Florida Senate - 2024 CS for SB 1662
By the Committee on Governmental Oversight and Accountability;
and Senator Collins
585-02588-24 20241662c1
1 A bill to be entitled
2 An act relating to cybersecurity; amending s.
3 282.0041, F.S.; defining terms; amending s. 282.0051,
4 F.S.; revising the purposes for which the Florida
5 Digital Service is established; requiring the Florida
6 Digital Service to ensure that independent project
7 oversight on certain state agency information
8 technology projects is performed in a certain manner;
9 revising the date by which the Department of
10 Management Services, acting through the Florida
11 Digital Service, must provide certain recommendations
12 to the Executive Office of the Governor and the
13 Legislature; removing certain duties of the Florida
14 Digital Service; revising the total project cost of
15 certain projects for which the Florida Digital Service
16 must provide project oversight; specifying the date by
17 which the Florida Digital Service must provide certain
18 reports; requiring the state chief information
19 officer, in consultation with the Secretary of
20 Management Services, to designate a state chief
21 technology officer; providing duties of the state
22 chief technology officer; revising the total project
23 cost of certain projects for which certain procurement
24 actions must be taken; removing provisions prohibiting
25 the department, acting through the Florida Digital
26 Service, from retrieving or disclosing certain data in
27 certain circumstances; amending s. 282.00515, F.S.;
28 conforming a cross-reference; amending s. 282.318,
29 F.S.; providing that the Florida Digital Service is
30 the lead entity for a certain purpose; requiring the
31 Cybersecurity Operations Center to provide certain
32 notifications; requiring the state chief information
33 officer to make certain reports in consultation with
34 the state chief information security officer; revising
35 the timeframe for a state agency to report ransomware
36 and cybersecurity incidents to the Cybersecurity
37 Operations Center; requiring the Cybersecurity
38 Operations Center to immediately notify certain
39 entities of reported incidents and take certain
40 actions; requiring the state chief information
41 security officer to notify the Legislature of certain
42 incidents within a certain period; requiring that a
43 certain notification be provided in a secure
44 environment; requiring the Cybersecurity Operations
45 Center to provide a certain report to certain entities
46 by a specified date; requiring the department, acting
47 through the Florida Digital Service, to provide
48 cybersecurity briefings to certain legislative
49 committees; authorizing the department, acting through
50 the Florida Digital Service, to obtain certain access
51 to certain infrastructure and direct certain measures;
52 revising the purpose of a state agency’s information
53 security manager and the date by which he or she must
54 be designated; authorizing the department to brief
55 certain legislative committees in a closed setting on
56 certain records that are confidential and exempt from
57 public records requirements; requiring such
58 legislative committees to maintain the confidential
59 and exempt status of certain records; authorizing
60 certain legislators to attend meetings of the Florida
61 Cybersecurity Advisory Council; amending s. 282.3185,
62 F.S.; requiring local governments to report ransomware
63 and certain cybersecurity incidents to the
64 Cybersecurity Operations Center within certain time
65 periods; requiring the Cybersecurity Operations Center
66 to immediately notify certain entities of certain
67 incidents and take certain actions; requiring the
68 state chief information security officer to provide
69 certain notification to the Legislature within a
70 certain timeframe and in a secure environment;
71 amending s. 282.319, F.S.; revising the membership of
72 the Florida Cybersecurity Advisory Council; amending
73 s. 1004.444, F.S.; providing that the Florida Center
74 for Cybersecurity may be referred to as “Cyber
75 Florida”; providing that such center is under the
76 direction of the president of the University of South
77 Florida or his or her designee; authorizing the
78 president to assign the center within a certain
79 college of the university; revising the mission and
80 goals of the center; authorizing the center, if
81 requested by specified entities, to conduct, consult
82 on, or assist on specified state-funded initiatives;
83 providing an effective date.
84
85 Be It Enacted by the Legislature of the State of Florida:
86
87 Section 1. Present subsections (3), (4), and (5), (6)
88 through (16), and (17) through (38) of section 282.0041, Florida
89 Statutes, are redesignated as subsections (4), (5), and (6), (8)
90 through (18), and (20) through (41), respectively, and new
91 subsections (3), (7), and (19) are added to that section, to
92 read:
93 282.0041 Definitions.—As used in this chapter, the term:
94 (3) “As a service” means the contracting with or
95 outsourcing to a third party of a defined role or function as a
96 means of delivery.
