Florida 2024 2024 Regular Session

Florida House Bill H1555 Introduced / Bill

Filed 01/08/2024

                       
 
HB 1555  	2024 
 
 
 
CODING: Words stricken are deletions; words underlined are additions. 
hb1555-00 
Page 1 of 29 
F L O R I D A H O U S E O F R E P	R E S E N T A T I V E	S 
 
 
 
A bill to be entitled 1 
An act relating to cybersecurity; amending s. 110.205, 2 
F.S.; exempting certain personnel from the career 3 
service; providing for the establishment of salary and 4 
benefits for certain positions; amending s. 282.0041, 5 
F.S.; providing definitions; amending s. 282.0051, 6
F.S.; revising the purposes for which the Florida 7 
Digital Service is established; requiring the Florida 8 
Digital Service to ensure that independent project 9 
oversight on certain state agency information 10 
technology projects is performed in a certain manner; 11 
revising the date by which the Department of 12 
Management Services, acting through the Florida 13 
Digital Service, must provide certain recommendations 14 
to the Executive Office of the Governor and the 15 
Legislature; removing certain duties of the Florida 16 
Digital Service; revising the total project cost of 17 
certain projects for which the Florida Digital Service 18 
must provide project oversight; specifying the date by 19 
which the Florida Digital Service must provide certain 20 
reports; requiring the state chief information 21
officer, in consultation with the Secretary of 22 
Management Services, to designate a state chief 23 
technology officer; providing duties of the state 24 
chief technology officer; revising the total project 25     
 
cost of certain projects for which certain procurement 26
actions must be taken; removing provisions prohibiting 27 
the department, acting through the Florida Digital 28 
Service, from retrieving or disclosing certain data in 29 
certain circumstances; amending s. 282.00515, F.S.; 30 
conforming a cross-reference; amending s. 282.318, 31 
F.S.; providing that the Florida Digital Service is 32 
the lead entity for a certain purpose; requiring the 33 
Cybersecurity Operations Center to provide certain 34 
notifications; requiring the state chief information 35 
officer to make certain reports in consultation with 36 
the state chief information security officer; 37 
requiring a state agency to report ransomware and 38 
cybersecurity incidents within certain time periods; 39 
requiring the Cybersecurity Operations Center to 40 
immediately notify certain entities of reported 41
incidents and take certain actions; requiring the 42 
state chief information security officer to notify the 43 
Legislature of certain incidents within a certain 44 
period; requiring certain notification to be provided 45 
in a secure environment; requiring the Cybersecurity 46 
Operations Center to provide a certain report to 47 
certain entities by a specified date; requiring the 48 
Florida Digital Service to provide cybersecurity 49 
briefings to certain legislative committees; 50     
 
authorizing the Florida Digital Service to obtain 51
certain access to certain infrastructure and direct 52 
certain measures; requiring a state agency head to 53 
annually designate a chief information security 54 
officer by a specified date; revising the purpose of 55 
an agency's information security manager and the date 56 
by which he or she must be designated; authorizing the 57 
department to brief certain legislative committees in 58 
a closed setting on certain records that are 59 
confidential and exempt from public records 60 
requirements; requiring such legislative committees to 61
maintain the confidential and exempt status of certain 62 
records; authorizing certain legislators to attend 63 
meetings of the Florida Cybersecurity Advisory 64 
Council; amending s. 282.3185, F.S.; requiring a local 65 
government to report ransomware and certain 66 
cybersecurity incidents to the Cybersecurity 67 
Operations Center within certain time periods; 68 
requiring the Cybersecurity Operations Center to 69 
immediately notify certain entities of certain 70 
incidents and take certain actions; requiring certain 71 
notification to be provided in a secure environment; 72 
amending s. 282.319, F.S.; revising the membership of 73 
the Florida Cybersecurity Advisory Council; providing 74 
an effective date. 75     
 
