Florida Senate - 2024 COMMITTEE AMENDMENT
Bill No. SB 1662
Ì209390+Î209390
LEGISLATIVE ACTION
Senate . House
Comm: RCS .
01/29/2024 .
.
.
.
—————————————————————————————————————————————————————————————————
—————————————————————————————————————————————————————————————————
The Committee on Governmental Oversight and Accountability
(Collins) recommended the following:
1 Senate Amendment (with title amendment)
2
3 Delete everything after the enacting clause
4 and insert:
5 Section 1. Present subsections (3), (4), and (5), (6)
6 through (16), and (17) through (38) of section 282.0041, Florida
7 Statutes, are redesignated as subsections (4), (5), and (6), (8)
8 through (18), and (20) through (41), respectively, and new
9 subsections (3), (7), and (19) are added to that section, to
10 read:
11 282.0041 Definitions.—As used in this chapter, the term:
12 (3) “As a service” means the contracting with or
13 outsourcing to a third party of a defined role or function as a
14 means of delivery.
15 (7) “Cloud provider” means an entity that provides cloud
16 computing services.
17 (19) “Enterprise digital data” means information held by a
18 state agency in electronic form that is deemed to be data owned
19 by the state and held for state purposes by the state agency.
20 Enterprise digital data that is subject to statutory
21 requirements for particular types of sensitive data or to
22 contractual limitations for data marked as trade secrets or
23 sensitive corporate data held by state agencies shall be treated
24 in accordance with such requirements or limitations. The
25 department must maintain personnel with appropriate licenses,
26 certifications, or classifications to steward such enterprise
27 digital data, as necessary. Enterprise digital data must be
28 maintained in accordance with chapter 119. This subsection may
29 not be construed to create or expand an exemption from public
30 records requirements under s. 119.07(1) or s. 24(a), Art. I of
31 the State Constitution.
32 Section 2. Subsections (1), (4), and (5) of section
33 282.0051, Florida Statutes, are amended, and paragraph (c) is
34 added to subsection (2) of that section, to read:
35 282.0051 Department of Management Services; Florida Digital
36 Service; powers, duties, and functions.—
37 (1) The Florida Digital Service is established has been
38 created within the department to lead enterprise cybersecurity
39 efforts, to safeguard enterprise digital data, to propose, test,
40 develop, and deploy innovative solutions that securely modernize
41 state government, including technology and information services,
42 to achieve value through digital transformation and
43 interoperability, and to fully support the cloud-first policy as
44 specified in s. 282.206. The department, through the Florida
45 Digital Service, shall have the following powers, duties, and
46 functions:
47 (a) Develop and publish information technology policy for
48 the management of the state’s information technology resources.
49 (b) Develop an enterprise architecture that:
50 1. Acknowledges the unique needs of the entities within the
51 enterprise in the development and publication of standards and
52 terminologies to facilitate digital interoperability;
53 2. Supports the cloud-first policy as specified in s.
54 282.206; and
55 3. Addresses how information technology infrastructure may
56 be modernized to achieve cloud-first objectives.
57 (c) Establish project management and oversight standards
58 with which state agencies must comply when implementing
59 information technology projects. The department, acting through
60 the Florida Digital Service, shall provide training
61 opportunities to state agencies to assist in the adoption of the
62 project management and oversight standards. To support data
63 driven decisionmaking, the standards must include, but are not
64 limited to:
65 1. Performance measurements and metrics that objectively
66 reflect the status of an information technology project based on
67 a defined and documented project scope, cost, and schedule.
68 2. Methodologies for calculating acceptable variances in
69 the projected versus actual scope, schedule, or cost of an
70 information technology project.
71 3. Reporting requirements, including requirements designed
72 to alert all defined stakeholders that an information technology
73 project has exceeded acceptable variances defined and documented
74 in a project plan.
75 4. Content, format, and frequency of project updates.
76 5. Technical standards to ensure an information technology
77 project complies with the enterprise architecture.
78 (d) Ensure that independent Perform project oversight on
79 all state agency information technology projects that have total
80 project costs of $25 $10 million or more and that are funded in
81 the General Appropriations Act or any other law is performed in
82 compliance with applicable state and federal law. The
83 department, acting through the Florida Digital Service, shall
84 report at least quarterly to the Executive Office of the
85 Governor, the President of the Senate, and the Speaker of the
86 House of Representatives on any information technology project
87 that the department identifies as high-risk due to the project
88 exceeding acceptable variance ranges defined and documented in a
89 project plan. The report must include a risk assessment,
90 including fiscal risks, associated with proceeding to the next
91 stage of the project, and a recommendation for corrective
92 actions required, including suspension or termination of the
93 project.
