information security officer is
   19         responsible for state technology systems and shall be
   20         notified of certain incidents and threats; revising
   21         requirements for state agency heads; requiring the
   22         department, through the Florida Digital Service, to
   23         track the implementation by state agencies of certain
   24         plans; creating s. 282.319, F.S.; creating the Florida
   25         Cybersecurity Advisory Council within the Department
   26         of Management Services; providing the purpose of the
   27         council; requiring the council to provide certain
   28         assistance to the Florida Digital Service; providing
   29         for the membership of the council; providing for terms
   30         of council members; providing that the Secretary of
   31         Management Services, or his or her designee, shall
   32         serve as the ex officio, nonvoting executive director
   33         of the council; providing that members shall serve
   34         without compensation but are entitled to reimbursement
   35         for per diem and travel expenses; requiring council
   36         members to maintain the confidential or exempt status
   37         of information received; prohibiting council members
   38         from using information not otherwise public for their
   39         own personal gain; requiring council members to sign
   40         an agreement acknowledging certain provisions;
   41         requiring the council to meet at least quarterly for
   42         certain purposes; requiring the council to work with
   43         certain entities to identify certain local
   44         infrastructure sectors and critical cyber
   45         infrastructure; requiring the council to submit an
   46         annual report to the Legislature; providing an
   47         effective date.
   48          
   49  Be It Enacted by the Legislature of the State of Florida:
   50  
   51         Section 1. Paragraph (i) of subsection (6) of section
   52  20.055, Florida Statutes, is amended to read:
   53         20.055 Agency inspectors general.—
   54         (6) In carrying out the auditing duties and
   55  responsibilities of this act, each inspector general shall
   56  review and evaluate internal controls necessary to ensure the
   57  fiscal accountability of the state agency. The inspector general
   58  shall conduct financial, compliance, electronic data processing,
   59  and performance audits of the agency and prepare audit reports
   60  of his or her findings. The scope and assignment of the audits
   61  shall be determined by the inspector general; however, the
   62  agency head may at any time request the inspector general to
   63  perform an audit of a special program, function, or
   64  organizational unit. The performance of the audit shall be under
   65  the direction of the inspector general, except that if the
   66  inspector general does not possess the qualifications specified
   67  in subsection (4), the director of auditing shall perform the
   68  functions listed in this subsection.
   69         (i) The inspector general shall develop long-term and
   70  annual audit plans based on the findings of periodic risk
   71  assessments. The plan, where appropriate, should include
   72  postaudit samplings of payments and accounts. The plan shall
   73  show the individual audits to be conducted during each year and
   74  related resources to be devoted to the respective audits. The
   75  plan shall include a specific cybersecurity audit plan. The
   76  Chief Financial Officer, to assist in fulfilling the
   77  responsibilities for examining, auditing, and settling accounts,
   78  claims, and demands pursuant to s. 17.03(1), and examining,
   79  auditing, adjusting, and settling accounts pursuant to s. 17.04,
   80  may use audits performed by the inspectors general and internal
   81  auditors. For state agencies under the jurisdiction of the
   82  Governor, the audit plans shall be submitted to the Chief
   83  Inspector General. The plan shall be submitted to the agency
   84  head for approval. A copy of the approved plan shall be
   85  submitted to the Auditor General.
   86         Section 2. Present subsections (8) through (21) of section
   87  282.0041, Florida Statutes, are redesignated as subsections (9)
   88  through (22), respectively, a new subsection (8) is added to
   89  that section, and present subsection (22) of that section is
   90  amended, to read:
   91         282.0041 Definitions.—As used in this chapter, the term:
    92         (8) “Cybersecurity” means the protection afforded to an
   93  automated information system in order to attain the applicable
   94  objectives of preserving the confidentiality, integrity, and
   95  availability of data, information, and information technology
   96  resources.
    97         (22) “Information technology security” means the protection
   98  afforded to an automated information system in order to attain
   99  the applicable objectives of preserving the integrity,
  100  availability, and confidentiality of data, information, and
  101  information technology resources.