 76 
Be It Enacted by the Legislature of the State of Florida: 77 
 78 
 Section 1.  Paragraph (e) of subsection (2) of section 79 
110.205, Florida Statutes, is amended, and paragraph (y) is 80 
added to subsection (2) of that section, to read: 81 
 110.205  Career service; exemptions.— 82
 (2)  EXEMPT POSITIONS.—The exempt positions that are not 83
covered by this part include the following: 84 
 (e)  The state chief information officer, the state chief 85 
data officer, the state chief technology officer, and the state 86 
chief information security officer. The Department of Management 87 
Services shall set the salary and benefits of these positions in 88 
accordance with the rules of the Senior Management Service. 89 
 (y)  Chief information security officers, information 90 
security managers designated pursuant to s. 282.318(4), and 91 
personnel employed by or reporting to the state chief 92 
information security officer, the state chief data officer, or 93 
an agency information security manager. Unless otherwise fixed 94 
by law, the department shall establish the salary and benefits 95 
for these positions in accordance with the rules of the Selected 96 
Exempt Service, except that the salary and benefits for the 97 
agency information security manager shall be established by the 98 
department in accordance with the rules of the Senior Management 99 
Service. 100     
 
 Section 2.  Subsections (3) through (5), (6) through (16), 101 
and (17) through (38) of section 282.0041, Florida Statutes, are 102 
renumbered as subsections (4) through (6), (8) through (18), and 103 
(20) through (41), respectively, and new subsections (3), (7), 104 
and (19) are added to that section to read: 105 
 282.0041  Definitions.—As used in this chapter, the term: 106
 (3)  "As a service" means the contracting with or 107 
outsourcing to a third party of a defined role or function as a 108 
means of delivery. 109 
 (7)  "Cloud provider" means an entity that provides cloud- 110
computing services. 111
 (19)  "Enterprise digital data" means information held by a 112 
state agency in electronic form that is deemed to be data owned 113 
by the state and held for state purposes by the state agency. 114 
Enterprise digital data that is subject to statutory 115 
requirements for particular types of sensitive data or to 116
contractual limitations for data marked as trade secrets or 117 
sensitive corporate data held by state agencies shall be treated 118 
in accordance with such requirements or limitations. The 119 
department must maintain personnel with appropriate licenses, 120
certifications, or classifications to steward such enterprise 121 
digital data, as necessary. Enterprise digital data must be 122 
maintained in accordance with chapter 119. This subsection may 123 
not be construed to create or expand an exemption from public 124
records requirements under s. 119.07(1) or s. 24(a), Art. I of 125     
 
the State Constitution. 126 
 Section 3.  Subsection (6) of section 282.0051, Florida 127 
Statutes, is renumbered as subsection (5), subsections (1) and 128 
(4) and present subsection (5) are amended, and paragraph (c) is 129
added to subsection (2) of that section, to read: 130 
 282.0051  Department of Management Services; Florida 131 
Digital Service; powers, duties, and functions.— 132
 (1)  The Florida Digital Service is established has been 133 
created within the department to lead enterprise information 134 
technology and cybersecurity efforts, to safeguard enterprise 135 
digital data, to propose, test, develop, and deploy innovative 136 
solutions that securely modernize state government, including 137 
technology and information services, to achieve value through 138
digital transformation and interoperability, and to fully 139 
support the cloud-first policy as specified in s. 282.206. The 140 
department, through the Florida Digital Service, shall have the 141 
following powers, duties, and functions: 142 
 (a)  Develop and publish information technology policy for 143 
the management of the state's information technology resources. 144 
 (b)  Develop an enterprise architecture that: 145 
 1.  Acknowledges the unique needs of the entities within 146 
the enterprise in the development and publication of standards 147 
and terminologies to facilitate digital interoperability; 148 
 2.  Supports the cloud-first policy as specified in s. 149
282.206; and 150     
 