97 (7) “Cloud provider” means an entity that provides cloud
98 computing services.
99 (19) “Enterprise digital data” means information held by a
100 state agency in electronic form that is deemed to be data owned
101 by the state and held for state purposes by the state agency.
102 Enterprise digital data that is subject to statutory
103 requirements for particular types of sensitive data or to
104 contractual limitations for data marked as trade secrets or
105 sensitive corporate data held by state agencies shall be treated
106 in accordance with such requirements or limitations. The
107 department must maintain personnel with appropriate licenses,
108 certifications, or classifications to steward such enterprise
109 digital data, as necessary. Enterprise digital data must be
110 maintained in accordance with chapter 119. This subsection may
111 not be construed to create or expand an exemption from public
112 records requirements under s. 119.07(1) or s. 24(a), Art. I of
113 the State Constitution.
114 Section 2. Subsections (1), (4), and (5) of section
115 282.0051, Florida Statutes, are amended, and paragraph (c) is
116 added to subsection (2) of that section, to read:
117 282.0051 Department of Management Services; Florida Digital
118 Service; powers, duties, and functions.—
119 (1) The Florida Digital Service is established has been
120 created within the department to lead enterprise cybersecurity
121 efforts, to safeguard enterprise digital data, to propose, test,
122 develop, and deploy innovative solutions that securely modernize
123 state government, including technology and information services,
124 to achieve value through digital transformation and
125 interoperability, and to fully support the cloud-first policy as
126 specified in s. 282.206. The department, through the Florida
127 Digital Service, shall have the following powers, duties, and
128 functions:
129 (a) Develop and publish information technology policy for
130 the management of the state’s information technology resources.
131 (b) Develop an enterprise architecture that:
132 1. Acknowledges the unique needs of the entities within the
133 enterprise in the development and publication of standards and
134 terminologies to facilitate digital interoperability;
135 2. Supports the cloud-first policy as specified in s.
136 282.206; and
137 3. Addresses how information technology infrastructure may
138 be modernized to achieve cloud-first objectives.
139 (c) Establish project management and oversight standards
140 with which state agencies must comply when implementing
141 information technology projects. The department, acting through
142 the Florida Digital Service, shall provide training
143 opportunities to state agencies to assist in the adoption of the
144 project management and oversight standards. To support data
145 driven decisionmaking, the standards must include, but are not
146 limited to:
147 1. Performance measurements and metrics that objectively
148 reflect the status of an information technology project based on
149 a defined and documented project scope, cost, and schedule.
150 2. Methodologies for calculating acceptable variances in
151 the projected versus actual scope, schedule, or cost of an
152 information technology project.
153 3. Reporting requirements, including requirements designed
154 to alert all defined stakeholders that an information technology
155 project has exceeded acceptable variances defined and documented
156 in a project plan.
157 4. Content, format, and frequency of project updates.
158 5. Technical standards to ensure an information technology
159 project complies with the enterprise architecture.
160 (d) Ensure that independent Perform project oversight on
161 all state agency information technology projects that have total
162 project costs of $25 $10 million or more and that are funded in
163 the General Appropriations Act or any other law is performed in
164 compliance with applicable state and federal law. The
165 department, acting through the Florida Digital Service, shall
166 report at least quarterly to the Executive Office of the
167 Governor, the President of the Senate, and the Speaker of the
168 House of Representatives on any information technology project
169 that the department identifies as high-risk due to the project
170 exceeding acceptable variance ranges defined and documented in a
171 project plan. The report must include a risk assessment,
172 including fiscal risks, associated with proceeding to the next
173 stage of the project, and a recommendation for corrective
174 actions required, including suspension or termination of the
175 project.
176 (e) Identify opportunities for standardization and
177 consolidation of information technology services that support
178 interoperability and the cloud-first policy, as specified in s.
179 282.206, and business functions and operations, including
180 administrative functions such as purchasing, accounting and
181 reporting, cash management, and personnel, and that are common
182 across state agencies. The department, acting through the
183 Florida Digital Service, shall biennially on January 15 1 of
184 each even-numbered year provide recommendations for
185 standardization and consolidation to the Executive Office of the
186 Governor, the President of the Senate, and the Speaker of the
187 House of Representatives.
188 (f) Establish best practices for the procurement of
189 information technology products and cloud-computing services in
190 order to reduce costs, increase the quality of data center
191 services, or improve government services.
