Florida Senate - 2023 SB 2508
By the Committee on Appropriations
576-03191-23 20232508__

A bill to be entitled
An act relating to state cybersecurity operations; providing for a type two transfer of the Cybersecurity Operations Center and related services, including the position of the state chief information security officer, from the Florida Digital Service within the Department of Management Services to the Department of Law Enforcement; amending s. 282.318, F.S.; requiring the Department of Management Services, acting through the Florida Digital Service, to perform specified actions relating to state agency cybersecurity risks; requiring the Department of Management Services to perform specified actions in consultation with and with approval from the state chief information security officer; requiring that the cybersecurity governance framework minimum guidelines be consistent with the state cybersecurity strategic plan; specifying that the Department of Law Enforcement is the lead entity responsible for enterprise cybersecurity operations; requiring the Department of Law Enforcement to designate a state chief information security officer; providing the qualifications for and the responsibilities of the state chief information security officer; requiring that the state chief information security officer be notified of all confirmed or suspected incidents involving, or threats to, state agency information; requiring the state chief information security officer to report such incidents to the Governor and the state chief information officer; requiring the Department of Law Enforcement to develop, and annually update by a specified date, a certain state cybersecurity strategic plan; requiring the Department of Law Enforcement to operate and maintain the Cybersecurity Operations Center as part of the Florida Fusion Center; requiring that the center be staffed with specified personnel; requiring the center to coordinate with the Florida Digital Service to support state agencies and their responses to cybersecurity incidents; requiring the Department of Law Enforcement to review and approve, before publication, the cybersecurity governance framework established by the Florida Digital Service; requiring the Department of Law Enforcement to review and approve all cybersecurity training provided by or facilitated through the Florida Digital Service; requiring the Department of Law Enforcement to develop and publish specified guidelines and processes for establishing a cybersecurity incident reporting process for use by state agencies; requiring the Florida Digital Service to provide certain reports on a periodic basis to the Legislature, the state chief information security officer, and the Cybersecurity Advisory Council; prohibiting the report transmitted to the advisory council from containing certain information; requiring state agency heads, in consultation with the Cybersecurity Operations Center, the Cybercrime Office, and the Florida Digital Service, to establish an agency cybersecurity response team to respond to cybersecurity incidents; requiring state agencies to submit a corrective action plan to the Florida Digital Service within a specified timeframe for all findings confirmed by the state chief information security officer; requiring that certain implementation plans be submitted to the state chief information officer on a periodic basis; requiring that a specified comprehensive risk assessment be conducted annually; providing that certain public records exemptions do not apply to information made available to the Cybersecurity Operations Center; providing that certain mandatory cybersecurity awareness training offered to state employees may be provided in collaboration with the Cybersecurity Operations Center or the Florida Digital Service; conforming a provision to changes made by the act; requiring state agency heads to submit after-action reports to the Department of Law Enforcement and other specified entities; requiring that certain confidential and exempt records be made available to the state chief information officer; requiring the Department of Law Enforcement to adopt specified rules; amending s. 282.3185, F.S.; requiring that certain cybersecurity training programs developed by the Florida Digital Service be approved by the state chief information security officer; authorizing the Florida Digital Service to collaborate with the Cybersecurity Operations Center to provide certain cybersecurity training; requiring local governments to provide notification of a cybersecurity or ransomware incident to the Florida Digital Service and other entities within a specified timeframe after the incident; requiring local governments to provide a certain report of cybersecurity incidents or ransomware incidents of a specified severity level to the Florida Digital Service and other entities; authorizing local governments to provide a certain report of cybersecurity incidents or ransomware incidents of a specified severity level to the Florida Digital Service; requiring the Florida Digital Service to provide certain consolidated incident reports to the state chief information security officer and other entities; requiring the Florida Digital Service to collaborate with the state chief information security officer to establish guidelines and processes for submitting after-action reports, by a specified date; conforming a cross-reference; providing an effective date.