 3.  Addresses how information technology infrastructure may 151 
be modernized to achieve cloud-first objectives. 152
 (c)  Establish project management and oversight standards 153 
with which state agencies must comply when implementing 154 
information technology projects. The department, acting through 155 
the Florida Digital Service, shall provide training 156
opportunities to state agencies to assist in the adoption of the 157 
project management and oversight standards. To support data- 158
driven decisionmaking, the standards must include, but are not 159
limited to: 160 
 1.  Performance measurements and metrics that objectively 161
reflect the status of an information technology project based on 162 
a defined and documented project scope, cost, and schedule. 163 
 2.  Methodologies for calculating acceptable variances in 164 
the projected versus actual scope, schedule, or cost of an 165 
information technology project. 166 
 3.  Reporting requirements, including requirements designed 167 
to alert all defined stakeholders that an information technology 168 
project has exceeded acceptable variances defined and documented 169 
in a project plan. 170 
 4.  Content, format, and frequency of project updates. 171 
 5.  Technical standards to ensure an information technology 172 
project complies with the enterprise architecture. 173 
 (d)  Ensure that independent Perform project oversight on 174 
all state agency information technology projects that have total 175     
 
project costs of $25 $10 million or more and that are funded in 176 
the General Appropriations Act or any other law is performed in 177 
compliance with applicable state and federal law. The 178
department, acting through the Florida Digital Service, shall 179
report at least quarterly to the Executive Office of the 180 
Governor, the President of the Senate, and the Speaker of the 181 
House of Representatives on any information technology project 182 
that the department identifies as high-risk due to the project 183
exceeding acceptable variance ranges defined and documented in a 184 
project plan. The report must include a risk assessment, 185 
including fiscal risks, associated with proceeding to the next 186 
stage of the project, and a recommendation for corrective 187 
actions required, including suspension or termination of the 188
project. 189 
 (e)  Identify opportunities for standardization and 190 
consolidation of information technology services that support 191 
interoperability and the cloud-first policy, as specified in s. 192
282.206, and business functions and operations, including 193
administrative functions such as purchasing, accounting and 194 
reporting, cash management, and personnel, and that are common 195 
across state agencies. The department, acting through the 196 
Florida Digital Service, shall biennially on January 15 1 of 197 
each even-numbered year provide recommendations for 198 
standardization and consolidation to the Executive Office of the 199 
Governor, the President of the Senate, and the Speaker of the 200     
 
House of Representatives. 201 
 (f)  Establish best practices for the procurement of 202 
information technology products and cloud-computing services in 203
order to reduce costs, increase the quality of data center 204 
services, or improve government services. 205 
 (g)  Develop standards for information technology reports 206 
and updates, including, but not limited to, operational work 207 
plans, project spend plans, and project status reports, for use 208 
by state agencies. 209 
 (h)  Upon request, assist state agencies in the development 210 
of information technology-related legislative budget requests. 211
 (i)  Conduct annual assessments of state agencies to 212 
determine compliance with all information technology standards 213 
and guidelines developed and published by the department and 214 
provide results of the assessments to the Executive Office of 215 
the Governor, the President of the Senate, and the Speaker of 216 
the House of Representatives. 217 
 (i)(j) Conduct a market analysis not less frequently than 218 
every 3 years beginning in 2021 to determine whether the 219 
information technology resources within the enterprise are 220 
utilized in the most cost-effective and cost-efficient manner, 221
while recognizing that the replacement of certain legacy 222 
information technology systems within the enterprise may be cost 223 
prohibitive or cost inefficient due to the remaining useful life 224 
of those resources; whether the enterprise is complying with the 225     
 
cloud-first policy specified in s. 282.206; and whether the 226 
enterprise is utilizing best practices with respect to 227 
information technology, information services, and the 228 
acquisition of emerging technologies and information services. 229
Each market analysis shall be used to prepare a strategic plan 230 
for continued and future information technology and information 231 
services for the enterprise, including, but not limited to, 232 
proposed acquisition of new services or technologies and 233
approaches to the implementation of any new services or 234 
technologies. Copies of each market analysis and accompanying 235 
strategic plan must be submitted to the Executive Office of the 236 
Governor, the President of the Senate, and the Speaker of the 237 
House of Representatives not later than December 31 of each year 238 
that a market analysis is conducted. 239 
 (j)(k) Recommend other information technology services 240 
that should be designed, delivered, and managed as enterprise 241 
information technology services. Recommendations must include 242
the identification of existing information technology resources 243 
associated with the services, if existing services must be 244 
transferred as a result of being delivered and managed as 245 
enterprise information technology services. 246
 (k)(l) In consultation with state agencies, propose a 247 
methodology and approach for identifying and collecting both 248 
current and planned information technology expenditure data at 249 
the state agency level. 250     
 
