Florida Senate - 2021 CS for SB 1900
By the Committee on Governmental Oversight and Accountability;
and Senator Boyd
585-03626A-21 20211900c1
1 A bill to be entitled
2 An act relating to cybersecurity; amending s. 20.055,
3 F.S.; requiring certain audit plans of an inspector
4 general to include certain information; amending s.
5 282.0041, F.S.; revising and providing definitions;
6 amending ss. 282.0051, 282.201, and 282.206, F.S.;
7 revising provisions to replace references to
8 information technology security with cybersecurity;
9 amending s. 282.318, F.S.; revising provisions to
10 replace references to information technology security
11 and computer security with references to
12 cybersecurity; revising a short title; providing that
13 the Department of Management Services, acting through
14 the Florida Digital Service, is the lead entity for
15 the purpose of certain responsibilities; providing and
16 revising requirements for the department, acting
17 through the Florida Digital Service; providing that
18 the state chief information security officer is
19 responsible for state technology systems and shall be
20 notified of certain incidents and threats; revising
21 requirements for state agency heads; requiring the
22 department, through the Florida Digital Service, to
23 track the implementation by state agencies of certain
24 plans; creating s. 282.319, F.S.; creating the Florida
25 Cybersecurity Advisory Council within the Department
26 of Management Services; providing the purpose of the
27 council; requiring the council to provide certain
28 assistance to the Florida Digital Service; providing
29 for the membership of the council; providing for terms
30 of council members; providing that the Secretary of
31 Management Services, or his or her designee, shall
32 serve as the ex officio, nonvoting executive director
33 of the council; providing that members shall serve
34 without compensation but are entitled to reimbursement
35 for per diem and travel expenses; requiring the
36 council to meet at least quarterly for certain
37 purposes; requiring the council to work with certain
38 entities to identify certain local infrastructure
39 sectors and critical cyber infrastructure; requiring
40 the council to submit an annual report to the
41 Legislature; providing an effective date.
42
43 Be It Enacted by the Legislature of the State of Florida:
44
45 Section 1. Paragraph (i) of subsection (6) of section
46 20.055, Florida Statutes, is amended to read:
47 20.055 Agency inspectors general.—
48 (6) In carrying out the auditing duties and
49 responsibilities of this act, each inspector general shall
50 review and evaluate internal controls necessary to ensure the
51 fiscal accountability of the state agency. The inspector general
52 shall conduct financial, compliance, electronic data processing,
53 and performance audits of the agency and prepare audit reports
54 of his or her findings. The scope and assignment of the audits
55 shall be determined by the inspector general; however, the
56 agency head may at any time request the inspector general to
57 perform an audit of a special program, function, or
58 organizational unit. The performance of the audit shall be under
59 the direction of the inspector general, except that if the
60 inspector general does not possess the qualifications specified
61 in subsection (4), the director of auditing shall perform the
62 functions listed in this subsection.
63 (i) The inspector general shall develop long-term and
64 annual audit plans based on the findings of periodic risk
65 assessments. The plan, where appropriate, should include
66 postaudit samplings of payments and accounts. The plan shall
67 show the individual audits to be conducted during each year and
68 related resources to be devoted to the respective audits. The
69 plan shall include a specific cybersecurity audit plan. The
70 Chief Financial Officer, to assist in fulfilling the
71 responsibilities for examining, auditing, and settling accounts,
72 claims, and demands pursuant to s. 17.03(1), and examining,
73 auditing, adjusting, and settling accounts pursuant to s. 17.04,
74 may use audits performed by the inspectors general and internal
75 auditors. For state agencies under the jurisdiction of the
76 Governor, the audit plans shall be submitted to the Chief
77 Inspector General. The plan shall be submitted to the agency
78 head for approval. A copy of the approved plan shall be
79 submitted to the Auditor General.
80 Section 2. Present subsections (8) through (21) of section
81 282.0041, Florida Statutes, are redesignated as subsections (9)
82 through (22), respectively, a new subsection (8) is added to
83 that section, and present subsection (22) of that section is
84 amended, to read:
85 282.0041 Definitions.—As used in this chapter, the term:
86 (8) “Cybersecurity” means the protection afforded to an
87 automated information system in order to attain the applicable
88 objectives of preserving the confidentiality, integrity, and
89 availability of data, information, and information technology
90 resources.