  102         Section 3. Paragraph (j) of subsection (1) of section
  103  282.0051, Florida Statutes, is amended to read:
  104         282.0051 Department of Management Services; Florida Digital
  105  Service; powers, duties, and functions.—
  106         (1) The Florida Digital Service has been created within the
  107  department to propose innovative solutions that securely
  108  modernize state government, including technology and information
  109  services, to achieve value through digital transformation and
  110  interoperability, and to fully support the cloud-first policy as
  111  specified in s. 282.206. The department, through the Florida
  112  Digital Service, shall have the following powers, duties, and
  113  functions:
  114         (j) Provide operational management and oversight of the
  115  state data center established pursuant to s. 282.201, which
  116  includes:
  117         1. Implementing industry standards and best practices for
  118  the state data center’s facilities, operations, maintenance,
  119  planning, and management processes.
  120         2. Developing and implementing cost-recovery mechanisms
  121  that recover the full direct and indirect cost of services
  122  through charges to applicable customer entities. Such cost
  123  recovery mechanisms must comply with applicable state and
  124  federal regulations concerning distribution and use of funds and
  125  must ensure that, for any fiscal year, no service or customer
  126  entity subsidizes another service or customer entity. The
  127  Florida Digital Service may recommend other payment mechanisms
  128  to the Executive Office of the Governor, the President of the
  129  Senate, and the Speaker of the House of Representatives. Such
  130  mechanism may be implemented only if specifically authorized by
  131  the Legislature.
  132         3. Developing and implementing appropriate operating
  133  guidelines and procedures necessary for the state data center to
  134  perform its duties pursuant to s. 282.201. The guidelines and
  135  procedures must comply with applicable state and federal laws,
  136  regulations, and policies and conform to generally accepted
  137  governmental accounting and auditing standards. The guidelines
  138  and procedures must include, but need not be limited to:
  139         a. Implementing a consolidated administrative support
  140  structure responsible for providing financial management,
  141  procurement, transactions involving real or personal property,
  142  human resources, and operational support.
  143         b. Implementing an annual reconciliation process to ensure
  144  that each customer entity is paying for the full direct and
  145  indirect cost of each service as determined by the customer
  146  entity’s use of each service.
  147         c. Providing rebates that may be credited against future
  148  billings to customer entities when revenues exceed costs.
  149         d. Requiring customer entities to validate that sufficient
  150  funds exist in the appropriate data processing appropriation
  151  category or will be transferred into the appropriate data
  152  processing appropriation category before implementation of a
  153  customer entity’s request for a change in the type or level of
  154  service provided, if such change results in a net increase to
  155  the customer entity’s cost for that fiscal year.
  156         e. By November 15 of each year, providing to the Office of
  157  Policy and Budget in the Executive Office of the Governor and to
  158  the chairs of the legislative appropriations committees the
  159  projected costs of providing data center services for the
  160  following fiscal year.
  161         f. Providing a plan for consideration by the Legislative
  162  Budget Commission if the cost of a service is increased for a
  163  reason other than a customer entity’s request made pursuant to
  164  sub-subparagraph d. Such a plan is required only if the service
  165  cost increase results in a net increase to a customer entity for
  166  that fiscal year.
  167         g. Standardizing and consolidating procurement and
  168  contracting practices.
  169         4. In collaboration with the Department of Law Enforcement,
  170  developing and implementing a process for detecting, reporting,
  171  and responding to cybersecurity information technology security
  172  incidents, breaches, and threats.
  173         5. Adopting rules relating to the operation of the state
  174  data center, including, but not limited to, budgeting and
  175  accounting procedures, cost-recovery methodologies, and
  176  operating procedures.
  177         Section 4. Paragraph (g) of subsection (1) of section
  178  282.201, Florida Statutes, is amended to read:
  179         282.201 State data center.—The state data center is
  180  established within the department. The provision of data center
  181  services must comply with applicable state and federal laws,
  182  regulations, and policies, including all applicable security,
  183  privacy, and auditing requirements. The department shall appoint
  184  a director of the state data center, preferably an individual
  185  who has experience in leading data center facilities and has
  186  expertise in cloud-computing management.
  187         (1) STATE DATA CENTER DUTIES.—The state data center shall:
  188         (g) In its procurement process, show preference for cloud
  189  computing solutions that minimize or do not require the
  190  purchasing, financing, or leasing of state data center
  191  infrastructure, and that meet the needs of customer agencies,
  192  that reduce costs, and that meet or exceed the applicable state
  193  and federal laws, regulations, and standards for cybersecurity
  194  information technology security.