94 (e) Identify opportunities for standardization and
95 consolidation of information technology services that support
96 interoperability and the cloud-first policy, as specified in s.
97 282.206, and business functions and operations, including
98 administrative functions such as purchasing, accounting and
99 reporting, cash management, and personnel, and that are common
100 across state agencies. The department, acting through the
101 Florida Digital Service, shall biennially on January 15 1 of
102 each even-numbered year provide recommendations for
103 standardization and consolidation to the Executive Office of the
104 Governor, the President of the Senate, and the Speaker of the
105 House of Representatives.
106 (f) Establish best practices for the procurement of
107 information technology products and cloud-computing services in
108 order to reduce costs, increase the quality of data center
109 services, or improve government services.
110 (g) Develop standards for information technology reports
111 and updates, including, but not limited to, operational work
112 plans, project spend plans, and project status reports, for use
113 by state agencies.
114 (h) Upon request, assist state agencies in the development
115 of information technology-related legislative budget requests.
116 (i) Conduct annual assessments of state agencies to
117 determine compliance with all information technology standards
118 and guidelines developed and published by the department and
119 provide results of the assessments to the Executive Office of
120 the Governor, the President of the Senate, and the Speaker of
121 the House of Representatives.
122 (i)(j) Conduct a market analysis not less frequently than
123 every 3 years beginning in 2021 to determine whether the
124 information technology resources within the enterprise are
125 utilized in the most cost-effective and cost-efficient manner,
126 while recognizing that the replacement of certain legacy
127 information technology systems within the enterprise may be cost
128 prohibitive or cost inefficient due to the remaining useful life
129 of those resources; whether the enterprise is complying with the
130 cloud-first policy specified in s. 282.206; and whether the
131 enterprise is utilizing best practices with respect to
132 information technology, information services, and the
133 acquisition of emerging technologies and information services.
134 Each market analysis shall be used to prepare a strategic plan
135 for continued and future information technology and information
136 services for the enterprise, including, but not limited to,
137 proposed acquisition of new services or technologies and
138 approaches to the implementation of any new services or
139 technologies. Copies of each market analysis and accompanying
140 strategic plan must be submitted to the Executive Office of the
141 Governor, the President of the Senate, and the Speaker of the
142 House of Representatives not later than December 31 of each year
143 that a market analysis is conducted.
144 (j)(k) Recommend other information technology services that
145 should be designed, delivered, and managed as enterprise
146 information technology services. Recommendations must include
147 the identification of existing information technology resources
148 associated with the services, if existing services must be
149 transferred as a result of being delivered and managed as
150 enterprise information technology services.
151 (k)(l) In consultation with state agencies, propose a
152 methodology and approach for identifying and collecting both
153 current and planned information technology expenditure data at
154 the state agency level.
155 (l)1.(m)1. Notwithstanding any other law, provide project
156 oversight on any information technology project of the
157 Department of Financial Services, the Department of Legal
158 Affairs, and the Department of Agriculture and Consumer Services
159 which has a total project cost of $25 $20 million or more. Such
160 information technology projects must also comply with the
161 applicable information technology architecture, project
162 management and oversight, and reporting standards established by
163 the department, acting through the Florida Digital Service.
164 2. When performing the project oversight function specified
165 in subparagraph 1., report by the 30th day after the end of each
166 quarter at least quarterly to the Executive Office of the
167 Governor, the President of the Senate, and the Speaker of the
168 House of Representatives on any information technology project
169 that the department, acting through the Florida Digital Service,
170 identifies as high-risk due to the project exceeding acceptable
171 variance ranges defined and documented in the project plan. The
172 report shall include a risk assessment, including fiscal risks,
173 associated with proceeding to the next stage of the project and
174 a recommendation for corrective actions required, including
175 suspension or termination of the project.