91 (22) “Information technology security” means the protection
92 afforded to an automated information system in order to attain
93 the applicable objectives of preserving the integrity,
94 availability, and confidentiality of data, information, and
95 information technology resources.
96 Section 3. Paragraph (j) of subsection (1) of section
97 282.0051, Florida Statutes, is amended to read:
98 282.0051 Department of Management Services; Florida Digital
99 Service; powers, duties, and functions.—
100 (1) The Florida Digital Service has been created within the
101 department to propose innovative solutions that securely
102 modernize state government, including technology and information
103 services, to achieve value through digital transformation and
104 interoperability, and to fully support the cloud-first policy as
105 specified in s. 282.206. The department, through the Florida
106 Digital Service, shall have the following powers, duties, and
107 functions:
108 (j) Provide operational management and oversight of the
109 state data center established pursuant to s. 282.201, which
110 includes:
111 1. Implementing industry standards and best practices for
112 the state data center’s facilities, operations, maintenance,
113 planning, and management processes.
114 2. Developing and implementing cost-recovery mechanisms
115 that recover the full direct and indirect cost of services
116 through charges to applicable customer entities. Such cost
117 recovery mechanisms must comply with applicable state and
118 federal regulations concerning distribution and use of funds and
119 must ensure that, for any fiscal year, no service or customer
120 entity subsidizes another service or customer entity. The
121 Florida Digital Service may recommend other payment mechanisms
122 to the Executive Office of the Governor, the President of the
123 Senate, and the Speaker of the House of Representatives. Such
124 mechanism may be implemented only if specifically authorized by
125 the Legislature.
126 3. Developing and implementing appropriate operating
127 guidelines and procedures necessary for the state data center to
128 perform its duties pursuant to s. 282.201. The guidelines and
129 procedures must comply with applicable state and federal laws,
130 regulations, and policies and conform to generally accepted
131 governmental accounting and auditing standards. The guidelines
132 and procedures must include, but need not be limited to:
133 a. Implementing a consolidated administrative support
134 structure responsible for providing financial management,
135 procurement, transactions involving real or personal property,
136 human resources, and operational support.
137 b. Implementing an annual reconciliation process to ensure
138 that each customer entity is paying for the full direct and
139 indirect cost of each service as determined by the customer
140 entity’s use of each service.
141 c. Providing rebates that may be credited against future
142 billings to customer entities when revenues exceed costs.
143 d. Requiring customer entities to validate that sufficient
144 funds exist in the appropriate data processing appropriation
145 category or will be transferred into the appropriate data
146 processing appropriation category before implementation of a
147 customer entity’s request for a change in the type or level of
148 service provided, if such change results in a net increase to
149 the customer entity’s cost for that fiscal year.
150 e. By November 15 of each year, providing to the Office of
151 Policy and Budget in the Executive Office of the Governor and to
152 the chairs of the legislative appropriations committees the
153 projected costs of providing data center services for the
154 following fiscal year.
155 f. Providing a plan for consideration by the Legislative
156 Budget Commission if the cost of a service is increased for a
157 reason other than a customer entity’s request made pursuant to
158 sub-subparagraph d. Such a plan is required only if the service
159 cost increase results in a net increase to a customer entity for
160 that fiscal year.
161 g. Standardizing and consolidating procurement and
162 contracting practices.
163 4. In collaboration with the Department of Law Enforcement,
164 developing and implementing a process for detecting, reporting,
165 and responding to cybersecurity information technology security
166 incidents, breaches, and threats.
167 5. Adopting rules relating to the operation of the state
168 data center, including, but not limited to, budgeting and
169 accounting procedures, cost-recovery methodologies, and
170 operating procedures.