  195         Section 5. Subsection (2) of section 282.206, Florida
  196  Statutes, is amended to read:
  197         282.206 Cloud-first policy in state agencies.—
  198         (2) In its procurement process, each state agency shall
  199  show a preference for cloud-computing solutions that either
  200  minimize or do not require the use of state data center
  201  infrastructure when cloud-computing solutions meet the needs of
  202  the agency, reduce costs, and meet or exceed the applicable
  203  state and federal laws, regulations, and standards for
  204  cybersecurity information technology security.
  205         Section 6. Section 282.318, Florida Statutes, is amended to
  206  read:
  207         282.318 Cybersecurity Security of data and information
  208  technology.—
  209         (1) This section may be cited as the “State Cybersecurity
  210  Act.” “Information Technology Security Act.”
  211         (2) As used in this section, the term “state agency” has
  212  the same meaning as provided in s. 282.0041, except that the
  213  term includes the Department of Legal Affairs, the Department of
  214  Agriculture and Consumer Services, and the Department of
  215  Financial Services.
  216         (3) The department, acting through the Florida Digital
  217  Service, is the lead entity responsible for establishing
  218  standards and processes for assessing state agency cybersecurity
  219  risks and determining appropriate security measures. Such
  220  standards and processes must be consistent with generally
   221  accepted technology best practices, including the National
   222  Institute of Standards and Technology Cybersecurity Framework,
  223  for cybersecurity. The department, acting through the Florida
  224  Digital Service, shall adopt information technology security, to
  225  include cybersecurity, and adopting rules that mitigate risks;
  226  safeguard state agency digital assets, an agency’s data,
  227  information, and information technology resources to ensure
  228  availability, confidentiality, and integrity; and support a
  229  security governance framework and to mitigate risks. The
  230  department, acting through the Florida Digital Service, shall
  231  also:
  232         (a) Designate an employee of the Florida Digital Service as
  233  the state chief information security officer. The state chief
  234  information security officer must have experience and expertise
  235  in security and risk management for communications and
  236  information technology resources. The state chief information
  237  security officer is responsible for the development, operation,
  238  and oversight of cybersecurity for state technology systems. The
  239  state chief information security officer shall be notified of
  240  all confirmed or suspected incidents or threats of state agency
  241  information technology resources and must report such incidents
  242  or threats to the state chief information officer and the
  243  Governor.
  244         (b) Develop, and annually update by February 1, a statewide
  245  cybersecurity information technology security strategic plan
  246  that includes security goals and objectives for cybersecurity,
  247  including the identification and mitigation of risk, proactive
  248  protections against threats, tactical risk detection, threat
  249  reporting, and response and recovery protocols for a cyber
  250  incident the strategic issues of information technology security
  251  policy, risk management, training, incident management, and
  252  disaster recovery planning.
  253         (c) Develop and publish for use by state agencies a
  254  cybersecurity governance an information technology security
  255  framework that, at a minimum, includes guidelines and processes
  256  for:
  257         1. Establishing asset management procedures to ensure that
  258  an agency’s information technology resources are identified and
  259  managed consistent with their relative importance to the
  260  agency’s business objectives.
  261         2. Using a standard risk assessment methodology that
  262  includes the identification of an agency’s priorities,
  263  constraints, risk tolerances, and assumptions necessary to
  264  support operational risk decisions.
  265         3. Completing comprehensive risk assessments and
  266  cybersecurity information technology security audits, which may
  267  be completed by a private sector vendor, and submitting
  268  completed assessments and audits to the department.
  269         4. Identifying protection procedures to manage the
  270  protection of an agency’s information, data, and information
  271  technology resources.
  272         5. Establishing procedures for accessing information and
  273  data to ensure the confidentiality, integrity, and availability
  274  of such information and data.
  275         6. Detecting threats through proactive monitoring of
  276  events, continuous security monitoring, and defined detection
  277  processes.
  278         7. Establishing agency cybersecurity computer security
  279  incident response teams and describing their responsibilities
  280  for responding to cybersecurity information technology security
  281  incidents, including breaches of personal information containing
  282  confidential or exempt data.
  283         8. Recovering information and data in response to a
  284  cybersecurity an information technology security incident. The
  285  recovery may include recommended improvements to the agency
  286  processes, policies, or guidelines.