176 (m)(n) If an information technology project implemented by
177 a state agency must be connected to or otherwise accommodated by
178 an information technology system administered by the Department
179 of Financial Services, the Department of Legal Affairs, or the
180 Department of Agriculture and Consumer Services, consult with
181 these departments regarding the risks and other effects of such
182 projects on their information technology systems and work
183 cooperatively with these departments regarding the connections,
184 interfaces, timing, or accommodations required to implement such
185 projects.
186 (n)(o) If adherence to standards or policies adopted by or
187 established pursuant to this section causes conflict with
188 federal regulations or requirements imposed on an entity within
189 the enterprise and results in adverse action against an entity
190 or federal funding, work with the entity to provide alternative
191 standards, policies, or requirements that do not conflict with
192 the federal regulation or requirement. The department, acting
193 through the Florida Digital Service, shall annually by January
194 15 report such alternative standards to the Executive Office of
195 the Governor, the President of the Senate, and the Speaker of
196 the House of Representatives.
197 (o)1.(p)1. Establish an information technology policy for
198 all information technology-related state contracts, including
199 state term contracts for information technology commodities,
200 consultant services, and staff augmentation services. The
201 information technology policy must include:
202 a. Identification of the information technology product and
203 service categories to be included in state term contracts.
204 b. Requirements to be included in solicitations for state
205 term contracts.
206 c. Evaluation criteria for the award of information
207 technology-related state term contracts.
208 d. The term of each information technology-related state
209 term contract.
210 e. The maximum number of vendors authorized on each state
211 term contract.
212 f. At a minimum, a requirement that any contract for
213 information technology commodities or services meet the National
214 Institute of Standards and Technology Cybersecurity Framework.
215 g. For an information technology project wherein project
216 oversight is required pursuant to paragraph (d) or paragraph (l)
217 (m), a requirement that independent verification and validation
218 be employed throughout the project life cycle with the primary
219 objective of independent verification and validation being to
220 provide an objective assessment of products and processes
221 throughout the project life cycle. An entity providing
222 independent verification and validation may not have technical,
223 managerial, or financial interest in the project and may not
224 have responsibility for, or participate in, any other aspect of
225 the project.
226 2. Evaluate vendor responses for information technology
227 related state term contract solicitations and invitations to
228 negotiate.
229 3. Answer vendor questions on information technology
230 related state term contract solicitations.
231 4. Ensure that the information technology policy
232 established pursuant to subparagraph 1. is included in all
233 solicitations and contracts that are administratively executed
234 by the department.
235 (p)(q) Recommend potential methods for standardizing data
236 across state agencies which will promote interoperability and
237 reduce the collection of duplicative data.
238 (q)(r) Recommend open data technical standards and
239 terminologies for use by the enterprise.
240 (r)(s) Ensure that enterprise information technology
241 solutions are capable of utilizing an electronic credential and
242 comply with the enterprise architecture standards.
243 (2)
244 (c) The state chief information officer, in consultation
245 with the Secretary of Management Services, shall designate a
246 state chief technology officer who shall be responsible for all
247 of the following:
248 1. Establishing and maintaining an enterprise architecture
249 framework that ensures information technology investments align
250 with the state’s strategic objectives and initiatives pursuant
251 to paragraph (1)(b).
252 2. Conducting comprehensive evaluations of potential
253 technological solutions and cultivating strategic partnerships,
254 internally with state enterprise agencies and externally with
255 the private sector, to leverage collective expertise, foster
256 collaboration, and advance the state’s technological
257 capabilities.
258 3. Supervising program management of enterprise information
259 technology initiatives pursuant to paragraphs (1)(c), (d), and
260 (l); providing advisory support and oversight for technology
261 related projects; and continuously identifying and recommending
262 best practices to optimize outcomes of technology projects and
263 enhance the enterprise’s technological efficiency and
264 effectiveness.
265 (4) For information technology projects that have a total
266 project cost of $25 $10 million or more:
267 (a) State agencies must provide the Florida Digital Service
268 with written notice of any planned procurement of an information
269 technology project.
270 (b) The Florida Digital Service must participate in the
271 development of specifications and recommend modifications to any
272 planned procurement of an information technology project by
273 state agencies so that the procurement complies with the
274 enterprise architecture.
275 (c) The Florida Digital Service must participate in post
276 award contract monitoring.
277 (5) The department, acting through the Florida Digital
278 Service, may not retrieve or disclose any data without a shared
279 data agreement in place between the department and the
280 enterprise entity that has primary custodial responsibility of,
281 or data-sharing responsibility for, that data.