171 Section 4. Paragraph (g) of subsection (1) of section
172 282.201, Florida Statutes, is amended to read:
173 282.201 State data center.—The state data center is
174 established within the department. The provision of data center
175 services must comply with applicable state and federal laws,
176 regulations, and policies, including all applicable security,
177 privacy, and auditing requirements. The department shall appoint
178 a director of the state data center, preferably an individual
179 who has experience in leading data center facilities and has
180 expertise in cloud-computing management.
181 (1) STATE DATA CENTER DUTIES.—The state data center shall:
182 (g) In its procurement process, show preference for cloud
183 computing solutions that minimize or do not require the
184 purchasing, financing, or leasing of state data center
185 infrastructure, and that meet the needs of customer agencies,
186 that reduce costs, and that meet or exceed the applicable state
187 and federal laws, regulations, and standards for cybersecurity
188 information technology security.
189 Section 5. Subsection (2) of section 282.206, Florida
190 Statutes, is amended to read:
191 282.206 Cloud-first policy in state agencies.—
192 (2) In its procurement process, each state agency shall
193 show a preference for cloud-computing solutions that either
194 minimize or do not require the use of state data center
195 infrastructure when cloud-computing solutions meet the needs of
196 the agency, reduce costs, and meet or exceed the applicable
197 state and federal laws, regulations, and standards for
198 cybersecurity information technology security.
199 Section 6. Section 282.318, Florida Statutes, is amended to
200 read:
201 282.318 Cybersecurity Security of data and information
202 technology.—
203 (1) This section may be cited as the “State Cybersecurity
204 Act.” “Information Technology Security Act.”
205 (2) As used in this section, the term “state agency” has
206 the same meaning as provided in s. 282.0041, except that the
207 term includes the Department of Legal Affairs, the Department of
208 Agriculture and Consumer Services, and the Department of
209 Financial Services.
210 (3) The department, acting through the Florida Digital
211 Service, is the lead entity responsible for establishing
212 standards and processes for assessing state agency cybersecurity
213 risks and determining appropriate security measures. Such
214 standards and processes must be consistent with generally
215 accepted technology best practices, including the National
216 Institute for Standards and Technology Cybersecurity Framework,
217 for cybersecurity. The department, acting through the Florida
218 Digital Service, shall adopt information technology security, to
219 include cybersecurity, and adopting rules that mitigate risks;
220 safeguard state agency digital assets, an agency’s data,
221 information, and information technology resources to ensure
222 availability, confidentiality, and integrity; and support a
223 security governance framework and to mitigate risks. The
224 department, acting through the Florida Digital Service, shall
225 also:
226 (a) Designate an employee of the Florida Digital Service as
227 the state chief information security officer. The state chief
228 information security officer must have experience and expertise
229 in security and risk management for communications and
230 information technology resources. The state chief information
231 security officer is responsible for the development, operation,
232 and oversight of cybersecurity for state technology systems. The
233 state chief information security officer shall be notified of
234 all confirmed or suspected incidents or threats of state agency
235 information technology resources and must report such incidents
236 or threats to the state chief information officer and the
237 Governor.
238 (b) Develop, and annually update by February 1, a statewide
239 cybersecurity information technology security strategic plan
240 that includes security goals and objectives for cybersecurity,
241 including the identification and mitigation of risk, proactive
242 protections against threats, tactical risk detection, threat
243 reporting, and response and recovery protocols for a cyber
244 incident the strategic issues of information technology security
245 policy, risk management, training, incident management, and
246 disaster recovery planning.
247 (c) Develop and publish for use by state agencies a
248 cybersecurity governance an information technology security
249 framework that, at a minimum, includes guidelines and processes
250 for:
251 1. Establishing asset management procedures to ensure that
252 an agency’s information technology resources are identified and
253 managed consistent with their relative importance to the
254 agency’s business objectives.
255 2. Using a standard risk assessment methodology that
256 includes the identification of an agency’s priorities,
257 constraints, risk tolerances, and assumptions necessary to
258 support operational risk decisions.
259 3. Completing comprehensive risk assessments and
260 cybersecurity information technology security audits, which may
261 be completed by a private sector vendor, and submitting
262 completed assessments and audits to the department.
263 4. Identifying protection procedures to manage the
264 protection of an agency’s information, data, and information
265 technology resources.
