Florida Senate - 2022                        COMMITTEE AMENDMENT
       Bill No. CS for SB 1670
       
       
       
       
       
       
                                Ì2725184Î272518                         
       
                              LEGISLATIVE ACTION                        
                    Senate             .             House              
                  Comm: RCS            .                                
                  03/02/2022           .                                
                                       .                                
                                       .                                
                                       .                                
       —————————————————————————————————————————————————————————————————




       —————————————————————————————————————————————————————————————————
       The Committee on Appropriations (Hutson) recommended the
       following:
       
    1         Senate Amendment (with title amendment)
    2  
    3         Delete everything after the enacting clause
    4  and insert:
    5         Section 1. Present subsections (28) through (37) of section
    6  282.0041, Florida Statutes, are redesignated as subsections (29)
    7  through (38), respectively, a new subsection (28) is added to
    8  that section, and subsection (19) of that section is amended, to
    9  read:
   10         282.0041 Definitions.—As used in this chapter, the term:
   11         (19) “Incident” means a violation or imminent threat of
   12  violation, whether such violation is accidental or deliberate,
   13  of information technology resources, security, policies, or
   14  practices. An imminent threat of violation refers to a situation
   15  in which a the state agency, county, or municipality has a
   16  factual basis for believing that a specific incident is about to
   17  occur.
   18         (28)“Ransomware incident” means a malicious cybersecurity
   19  incident in which a person or entity introduces software that
   20  gains unauthorized access to or encrypts, modifies, or otherwise
   21  renders unavailable a state agency’s, county’s, or
   22  municipality’s data and thereafter the person or entity demands
   23  a ransom to prevent the publication of the data, restore access
   24  to the data, or otherwise remediate the impact of the software.
   25         Section 2. Paragraphs (c) and (g) of subsection (3) and
   26  paragraphs (i) and (j) of subsection (4) of section 282.318,
   27  Florida Statutes, are amended, and paragraph (k) is added to
   28  subsection (4) of that section, to read:
   29         282.318 Cybersecurity.—
   30         (3) The department, acting through the Florida Digital
   31  Service, is the lead entity responsible for establishing
   32  standards and processes for assessing state agency cybersecurity
   33  risks and determining appropriate security measures. Such
   34  standards and processes must be consistent with generally
   35  accepted technology best practices, including the National
   36  Institute for Standards and Technology Cybersecurity Framework,
   37  for cybersecurity. The department, acting through the Florida
   38  Digital Service, shall adopt rules that mitigate risks;
   39  safeguard state agency digital assets, data, information, and
   40  information technology resources to ensure availability,
   41  confidentiality, and integrity; and support a security
   42  governance framework. The department, acting through the Florida
   43  Digital Service, shall also:
   44         (c) Develop and publish for use by state agencies a
   45  cybersecurity governance framework that, at a minimum, includes
   46  guidelines and processes for:
   47         1. Establishing asset management procedures to ensure that
   48  an agency’s information technology resources are identified and
   49  managed consistent with their relative importance to the
   50  agency’s business objectives.
   51         2. Using a standard risk assessment methodology that
   52  includes the identification of an agency’s priorities,
   53  constraints, risk tolerances, and assumptions necessary to
   54  support operational risk decisions.
   55         3. Completing comprehensive risk assessments and
   56  cybersecurity audits, which may be completed by a private sector
   57  vendor, and submitting completed assessments and audits to the
   58  department.
   59         4. Identifying protection procedures to manage the
   60  protection of an agency’s information, data, and information
   61  technology resources.
   62         5. Establishing procedures for accessing information and
   63  data to ensure the confidentiality, integrity, and availability
   64  of such information and data.
   65         6. Detecting threats through proactive monitoring of
   66  events, continuous security monitoring, and defined detection
   67  processes.
   68         7. Establishing agency cybersecurity incident response
   69  teams and describing their responsibilities for responding to
   70  cybersecurity incidents, including breaches of personal
   71  information containing confidential or exempt data.
   72         8. Recovering information and data in response to a
   73  cybersecurity incident. The recovery may include recommended
   74  improvements to the agency processes, policies, or guidelines.