282 Section 3. Subsection (1) of section 282.00515, Florida
283 Statutes, is amended to read:
284 282.00515 Duties of Cabinet agencies.—
285 (1) The Department of Legal Affairs, the Department of
286 Financial Services, and the Department of Agriculture and
287 Consumer Services shall adopt the standards established in s.
288 282.0051(1)(b), (c), and (q) and (3)(e) s. 282.0051(1)(b), (c),
289 and (r) and (3)(e) or adopt alternative standards based on best
290 practices and industry standards that allow for open data
291 interoperability.
292 Section 4. Present subsection (10) of section 282.318,
293 Florida Statutes, is redesignated subsection (11), a new
294 subsection (10) is added to that section, and subsection (3) and
295 paragraph (a) of subsection (4) of that section are amended, to
296 read:
297 282.318 Cybersecurity.—
298 (3) The department, acting through the Florida Digital
299 Service, is the lead entity responsible for leading
300 cybersecurity efforts, safeguarding enterprise digital data,
301 establishing standards and processes for assessing state agency
302 cybersecurity risks, and determining appropriate security
303 measures. Such standards and processes must be consistent with
304 generally accepted technology best practices, including the
305 National Institute for Standards and Technology Cybersecurity
306 Framework, for cybersecurity. The department, acting through the
307 Florida Digital Service, shall adopt rules that mitigate risks;
308 safeguard state agency digital assets, data, information, and
309 information technology resources to ensure availability,
310 confidentiality, and integrity; and support a security
311 governance framework. The department, acting through the Florida
312 Digital Service, shall also:
313 (a) Designate an employee of the Florida Digital Service as
314 the state chief information security officer. The state chief
315 information security officer must have experience and expertise
316 in security and risk management for communications and
317 information technology resources. The state chief information
318 security officer is responsible for the development, operation,
319 and oversight of cybersecurity for state technology systems. The
320 Cybersecurity Operations Center shall immediately notify the
321 state chief information officer and the state chief information
322 security officer shall be notified of all confirmed or suspected
323 incidents or threats of state agency information technology
324 resources. The state chief information officer, in consultation
325 with the state chief information security officer, and must
326 report such incidents or threats to the state chief information
327 officer and the Governor.
328 (b) Develop, and annually update by February 1, a statewide
329 cybersecurity strategic plan that includes security goals and
330 objectives for cybersecurity, including the identification and
331 mitigation of risk, proactive protections against threats,
332 tactical risk detection, threat reporting, and response and
333 recovery protocols for a cyber incident.
334 (c) Develop and publish for use by state agencies a
335 cybersecurity governance framework that, at a minimum, includes
336 guidelines and processes for:
337 1. Establishing asset management procedures to ensure that
338 an agency’s information technology resources are identified and
339 managed consistent with their relative importance to the
340 agency’s business objectives.
341 2. Using a standard risk assessment methodology that
342 includes the identification of an agency’s priorities,
343 constraints, risk tolerances, and assumptions necessary to
344 support operational risk decisions.
345 3. Completing comprehensive risk assessments and
346 cybersecurity audits, which may be completed by a private sector
347 vendor, and submitting completed assessments and audits to the
348 department.
349 4. Identifying protection procedures to manage the
350 protection of an agency’s information, data, and information
351 technology resources.
352 5. Establishing procedures for accessing information and
353 data to ensure the confidentiality, integrity, and availability
354 of such information and data.
355 6. Detecting threats through proactive monitoring of
356 events, continuous security monitoring, and defined detection
357 processes.
358 7. Establishing agency cybersecurity incident response
359 teams and describing their responsibilities for responding to
360 cybersecurity incidents, including breaches of personal
361 information containing confidential or exempt data.
362 8. Recovering information and data in response to a
363 cybersecurity incident. The recovery may include recommended
364 improvements to the agency processes, policies, or guidelines.
365 9. Establishing a cybersecurity incident reporting process
366 that includes procedures for notifying the department and the
367 Department of Law Enforcement of cybersecurity incidents.
368 a. The level of severity of the cybersecurity incident is
369 defined by the National Cyber Incident Response Plan of the
370 United States Department of Homeland Security as follows:
371 (I) Level 5 is an emergency-level incident within the
372 specified jurisdiction that poses an imminent threat to the
373 provision of wide-scale critical infrastructure services;
374 national, state, or local government security; or the lives of
375 the country’s, state’s, or local government’s residents.