192 (g) Develop standards for information technology reports
193 and updates, including, but not limited to, operational work
194 plans, project spend plans, and project status reports, for use
195 by state agencies.
196 (h) Upon request, assist state agencies in the development
197 of information technology-related legislative budget requests.
198 (i) Conduct annual assessments of state agencies to
199 determine compliance with all information technology standards
200 and guidelines developed and published by the department and
201 provide results of the assessments to the Executive Office of
202 the Governor, the President of the Senate, and the Speaker of
203 the House of Representatives.
204 (i)(j) Conduct a market analysis not less frequently than
205 every 3 years beginning in 2021 to determine whether the
206 information technology resources within the enterprise are
207 utilized in the most cost-effective and cost-efficient manner,
208 while recognizing that the replacement of certain legacy
209 information technology systems within the enterprise may be cost
210 prohibitive or cost inefficient due to the remaining useful life
211 of those resources; whether the enterprise is complying with the
212 cloud-first policy specified in s. 282.206; and whether the
213 enterprise is utilizing best practices with respect to
214 information technology, information services, and the
215 acquisition of emerging technologies and information services.
216 Each market analysis shall be used to prepare a strategic plan
217 for continued and future information technology and information
218 services for the enterprise, including, but not limited to,
219 proposed acquisition of new services or technologies and
220 approaches to the implementation of any new services or
221 technologies. Copies of each market analysis and accompanying
222 strategic plan must be submitted to the Executive Office of the
223 Governor, the President of the Senate, and the Speaker of the
224 House of Representatives not later than December 31 of each year
225 that a market analysis is conducted.
226 (j)(k) Recommend other information technology services that
227 should be designed, delivered, and managed as enterprise
228 information technology services. Recommendations must include
229 the identification of existing information technology resources
230 associated with the services, if existing services must be
231 transferred as a result of being delivered and managed as
232 enterprise information technology services.
233 (k)(l) In consultation with state agencies, propose a
234 methodology and approach for identifying and collecting both
235 current and planned information technology expenditure data at
236 the state agency level.
237 (l)1.(m)1. Notwithstanding any other law, provide project
238 oversight on any information technology project of the
239 Department of Financial Services, the Department of Legal
240 Affairs, and the Department of Agriculture and Consumer Services
241 which has a total project cost of $25 $20 million or more. Such
242 information technology projects must also comply with the
243 applicable information technology architecture, project
244 management and oversight, and reporting standards established by
245 the department, acting through the Florida Digital Service.
246 2. When performing the project oversight function specified
247 in subparagraph 1., report by the 30th day after the end of each
248 quarter at least quarterly to the Executive Office of the
249 Governor, the President of the Senate, and the Speaker of the
250 House of Representatives on any information technology project
251 that the department, acting through the Florida Digital Service,
252 identifies as high-risk due to the project exceeding acceptable
253 variance ranges defined and documented in the project plan. The
254 report shall include a risk assessment, including fiscal risks,
255 associated with proceeding to the next stage of the project and
256 a recommendation for corrective actions required, including
257 suspension or termination of the project.
258 (m)(n) If an information technology project implemented by
259 a state agency must be connected to or otherwise accommodated by
260 an information technology system administered by the Department
261 of Financial Services, the Department of Legal Affairs, or the
262 Department of Agriculture and Consumer Services, consult with
263 these departments regarding the risks and other effects of such
264 projects on their information technology systems and work
265 cooperatively with these departments regarding the connections,
266 interfaces, timing, or accommodations required to implement such
267 projects.
268 (n)(o) If adherence to standards or policies adopted by or
269 established pursuant to this section causes conflict with
270 federal regulations or requirements imposed on an entity within
271 the enterprise and results in adverse action against an entity
272 or federal funding, work with the entity to provide alternative
273 standards, policies, or requirements that do not conflict with
274 the federal regulation or requirement. The department, acting
275 through the Florida Digital Service, shall annually by January
276 15 report such alternative standards to the Executive Office of
277 the Governor, the President of the Senate, and the Speaker of
278 the House of Representatives.