Be It Enacted by the Legislature of the State of Florida:

Section 1. All positions, duties, functions, records, existing contracts, administrative authority, administrative rules, and unexpended balances of appropriations, allocations, and other public funds relating to the Cybersecurity Operations Center and related services, including the position of the state chief information security officer, of the Florida Digital Service within the Department of Management Services are transferred by a type two transfer as defined in s. 20.06(2), Florida Statutes, to the Department of Law Enforcement.

Section 2. Section 282.318, Florida Statutes, is amended to read:

282.318 Cybersecurity.
(1) This section may be cited as the "State Cybersecurity Act."
(2) As used in this section, the term "state agency" has the same meaning as provided in s. 282.0041, except that the term includes the Department of Legal Affairs, the Department of Agriculture and Consumer Services, and the Department of Financial Services.
(3) The department, acting through the Florida Digital Service, is the lead entity responsible for establishing standards and processes for assessing state agency cybersecurity risks and determining appropriate security measures. Such standards and processes must be consistent with generally accepted technology best practices for cybersecurity, including the National Institute for Standards and Technology Cybersecurity Framework [stricken: , for cybersecurity]. The department, acting through the Florida Digital Service, shall:
(a) Assist state agencies in complying with this section.
(b) Annually review the strategic and operational cybersecurity plans of state agencies for compliance with the cybersecurity governance framework.
The review of the plans must include the following:
1. Providing findings to the state chief information security officer for review and confirmation;
2. Notifying agencies of confirmed findings and the date by which the agency must submit a corrective action plan;
3. Reviewing corrective action plans submitted by agencies;
4. Tracking and monitoring progress of the implementation of corrective action plans; and
5. Annually submitting a report to the state chief information security officer which includes, by agency, completed reviews, any confirmed findings, a brief description of corresponding corrective action plans, and the status of corrective action plan implementation.
(c) Review state agency annual risk assessment findings and corresponding remediation plans, including:
1. Tracking and monitoring the progress of the risk assessment remediation plans; and
2. Annually submitting a report to the state chief information security officer which includes, by agency, risk assessment findings, a brief description of corresponding remediation plans, and the status of remediation plan implementation.
(d) Annually provide cybersecurity training for state agency information security managers and computer security incident response team members which includes training on cybersecurity threats, trends, and best practices. The training curriculum must be approved by the state chief information security officer.
(e) Annually provide cybersecurity training to all state agency technology professionals and employees with access to highly sensitive information which develops, assesses, and documents competencies by role and skill level. The cybersecurity training curriculum must include training on the identification of each cybersecurity incident severity level referenced in subparagraph (5)(g)1. The training must be approved by the state chief information security officer and may be provided in collaboration with a private sector entity or an institution of the State University System.
(4) The department, acting through the Florida Digital Service, and in consultation with and with approval from the state chief information security officer, shall:
(a) Adopt rules that mitigate risks; safeguard state agency digital assets, data, information, and information technology resources to ensure availability, confidentiality, and integrity; and support a security governance framework. [stricken: The department, acting through the Florida Digital Service, shall also:]
[stricken: (a) Designate an employee of the Florida Digital Service as the state chief information security officer. The state chief information security officer must have experience and expertise in security and risk management for communications and information technology resources. The state chief information security officer is responsible for the development, operation, and oversight of cybersecurity for state technology systems. The state chief information security officer shall be notified of all confirmed or suspected incidents or threats of state agency information technology resources and must report such incidents or threats to the state chief information officer and the Governor.]
[stricken: (b) Develop, and annually update by February 1, a statewide cybersecurity strategic plan that includes security goals and objectives for cybersecurity, including the identification and mitigation of risk, proactive protections against threats, tactical risk detection, threat reporting, and response and recovery protocols for a cyber incident.]
(b) [stricken: (c)] Develop and publish for use by state agencies a cybersecurity governance framework consistent with the state cybersecurity strategic plan which [stricken: that], at a minimum, includes guidelines and processes for:
1. Establishing asset management procedures to ensure that an agency's information technology resources are identified and managed consistent with their relative importance to the agency's business objectives.
2. Using a standard risk assessment methodology that includes the identification of an agency's priorities, constraints, risk tolerances, and assumptions necessary to support operational risk decisions.
[stricken: 3. Completing comprehensive risk assessments and cybersecurity audits, which may be completed by a private sector vendor, and submitting completed assessments and audits to the department.]