 (l)(m)1.  Notwithstanding any other law, provide project 251 
oversight on any information technology project of the 252 
Department of Financial Services, the Department of Legal 253 
Affairs, and the Department of Agriculture and Consumer Services 254 
which has a total project cost of $25 $20 million or more. Such 255 
information technology projects must also comply with the 256 
applicable information technology architecture, project 257 
management and oversight, and reporting standards established by 258 
the department, acting through the Florida Digital Service. 259 
 2.  When ensuring performance of performing the project 260 
oversight function specified in subparagraph 1., report by the 261 
30th day after the end of each quarter at least quarterly to the 262 
Executive Office of the Governor, the President of the Senate, 263 
and the Speaker of the House of Representatives on any 264
information technology project that the department, acting 265 
through the Florida Digital Service, identifies as high-risk due 266
to the project exceeding acceptable variance ranges defined and 267 
documented in the project plan. The report shall include a risk 268 
assessment, including fiscal risks, associated with proceeding 269 
to the next stage of the project and a recommendation for 270 
corrective actions required, including suspension or termination 271 
of the project. 272 
 (m)(n) If an information technology project implemented by 273
a state agency must be connected to or otherwise accommodated by 274 
an information technology system administered by the Department 275     
 
of Financial Services, the Department of Legal Affairs, or the 276 
Department of Agriculture and Consumer Services, consult with 277
these departments regarding the risks and other effects of such 278 
projects on their information technology systems and work 279 
cooperatively with these departments regarding the connections, 280 
interfaces, timing, or accommodations required to implement such 281
projects. 282 
 (n)(o) If adherence to standards or policies adopted by or 283 
established pursuant to this section causes conflict with 284 
federal regulations or requirements imposed on an entity within 285 
the enterprise and results in adverse action against an entity 286
or federal funding, work with the entity to provide alternative 287 
standards, policies, or requirements that do not conflict with 288 
the federal regulation or requirement. The department, acting 289 
through the Florida Digital Service, shall annually by January 290
15 report such alternative standards to the Executive Office of 291 
the Governor, the President of the Senate, and the Speaker of 292 
the House of Representatives. 293 
 (o)(p)1.  Establish an information technology policy for 294 
all information technology-related state contracts, including 295
state term contracts for information technology commodities, 296 
consultant services, and staff augmentation services. The 297 
information technology policy must include: 298 
 a.  Identification of the information technology product 299
and service categories to be included in state term contracts. 300     
 
 b.  Requirements to be included in solicitations for state 301 
term contracts. 302 
 c.  Evaluation criteria for the award of information 303 
technology-related state term contracts. 304 
 d.  The term of each information technology-related state 305
term contract. 306 
 e.  The maximum number of vendors authorized on each state 307 
term contract. 308 
 f.  At a minimum, a requirement that any contract for 309 
information technology commodities or services meet the National 310 
Institute of Standards and Technology Cybersecurity Framework. 311 
 g.  For an information technology project wherein project 312 
oversight is required pursuant to paragraph (d) or paragraph (l) 313 
(m), a requirement that independent verification and validation 314 
be employed throughout the project life cycle with the primary 315 
objective of independent verification and validation being to 316 
provide an objective assessment of products and processes 317 
throughout the project life cycle. An entity providing 318 
independent verification and validation may not have technical, 319
managerial, or financial interest in the project and may not 320 
have responsibility for, or participate in, any other aspect of 321 
the project. 322 
 2.  Evaluate vendor responses for information technology- 323
related state term contract solicitations and invitations to 324
negotiate. 325     
 