279 (o)1.(p)1. Establish an information technology policy for
280 all information technology-related state contracts, including
281 state term contracts for information technology commodities,
282 consultant services, and staff augmentation services. The
283 information technology policy must include:
284 a. Identification of the information technology product and
285 service categories to be included in state term contracts.
286 b. Requirements to be included in solicitations for state
287 term contracts.
288 c. Evaluation criteria for the award of information
289 technology-related state term contracts.
290 d. The term of each information technology-related state
291 term contract.
292 e. The maximum number of vendors authorized on each state
293 term contract.
294 f. At a minimum, a requirement that any contract for
295 information technology commodities or services meet the National
296 Institute of Standards and Technology Cybersecurity Framework.
297 g. For an information technology project wherein project
298 oversight is required pursuant to paragraph (d) or paragraph (l)
299 (m), a requirement that independent verification and validation
300 be employed throughout the project life cycle with the primary
301 objective of independent verification and validation being to
302 provide an objective assessment of products and processes
303 throughout the project life cycle. An entity providing
304 independent verification and validation may not have technical,
305 managerial, or financial interest in the project and may not
306 have responsibility for, or participate in, any other aspect of
307 the project.
308 2. Evaluate vendor responses for information technology
309 related state term contract solicitations and invitations to
310 negotiate.
311 3. Answer vendor questions on information technology
312 related state term contract solicitations.
313 4. Ensure that the information technology policy
314 established pursuant to subparagraph 1. is included in all
315 solicitations and contracts that are administratively executed
316 by the department.
317 (p)(q) Recommend potential methods for standardizing data
318 across state agencies which will promote interoperability and
319 reduce the collection of duplicative data.
320 (q)(r) Recommend open data technical standards and
321 terminologies for use by the enterprise.
322 (r)(s) Ensure that enterprise information technology
323 solutions are capable of utilizing an electronic credential and
324 comply with the enterprise architecture standards.
325 (2)
326 (c) The state chief information officer, in consultation
327 with the Secretary of Management Services, shall designate a
328 state chief technology officer who shall be responsible for all
329 of the following:
330 1. Establishing and maintaining an enterprise architecture
331 framework that ensures information technology investments align
332 with the state’s strategic objectives and initiatives pursuant
333 to paragraph (1)(b).
334 2. Conducting comprehensive evaluations of potential
335 technological solutions and cultivating strategic partnerships,
336 internally with state enterprise agencies and externally with
337 the private sector, to leverage collective expertise, foster
338 collaboration, and advance the state’s technological
339 capabilities.
340 3. Supervising program management of enterprise information
341 technology initiatives pursuant to paragraphs (1)(c), (d), and
342 (l); providing advisory support and oversight for technology
343 related projects; and continuously identifying and recommending
344 best practices to optimize outcomes of technology projects and
345 enhance the enterprise’s technological efficiency and
346 effectiveness.
347 (4) For information technology projects that have a total
348 project cost of $25 $10 million or more:
349 (a) State agencies must provide the Florida Digital Service
350 with written notice of any planned procurement of an information
351 technology project.
352 (b) The Florida Digital Service must participate in the
353 development of specifications and recommend modifications to any
354 planned procurement of an information technology project by
355 state agencies so that the procurement complies with the
356 enterprise architecture.
357 (c) The Florida Digital Service must participate in post
358 award contract monitoring.
359 (5) The department, acting through the Florida Digital
360 Service, may not retrieve or disclose any data without a shared
361 data agreement in place between the department and the
362 enterprise entity that has primary custodial responsibility of,
363 or data-sharing responsibility for, that data.
364 Section 3. Subsection (1) of section 282.00515, Florida
365 Statutes, is amended to read:
366 282.00515 Duties of Cabinet agencies.—
367 (1) The Department of Legal Affairs, the Department of
368 Financial Services, and the Department of Agriculture and
369 Consumer Services shall adopt the standards established in s.
370 282.0051(1)(b), (c), and (q) and (3)(e) s. 282.0051(1)(b), (c),
371 and (r) and (3)(e) or adopt alternative standards based on best
372 practices and industry standards that allow for open data
373 interoperability.