3. [stricken: 4.] Identifying protection procedures to manage the protection of an agency's information, data, and information technology resources.
4. [stricken: 5.] Establishing procedures for accessing information and data to ensure the confidentiality, integrity, and availability of such information and data.
5. [stricken: 6.] Detecting threats through proactive monitoring of events, continuous security monitoring, and defined detection processes.
6. [stricken: 7.] Establishing agency cybersecurity incident response teams and describing their responsibilities for responding to cybersecurity incidents, including breaches of personal information containing confidential or exempt data.
7. [stricken: 8.] Recovering information and data in response to a cybersecurity incident. The recovery may include recommended improvements to the agency processes, policies, or guidelines.
[stricken: 9. Establishing a cybersecurity incident reporting process that includes procedures for notifying the department and the Department of Law Enforcement of cybersecurity incidents.]
[stricken: a. The level of severity of the cybersecurity incident is defined by the National Cyber Incident Response Plan of the United States Department of Homeland Security as follows:]
[stricken: (I) Level 5 is an emergency-level incident within the specified jurisdiction that poses an imminent threat to the provision of wide-scale critical infrastructure services; national, state, or local government security; or the lives of the country's, state's, or local governments' residents.]
[stricken: (II) Level 4 is a severe-level incident that is likely to result in a significant impact in the affected jurisdiction to public health or safety; national, state, or local security; economic security; or civil liberties.]
[stricken: (III) Level 3 is a high-level incident that is likely to result in a demonstrable impact in the affected jurisdiction to public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.]
[stricken: (IV) Level 2 is a medium-level incident that may impact public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.]
[stricken: (V) Level 1 is a low-level incident that is unlikely to impact public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.]
[stricken: b. The cybersecurity incident reporting process must specify the information that must be reported by a state agency following a cybersecurity incident or ransomware incident, which, at a minimum, must include the following:]
[stricken: (I) A summary of the facts surrounding the cybersecurity incident or ransomware incident.]
[stricken: (II) The date on which the state agency most recently backed up its data; the physical location of the backup, if the backup was affected; and if the backup was created using cloud computing.]
[stricken: (III) The types of data compromised by the cybersecurity incident or ransomware incident.]
[stricken: (IV) The estimated fiscal impact of the cybersecurity incident or ransomware incident.]
[stricken: (V) In the case of a ransomware incident, the details of the ransom demanded.]
[stricken: c.(I) A state agency shall report all ransomware incidents and any cybersecurity incident determined by the state agency to be of severity level 3, 4, or 5 to the Cybersecurity Operations Center and the Cybercrime Office of the Department of Law Enforcement as soon as possible but no later than 48 hours after discovery of the cybersecurity incident and no later than 12 hours after discovery of the ransomware incident. The report must contain the information required in sub-subparagraph b.]
[stricken: (II) The Cybersecurity Operations Center shall notify the President of the Senate and the Speaker of the House of Representatives of any severity level 3, 4, or 5 incident as soon as possible but no later than 12 hours after receiving a state agency's incident report. The notification must include a high-level description of the incident and the likely effects.]
[stricken: d. A state agency shall report a cybersecurity incident determined by the state agency to be of severity level 1 or 2 to the Cybersecurity Operations Center and the Cybercrime Office of the Department of Law Enforcement as soon as possible. The report must contain the information required in sub-subparagraph b.]
[stricken: e. The Cybersecurity Operations Center shall provide a consolidated incident report on a quarterly basis to the President of the Senate, the Speaker of the House of Representatives, and the Florida Cybersecurity Advisory Council. The report provided to the Florida Cybersecurity Advisory Council may not contain the name of any agency, network information, or system identifying information but must contain sufficient relevant information to allow the Florida Cybersecurity Advisory Council to fulfill its responsibilities as required in s. 282.319(9).]
8. [stricken: 10.] Incorporating information obtained through detection and response activities into the agency's cybersecurity incident response plans.
9. [stricken: 11.] Developing agency strategic and operational cybersecurity plans required pursuant to this section.