   75         9. Establishing a cybersecurity incident reporting process
   76  that includes procedures and tiered reporting timeframes for
   77  notifying the department and the Department of Law Enforcement
   78  of cybersecurity incidents. The tiered reporting timeframes
   79  shall be based upon the level of severity of the cybersecurity
   80  incidents being reported.
   81         a.The level of severity of the cybersecurity incident is
   82  defined by the National Cyber Incident Response Plan of the
   83  United States Department of Homeland Security as follows:
   84         (I)Level 5 is an emergency-level incident within the
   85  specified jurisdiction that poses an imminent threat to the
   86  provision of wide-scale critical infrastructure services;
   87  national, state, or local government security; or the lives of
   88  the country’s, state’s, or local government’s residents.
   89         (II)Level 4 is a severe-level incident that is likely to
   90  result in a significant impact in the affected jurisdiction to
   91  public health or safety; national, state, or local security;
   92  economic security; or civil liberties.
   93         (III)Level 3 is a high-level incident that is likely to
   94  result in a demonstrable impact in the affected jurisdiction to
   95  public health or safety; national, state, or local security;
   96  economic security; civil liberties; or public confidence.
   97         (IV)Level 2 is a medium-level incident that may impact
   98  public health or safety; national, state, or local security;
   99  economic security; civil liberties; or public confidence.
  100         (V)Level 1 is a low-level incident that is unlikely to
  101  impact public health or safety; national, state, or local
  102  security; economic security; civil liberties; or public
  103  confidence.
  104         b.The cybersecurity incident reporting process must
  105  specify the information that must be reported by a state agency
  106  following a cybersecurity incident or ransomware incident,
  107  which, at a minimum, must include the following:
  108         (I)A summary of the facts surrounding the cybersecurity
  109  incident or ransomware incident.
  110         (II)The date on which the state agency most recently
  111  backed up its data, the physical location of the backup, if the
  112  backup was affected, and if the backup was created using cloud
  113  computing.
  114         (III)The types of data compromised by the cybersecurity
  115  incident or ransomware incident.
  116         (IV)The estimated fiscal impact of the cybersecurity
  117  incident or ransomware incident.
  118         (V)In the case of a ransomware incident, the details of
  119  the ransom demanded.
  120         c.(I)A state agency shall report all ransomware incidents
  121  and any cybersecurity incident determined by the state agency to
  122  be of severity level 3, 4, or 5 to the Cybersecurity Operations
  123  Center and the Cybercrime Office of the Department of Law
  124  Enforcement as soon as possible but no later than 48 hours after
  125  discovery of the cybersecurity incident and no later than 12
  126  hours after discovery of the ransomware incident. The report
  127  must contain the information required in sub-subparagraph b.
  128         (II)The Cybersecurity Operations Center shall notify the
  129  President of the Senate and the Speaker of the House of
  130  Representatives of any severity level 3, 4, or 5 incident as
  131  soon as possible but no later than 12 hours after receiving a
  132  state agency’s incident report. The notification must include a
  133  high-level description of the incident and the likely effects.
  134         d.A state agency shall report a cybersecurity incident
  135  determined by the state agency to be of severity level 1 or 2 to
  136  the Cybersecurity Operations Center and the Cybercrime Office of
  137  the Department of Law Enforcement as soon as possible. The
  138  report must contain the information required in sub-subparagraph
  139  b.
  140         e.The Cybersecurity Operations Center shall provide a
  141  consolidated incident report on a quarterly basis to the
  142  President of the Senate, the Speaker of the House of
  143  Representatives, and the Florida Cybersecurity Advisory Council.
  144  The report provided to the Florida Cybersecurity Advisory
  145  Council may not contain the name of any agency, network
  146  information, or system identifying information but must contain
  147  sufficient relevant information to allow the Florida
  148  Cybersecurity Advisory Council to fulfill its responsibilities
  149  as required in s. 282.319(9).
  150         10. Incorporating information obtained through detection
  151  and response activities into the agency’s cybersecurity incident
  152  response plans.
  153         11. Developing agency strategic and operational
  154  cybersecurity plans required pursuant to this section.