374 Section 4. Present subsection (10) of section 282.318,
375 Florida Statutes, is redesignated subsection (11), a new
376 subsection (10) is added to that section, and subsection (3) and
377 paragraph (a) of subsection (4) of that section are amended, to
378 read:
379 282.318 Cybersecurity.—
380 (3) The department, acting through the Florida Digital
381 Service, is the lead entity responsible for leading
382 cybersecurity efforts, safeguarding enterprise digital data,
383 establishing standards and processes for assessing state agency
384 cybersecurity risks, and determining appropriate security
385 measures. Such standards and processes must be consistent with
386 generally accepted technology best practices, including the
387 National Institute for Standards and Technology Cybersecurity
388 Framework, for cybersecurity. The department, acting through the
389 Florida Digital Service, shall adopt rules that mitigate risks;
390 safeguard state agency digital assets, data, information, and
391 information technology resources to ensure availability,
392 confidentiality, and integrity; and support a security
393 governance framework. The department, acting through the Florida
394 Digital Service, shall also:
395 (a) Designate an employee of the Florida Digital Service as
396 the state chief information security officer. The state chief
397 information security officer must have experience and expertise
398 in security and risk management for communications and
399 information technology resources. The state chief information
400 security officer is responsible for the development, operation,
401 and oversight of cybersecurity for state technology systems. The
402 Cybersecurity Operations Center shall immediately notify the
403 state chief information officer and the state chief information
404 security officer shall be notified of all confirmed or suspected
405 incidents or threats of state agency information technology
406 resources. The state chief information officer, in consultation
407 with the state chief information security officer, and must
408 report such incidents or threats to the state chief information
409 officer and the Governor.
410 (b) Develop, and annually update by February 1, a statewide
411 cybersecurity strategic plan that includes security goals and
412 objectives for cybersecurity, including the identification and
413 mitigation of risk, proactive protections against threats,
414 tactical risk detection, threat reporting, and response and
415 recovery protocols for a cyber incident.
416 (c) Develop and publish for use by state agencies a
417 cybersecurity governance framework that, at a minimum, includes
418 guidelines and processes for:
419 1. Establishing asset management procedures to ensure that
420 an agency’s information technology resources are identified and
421 managed consistent with their relative importance to the
422 agency’s business objectives.
423 2. Using a standard risk assessment methodology that
424 includes the identification of an agency’s priorities,
425 constraints, risk tolerances, and assumptions necessary to
426 support operational risk decisions.
427 3. Completing comprehensive risk assessments and
428 cybersecurity audits, which may be completed by a private sector
429 vendor, and submitting completed assessments and audits to the
430 department.
431 4. Identifying protection procedures to manage the
432 protection of an agency’s information, data, and information
433 technology resources.
434 5. Establishing procedures for accessing information and
435 data to ensure the confidentiality, integrity, and availability
436 of such information and data.
437 6. Detecting threats through proactive monitoring of
438 events, continuous security monitoring, and defined detection
439 processes.
440 7. Establishing agency cybersecurity incident response
441 teams and describing their responsibilities for responding to
442 cybersecurity incidents, including breaches of personal
443 information containing confidential or exempt data.
444 8. Recovering information and data in response to a
445 cybersecurity incident. The recovery may include recommended
446 improvements to the agency processes, policies, or guidelines.
447 9. Establishing a cybersecurity incident reporting process
448 that includes procedures for notifying the department and the
449 Department of Law Enforcement of cybersecurity incidents.
450 a. The level of severity of the cybersecurity incident is
451 defined by the National Cyber Incident Response Plan of the
452 United States Department of Homeland Security as follows:
453 (I) Level 5 is an emergency-level incident within the
454 specified jurisdiction that poses an imminent threat to the
455 provision of wide-scale critical infrastructure services;
456 national, state, or local government security; or the lives of
457 the country’s, state’s, or local government’s residents.
458 (II) Level 4 is a severe-level incident that is likely to
459 result in a significant impact in the affected jurisdiction to
460 public health or safety; national, state, or local security;
461 economic security; or civil liberties.
462 (III) Level 3 is a high-level incident that is likely to
463 result in a demonstrable impact in the affected jurisdiction to
464 public health or safety; national, state, or local security;
465 economic security; civil liberties; or public confidence.
466 (IV) Level 2 is a medium-level incident that may impact
467 public health or safety; national, state, or local security;
468 economic security; civil liberties; or public confidence.