376 (II) Level 4 is a severe-level incident that is likely to
377 result in a significant impact in the affected jurisdiction to
378 public health or safety; national, state, or local security;
379 economic security; or civil liberties.
380 (III) Level 3 is a high-level incident that is likely to
381 result in a demonstrable impact in the affected jurisdiction to
382 public health or safety; national, state, or local security;
383 economic security; civil liberties; or public confidence.
384 (IV) Level 2 is a medium-level incident that may impact
385 public health or safety; national, state, or local security;
386 economic security; civil liberties; or public confidence.
387 (V) Level 1 is a low-level incident that is unlikely to
388 impact public health or safety; national, state, or local
389 security; economic security; civil liberties; or public
390 confidence.
391 b. The cybersecurity incident reporting process must
392 specify the information that must be reported by a state agency
393 following a cybersecurity incident or ransomware incident,
394 which, at a minimum, must include the following:
395 (I) A summary of the facts surrounding the cybersecurity
396 incident or ransomware incident.
397 (II) The date on which the state agency most recently
398 backed up its data; the physical location of the backup, if the
399 backup was affected; and if the backup was created using cloud
400 computing.
401 (III) The types of data compromised by the cybersecurity
402 incident or ransomware incident.
403 (IV) The estimated fiscal impact of the cybersecurity
404 incident or ransomware incident.
405 (V) In the case of a ransomware incident, the details of
406 the ransom demanded.
407 c.(I) A state agency shall report all ransomware incidents
408 and any cybersecurity incidents incident determined by the state
409 agency to be of severity level 3, 4, or 5 to the Cybersecurity
410 Operations Center and the Cybercrime Office of the Department of
411 Law Enforcement as soon as possible but no later than 12 48
412 hours after discovery of the cybersecurity incident and no later
413 than 6 12 hours after discovery of the ransomware incident. The
414 report must contain the information required in sub-subparagraph
415 b.
416 (II) The Cybersecurity Operations Center shall:
417 (A) Immediately notify the Cybercrime Office of the
418 Department of Law Enforcement of a reported incident and provide
419 to the Cybercrime Office of the Department of Law Enforcement
420 regular reports on the status of the incident, preserve forensic
421 data to support a subsequent investigation, and provide aid to
422 the investigative efforts of the Cybercrime Office of the
423 Department of Law Enforcement upon the office’s request if the
424 state chief information security officer finds that the
425 investigation does not impede remediation of the incident and
426 that there is no risk to the public and no risk to critical
427 state functions.
428 (B) Immediately notify the state chief information officer
429 and the state chief information security officer of a reported
430 incident. The state chief information security officer shall
431 notify the President of the Senate and the Speaker of the House
432 of Representatives of any severity level 3, 4, or 5 incident as
433 soon as possible but no later than 24 12 hours after receiving a
434 state agency’s incident report. The notification must include a
435 high-level description of the incident and the likely effects
436 and must be provided in a secure environment.
437 d. A state agency shall report a cybersecurity incident
438 determined by the state agency to be of severity level 1 or 2 to
439 the Cybersecurity Operations Center and the Cybercrime Office of
440 the Department of Law Enforcement as soon as possible. The
441 report must contain the information required in sub-subparagraph
442 b.
443 e. The Cybersecurity Operations Center shall provide a
444 consolidated incident report by the 30th day after the end of
445 each quarter on a quarterly basis to the Governor, the Attorney
446 General, the executive director of the Department of Law
447 Enforcement, the President of the Senate, the Speaker of the
448 House of Representatives, and the Florida Cybersecurity Advisory
449 Council. The report provided to the Florida Cybersecurity
450 Advisory Council may not contain the name of any agency, network
451 information, or system identifying information but must contain
452 sufficient relevant information to allow the Florida
453 Cybersecurity Advisory Council to fulfill its responsibilities
454 as required in s. 282.319(9).
455 10. Incorporating information obtained through detection
456 and response activities into the agency’s cybersecurity incident
457 response plans.
458 11. Developing agency strategic and operational
459 cybersecurity plans required pursuant to this section.