10. [stricken: 12.] Establishing the managerial, operational, and technical safeguards for protecting state government data and information technology resources that align with the state agency risk management strategy and that protect the confidentiality, integrity, and availability of information and data.
11. [stricken: 13.] Establishing procedures for procuring information technology commodities and services that require the commodity or service to meet the National Institute of Standards and Technology Cybersecurity Framework.
12. [stricken: 14.] Submitting after-action reports following a cybersecurity incident or ransomware incident. Such guidelines and processes for submitting after-action reports must be developed and published by December 1, 2023 [stricken: 2022].
[stricken: (d) Assist state agencies in complying with this section.]
[stricken: (e) In collaboration with the Cybercrime Office of the Department of Law Enforcement, annually provide training for state agency information security managers and computer security incident response team members that contains training on cybersecurity, including cybersecurity threats, trends, and best practices.]
[stricken: (f) Annually review the strategic and operational cybersecurity plans of state agencies.]
[stricken: (g) Annually provide cybersecurity training to all state agency technology professionals and employees with access to highly sensitive information which develops, assesses, and documents competencies by role and skill level. The cybersecurity training curriculum must include training on the identification of each cybersecurity incident severity level referenced in sub-subparagraph (c)9.a. The training may be provided in collaboration with the Cybercrime Office of the Department of Law Enforcement, a private sector entity, or an institution of the State University System.]
(5) The Department of Law Enforcement is the lead entity responsible for enterprise cybersecurity operations and as the lead entity, the Department of Law Enforcement shall:
(a) Designate an employee as the state chief information security officer. The state chief information security officer must have experience and expertise in security and risk management for communications and information technology resources. The state chief information security officer is responsible for the development, operation, and oversight of cybersecurity for state technology systems. The state chief information security officer must be notified of all confirmed or suspected incidents involving, or threats to, state agency information technology resources and must report such incidents or threats to the Governor and the state chief information officer.
(b) Develop, and annually update by February 1, a state cybersecurity strategic plan that includes security goals and objectives for cybersecurity, including the identification and mitigation of risk, proactive protections against threats, tactical risk detection, threat reporting, and response and recovery protocols for a cyber incident.
(c) [stricken: (h)] Operate and maintain a Cybersecurity Operations Center as part of the Florida Fusion Center led by the state chief information security officer, which must be primarily virtual and staffed with tactical detection and incident response personnel. The Cybersecurity Operations Center shall serve as a clearinghouse for threat information and coordinate with the Florida Digital Service [stricken: Department of Law Enforcement] to support state agencies and their response to any confirmed or suspected cybersecurity incident.
(d) Before publication, review and approve the cybersecurity governance framework established by the Florida Digital Service.
(e) Review and approve all cybersecurity training provided by or facilitated through the Florida Digital Service within the Department of Management Services.
(f) [stricken: (i)] Lead an Emergency Support Function, ESF CYBER, under the state comprehensive emergency management plan as described in s. 252.35.
(g) Develop and publish for use by state agencies guidelines and processes for establishing a cybersecurity incident reporting process that includes procedures and secure communication mechanisms for notifying the Department of Law Enforcement, the Florida Digital Service, and other stakeholders of cybersecurity incidents.
1. The level of severity of the cybersecurity incidents is defined by the National Cyber Incident Response Plan of the United States Department of Homeland Security as follows:
a. Level 5 is an emergency-level incident within the specified jurisdiction which poses an imminent threat to the provision of wide-scale critical infrastructure services; national, state, or local government security; or the lives of the country's, state's, or local governments' residents.
b. Level 4 is a severe-level incident that is likely to result in a significant impact in the affected jurisdiction to public health or safety; national, state, or local security; economic security; or civil liberties.
c. Level 3 is a high-level incident that is likely to result in a demonstrable impact in the affected jurisdiction to public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.
d. Level 2 is a medium-level incident that may impact public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.
e. Level 1 is a low-level incident that is unlikely to impact public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.