  287         9. Establishing a cybersecurity an information technology
  288  security incident reporting process that includes procedures and
  289  tiered reporting timeframes for notifying the department and the
  290  Department of Law Enforcement of cybersecurity information
  291  technology security incidents. The tiered reporting timeframes
  292  shall be based upon the level of severity of the cybersecurity
  293  information technology security incidents being reported.
  294         10. Incorporating information obtained through detection
  295  and response activities into the agency’s cybersecurity
  296  information technology security incident response plans.
  297         11. Developing agency strategic and operational
  298  cybersecurity information technology security plans required
  299  pursuant to this section.
  300         12. Establishing the managerial, operational, and technical
  301  safeguards for protecting state government data and information
  302  technology resources that align with the state agency risk
  303  management strategy and that protect the confidentiality,
  304  integrity, and availability of information and data.
   305         13. Establishing procedures for procuring information
  306  technology commodities and services that require the commodity
  307  or service to meet the National Institute of Standards and
  308  Technology Cybersecurity Framework.
  309         (d) Assist state agencies in complying with this section.
  310         (e) In collaboration with the Cybercrime Office of the
  311  Department of Law Enforcement, annually provide training for
  312  state agency information security managers and computer security
  313  incident response team members that contains training on
  314  cybersecurity information technology security, including
  315  cybersecurity, threats, trends, and best practices.
  316         (f) Annually review the strategic and operational
  317  cybersecurity information technology security plans of state
  318  executive branch agencies.
   319         (g) Provide cybersecurity training to all state agency
  320  technology professionals which develops, assesses, and documents
  321  competencies by role and skill level. The training may be
  322  provided in collaboration with the Cybercrime Office of the
  323  Department of Law Enforcement, a private sector entity, or an
  324  institution of the state university system.
   325         (h) Operate and maintain a Cybersecurity Operations Center
  326  led by the state chief information security officer, which must
  327  be primarily virtual and staffed with tactical detection and
  328  incident response personnel. The Cybersecurity Operations Center
  329  shall serve as a clearinghouse for threat information and
  330  coordinate with the Department of Law Enforcement to support
  331  state agencies and their response to any confirmed or suspected
  332  cybersecurity incident.
   333         (i) Lead an Emergency Support Function, ESF CYBER, under
  334  the state comprehensive emergency management plan as described
  335  in s. 252.35.
  336         (4) Each state agency head shall, at a minimum:
  337         (a) Designate an information security manager to administer
  338  the cybersecurity information technology security program of the
  339  state agency. This designation must be provided annually in
  340  writing to the department by January 1. A state agency’s
  341  information security manager, for purposes of these information
  342  security duties, shall report directly to the agency head.
  343         (b) In consultation with the department, through the
  344  Florida Digital Service, and the Cybercrime Office of the
  345  Department of Law Enforcement, establish an agency cybersecurity
  346  computer security incident response team to respond to a
  347  cybersecurity an information technology security incident. The
  348  agency cybersecurity computer security incident response team
  349  shall convene upon notification of a cybersecurity an
  350  information technology security incident and must immediately
  351  report all confirmed or suspected incidents to the state chief
  352  information security officer, or his or her designee, and comply
  353  with all applicable guidelines and processes established
  354  pursuant to paragraph (3)(c).
  355         (c) Submit to the department annually by July 31, the state
  356  agency’s strategic and operational cybersecurity information
  357  technology security plans developed pursuant to rules and
  358  guidelines established by the department, through the Florida
  359  Digital Service.
  360         1. The state agency strategic cybersecurity information
  361  technology security plan must cover a 3-year period and, at a
  362  minimum, define security goals, intermediate objectives, and
  363  projected agency costs for the strategic issues of agency
  364  information security policy, risk management, security training,
  365  security incident response, and disaster recovery. The plan must
  366  be based on the statewide cybersecurity information technology
  367  security strategic plan created by the department and include
  368  performance metrics that can be objectively measured to reflect
  369  the status of the state agency’s progress in meeting security
  370  goals and objectives identified in the agency’s strategic
  371  information security plan.
  372         2. The state agency operational cybersecurity information
  373  technology security plan must include a progress report that
  374  objectively measures progress made towards the prior operational
  375  cybersecurity information technology security plan and a project
  376  plan that includes activities, timelines, and deliverables for
  377  security objectives that the state agency will implement during
  378  the current fiscal year.