266 5. Establishing procedures for accessing information and
267 data to ensure the confidentiality, integrity, and availability
268 of such information and data.
269 6. Detecting threats through proactive monitoring of
270 events, continuous security monitoring, and defined detection
271 processes.
272 7. Establishing agency cybersecurity computer security
273 incident response teams and describing their responsibilities
274 for responding to cybersecurity information technology security
275 incidents, including breaches of personal information containing
276 confidential or exempt data.
277 8. Recovering information and data in response to a
278 cybersecurity an information technology security incident. The
279 recovery may include recommended improvements to the agency
280 processes, policies, or guidelines.
281 9. Establishing a cybersecurity an information technology
282 security incident reporting process that includes procedures and
283 tiered reporting timeframes for notifying the department and the
284 Department of Law Enforcement of cybersecurity information
285 technology security incidents. The tiered reporting timeframes
286 shall be based upon the level of severity of the cybersecurity
287 information technology security incidents being reported.
288 10. Incorporating information obtained through detection
289 and response activities into the agency’s cybersecurity
290 information technology security incident response plans.
291 11. Developing agency strategic and operational
292 cybersecurity information technology security plans required
293 pursuant to this section.
294 12. Establishing the managerial, operational, and technical
295 safeguards for protecting state government data and information
296 technology resources that align with the state agency risk
297 management strategy and that protect the confidentiality,
298 integrity, and availability of information and data.
299 13. Establishing procedures for procuring information
300 technology commodities and services that require the commodity
301 or service to meet the National Institute of Standards and
302 Technology Cybersecurity Framework.
303 (d) Assist state agencies in complying with this section.
304 (e) In collaboration with the Cybercrime Office of the
305 Department of Law Enforcement, annually provide training for
306 state agency information security managers and computer security
307 incident response team members that contains training on
308 cybersecurity information technology security, including
309 cybersecurity, threats, trends, and best practices.
310 (f) Annually review the strategic and operational
311 cybersecurity information technology security plans of state
312 executive branch agencies.
313 (g) Provide cybersecurity training to all state agency
314 technology professionals which develops, assesses, and documents
315 competencies by role and skill level. The training may be
316 provided in collaboration with the Cybercrime Office of the
317 Department of Law Enforcement, a private sector entity, or an
318 institution of the state university system.
319 (h) Operate and maintain a Cybersecurity Operations Center
320 led by the state chief information security officer, which must
321 be primarily virtual and staffed with tactical detection and
322 incident response personnel. The Cybersecurity Operations Center
323 shall serve as a clearinghouse for threat information and
324 coordinate with the Department of Law Enforcement to support
325 state agencies and their response to any confirmed or suspected
326 cybersecurity incident.
327 (i) Lead an Emergency Support Function, ESF CYBER, under
328 the state comprehensive emergency management plan as described
329 in s. 252.35.
330 (4) Each state agency head shall, at a minimum:
331 (a) Designate an information security manager to administer
332 the cybersecurity information technology security program of the
333 state agency. This designation must be provided annually in
334 writing to the department by January 1. A state agency’s
335 information security manager, for purposes of these information
336 security duties, shall report directly to the agency head.
337 (b) In consultation with the department, through the
338 Florida Digital Service, and the Cybercrime Office of the
339 Department of Law Enforcement, establish an agency cybersecurity
340 computer security incident response team to respond to a
341 cybersecurity an information technology security incident. The
342 agency cybersecurity computer security incident response team
343 shall convene upon notification of a cybersecurity an
344 information technology security incident and must immediately
345 report all confirmed or suspected incidents to the state chief
346 information security officer, or his or her designee, and comply
347 with all applicable guidelines and processes established
348 pursuant to paragraph (3)(c).
349 (c) Submit to the department annually by July 31, the state
350 agency’s strategic and operational cybersecurity information
351 technology security plans developed pursuant to rules and
352 guidelines established by the department, through the Florida
353 Digital Service.
354 1. The state agency strategic cybersecurity information
355 technology security plan must cover a 3-year period and, at a
356 minimum, define security goals, intermediate objectives, and
357 projected agency costs for the strategic issues of agency
358 information security policy, risk management, security training,
359 security incident response, and disaster recovery. The plan must
360 be based on the statewide cybersecurity information technology
361 security strategic plan created by the department and include
362 performance metrics that can be objectively measured to reflect
363 the status of the state agency’s progress in meeting security
364 goals and objectives identified in the agency’s strategic
365 information security plan.