469 (V) Level 1 is a low-level incident that is unlikely to
470 impact public health or safety; national, state, or local
471 security; economic security; civil liberties; or public
472 confidence.
473 b. The cybersecurity incident reporting process must
474 specify the information that must be reported by a state agency
475 following a cybersecurity incident or ransomware incident,
476 which, at a minimum, must include the following:
477 (I) A summary of the facts surrounding the cybersecurity
478 incident or ransomware incident.
479 (II) The date on which the state agency most recently
480 backed up its data; the physical location of the backup, if the
481 backup was affected; and if the backup was created using cloud
482 computing.
483 (III) The types of data compromised by the cybersecurity
484 incident or ransomware incident.
485 (IV) The estimated fiscal impact of the cybersecurity
486 incident or ransomware incident.
487 (V) In the case of a ransomware incident, the details of
488 the ransom demanded.
489 c.(I) A state agency shall report all ransomware incidents
490 and any cybersecurity incidents incident determined by the state
491 agency to be of severity level 3, 4, or 5 to the Cybersecurity
492 Operations Center and the Cybercrime Office of the Department of
493 Law Enforcement as soon as possible but no later than 12 48
494 hours after discovery of the cybersecurity incident and no later
495 than 6 12 hours after discovery of the ransomware incident. The
496 report must contain the information required in sub-subparagraph
497 b.
498 (II) The Cybersecurity Operations Center shall:
499 (A) Immediately notify the Cybercrime Office of the
500 Department of Law Enforcement of a reported incident and provide
501 to the Cybercrime Office of the Department of Law Enforcement
502 regular reports on the status of the incident, preserve forensic
503 data to support a subsequent investigation, and provide aid to
504 the investigative efforts of the Cybercrime Office of the
505 Department of Law Enforcement upon the office’s request if the
506 state chief information security officer finds that the
507 investigation does not impede remediation of the incident and
508 that there is no risk to the public and no risk to critical
509 state functions.
510 (B) Immediately notify the state chief information officer
511 and the state chief information security officer of a reported
512 incident. The state chief information security officer shall
513 notify the President of the Senate and the Speaker of the House
514 of Representatives of any severity level 3, 4, or 5 incident as
515 soon as possible but no later than 24 12 hours after receiving a
516 state agency’s incident report. The notification must include a
517 high-level description of the incident and the likely effects
518 and must be provided in a secure environment.
519 d. A state agency shall report a cybersecurity incident
520 determined by the state agency to be of severity level 1 or 2 to
521 the Cybersecurity Operations Center and the Cybercrime Office of
522 the Department of Law Enforcement as soon as possible. The
523 report must contain the information required in sub-subparagraph
524 b.
525 e. The Cybersecurity Operations Center shall provide a
526 consolidated incident report by the 30th day after the end of
527 each quarter on a quarterly basis to the Governor, the Attorney
528 General, the executive director of the Department of Law
529 Enforcement, the President of the Senate, the Speaker of the
530 House of Representatives, and the Florida Cybersecurity Advisory
531 Council. The report provided to the Florida Cybersecurity
532 Advisory Council may not contain the name of any agency, network
533 information, or system identifying information but must contain
534 sufficient relevant information to allow the Florida
535 Cybersecurity Advisory Council to fulfill its responsibilities
536 as required in s. 282.319(9).
537 10. Incorporating information obtained through detection
538 and response activities into the agency’s cybersecurity incident
539 response plans.
540 11. Developing agency strategic and operational
541 cybersecurity plans required pursuant to this section.
542 12. Establishing the managerial, operational, and technical
543 safeguards for protecting state government data and information
544 technology resources that align with the state agency risk
545 management strategy and that protect the confidentiality,
546 integrity, and availability of information and data.
547 13. Establishing procedures for procuring information
548 technology commodities and services that require the commodity
549 or service to meet the National Institute of Standards and
550 Technology Cybersecurity Framework.
551 14. Submitting after-action reports following a
552 cybersecurity incident or ransomware incident. Such guidelines
553 and processes for submitting after-action reports must be
554 developed and published by December 1, 2022.
555 (d) Assist state agencies in complying with this section.