  379         (d) Conduct, and update every 3 years, a comprehensive risk
  380  assessment, which may be completed by a private sector vendor,
  381  to determine the security threats to the data, information, and
  382  information technology resources, including mobile devices and
  383  print environments, of the agency. The risk assessment must
  384  comply with the risk assessment methodology developed by the
  385  department and is confidential and exempt from s. 119.07(1),
  386  except that such information shall be available to the Auditor
  387  General, the Florida Digital Service within the department, the
  388  Cybercrime Office of the Department of Law Enforcement, and, for
  389  state agencies under the jurisdiction of the Governor, the Chief
  390  Inspector General. If a private sector vendor is used to
  391  complete a comprehensive risk assessment, it must attest to the
  392  validity of the risk assessment findings.
  393         (e) Develop, and periodically update, written internal
  394  policies and procedures, which include procedures for reporting
  395  cybersecurity information technology security incidents and
  396  breaches to the Cybercrime Office of the Department of Law
  397  Enforcement and the Florida Digital Service within the
  398  department. Such policies and procedures must be consistent with
  399  the rules, guidelines, and processes established by the
  400  department to ensure the security of the data, information, and
  401  information technology resources of the agency. The internal
  402  policies and procedures that, if disclosed, could facilitate the
  403  unauthorized modification, disclosure, or destruction of data or
  404  information technology resources are confidential information
  405  and exempt from s. 119.07(1), except that such information shall
  406  be available to the Auditor General, the Cybercrime Office of
  407  the Department of Law Enforcement, the Florida Digital Service
  408  within the department, and, for state agencies under the
  409  jurisdiction of the Governor, the Chief Inspector General.
  410         (f) Implement managerial, operational, and technical
  411  safeguards and risk assessment remediation plans recommended by
  412  the department to address identified risks to the data,
  413  information, and information technology resources of the agency.
  414  The department, through the Florida Digital Service, shall track
  415  implementation by state agencies upon development of such
  416  remediation plans in coordination with agency inspectors
  417  general.
  418         (g) Ensure that periodic internal audits and evaluations of
  419  the agency’s cybersecurity information technology security
  420  program for the data, information, and information technology
  421  resources of the agency are conducted. The results of such
  422  audits and evaluations are confidential information and exempt
  423  from s. 119.07(1), except that such information shall be
  424  available to the Auditor General, the Cybercrime Office of the
  425  Department of Law Enforcement, the Florida Digital Service
  426  within the department, and, for agencies under the jurisdiction
  427  of the Governor, the Chief Inspector General.
  428         (h) Ensure that the information technology security and
  429  cybersecurity requirements in both the written specifications
  430  for the solicitation, contracts, and service-level agreement of
  431  information technology and information technology resources and
  432  services meet or exceed the applicable state and federal laws,
  433  regulations, and standards for information technology security
  434  and cybersecurity, including the National Institute of Standards
  435  and Technology Cybersecurity Framework. Service-level agreements
  436  must identify service provider and state agency responsibilities
  437  for privacy and security, protection of government data,
  438  personnel background screening, and security deliverables with
  439  associated frequencies.
  440         (i) Provide information technology security and
  441  cybersecurity awareness training to all state agency employees
  442  in the first 30 days after commencing employment concerning
  443  cybersecurity information technology security risks and the
  444  responsibility of employees to comply with policies, standards,
  445  guidelines, and operating procedures adopted by the state agency
  446  to reduce those risks. The training may be provided in
  447  collaboration with the Cybercrime Office of the Department of
  448  Law Enforcement, a private sector entity, or an institution of
  449  the state university system.
  450         (j) Develop a process for detecting, reporting, and
  451  responding to threats, breaches, or cybersecurity information
  452  technology security incidents which is consistent with the
  453  security rules, guidelines, and processes established by the
  454  department through the Florida Digital Service.
  455         1. All cybersecurity information technology security
  456  incidents and breaches must be reported to the Florida Digital
  457  Service within the department and the Cybercrime Office of the
  458  Department of Law Enforcement and must comply with the
  459  notification procedures and reporting timeframes established
  460  pursuant to paragraph (3)(c).
  461         2. For cybersecurity information technology security
  462  breaches, state agencies shall provide notice in accordance with
  463  s. 501.171.