460 12. Establishing the managerial, operational, and technical
461 safeguards for protecting state government data and information
462 technology resources that align with the state agency risk
463 management strategy and that protect the confidentiality,
464 integrity, and availability of information and data.
465 13. Establishing procedures for procuring information
466 technology commodities and services that require the commodity
467 or service to meet the National Institute of Standards and
468 Technology Cybersecurity Framework.
469 14. Submitting after-action reports following a
470 cybersecurity incident or ransomware incident. Such guidelines
471 and processes for submitting after-action reports must be
472 developed and published by December 1, 2022.
473 (d) Assist state agencies in complying with this section.
474 (e) In collaboration with the Cybercrime Office of the
475 Department of Law Enforcement, annually provide training for
476 state agency information security managers and computer security
477 incident response team members that contains training on
478 cybersecurity, including cybersecurity threats, trends, and best
479 practices.
480 (f) Annually review the strategic and operational
481 cybersecurity plans of state agencies.
482 (g) Annually provide cybersecurity training to all state
483 agency technology professionals and employees with access to
484 highly sensitive information which develops, assesses, and
485 documents competencies by role and skill level. The
486 cybersecurity training curriculum must include training on the
487 identification of each cybersecurity incident severity level
488 referenced in sub-subparagraph (c)9.a. The training may be
489 provided in collaboration with the Cybercrime Office of the
490 Department of Law Enforcement, a private sector entity, or an
491 institution of the State University System.
492 (h) Operate and maintain a Cybersecurity Operations Center
493 led by the state chief information security officer, which must
494 be primarily virtual and staffed with tactical detection and
495 incident response personnel. The Cybersecurity Operations Center
496 shall serve as a clearinghouse for threat information and
497 coordinate with the Department of Law Enforcement to support
498 state agencies and their response to any confirmed or suspected
499 cybersecurity incident.
500 (i) Lead an Emergency Support Function, ESF-20 ESF CYBER,
501 under the state comprehensive emergency management plan as
502 described in s. 252.35.
503 (j) Provide cybersecurity briefings to the members of any
504 legislative committee or subcommittee responsible for policy
505 matters relating to cybersecurity.
506 (k) Have the authority to obtain immediate access to public
507 or private infrastructure hosting enterprise digital data and to
508 direct, in consultation with the state agency that holds the
509 particular enterprise digital data, measures to assess, monitor,
510 and safeguard the enterprise digital data.
511 (4) Each state agency head shall, at a minimum:
512 (a) Designate an information security manager to ensure
513 compliance with cybersecurity governance and with the state’s
514 enterprise security program and incident response plan. The
515 information security manager must coordinate with the agency’s
516 information security personnel and the Cybersecurity Operations
517 Center to ensure that the unique needs of the agency are met
518 administer the cybersecurity program of the state agency. This
519 designation must be provided annually in writing to the
520 department by January 15 1. A state agency’s information
521 security manager, for purposes of these information security
522 duties, shall report directly to the agency head.
523 (10) The department may brief any legislative committee or
524 subcommittee responsible for cybersecurity policy in a meeting
525 or other setting closed by the respective body under the rules
526 of such legislative body at which the legislative committee or
527 subcommittee is briefed on records made confidential and exempt
528 under subsections (5) and (6). The legislative committee or
529 subcommittee must maintain the confidential and exempt status of
530 such records. A legislator serving on a legislative committee or
531 subcommittee responsible for cybersecurity policy may also
532 attend meetings of the Florida Cybersecurity Advisory Council,
533 including any portions of such meetings that are exempt from s.
534 286.011 and s. 24(b), Art. I of the State Constitution.
535 Section 5. Paragraphs (b) and (c) of subsection (5) of
536 section 282.3185, Florida Statutes, are amended to read:
537 282.3185 Local government cybersecurity.—
538 (5) INCIDENT NOTIFICATION.—
539 (b)1. A local government shall report all ransomware
540 incidents and any cybersecurity incident determined by the local
541 government to be of severity level 3, 4, or 5 as provided in s.
542 282.318(3)(c) to the Cybersecurity Operations Center, the
543 Cybercrime Office of the Department of Law Enforcement, and the
544 sheriff who has jurisdiction over the local government as soon
545 as possible but no later than 12 48 hours after discovery of the
546 cybersecurity incident and no later than 6 12 hours after
547 discovery of the ransomware incident. The report must contain
548 the information required in paragraph (a).