  155         12. Establishing the managerial, operational, and technical
  156  safeguards for protecting state government data and information
  157  technology resources that align with the state agency risk
  158  management strategy and that protect the confidentiality,
  159  integrity, and availability of information and data.
  160         13. Establishing procedures for procuring information
  161  technology commodities and services that require the commodity
  162  or service to meet the National Institute of Standards and
  163  Technology Cybersecurity Framework.
  164         14.Submitting after-action reports following a
  165  cybersecurity incident or ransomware incident. Such guidelines
  166  and processes for submitting after-action reports must be
  167  developed and published by December 1, 2022.
  168         (g) Annually provide cybersecurity training to all state
  169  agency technology professionals and employees with access to
  170  highly sensitive information which that develops, assesses, and
  171  documents competencies by role and skill level. The
  172  cybersecurity training curriculum must include training on the
  173  identification of each cybersecurity incident severity level
  174  referenced in sub-subparagraph (c)9.a. The training may be
  175  provided in collaboration with the Cybercrime Office of the
  176  Department of Law Enforcement, a private sector entity, or an
  177  institution of the State University System.
  178         (4) Each state agency head shall, at a minimum:
  179         (i) Provide cybersecurity awareness training to all state
  180  agency employees within in the first 30 days after commencing
  181  employment, and annually thereafter, concerning cybersecurity
  182  risks and the responsibility of employees to comply with
  183  policies, standards, guidelines, and operating procedures
  184  adopted by the state agency to reduce those risks. The training
  185  may be provided in collaboration with the Cybercrime Office of
  186  the Department of Law Enforcement, a private sector entity, or
  187  an institution of the State University System.
  188         (j) Develop a process for detecting, reporting, and
  189  responding to threats, breaches, or cybersecurity incidents
  190  which is consistent with the security rules, guidelines, and
  191  processes established by the department through the Florida
  192  Digital Service.
  193         1. All cybersecurity incidents and ransomware incidents
  194  breaches must be reported by state agencies. Such reports to the
  195  Florida Digital Service within the department and the Cybercrime
  196  Office of the Department of Law Enforcement and must comply with
  197  the notification procedures and reporting timeframes established
  198  pursuant to paragraph (3)(c).
  199         2. For cybersecurity breaches, state agencies shall provide
  200  notice in accordance with s. 501.171.
  201         (k)Submit to the Florida Digital Service, within 1 week
  202  after the remediation of a cybersecurity incident or ransomware
  203  incident, an after-action report that summarizes the incident,
  204  the incident’s resolution, and any insights gained as a result
  205  of the incident.
  206         Section 3. Section 282.3185, Florida Statutes, is created
  207  to read:
  208         282.3185Local government cybersecurity.—
  209         (1)SHORT TITLE.—This section may be cited as the “Local
  210  Government Cybersecurity Act.”
  211         (2)DEFINITION.—As used in this section, the term “local
  212  government” means any county or municipality.
  213         (3)CYBERSECURITY TRAINING.—
  214         (a)The Florida Digital Service shall:
  215         1.Develop a basic cybersecurity training curriculum for
  216  local government employees. All local government employees with
  217  access to the local government’s network must complete the basic
  218  cybersecurity training within 30 days after commencing
  219  employment and annually thereafter.
  220         2.Develop an advanced cybersecurity training curriculum
  221  for local governments which is consistent with the cybersecurity
  222  training required under s. 282.318(3)(g). All local government
  223  technology professionals and employees with access to highly
  224  sensitive information must complete the advanced cybersecurity
  225  training within 30 days after commencing employment and annually
  226  thereafter.
  227         (b)The Florida Digital Service may provide the
  228  cybersecurity training required by this subsection in
  229  collaboration with the Cybercrime Office of the Department of
  230  Law Enforcement, a private sector entity, or an institution of
  231  the State University System.