366 2. The state agency operational cybersecurity information
367 technology security plan must include a progress report that
368 objectively measures progress made towards the prior operational
369 cybersecurity information technology security plan and a project
370 plan that includes activities, timelines, and deliverables for
371 security objectives that the state agency will implement during
372 the current fiscal year.
373 (d) Conduct, and update every 3 years, a comprehensive risk
374 assessment, which may be completed by a private sector vendor,
375 to determine the security threats to the data, information, and
376 information technology resources, including mobile devices and
377 print environments, of the agency. The risk assessment must
378 comply with the risk assessment methodology developed by the
379 department and is confidential and exempt from s. 119.07(1),
380 except that such information shall be available to the Auditor
381 General, the Florida Digital Service within the department, the
382 Cybercrime Office of the Department of Law Enforcement, and, for
383 state agencies under the jurisdiction of the Governor, the Chief
384 Inspector General. If a private sector vendor is used to
385 complete a comprehensive risk assessment, it must attest to the
386 validity of the risk assessment findings.
387 (e) Develop, and periodically update, written internal
388 policies and procedures, which include procedures for reporting
389 cybersecurity information technology security incidents and
390 breaches to the Cybercrime Office of the Department of Law
391 Enforcement and the Florida Digital Service within the
392 department. Such policies and procedures must be consistent with
393 the rules, guidelines, and processes established by the
394 department to ensure the security of the data, information, and
395 information technology resources of the agency. The internal
396 policies and procedures that, if disclosed, could facilitate the
397 unauthorized modification, disclosure, or destruction of data or
398 information technology resources are confidential information
399 and exempt from s. 119.07(1), except that such information shall
400 be available to the Auditor General, the Cybercrime Office of
401 the Department of Law Enforcement, the Florida Digital Service
402 within the department, and, for state agencies under the
403 jurisdiction of the Governor, the Chief Inspector General.
404 (f) Implement managerial, operational, and technical
405 safeguards and risk assessment remediation plans recommended by
406 the department to address identified risks to the data,
407 information, and information technology resources of the agency.
408 The department, through the Florida Digital Service, shall track
409 implementation by state agencies upon development of such
410 remediation plans in coordination with agency inspectors
411 general.
412 (g) Ensure that periodic internal audits and evaluations of
413 the agency’s cybersecurity information technology security
414 program for the data, information, and information technology
415 resources of the agency are conducted. The results of such
416 audits and evaluations are confidential information and exempt
417 from s. 119.07(1), except that such information shall be
418 available to the Auditor General, the Cybercrime Office of the
419 Department of Law Enforcement, the Florida Digital Service
420 within the department, and, for agencies under the jurisdiction
421 of the Governor, the Chief Inspector General.
422 (h) Ensure that the information technology security and
423 cybersecurity requirements in both the written specifications
424 for the solicitation, contracts, and service-level agreement of
425 information technology and information technology resources and
426 services meet or exceed the applicable state and federal laws,
427 regulations, and standards for information technology security
428 and cybersecurity, including the National Institute of Standards
429 and Technology Cybersecurity Framework. Service-level agreements
430 must identify service provider and state agency responsibilities
431 for privacy and security, protection of government data,
432 personnel background screening, and security deliverables with
433 associated frequencies.
434 (i) Provide information technology security and
435 cybersecurity awareness training to all state agency employees
436 in the first 30 days after commencing employment concerning
437 cybersecurity information technology security risks and the
438 responsibility of employees to comply with policies, standards,
439 guidelines, and operating procedures adopted by the state agency
440 to reduce those risks. The training may be provided in
441 collaboration with the Cybercrime Office of the Department of
442 Law Enforcement, a private sector entity, or an institution of
443 the state university system.