549 2. The Cybersecurity Operations Center shall:
550 a. Immediately notify the Cybercrime Office of the
551 Department of Law Enforcement and the sheriff who has
552 jurisdiction over the local government of a reported incident
553 and provide to the Cybercrime Office of the Department of Law
554 Enforcement and the sheriff who has jurisdiction over the local
555 government regular reports on the status of the incident,
556 preserve forensic data to support a subsequent investigation,
557 and provide aid to the investigative efforts of the Cybercrime
558 Office of the Department of Law Enforcement upon the office’s
559 request if the state chief information security officer finds
560 that the investigation does not impede remediation of the
561 incident and that there is no risk to the public and no risk to
562 critical state functions.
563 b. Immediately notify the state chief information security
564 officer of a reported incident. The state chief information
565 security officer shall notify the President of the Senate and
566 the Speaker of the House of Representatives of any severity
567 level 3, 4, or 5 incident as soon as possible but no later than
568 24 12 hours after receiving a local government’s incident
569 report. The notification must include a high-level description
570 of the incident and the likely effects and must be provided in a
571 secure environment.
572 (c) A local government may report a cybersecurity incident
573 determined by the local government to be of severity level 1 or
574 2 as provided in s. 282.318(3)(c) to the Cybersecurity
575 Operations Center, the Cybercrime Office of the Department of
576 Law Enforcement, and the sheriff who has jurisdiction over the
577 local government. The report shall contain the information
578 required in paragraph (a). The Cybersecurity Operations Center
579 shall immediately notify the Cybercrime Office of the Department
580 of Law Enforcement and the sheriff who has jurisdiction over the
581 local government of a reported incident and provide regular
582 reports on the status of the cybersecurity incident, preserve
583 forensic data to support a subsequent investigation, and provide
584 aid to the investigative efforts of the Cybercrime Office of the
585 Department of Law Enforcement upon request if the state chief
586 information security officer finds that the investigation does
587 not impede remediation of the cybersecurity incident and that
588 there is no risk to the public and no risk to critical state
589 functions.
590 Section 6. Paragraph (j) of subsection (4) of section
591 282.319, Florida Statutes, is amended, and paragraph (m) is
592 added to that subsection, to read:
593 282.319 Florida Cybersecurity Advisory Council.—
594 (4) The council shall be comprised of the following
595 members:
596 (j) Three representatives from critical infrastructure
597 sectors, one of whom must be from a utility provider water
598 treatment facility, appointed by the Governor.
599 (m) A representative of local government.
600 Section 7. Section 1004.444, Florida Statutes, is amended
601 to read:
602 1004.444 Florida Center for Cybersecurity.—
603 (1) The Florida Center for Cybersecurity, which may also be
604 referred to as “Cyber Florida,” is established as a center
605 within the University of South Florida under the direction of
606 the president of the university or the president’s designee. The
607 president may assign the center within a college of the
608 university if the college has a strong emphasis on
609 cybersecurity, technology, or computer sciences and engineering
610 as determined and approved by the university’s board of
611 trustees.
612 (2) The mission and goals of the center are to:
613 (a) Position Florida as the national leader in
614 cybersecurity and its related workforce primarily through
615 advancing and funding education and, research and development
616 initiatives in cybersecurity and related fields, with a
617 secondary emphasis on, and community engagement and
618 cybersecurity awareness.
619 (b) Assist in the creation of jobs in the state’s
620 cybersecurity industry and enhance the existing cybersecurity
621 workforce through education, research, applied science, and
622 engagements and partnerships with the private and military
623 sectors.
624 (c) Act as a cooperative facilitator for state business and
625 higher education communities to share cybersecurity knowledge,
626 resources, and training.
627 (d) Seek out research and development agreements and other
628 partnerships with major military installations and affiliated
629 contractors to assist, when possible, in homeland cybersecurity
630 defense initiatives.
631 (e) Attract cybersecurity companies and jobs to the state
632 with an emphasis on defense, finance, health care,
633 transportation, and utility sectors.
634 (f) Conduct, fund, and facilitate research and applied
635 science that leads to the creation of new technologies and
636 software packages that have military and civilian applications
637 and which can be transferred for military and homeland defense
638 purposes or for sale or use in the private sector.