  232         (4)CYBERSECURITY STANDARDS.—
  233         (a)Each local government shall adopt cybersecurity
  234  standards that safeguard its data, information technology, and
  235  information technology resources to ensure availability,
  236  confidentiality, and integrity. The cybersecurity standards must
  237  be consistent with generally accepted best practices for
  238  cybersecurity, including the National Institute of Standards and
  239  Technology Cybersecurity Framework.
  240         (b)Each county with a population of 75,000 or more must
  241  adopt the cybersecurity standards required by this subsection by
  242  January 1, 2024. Each county with a population of less than
  243  75,000 must adopt the cybersecurity standards required by this
  244  subsection by January 1, 2025.
  245         (c)Each municipality with a population of 25,000 or more
  246  must adopt the cybersecurity standards required by this
  247  subsection by January 1, 2024. Each municipality with a
  248  population of less than 25,000 must adopt the cybersecurity
  249  standards required by this subsection by January 1, 2025.
  250         (d)Each local government shall notify the Florida Digital
  251  Service of its compliance with this subsection as soon as
  252  possible.
  253         (5)INCIDENT NOTIFICATION.—
  254         (a)A local government shall provide notification of a
  255  cybersecurity incident or ransomware incident to the
  256  Cybersecurity Operations Center, Cybercrime Office of the
  257  Department of Law Enforcement, and sheriff who has jurisdiction
  258  over the local government in accordance with paragraph (b). The
  259  notification must include, at a minimum, the following
  260  information:
  261         1.A summary of the facts surrounding the cybersecurity
  262  incident or ransomware incident.
  263         2.The date on which the local government most recently
  264  backed up its data, the physical location of the backup, if the
  265  backup was affected, and if the backup was created using cloud
  266  computing.
  267         3.The types of data compromised by the cybersecurity
  268  incident or ransomware incident.
  269         4.The estimated fiscal impact of the cybersecurity
  270  incident or ransomware incident.
  271         5.In the case of a ransomware incident, the details of the
  272  ransom demanded.
  273         6.A statement requesting or declining assistance from the
  274  Cybersecurity Operations Center, the Cybercrime Office of the
  275  Department of Law Enforcement, or the sheriff who has
  276  jurisdiction over the local government.
  277         (b)1.A local government shall report all ransomware
  278  incidents and any cybersecurity incident determined by the local
  279  government to be of severity level 3, 4, or 5 as provided in s.
  280  282.318(3)(c) to the Cybersecurity Operations Center, the
  281  Cybercrime Office of the Department of Law Enforcement, and the
  282  sheriff who has jurisdiction over the local government as soon
  283  as possible but no later than 48 hours after discovery of the
  284  cybersecurity incident and no later than 12 hours after
  285  discovery of the ransomware incident. The report must contain
  286  the information required in paragraph (a).
  287         2.The Cybersecurity Operations Center shall notify the
  288  President of the Senate and the Speaker of the House of
  289  Representatives of any severity level 3, 4, or 5 incident as
  290  soon as possible but no later than 12 hours after receiving a
  291  local government’s incident report. The notification must
  292  include a high-level description of the incident and the likely
  293  effects.
  294         (c)A local government may report a cybersecurity incident
  295  determined by the local government to be of severity level 1 or
  296  2 as provided in s. 282.318(3)(c) to the Cybersecurity
  297  Operations Center, the Cybercrime Office of the Department of
  298  Law Enforcement, and the sheriff who has jurisdiction over the
  299  local government. The report shall contain the information
  300  required in paragraph (a).
  301         (d)The Cybersecurity Operations Center shall provide a
  302  consolidated incident report on a quarterly basis to the
  303  President of the Senate, the Speaker of the House of
  304  Representatives, and the Florida Cybersecurity Advisory Council.
  305  The report provided to the Florida Cybersecurity Advisory
  306  Council may not contain the name of any local government,
  307  network information, or system identifying information but must
  308  contain sufficient relevant information to allow the Florida
  309  Cybersecurity Advisory Council to fulfill its responsibilities
  310  as required in s. 282.319(9).
  311         (6)AFTER-ACTION REPORT.—A local government must submit to
  312  the Florida Digital Service, within 1 week after the remediation
  313  of a cybersecurity incident or ransomware incident, an after
  314  action report that summarizes the incident, the incident’s
  315  resolution, and any insights gained as a result of the incident.
  316  By December 1, 2022, the Florida Digital Service shall establish
  317  guidelines and processes for submitting an after-action report.