  464         (5) Portions of records held by a state agency which
  465  contain network schematics, hardware and software
  466  configurations, or encryption, or which identify detection,
  467  investigation, or response practices for suspected or confirmed
  468  cybersecurity information technology security incidents,
  469  including suspected or confirmed breaches, are confidential and
  470  exempt from s. 119.07(1) and s. 24(a), Art. I of the State
  471  Constitution, if the disclosure of such records would facilitate
  472  unauthorized access to or the unauthorized modification,
  473  disclosure, or destruction of:
  474         (a) Data or information, whether physical or virtual; or
  475         (b) Information technology resources, which includes:
  476         1. Information relating to the security of the agency’s
  477  technologies, processes, and practices designed to protect
  478  networks, computers, data processing software, and data from
  479  attack, damage, or unauthorized access; or
  480         2. Security information, whether physical or virtual, which
  481  relates to the agency’s existing or proposed information
  482  technology systems.
  483         (6) The portions of risk assessments, evaluations, external
  484  audits, and other reports of a state agency’s cybersecurity
  485  information technology security program for the data,
  486  information, and information technology resources of the state
  487  agency which are held by a state agency are confidential and
  488  exempt from s. 119.07(1) and s. 24(a), Art. I of the State
  489  Constitution if the disclosure of such portions of records would
  490  facilitate unauthorized access to or the unauthorized
  491  modification, disclosure, or destruction of:
  492         (a) Data or information, whether physical or virtual; or
  493         (b) Information technology resources, which include:
  494         1. Information relating to the security of the agency’s
  495  technologies, processes, and practices designed to protect
  496  networks, computers, data processing software, and data from
  497  attack, damage, or unauthorized access; or
  498         2. Security information, whether physical or virtual, which
  499  relates to the agency’s existing or proposed information
  500  technology systems.
  501  
  502  For purposes of this subsection, “external audit” means an audit
  503  that is conducted by an entity other than the state agency that
  504  is the subject of the audit.
  505         (7) Those portions of a public meeting as specified in s.
  506  286.011 which would reveal records which are confidential and
  507  exempt under subsection (5) or subsection (6) are exempt from s.
  508  286.011 and s. 24(b), Art. I of the State Constitution. No
  509  exempt portion of an exempt meeting may be off the record. All
  510  exempt portions of such meeting shall be recorded and
  511  transcribed. Such recordings and transcripts are confidential
  512  and exempt from disclosure under s. 119.07(1) and s. 24(a), Art.
  513  I of the State Constitution unless a court of competent
  514  jurisdiction, after an in camera review, determines that the
  515  meeting was not restricted to the discussion of data and
  516  information made confidential and exempt by this section. In the
  517  event of such a judicial determination, only that portion of the
  518  recording and transcript which reveals nonexempt data and
  519  information may be disclosed to a third party.
  520         (8) The portions of records made confidential and exempt in
  521  subsections (5), (6), and (7) shall be available to the Auditor
  522  General, the Cybercrime Office of the Department of Law
  523  Enforcement, the Florida Digital Service within the department,
  524  and, for agencies under the jurisdiction of the Governor, the
  525  Chief Inspector General. Such portions of records may be made
  526  available to a local government, another state agency, or a
  527  federal agency for cybersecurity information technology security
  528  purposes or in furtherance of the state agency’s official
  529  duties.
  530         (9) The exemptions contained in subsections (5), (6), and
  531  (7) apply to records held by a state agency before, on, or after
  532  the effective date of this exemption.
  533         (10) Subsections (5), (6), and (7) are subject to the Open
  534  Government Sunset Review Act in accordance with s. 119.15 and
  535  shall stand repealed on October 2, 2025, unless reviewed and
  536  saved from repeal through reenactment by the Legislature.
  537         (11) The department shall adopt rules relating to
  538  cybersecurity information technology security and to administer
  539  this section.
  540         Section 7. Section 282.319, Florida Statutes, is created to
  541  read:
  542         282.319 Florida Cybersecurity Advisory Council.—
  543         (1) The Florida Cybersecurity Advisory Council, an advisory
  544  council as defined in s. 20.03(7), is created within the
  545  department. Except as otherwise provided in this section, the
  546  advisory council shall operate in a manner consistent with s.
  547  20.052.
  548         (2) The purpose of the council is to assist state agencies
  549  in protecting their information technology resources from cyber
  550  threats and incidents.