 3.  Answer vendor questions on information technology- 326
related state term contract solicitations. 327
 4.  Ensure that the information technology policy 328 
established pursuant to subparagraph 1. is included in all 329 
solicitations and contracts that are administratively executed 330 
by the department. 331 
 (p)(q) Recommend potential methods for standardizing data 332 
across state agencies which will promote interoperability and 333 
reduce the collection of duplicative data. 334 
 (q)(r) Recommend open data technical standards and 335 
terminologies for use by the enterprise. 336 
 (r)(s) Ensure that enterprise information technology 337 
solutions are capable of utilizing an electronic credential and 338 
comply with the enterprise architecture standards. 339
 (2) 340 
 (c)  The state chief information officer, in consultation 341 
with the Secretary of Management Services, shall designate a 342 
state chief technology officer who shall be responsible for all 343 
of the following: 344 
 1.  Establishing and maintaining an enterprise architecture 345
framework that ensures information technology investments align 346 
with the state's strategic objectives and initiatives pursuant 347 
to paragraph (1)(b). 348 
 2.  Conducting comprehensive evaluations of potential 349 
technological solutions and cultivating strategic partnerships, 350
 
internally with state enterprise agencies and externally with 351 
the private sector, to leverage collective expertise, foster 352 
collaboration, and advance the state's technological 353 
capabilities. 354 
 3.  Supervising program management of enterprise 355 
information technology initiatives pursuant to paragraphs 356 
(1)(c), (d), and (l); providing advisory support and oversight 357 
for technology-related projects; and continuously identifying 358 
and recommending best practices to optimize outcomes of 359 
technology projects and enhance the enterprise's technological 360 
efficiency and effectiveness. 361 
 (4)  For information technology projects that have a total 362 
project cost of $25 $10 million or more: 363 
 (a)  State agencies must provide the Florida Digital 364 
Service with written notice of any planned procurement of an 365 
information technology project. 366 
 (b)  The Florida Digital Service must participate in the 367 
development of specifications and recommend modifications to any 368 
planned procurement of an information technology project by 369
state agencies so that the procurement complies with the 370 
enterprise architecture. 371 
 (c)  The Florida Digital Service must participate in post- 372
award contract monitoring. 373
 (5)  The department, acting through the Florida Digital 374 
Service, may not retrieve or disclose any data without a shared -375     
 
data agreement in place between the department and the 376 
enterprise entity that has primary custodial responsibility of, 377 
or data-sharing responsibility for, that data. 378 
 Section 4.  Subsection (1) of section 282.00515, Florida 379 
Statutes, is amended to read: 380 
 282.00515  Duties of Cabinet agencies.— 381
 (1)  The Department of Legal Affairs, the Department of 382 
Financial Services, and the Department of Agriculture and 383 
Consumer Services shall adopt the standards established in s. 384 
282.0051(1)(b), (c), and (q) (r) and (3)(e) or adopt alternative 385 
standards based on best practices and industry standards that 386 
allow for open data interoperability. 387 
 Section 5.  Paragraphs (a) through (k) of subsection (4) of 388 
section 282.318, Florida St atutes, are redesignated as 389 
paragraphs (b) through (l), respectively, subsection (10) is 390 
renumbered as subsection (11), subsection (3) and present 391 
paragraph (a) of subsection (4) are amended, a new paragraph (a) 392 
is added to subsection (4), and a new subsection (10) is added 393
to that section, to read: 394 
 282.318  Cybersecurity.— 395
 (3)  The department, acting through the Florida Digital 396 
Service, is the lead entity responsible for leading enterprise 397 
information technology and cybersecurity efforts, safeguarding 398 
enterprise digital data, establishing standards and processes 399 
for assessing state agency cybersecurity risks, and determining 400
 