  318         Section 4. Section 282.3186, Florida Statutes, is created
  319  to read:
  320         282.3186Ransomware incident compliance.—A state agency as
  321  defined in s. 282.318(2), a county, or a municipality
  322  experiencing a ransomware incident may not pay or otherwise
  323  comply with a ransom demand.
  324         Section 5. Subsection (2) of section 282.319, Florida
  325  Statutes, is amended, and paragraphs (g) and (h) are added to
  326  subsection (9) and subsections (12) and (13) are added to that
  327  section, to read:
  328         282.319 Florida Cybersecurity Advisory Council.—
  329         (2) The purpose of the council is to:
  330         (a) Assist state agencies in protecting their information
  331  technology resources from cybersecurity cyber threats and
  332  incidents.
  333         (b)Advise counties and municipalities on cybersecurity,
  334  including cybersecurity threats, trends, and best practices.
  335         (9) The council shall meet at least quarterly to:
  336         (g)Review information relating to cybersecurity incidents
  337  and ransomware incidents to determine commonalities and develop
  338  best practice recommendations for state agencies, counties, and
  339  municipalities.
  340         (h)Recommend any additional information that a county or
  341  municipality should report to the Florida Digital Service as
  342  part of its cybersecurity incident or ransomware incident
  343  notification pursuant to s. 282.3185.
  344         (12)Beginning December 1, 2022, and each December 1
  345  thereafter, the council shall submit to the Governor, the
  346  President of the Senate, and the Speaker of the House of
  347  Representatives a comprehensive report that includes data,
  348  trends, analysis, findings, and recommendations for state and
  349  local action regarding ransomware incidents. At a minimum, the
  350  report must include:
  351         (a)Descriptive statistics including the amount of ransom
  352  requested, duration of the ransomware incident, and overall
  353  monetary cost to taxpayers of the ransomware incident.
  354         (b)A detailed statistical analysis of the circumstances
  355  that led to the ransomware incident which does not include the
  356  name of the state agency, county, or municipality; network
  357  information; or system identifying information.
  358         (c)A detailed statistical analysis of the level of
  359  cybersecurity employee training and frequency of data backup for
  360  the state agency, county, or municipality that reported the
  361  ransomware incident.
  362         (d)Specific issues identified with current policies,
  363  procedures, rules, or statutes and recommendations to address
  364  such issues.
  365         (e)Any other recommendations to prevent ransomware
  366  incidents.
  367         (13)For purposes of this section, the term “state agency”
  368  has the same meaning as provided in s. 282.318(2).
  369         Section 6. Section 815.062, Florida Statutes, is created to
  370  read:
  371         815.062Offenses against governmental entities.—
  372         (1)As used in this section, the term “governmental entity”
  373  means any official, officer, commission, board, authority,
  374  council, committee, or department of the executive, judicial, or
  375  legislative branch of state government; any state university; or
  376  any county or municipality, special district, water management
  377  district, or other political subdivision of the state.
  378         (2)A person who willfully, knowingly, and without
  379  authorization introduces a computer contaminant that gains
  380  unauthorized access to, encrypts, modifies, or otherwise renders
  381  unavailable data, programs, or supporting documentation residing
  382  or existing within a computer, computer system, computer
  383  network, or electronic device owned or operated by a
  384  governmental entity and demands a ransom to prevent the
  385  publication of or restore access to the data, programs, or
  386  supporting documentation or to otherwise remediate the impact of
  387  the computer contaminant commits a felony of the first degree,
  388  punishable as provided in s. 775.082, s. 775.083, or s. 775.084.
  389         (3)An employee or contractor of a governmental entity with
  390  access to the governmental entity’s network who willfully and
  391  knowingly aids or abets another in the commission of a violation
  392  of subsection (2) commits a felony of the first degree,
  393  punishable as provided in s. 775.082, s. 775.083, or s. 775.084.
  394         (4)In addition to any other penalty imposed, a person
  395  convicted of a violation of this section must pay a fine equal
  396  to twice the amount of the ransom demand. Moneys recovered under
  397  this subsection shall be deposited into the General Revenue
  398  Fund.
  399         Section 7. The Legislature finds and declares that this act
  400  fulfills an important state interest.