  551         (3) The council shall assist the Florida Digital Service in
  552  implementing best cybersecurity practices, taking into
  553  consideration the final recommendations of the Florida
  554  Cybersecurity Task Force created under chapter 2019-118, Laws of
  555  Florida.
  556         (4) The council shall be comprised of the following
  557  members:
  558         (a) The Lieutenant Governor or his or her designee.
  559         (b) The state chief information officer.
  560         (c) The state chief information security officer.
  561         (d) The director of the Division of Emergency Management or
  562  his or her designee.
  563         (e) A representative of the computer crime center of the
  564  Department of Law Enforcement, appointed by the executive
  565  director of the Department of Law Enforcement.
  566         (f) A representative of the Florida Fusion Center of the
  567  Department of Law Enforcement, appointed by the executive
  568  director of the Department of Law Enforcement.
  569         (g) The Chief Inspector General.
  570         (h) A representative from the Public Service Commission.
  571         (i) Up to two representatives from institutions of higher
  572  education located in this state, appointed by the Governor.
  573         (j) Three representatives from critical infrastructure
  574  sectors, one of which must be from a water treatment facility,
  575  appointed by the Governor.
  576         (k) Four representatives of the private sector with senior
  577  level experience in cybersecurity or software engineering from
  578  within the finance, energy, health care, and transportation
  579  sectors, appointed by the Governor.
  580         (l) Two representatives with expertise on emerging
  581  technology, with one appointed by the President of the Senate
  582  and one appointed by the Speaker of the House of
  583  Representatives.
  584         (5) Members shall serve for a term of 4 years; however, for
  585  the purpose of providing staggered terms, the initial
  586  appointments of members made by the Governor shall be for a term
  587  of 2 years. A vacancy shall be filled for the remainder of the
  588  unexpired term in the same manner as the initial appointment.
  589  All members of the council are eligible for reappointment.
  590         (6) The Secretary of Management Services, or his or her
  591  designee, shall serve as the ex officio, nonvoting executive
  592  director of the council.
  593         (7) Members of the council shall serve without compensation
  594  but are entitled to receive reimbursement for per diem and
  595  travel expenses pursuant to s. 112.061.
  596         (8) Members of the council shall maintain the confidential
  597  or exempt status of information received in the performance of
  598  their duties and responsibilities as members of the council. In
  599  accordance with s. 112.313, a current or former member of the
  600  council may not disclose or use information not available to the
  601  general public and gained by reason of their official position,
  602  except for information relating exclusively to governmental
  603  practices, for their personal gain or benefit or for the
  604  personal gain or benefit of any other person or business entity.
  605  Members shall sign an agreement acknowledging the provisions of
  606  this subsection.
  607         (9) The council shall meet at least quarterly to:
  608         (a) Review existing state agency cybersecurity policies.
  609         (b) Assess ongoing risks to state agency information
  610  technology.
  611         (c) Recommend a reporting and information sharing system to
  612  notify state agencies of new risks.
  613         (d) Recommend data breach simulation exercises.
  614         (e) Assist the Florida Digital Service in developing
  615  cybersecurity best practice recommendations for state agencies
  616  which include recommendations regarding:
  617         1. Continuous risk monitoring.
  618         2. Password management.
  619         3. Protecting data in legacy and new systems.
  620         (f) Examine inconsistencies between state and federal law
  621  regarding cybersecurity.
  622         (10) The council shall work with the National Institute of
  623  Standards and Technology and other federal agencies, private
  624  sector businesses, and private cybersecurity experts:
  625         (a) For critical infrastructure not covered by federal law,
  626  to identify which local infrastructure sectors are at the
  627  greatest risk of cyber attacks and need the most enhanced
  628  cybersecurity measures.
  629         (b) To use federal guidance to identify categories of
  630  critical infrastructure as critical cyber infrastructure if
  631  cyber damage or unauthorized cyber access to the infrastructure
  632  could reasonably result in catastrophic consequences.
  633         (11) Beginning June 30, 2022, and each June 30 thereafter,
  634  the council shall submit to the President of the Senate and the
  635  Speaker of the House of Representatives any legislative
  636  recommendations considered necessary by the council to address
  637  cybersecurity.
  638         Section 8. This act shall take effect July 1, 2021.