appropriate security measures. Such standards and processes must 401 
be consistent with generally accepted technology best practices, 402 
including the National Institute for Standards and Technology 403 
Cybersecurity Framework, for cybersecurity. The department, 404 
acting through the Florida Digital Service, shall adopt rules 405 
that mitigate risks; safeguard state agency digital assets, 406 
data, information, and information technology resources to 407 
ensure availability, confidentiality, and integrity; and support 408 
a security governance framework. The department, acting through 409 
the Florida Digital Service, shall also: 410 
 (a)  Designate an employee of the Florida Digital Service 411
as the state chief information security officer. The state chief 412 
information security officer must have experience and expertise 413 
in security and risk management for communications and 414 
information technology resources. The state chief information 415
security officer is responsible for the development, operation, 416 
and oversight of cybersecurity for state technology systems. The 417 
Cybersecurity Operations Center shall immediately notify the 418 
state chief information officer and the state chief information 419 
security officer shall be notified of all confirmed or suspected 420 
incidents or threats of state agency information technology 421 
resources. The state chief information officer, in consultation 422 
with the state chief information security officer, and must 423 
report such incidents or threats to the state chief information 424 
officer and the Governor. 425     
 
 (b)  Develop, and annually update by February 1, a 426 
statewide cybersecurity strategic plan that includes security 427 
goals and objectives for cybersecurity, including the 428 
identification and mitigation of risk, proactive protections 429 
against threats, tactical risk detection, threat reporting, and 430 
response and recovery protocols for a cyber incident. 431 
 (c)  Develop and publish for use by state agencies a 432 
cybersecurity governance framework that, at a minimum, includes 433
guidelines and processes for: 434 
 1.  Establishing asset management procedures to ensure that 435 
an agency's information technology resources are identified and 436 
managed consistent with their relative importance to the 437 
agency's business objectives. 438 
 2.  Using a standard risk assessment methodology that 439 
includes the identification of an agency's priorities, 440 
constraints, risk tolerances, and assumptions necessary to 441 
support operational risk decisions. 442 
 3.  Completing comprehensive risk assessments and 443 
cybersecurity audits, which may be completed by a private sector 444 
vendor, and submitting completed assessments and audits to the 445 
department. 446 
 4.  Identifying protection procedures to manage the 447 
protection of an agency's information, data, and information 448
technology resources. 449 
 5.  Establishing procedures for accessing information and 450     
 
data to ensure the confidentiality, integrity, and availability 451 
of such information and data. 452 
 6.  Detecting threats through proactive monitoring of 453
events, continuous security monitoring, and defined detection 454 
processes. 455 
 7.  Establishing agency cybersecurity incident response 456 
teams and describing their responsibilities for responding to 457 
cybersecurity incidents, including breaches of personal 458 
information containing confidential or exempt data. 459 
 8.  Recovering information and data in response to a 460 
cybersecurity incident. The recovery may include recommended 461 
improvements to the agency processes, policies, or guidelines. 462 
 9.  Establishing a cybersecurity incident reporting process 463
that includes procedures for notifying the department and the 464 
Department of Law Enforcement of cybersecurity incidents. 465 
 a.  The level of severity of the cybersecurity incident is 466 
defined by the National Cyber Incident Response Plan of the 467
United States Department of Homeland Security as follows: 468 
 (I)  Level 5 is an emergency-level incident within the 469
specified jurisdiction that poses an imminent threat to the 470 
provision of wide-scale critical infrastructure services; 471 
national, state, or local government security; or the lives of 472 
the country's, state's, or local government's residents. 473 
 (II)  Level 4 is a severe-level incident that is likely to 474
result in a significant impact in the affected jurisdiction to 475     
 