639 (3) Upon receiving a request for assistance from the
640 Department of Management Services, the Florida Digital Service,
641 or another state agency, the center is authorized, but may not
642 be compelled by the agency, to conduct, consult on, or otherwise
643 assist any state-funded initiatives related to:
644 (a) Cybersecurity training, professional development, and
645 education for state and local government employees, including
646 school districts and the judicial branch.
647 (b) Increasing the cybersecurity effectiveness of the
648 state’s and local governments’ technology platforms and
649 infrastructure, including school districts and the judicial
650 branch.
651 Section 8. This act shall take effect July 1, 2024.
652
653 ================= T I T L E A M E N D M E N T ================
654 And the title is amended as follows:
655 Delete everything before the enacting clause
656 and insert:
657 A bill to be entitled
658 An act relating to cybersecurity; amending s.
659 282.0041, F.S.; defining terms; amending s. 282.0051,
660 F.S.; revising the purposes for which the Florida
661 Digital Service is established; requiring the Florida
662 Digital Service to ensure that independent project
663 oversight on certain state agency information
664 technology projects is performed in a certain manner;
665 revising the date by which the Department of
666 Management Services, acting through the Florida
667 Digital Service, must provide certain recommendations
668 to the Executive Office of the Governor and the
669 Legislature; removing certain duties of the Florida
670 Digital Service; revising the total project cost of
671 certain projects for which the Florida Digital Service
672 must provide project oversight; specifying the date by
673 which the Florida Digital Service must provide certain
674 reports; requiring the state chief information
675 officer, in consultation with the Secretary of
676 Management Services, to designate a state chief
677 technology officer; providing duties of the state
678 chief technology officer; revising the total project
679 cost of certain projects for which certain procurement
680 actions must be taken; removing provisions prohibiting
681 the department, acting through the Florida Digital
682 Service, from retrieving or disclosing certain data in
683 certain circumstances; amending s. 282.00515, F.S.;
684 conforming a cross-reference; amending s. 282.318,
685 F.S.; providing that the Florida Digital Service is
686 the lead entity for a certain purpose; requiring the
687 Cybersecurity Operations Center to provide certain
688 notifications; requiring the state chief information
689 officer to make certain reports in consultation with
690 the state chief information security officer; revising
691 the timeframe for a state agency to report ransomware
692 and cybersecurity incidents to the Cybersecurity
693 Operations Center; requiring the Cybersecurity
694 Operations Center to immediately notify certain
695 entities of reported incidents and take certain
696 actions; requiring the state chief information
697 security officer to notify the Legislature of certain
698 incidents within a certain period; requiring that a
699 certain notification be provided in a secure
700 environment; requiring the Cybersecurity Operations
701 Center to provide a certain report to certain entities
702 by a specified date; requiring the department, acting
703 through the Florida Digital Service, to provide
704 cybersecurity briefings to certain legislative
705 committees; authorizing the department, acting through
706 the Florida Digital Service, to obtain certain access
707 to certain infrastructure and direct certain measures;
708 revising the purpose of a state agency’s information
709 security manager and the date by which he or she must
710 be designated; authorizing the department to brief
711 certain legislative committees in a closed setting on
712 certain records that are confidential and exempt from
713 public records requirements; requiring such
714 legislative committees to maintain the confidential
715 and exempt status of certain records; authorizing
716 certain legislators to attend meetings of the Florida
717 Cybersecurity Advisory Council; amending s. 282.3185,
718 F.S.; requiring local governments to report ransomware
719 and certain cybersecurity incidents to the
720 Cybersecurity Operations Center within certain time
721 periods; requiring the Cybersecurity Operations Center
722 to immediately notify certain entities of certain
723 incidents and take certain actions; requiring the
724 state chief information security officer to provide
725 certain notification to the Legislature within a
726 certain timeframe and in a secure environment;
727 amending s. 282.319, F.S.; revising the membership of
728 the Florida Cybersecurity Advisory Council; amending
729 s. 1004.444, F.S.; providing that the Florida Center
730 for Cybersecurity may be referred to as “Cyber
731 Florida”; providing that such center is under the
732 direction of the president of the University of South
733 Florida or his or her designee; authorizing the
734 president to assign the center within a certain
735 college of the university; revising the mission and
736 goals of the center; authorizing the center, if
737 requested by specified entities, to conduct, consult
738 on, or assist on specified state-funded initiatives;
739 providing an effective date.