2. The cybersecurity incident reporting process must specify the information that must be reported by a state agency following a cybersecurity incident or ransomware incident, which information must, at a minimum, include all of the following:
a. A summary of the facts surrounding the cybersecurity incident or ransomware incident.
b. The date on which the state agency most recently backed up its data; the physical location of the backup, if the backup was affected; and whether the backup was created using cloud computing.
c. The types of data compromised by the cybersecurity incident or ransomware incident.
d. The estimated fiscal impact of the cybersecurity incident or ransomware incident.
e. In the case of a ransomware incident, the details of the ransom demanded.
3.a. A state agency shall report all ransomware incidents and any cybersecurity incident determined by the state agency to be of severity level 3, 4, or 5 to the Cybersecurity Operations Center, the Cybercrime Office within the Department of Law Enforcement, and the Florida Digital Service as soon as possible but no later than 48 hours after discovery of the cybersecurity incident and no later than 12 hours after discovery of the ransomware incident. The report must contain the information required to be reported under subparagraph 2.
b. The Cybersecurity Operations Center shall notify the President of the Senate and the Speaker of the House of Representatives of any severity level 3, 4, or 5 incident as soon as possible but no later than 12 hours after receiving a state agency's incident report. The notification must include a high-level description of the incident and the likely effects.
4. A state agency shall report a cybersecurity incident determined by the state agency to be of severity level 1 or 2 to the Cybersecurity Operations Center, the Cybercrime Office within the Florida Department of Law Enforcement, and the Florida Digital Service as soon as possible. The report must contain the information required to be reported under subparagraph 2.
5. The Florida Digital Service shall provide a consolidated incident report on a quarterly basis to the President of the Senate, the Speaker of the House of Representatives, the state chief information security officer, and the Florida Cybersecurity Advisory Council. The report provided to the Florida Cybersecurity Advisory Council may not contain the name of any agency, network information, or system identifying information, but must contain sufficient relevant information to allow the Florida Cybersecurity Advisory Council to fulfill its responsibilities as required in s. 282.319(9).
(6) [stricken: (4)] Each state agency head shall, at a minimum:
(a) Designate an information security manager to administer the cybersecurity program of the state agency. This designation must be provided annually in writing to the department by January 1. A state agency's information security manager, for purposes of these information security duties, shall report directly to the agency head.
(b) In consultation with the Cybersecurity Operations Center [stricken: department, through the Florida Digital Service,] and the Cybercrime Office within [stricken: of] the Department of Law Enforcement and the Florida Digital Service within the Department of Management Services, establish an agency cybersecurity response team to respond to a cybersecurity incident. The agency cybersecurity response team shall convene upon notification of a cybersecurity incident and must immediately report all confirmed or suspected incidents to the state chief information security officer, or his or her designee, and comply with all applicable guidelines and processes established pursuant to paragraph (5)(g) [stricken: (3)(c)].
(c) Submit to the department annually by July 31, the state agency's strategic and operational cybersecurity plans developed pursuant to rules and guidelines established by the department, through the Florida Digital Service.
1. The state agency strategic cybersecurity plan must cover a 3-year period and, at a minimum, define security goals, intermediate objectives, and projected agency costs for the strategic issues of agency information security policy, risk management, security training, security incident response, and disaster recovery. The plan must be based on the statewide cybersecurity strategic plan created by the Department of Law Enforcement and include performance metrics that can be objectively measured to reflect the status of the state agency's progress in meeting security goals and objectives identified in the agency's strategic information security plan.
2. The state agency operational cybersecurity plan must include a progress report that objectively measures progress made towards the prior operational cybersecurity plan and a project plan that includes activities, timelines, and deliverables for security objectives that the state agency will implement during the current fiscal year.
3. State agencies must submit a corrective action plan for all findings confirmed by the state chief information security officer to the Florida Digital Service within 90 days after notifications. Implementation plans that report the status of the corrective action plans must be submitted on a quarterly basis to the state chief information officer until fully implemented.
(d) Annually conduct, and update every 3 years, a comprehensive risk assessment, which may be completed by a private sector vendor, to determine the security threats to the data, information, and information technology resources, including mobile devices and print environments, of the agency. The risk assessment must comply with the risk assessment methodology developed by the department and is confidential and exempt from s. 119.07(1), except that such information must [stricken: shall] be available to the Auditor General, the Florida Digital Service within the department, the Cybercrime Office and the Cybersecurity Operations Center within [stricken: of] the Department of Law Enforcement, and, for state agencies under the jurisdiction of the Governor, the Chief Inspector General. If a private sector vendor is used to complete a comprehensive risk assessment, it must attest to the validity of the risk assessment findings.