444 (j) Develop a process for detecting, reporting, and
445 responding to threats, breaches, or cybersecurity information
446 technology security incidents which is consistent with the
447 security rules, guidelines, and processes established by the
448 department through the Florida Digital Service.
449 1. All cybersecurity information technology security
450 incidents and breaches must be reported to the Florida Digital
451 Service within the department and the Cybercrime Office of the
452 Department of Law Enforcement and must comply with the
453 notification procedures and reporting timeframes established
454 pursuant to paragraph (3)(c).
455 2. For cybersecurity information technology security
456 breaches, state agencies shall provide notice in accordance with
457 s. 501.171.
458 (5) Portions of records held by a state agency which
459 contain network schematics, hardware and software
460 configurations, or encryption, or which identify detection,
461 investigation, or response practices for suspected or confirmed
462 cybersecurity information technology security incidents,
463 including suspected or confirmed breaches, are confidential and
464 exempt from s. 119.07(1) and s. 24(a), Art. I of the State
465 Constitution, if the disclosure of such records would facilitate
466 unauthorized access to or the unauthorized modification,
467 disclosure, or destruction of:
468 (a) Data or information, whether physical or virtual; or
469 (b) Information technology resources, which includes:
470 1. Information relating to the security of the agency’s
471 technologies, processes, and practices designed to protect
472 networks, computers, data processing software, and data from
473 attack, damage, or unauthorized access; or
474 2. Security information, whether physical or virtual, which
475 relates to the agency’s existing or proposed information
476 technology systems.
477 (6) The portions of risk assessments, evaluations, external
478 audits, and other reports of a state agency’s cybersecurity
479 information technology security program for the data,
480 information, and information technology resources of the state
481 agency which are held by a state agency are confidential and
482 exempt from s. 119.07(1) and s. 24(a), Art. I of the State
483 Constitution if the disclosure of such portions of records would
484 facilitate unauthorized access to or the unauthorized
485 modification, disclosure, or destruction of:
486 (a) Data or information, whether physical or virtual; or
487 (b) Information technology resources, which include:
488 1. Information relating to the security of the agency’s
489 technologies, processes, and practices designed to protect
490 networks, computers, data processing software, and data from
491 attack, damage, or unauthorized access; or
492 2. Security information, whether physical or virtual, which
493 relates to the agency’s existing or proposed information
494 technology systems.
495
496 For purposes of this subsection, “external audit” means an audit
497 that is conducted by an entity other than the state agency that
498 is the subject of the audit.
499 (7) Those portions of a public meeting as specified in s.
500 286.011 which would reveal records which are confidential and
501 exempt under subsection (5) or subsection (6) are exempt from s.
502 286.011 and s. 24(b), Art. I of the State Constitution. No
503 exempt portion of an exempt meeting may be off the record. All
504 exempt portions of such meeting shall be recorded and
505 transcribed. Such recordings and transcripts are confidential
506 and exempt from disclosure under s. 119.07(1) and s. 24(a), Art.
507 I of the State Constitution unless a court of competent
508 jurisdiction, after an in camera review, determines that the
509 meeting was not restricted to the discussion of data and
510 information made confidential and exempt by this section. In the
511 event of such a judicial determination, only that portion of the
512 recording and transcript which reveals nonexempt data and
513 information may be disclosed to a third party.
514 (8) The portions of records made confidential and exempt in
515 subsections (5), (6), and (7) shall be available to the Auditor
516 General, the Cybercrime Office of the Department of Law
517 Enforcement, the Florida Digital Service within the department,
518 and, for agencies under the jurisdiction of the Governor, the
519 Chief Inspector General. Such portions of records may be made
520 available to a local government, another state agency, or a
521 federal agency for cybersecurity information technology security
522 purposes or in furtherance of the state agency’s official
523 duties.
524 (9) The exemptions contained in subsections (5), (6), and
525 (7) apply to records held by a state agency before, on, or after
526 the effective date of this exemption.
527 (10) Subsections (5), (6), and (7) are subject to the Open
528 Government Sunset Review Act in accordance with s. 119.15 and
529 shall stand repealed on October 2, 2025, unless reviewed and
530 saved from repeal through reenactment by the Legislature.