556 (e) In collaboration with the Cybercrime Office of the
557 Department of Law Enforcement, annually provide training for
558 state agency information security managers and computer security
559 incident response team members that contains training on
560 cybersecurity, including cybersecurity threats, trends, and best
561 practices.
562 (f) Annually review the strategic and operational
563 cybersecurity plans of state agencies.
564 (g) Annually provide cybersecurity training to all state
565 agency technology professionals and employees with access to
566 highly sensitive information which develops, assesses, and
567 documents competencies by role and skill level. The
568 cybersecurity training curriculum must include training on the
569 identification of each cybersecurity incident severity level
570 referenced in sub-subparagraph (c)9.a. The training may be
571 provided in collaboration with the Cybercrime Office of the
572 Department of Law Enforcement, a private sector entity, or an
573 institution of the State University System.
574 (h) Operate and maintain a Cybersecurity Operations Center
575 led by the state chief information security officer, which must
576 be primarily virtual and staffed with tactical detection and
577 incident response personnel. The Cybersecurity Operations Center
578 shall serve as a clearinghouse for threat information and
579 coordinate with the Department of Law Enforcement to support
580 state agencies and their response to any confirmed or suspected
581 cybersecurity incident.
582 (i) Lead an Emergency Support Function, ESF-20 ESF CYBER,
583 under the state comprehensive emergency management plan as
584 described in s. 252.35.
585 (j) Provide cybersecurity briefings to the members of any
586 legislative committee or subcommittee responsible for policy
587 matters relating to cybersecurity.
588 (k) Have the authority to obtain immediate access to public
589 or private infrastructure hosting enterprise digital data and to
590 direct, in consultation with the state agency that holds the
591 particular enterprise digital data, measures to assess, monitor,
592 and safeguard the enterprise digital data.
593 (4) Each state agency head shall, at a minimum:
594 (a) Designate an information security manager to ensure
595 compliance with cybersecurity governance and with the state’s
596 enterprise security program and incident response plan. The
597 information security manager must coordinate with the agency’s
598 information security personnel and the Cybersecurity Operations
599 Center to ensure that the unique needs of the agency are met
600 administer the cybersecurity program of the state agency. This
601 designation must be provided annually in writing to the
602 department by January 15 1. A state agency’s information
603 security manager, for purposes of these information security
604 duties, shall report directly to the agency head.
605 (10) The department may brief any legislative committee or
606 subcommittee responsible for cybersecurity policy in a meeting
607 or other setting closed by the respective body under the rules
608 of such legislative body at which the legislative committee or
609 subcommittee is briefed on records made confidential and exempt
610 under subsections (5) and (6). The legislative committee or
611 subcommittee must maintain the confidential and exempt status of
612 such records. A legislator serving on a legislative committee or
613 subcommittee responsible for cybersecurity policy may also
614 attend meetings of the Florida Cybersecurity Advisory Council,
615 including any portions of such meetings that are exempt from s.
616 286.011 and s. 24(b), Art. I of the State Constitution.
617 Section 5. Paragraphs (b) and (c) of subsection (5) of
618 section 282.3185, Florida Statutes, are amended to read:
619 282.3185 Local government cybersecurity.—
620 (5) INCIDENT NOTIFICATION.—
621 (b)1. A local government shall report all ransomware
622 incidents and any cybersecurity incident determined by the local
623 government to be of severity level 3, 4, or 5 as provided in s.
624 282.318(3)(c) to the Cybersecurity Operations Center, the
625 Cybercrime Office of the Department of Law Enforcement, and the
626 sheriff who has jurisdiction over the local government as soon
627 as possible but no later than 12 48 hours after discovery of the
628 cybersecurity incident and no later than 6 12 hours after
629 discovery of the ransomware incident. The report must contain
630 the information required in paragraph (a).
631 2. The Cybersecurity Operations Center shall:
632 a. Immediately notify the Cybercrime Office of the
633 Department of Law Enforcement and the sheriff who has
634 jurisdiction over the local government of a reported incident
635 and provide to the Cybercrime Office of the Department of Law
636 Enforcement and the sheriff who has jurisdiction over the local
637 government regular reports on the status of the incident,
638 preserve forensic data to support a subsequent investigation,
639 and provide aid to the investigative efforts of the Cybercrime
640 Office of the Department of Law Enforcement upon the office’s
641 request if the state chief information security officer finds
642 that the investigation does not impede remediation of the
643 incident and that there is no risk to the public and no risk to
644 critical state functions.