(e) Develop, and periodically update, written internal policies and procedures, which include procedures for reporting cybersecurity incidents and breaches to the Cybercrime Office and the Cybersecurity Operations Center within [stricken: of] the Department of Law Enforcement and the Florida Digital Service within the department. Such policies and procedures must be consistent with the rules, guidelines, and processes established by the department to ensure the security of the data, information, and information technology resources of the agency. The internal policies and procedures that, if disclosed, could facilitate the unauthorized modification, disclosure, or destruction of data or information technology resources are confidential information and exempt from s. 119.07(1), except that such information must [stricken: shall] be available to the Auditor General, the Cybercrime Office and the Cybersecurity Operations Center within [stricken: of] the Department of Law Enforcement, the Florida Digital Service within the department, and, for state agencies under the jurisdiction of the Governor, the Chief Inspector General.
(f) Implement managerial, operational, and technical safeguards and risk assessment remediation plans recommended by the department to address identified risks to the data, information, and information technology resources of the agency. The department, through the Florida Digital Service, shall track implementation by state agencies upon development of such remediation plans in coordination with agency inspectors general.
(g) Ensure that periodic internal audits and evaluations of the agency's cybersecurity program for the data, information, and information technology resources of the agency are conducted. The results of such audits and evaluations are confidential information and exempt from s. 119.07(1), except that such information must [stricken: shall] be available to the Auditor General, the Cybercrime Office and the Cybersecurity Operations Center within [stricken: of] the Department of Law Enforcement, the Florida Digital Service within the department, and, for agencies under the jurisdiction of the Governor, the Chief Inspector General.
(h) Ensure that the cybersecurity requirements in the written specifications for the solicitation, contracts, and service-level agreement of information technology and information technology resources and services meet or exceed the applicable state and federal laws, regulations, and standards for cybersecurity, including the National Institute of Standards and Technology Cybersecurity Framework. Service-level agreements must identify service provider and state agency responsibilities for privacy and security, protection of government data, personnel background screening, and security deliverables with associated frequencies.
(i) Provide cybersecurity awareness training to all state agency employees within 30 days after commencing employment, and annually thereafter, concerning cybersecurity risks and the responsibility of employees to comply with policies, standards, guidelines, and operating procedures adopted by the state agency to reduce those risks. The training may be provided in collaboration with the Cybercrime Office and the Cybersecurity Operations Center within [stricken: of] the Department of Law Enforcement, the Florida Digital Service, a private sector entity, or an institution of the State University System.
585 (j)Develop a process for detecting, reporting, and 586 responding to threats, breaches, or cybersecurity incidents 587 which is consistent with the security rules, guidelines, and 588 processes established by the Department of Law Enforcement 589 through the Florida Digital Service. 590 1.All cybersecurity incidents and ransomware incidents 591 must be reported by state agencies. Such reports must comply 592 with the notification procedures and reporting timeframes 593 established pursuant to paragraph (5)(g) (3)(c). 594 2.For cybersecurity breaches, state agencies shall provide 595 notice in accordance with s. 501.171. 596 (k)Submit to the Department of Law Enforcement and the 597 Florida Digital Service, within 1 week after the remediation of 598 a cybersecurity incident or ransomware incident, an after-action 599 report that summarizes the incident, the incidents resolution, 600 and any insights gained as a result of the incident. 601 (7)(5)The portions of risk assessments, evaluations, 602 external audits, and other reports of a state agencys 603 cybersecurity program for the data, information, and information 604 technology resources of the state agency which are held by a 605 state agency are confidential and exempt from s. 119.07(1) and 606 s. 24(a), Art. I of the State Constitution if the disclosure of 607 such portions of records would facilitate unauthorized access to 608 or the unauthorized modification, disclosure, or destruction of: 609 (a)Data or information, whether physical or virtual; or 610 (b)Information technology resources, which include: 611 1.Information relating to the security of the agencys 612 technologies, processes, and practices designed to protect 613 networks, computers, data processing software, and data from 614 attack, damage, or unauthorized access; or 615 2.Security information, whether physical or virtual, which 616 relates to the agencys existing or proposed information 617 technology systems. 