531 (11) The department shall adopt rules relating to
532 cybersecurity information technology security and to administer
533 this section.
534 Section 7. Section 282.319, Florida Statutes, is created to
535 read:
536 282.319 Florida Cybersecurity Advisory Council.—
537 (1) The Florida Cybersecurity Advisory Council, an advisory
538 council as defined in s. 20.03(7), is created within the
539 department. Except as otherwise provided in this section, the
540 advisory council shall operate in a manner consistent with s.
541 20.052.
542 (2) The purpose of the council is to assist state agencies
543 in protecting their information technology resources from cyber
544 threats and incidents.
545 (3) The council shall assist the Florida Digital Service in
546 implementing best cybersecurity practices, taking into
547 consideration the final recommendations of the Florida
548 Cybersecurity Task Force created under chapter 2019-118, Laws of
549 Florida.
550 (4) The council shall be comprised of the following
551 members:
552 (a) The Lieutenant Governor or his or her designee.
553 (b) The state chief information officer.
554 (c) The state chief information security officer.
555 (d) The director of the Division of Emergency Management or
556 his or her designee.
557 (e) A representative of the computer crime center of the
558 Department of Law Enforcement, appointed by the executive
559 director of the department.
560 (f) A representative of the Florida Fusion Center of the
561 Department of Law Enforcement, appointed by the executive
562 director of the department.
563 (g) The Chief Inspector General.
564 (h) A representative from the Public Service Commission.
565 (i) Up to two representatives from institutions of higher
566 education located in this state, appointed by the Governor.
567 (j) Three representatives from critical infrastructure
568 sectors, one of which must be from a water treatment facility,
569 appointed by the Governor.
570 (k) Four representatives of the private sector with senior
571 level experience in cybersecurity or software engineering from
572 within the finance, energy, health care, and transportation
573 sectors, appointed by the Governor.
574 (l) Two representatives with expertise on emerging
575 technology, with one appointed by the President of the Senate
576 and one appointed by the Speaker of the House of
577 Representatives.
578 (5) Members shall serve for a term of 4 years; however, for
579 the purpose of providing staggered terms, the initial
580 appointments of members made by the Governor shall be for a term
581 of 2 years. A vacancy shall be filled for the remainder of the
582 unexpired term in the same manner as the initial appointment.
583 All members of the council are eligible for reappointment.
584 (6) The Secretary of Management Services, or his or her
585 designee, shall serve as the ex officio, nonvoting executive
586 director of the council.
587 (7) Members of the council shall serve without compensation
588 but are entitled to receive reimbursement for per diem and
589 travel expenses pursuant to s. 112.061.
590 (8) The council shall meet at least quarterly to:
591 (a) Review existing state agency cybersecurity policies.
592 (b) Assess ongoing risks to state agency information
593 technology.
594 (c) Recommend a reporting and information sharing system to
595 notify state agencies of new risks.
596 (d) Recommend data breach simulation exercises.
597 (e) Assist the Florida Digital Service in developing
598 cybersecurity best practice recommendations for state agencies
599 which include recommendations regarding:
600 1. Continuous risk monitoring.
601 2. Password management.
602 3. Protecting data in legacy and new systems.
603 (f) Examine inconsistencies between state and federal law
604 regarding cybersecurity.
605 (9) The council shall work with the National Institute of
606 Standards and Technology and other federal agencies, private
607 sector businesses, and private cybersecurity experts:
608 (a) For critical infrastructure not covered by federal law,
609 to identify which local infrastructure sectors are at the
610 greatest risk of cyber attacks and need the most enhanced
611 cybersecurity measures.
612 (b) To use federal guidance to identify categories of
613 critical infrastructure as critical cyber infrastructure if
614 cyber damage or unauthorized cyber access to the infrastructure
615 could reasonably result in catastrophic consequences.
616 (10) Beginning June 30, 2022, and each June 30 thereafter,
617 the council shall submit to the President of the Senate and the
618 Speaker of the House of Representatives any legislative
619 recommendations considered necessary by the council to address
620 cybersecurity.
621 Section 8. This act shall take effect July 1, 2021.