  401         Section 8. This act shall take effect July 1, 2022.
  402  
  403  ================= T I T L E  A M E N D M E N T ================
  404  And the title is amended as follows:
  405         Delete everything before the enacting clause
  406  and insert:
  407                        A bill to be entitled                      
  408         An act relating to cybersecurity; amending s.
  409         282.0041, F.S.; revising a definition and defining the
  410         term “ransomware incident”; amending s. 282.318, F.S.;
  411         requiring the Department of Management Services,
  412         acting through the Florida Digital Service, to develop
  413         and publish guidelines and processes for reporting
  414         cybersecurity incidents; requiring state agencies to
  415         report ransomware incidents and certain cybersecurity
  416         incidents to certain entities within specified
  417         timeframes; requiring the Cybersecurity Operations
  418         Center to provide certain notifications to the
  419         Legislature within a specified timeframe; requiring
  420         the Cybersecurity Operations Center to quarterly
  421         provide certain reports to the Legislature and the
  422         Florida Cybersecurity Advisory Council; requiring the
  423         department, acting through the Florida Digital
  424         Service, to develop and publish guidelines and
  425         processes by a specified date for submitting after
  426         action reports and annually provide cybersecurity
  427         training to certain persons; requiring state agency
  428         heads to annually provide cybersecurity awareness
  429         training to certain persons; requiring state agencies
  430         to report cybersecurity incidents and ransomware
  431         incidents in compliance with certain procedures and
  432         timeframes; requiring state agency heads to submit
  433         certain after-action reports to the Florida Digital
  434         Service within a specified timeframe; creating s.
  435         282.3185, F.S.; providing a short title; defining the
  436         term “local government”; requiring the Florida Digital
  437         Service to develop certain cybersecurity training
  438         curricula; requiring certain persons to complete
  439         certain cybersecurity training within a specified
  440         timeframe and annually thereafter; authorizing the
  441         Florida Digital Service to provide a certain training
  442         in collaboration with certain entities; requiring
  443         certain local governments to adopt certain
  444         cybersecurity standards by specified dates; requiring
  445         local governments to provide a certain notification to
  446         the Florida Digital Service and certain entities;
  447         providing notification requirements; requiring local
  448         governments to report ransomware incidents and certain
  449         cybersecurity incidents to certain entities within
  450         specified timeframes; requiring the Cybersecurity
  451         Operations Center to provide a certain notification to
  452         the Legislature within a specified timeframe;
  453         authorizing local governments to report certain
  454         cybersecurity incidents to certain entities; requiring
  455         the Cybersecurity Operations Center to quarterly
  456         provide certain reports to the Legislature and the
  457         Florida Cybersecurity Advisory Council; requiring
  458         local governments to submit after-action reports
  459         containing certain information to the Florida Digital
  460         Service within a specified timeframe; requiring the
  461         Florida Digital Service to establish certain
  462         guidelines and processes by a specified date; creating
  463         s. 282.3186, F.S.; prohibiting certain entities from
  464         paying or otherwise complying with a ransom demand;
  465         amending s. 282.319, F.S.; revising the purpose of the
  466         Florida Cybersecurity Advisory Council to include
  467         advising counties and municipalities on cybersecurity;
  468         requiring the council to meet at least quarterly to
  469         review certain information and develop and make
  470         certain recommendations; requiring the council to
  471         annually submit to the Governor and the Legislature a
  472         certain ransomware incident report beginning on a
  473         specified date; providing requirements for the report;
  474         defining the term “state agency”; creating s. 815.062,
  475         F.S.; defining the term “governmental entity”;
  476         prohibiting certain persons from introducing computer
  477         contaminants in order to procure a ransom; prohibiting
  478         certain employees or contractors from aiding or
  479         abetting another to introduce computer contaminants in
  480         order to procure a ransom; providing criminal
  481         penalties; requiring a person convicted of certain
  482         offenses to pay a certain fine; requiring deposit of
  483         certain moneys in the General Revenue Fund; providing
  484         a legislative finding and declaration of an important
  485         state interest; providing an effective date.