618 619 For purposes of this subsection, external audit means an audit 620 that is conducted by an entity other than the state agency that 621 is the subject of the audit. 622 (8)(6)Those portions of a public meeting as specified in 623 s. 286.011 which would reveal records which are confidential and 624 exempt under subsection (7) (5) are exempt from s. 286.011 and 625 s. 24(b), Art. I of the State Constitution. No exempt portion of 626 an exempt meeting may be off the record. All exempt portions of 627 such meeting must shall be recorded and transcribed. Such 628 recordings and transcripts are confidential and exempt from 629 disclosure under s. 119.07(1) and s. 24(a), Art. I of the State 630 Constitution unless a court of competent jurisdiction, after an 631 in camera review, determines that the meeting was not restricted 632 to the discussion of data and information made confidential and 633 exempt by this section. In the event of such a judicial 634 determination, only that portion of the recording and transcript 635 which reveals nonexempt data and information may be disclosed to 636 a third party. 637 (9)(7)The portions of records made confidential and exempt 638 in subsections (7) (5) and (8) must (6) shall be available to 639 the Auditor General, the Cybercrime Office and the state chief 640 information officer within of the Department of Law Enforcement, 641 the Florida Digital Service within the department, and, for 642 agencies under the jurisdiction of the Governor, the Chief 643 Inspector General. Such portions of records may be made 644 available to a local government, another state agency, or a 645 federal agency for cybersecurity purposes or in furtherance of 646 the state agencys official duties. 647 (10)(8)The exemptions contained in subsections (7) (5) and 648 (8) (6) apply to records held by a state agency before, on, or 649 after the effective date of this exemption. 
650 (11)(9)Subsections (7) (5) and (8) (6) are subject to the 651 Open Government Sunset Review Act in accordance with s. 119.15 652 and shall stand repealed on October 2, 2025, unless reviewed and 653 saved from repeal through reenactment by the Legislature. 654 (12)(10)The department and the Department of Law 655 Enforcement shall adopt rules relating to cybersecurity and to 656 administer this section. 657 Section 3.Section 282.3185, Florida Statutes, is amended 658 to read: 659 282.3185Local government cybersecurity. 660 (1)SHORT TITLE.This section may be cited as the Local 661 Government Cybersecurity Act. 662 (2)DEFINITION.As used in this section, the term local 663 government means any county or municipality. 664 (3)CYBERSECURITY TRAINING. 665 (a)The Florida Digital Service shall: 666 1.Develop a basic cybersecurity training curriculum for 667 local government employees which must be approved by the state 668 chief information security officer. All local government 669 employees with access to the local governments network must 670 complete the basic cybersecurity training within 30 days after 671 commencing employment and annually thereafter. 672 2.Develop an advanced cybersecurity training curriculum 673 for local governments which is consistent with the cybersecurity 674 training required under s. 282.318(3)(e) and which must be 675 approved by the state chief information security officer s. 676 282.318(3)(g). All local government technology professionals and 677 employees with access to highly sensitive information must 678 complete the advanced cybersecurity training within 30 days 679 after commencing employment and annually thereafter. 