645 b. Immediately notify the state chief information security
646 officer of a reported incident. The state chief information
647 security officer shall notify the President of the Senate and
648 the Speaker of the House of Representatives of any severity
649 level 3, 4, or 5 incident as soon as possible but no later than
650 24 12 hours after receiving a local government’s incident
651 report. The notification must include a high-level description
652 of the incident and the likely effects and must be provided in a
653 secure environment.
654 (c) A local government may report a cybersecurity incident
655 determined by the local government to be of severity level 1 or
656 2 as provided in s. 282.318(3)(c) to the Cybersecurity
657 Operations Center, the Cybercrime Office of the Department of
658 Law Enforcement, and the sheriff who has jurisdiction over the
659 local government. The report shall contain the information
660 required in paragraph (a). The Cybersecurity Operations Center
661 shall immediately notify the Cybercrime Office of the Department
662 of Law Enforcement and the sheriff who has jurisdiction over the
663 local government of a reported incident and provide regular
664 reports on the status of the cybersecurity incident, preserve
665 forensic data to support a subsequent investigation, and provide
666 aid to the investigative efforts of the Cybercrime Office of the
667 Department of Law Enforcement upon request if the state chief
668 information security officer finds that the investigation does
669 not impede remediation of the cybersecurity incident and that
670 there is no risk to the public and no risk to critical state
671 functions.
672 Section 6. Paragraph (j) of subsection (4) of section
673 282.319, Florida Statutes, is amended, and paragraph (m) is
674 added to that subsection, to read:
675 282.319 Florida Cybersecurity Advisory Council.—
676 (4) The council shall be comprised of the following
677 members:
678 (j) Three representatives from critical infrastructure
679 sectors, one of whom must be from a utility provider water
680 treatment facility, appointed by the Governor.
681 (m) A representative of local government.
682 Section 7. Section 1004.444, Florida Statutes, is amended
683 to read:
684 1004.444 Florida Center for Cybersecurity.—
685 (1) The Florida Center for Cybersecurity, which may also be
686 referred to as “Cyber Florida,” is established as a center
687 within the University of South Florida under the direction of
688 the president of the university or the president’s designee. The
689 president may assign the center within a college of the
690 university if the college has a strong emphasis on
691 cybersecurity, technology, or computer sciences and engineering
692 as determined and approved by the university’s board of
693 trustees.
694 (2) The mission and goals of the center are to:
695 (a) Position Florida as the national leader in
696 cybersecurity and its related workforce primarily through
697 advancing and funding education and, research and development
698 initiatives in cybersecurity and related fields, with a
699 secondary emphasis on, and community engagement and
700 cybersecurity awareness.
701 (b) Assist in the creation of jobs in the state’s
702 cybersecurity industry and enhance the existing cybersecurity
703 workforce through education, research, applied science, and
704 engagements and partnerships with the private and military
705 sectors.
706 (c) Act as a cooperative facilitator for state business and
707 higher education communities to share cybersecurity knowledge,
708 resources, and training.
709 (d) Seek out research and development agreements and other
710 partnerships with major military installations and affiliated
711 contractors to assist, when possible, in homeland cybersecurity
712 defense initiatives.
713 (e) Attract cybersecurity companies and jobs to the state
714 with an emphasis on defense, finance, health care,
715 transportation, and utility sectors.
716 (f) Conduct, fund, and facilitate research and applied
717 science that leads to the creation of new technologies and
718 software packages that have military and civilian applications
719 and which can be transferred for military and homeland defense
720 purposes or for sale or use in the private sector.
721 (3) Upon receiving a request for assistance from the
722 Department of Management Services, the Florida Digital Service,
723 or another state agency, the center is authorized, but may not
724 be compelled by the agency, to conduct, consult on, or otherwise
725 assist any state-funded initiatives related to:
726 (a) Cybersecurity training, professional development, and
727 education for state and local government employees, including
728 school districts and the judicial branch.
729 (b) Increasing the cybersecurity effectiveness of the
730 state’s and local governments’ technology platforms and
731 infrastructure, including school districts and the judicial
732 branch.
733 Section 8. This act shall take effect July 1, 2024.