680 (b)The Florida Digital Service may provide the 681 cybersecurity training required by this subsection in 682 collaboration with the Cybercrime Office and the Cybersecurity 683 Operations Center within of the Department of Law Enforcement, a 684 private sector entity, or an institution of the State University 685 System. 686 (4)CYBERSECURITY STANDARDS. 687 (a)Each local government shall adopt cybersecurity 688 standards that safeguard its data, information technology, and 689 information technology resources to ensure availability, 690 confidentiality, and integrity. The cybersecurity standards must 691 be consistent with generally accepted best practices for 692 cybersecurity, including the National Institute of Standards and 693 Technology Cybersecurity Framework. 694 (b)Each county with a population of 75,000 or more must 695 adopt the cybersecurity standards required by this subsection by 696 January 1, 2024. Each county with a population of less than 697 75,000 must adopt the cybersecurity standards required by this 698 subsection by January 1, 2025. 699 (c)Each municipality with a population of 25,000 or more 700 must adopt the cybersecurity standards required by this 701 subsection by January 1, 2024. Each municipality with a 702 population of less than 25,000 must adopt the cybersecurity 703 standards required by this subsection by January 1, 2025. 704 (d)Each local government shall notify the Florida Digital 705 Service of its compliance with this subsection as soon as 706 possible. 707 (5)INCIDENT NOTIFICATION. 708 (a)A local government shall provide notification of a 709 cybersecurity incident or ransomware incident to the 710 Cybersecurity Operations Center and the, Cybercrime Office 711 within of the Department of Law Enforcement, the Florida Digital 712 Service, and the sheriff who has jurisdiction over the local 713 government in accordance with paragraph (b). 
The notification 714 must include, at a minimum, the following information: 715 1.A summary of the facts surrounding the cybersecurity 716 incident or ransomware incident. 717 2.The date on which the local government most recently 718 backed up its data; the physical location of the backup, if the 719 backup was affected; and if the backup was created using cloud 720 computing. 721 3.The types of data compromised by the cybersecurity 722 incident or ransomware incident. 723 4.The estimated fiscal impact of the cybersecurity 724 incident or ransomware incident. 725 5.In the case of a ransomware incident, the details of the 726 ransom demanded. 727 6.A statement requesting or declining assistance from the 728 Cybersecurity Operations Center and, the Cybercrime Office 729 within of the Department of Law Enforcement, the Florida Digital 730 Service, or the sheriff who has jurisdiction over the local 731 government. 732 (b)1.A local government shall report all ransomware 733 incidents and any cybersecurity incident determined by the local 734 government to be of severity level 3, 4, or 5 as provided in s. 735 282.318(5)(g) s. 282.318(3)(c) to the Cybersecurity Operations 736 Center and, the Cybercrime Office within of the Department of 737 Law Enforcement, the Florida Digital Service, and the sheriff 738 who has jurisdiction over the local government as soon as 739 possible but no later than 48 hours after discovery of the 740 cybersecurity incident and no later than 12 hours after 741 discovery of the ransomware incident. The report must contain 742 the information required in paragraph (a). 743 2.The Cybersecurity Operations Center shall notify the 744 President of the Senate and the Speaker of the House of 745 Representatives of any severity level 3, 4, or 5 incident as 746 soon as possible but no later than 12 hours after receiving a 747 local governments incident report. 
The notification must 748 include a high-level description of the incident and the likely 749 effects. 750 (c)A local government may report a cybersecurity incident 751 determined by the local government to be of severity level 1 or 752 2 as provided in s. 282.318(5)(g) s. 282.318(3)(c) to the 753 Cybersecurity Operations Center and, the Cybercrime Office 754 within of the Department of Law Enforcement, the Florida Digital 755 Service, and the sheriff who has jurisdiction over the local 756 government. The report must shall contain the information 757 required in paragraph (a). 758 (d)The Florida Digital Service Cybersecurity Operations 759 Center shall provide a consolidated incident report on a 760 quarterly basis to the President of the Senate, the Speaker of 761 the House of Representatives, the state chief information 762 security officer, and the Florida Cybersecurity Advisory 763 Council. The report provided to the Florida Cybersecurity 764 Advisory Council may not contain the name of any local 765 government, network information, or system identifying 766 information but must contain sufficient relevant information to 767 allow the Florida Cybersecurity Advisory Council to fulfill its 768 responsibilities as required in s. 282.319(9). 769 (6)AFTER-ACTION REPORT.A local government must submit to 770 the Cybersecurity Operations Center and the Florida Digital 771 Service, within 1 week after the remediation of a cybersecurity 772 incident or ransomware incident, an after-action report that 773 summarizes the incident, the incidents resolution, and any 774 insights gained as a result of the incident. By December 1, 2023 775 2022, the Florida Digital Service shall collaborate with the 776 state chief information security officer to establish guidelines 777 and processes for submitting an after-action report. 778 Section 4.This act shall take effect July 1, 2023.