public health or safety; national, state, or local security; 476 
economic security; or civil liberties. 477 
 (III)  Level 3 is a high-level incident that is likely to 478 
result in a demonstrable impact in the affected jurisdiction to 479 
public health or safety; national, state, or local security; 480 
economic security; civil liberties; or public confidence. 481 
 (IV)  Level 2 is a medium-level incident that may impact 482 
public health or safety; national, state, or local security; 483 
economic security; civil liberties; or public confidence. 484 
 (V)  Level 1 is a low-level incident that is unlikely to 485 
impact public health or safety; national, state, or local 486 
security; economic security; civil liberties; or public 487 
confidence. 488 
 b.  The cybersecurity incident reporting process must 489 
specify the information that must be reported by a state agency 490 
following a cybersecurity incident or ransomware incident, 491 
which, at a minimum, must include the following: 492 
 (I)  A summary of the facts surrounding the cybersecurity 493 
incident or ransomware incident. 494 
 (II)  The date on which the state agency most recently 495 
backed up its data; the physical location of the backup, if the 496 
backup was affected; and if the backup was created using cloud 497 
computing. 498 
 (III)  The types of data compromised by the cybersecurity 499 
incident or ransomware incident. 500 
 
 (IV)  The estimated fiscal impact of the cybersecurity 501 
incident or ransomware incident. 502 
 (V)  In the case of a ransomware incident, the details of 503 
the ransom demanded. 504 
 c.(I)  A state agency shall report all ransomware incidents 505 
and any cybersecurity incidents incident determined by the state 506 
agency to be of severity level 3, 4, or 5 to the Cybersecurity 507 
Operations Center and the Cybercrime Office of the Department of 508 
Law Enforcement as soon as possible but no later than 12 48 509 
hours after discovery of the cybersecurity incident and no later 510 
than 6 12 hours after discovery of the ransomware incident. The 511 
report must contain the information required in sub-subparagraph 512 
b. 513 
 (II)  The Cybersecurity Operations Center shall: 514 
 (A)  Immediately notify the Cybercrime Office of the 515 
Department of Law Enforcement of a reported incident and provide 516 
to the Cybercrime Office of the Department of Law Enforcement 517 
regular reports on the status of the incident, preserve forensic 518 
data to support a subsequent investigation, and provide aid to 519 
the investigative efforts of the Cybercrime Office of the 520 
Department of Law Enforcement upon the office's request if the 521 
state chief information security officer finds that the 522 
investigation does not impede remediation of the incident and 523 
that there is no risk to the public and no risk to critical 524 
state functions. 525     
 
 (B)  Immediately notify the state chief information officer 526 
and the state chief information security officer of a reported 527 
incident. The state chief information security officer shall 528 
notify the President of the Senate and the Speaker of the House 529 
of Representatives of any severity level 3, 4, or 5 incident as 530 
soon as possible but no later than 24 12 hours after receiving a 531 
state agency's incident report. The notification must include a 532 
high-level description of the incident and the likely effects 533 
and must be provided in a secure environment. 534 
 d.  A state agency shall report a cybersecurity incident 535 
determined by the state agency to be of severity level 1 or 2 to 536 
the Cybersecurity Operations Center and the Cybercrime Office of 537 
the Department of Law Enforcement as soon as possible. The 538 
report must contain the information required in sub-subparagraph 539 
b. 540 
 d.e. The Cybersecurity Operations Center shall provide a 541 
consolidated incident report by the 30th day after the end of 542 
each quarter on a quarterly basis to the Governor, the Attorney 543 
General, the executive director of the Department of Law 544 
Enforcement, the President of the Senate, the Speaker of the 545 
House of Representatives, and the Florida Cybersecurity Advisory 546 
Council. The report provided to the Florida Cybersecurity 547 
Advisory Council may not contain the name of any agency, network 548 
information, or system identifying information but must contain 549 
sufficient relevant information to allow the Florida 550     
 
Cybersecurity Advisory Council to fulfill its responsibilities 551 
as required in s. 282.319(9). 552 
 10.  Incorporating information obtained through detection 553 
and response activities into the agency's cybersecurity incident 554 
response plans. 555 
 11.  Developing agency strategic and operational 556 
cybersecurity plans required pursuant to this section. 557 
 12.  Establishing the managerial, operational, and 558 
technical safeguards for protecting state government data and 559 
information technology resources that align with the state 560 
agency risk management strategy and that protect the 561 
confidentiality, integrity, and availability of information and 562 
data. 563 
 13.  Establishing procedures for procuring information 564 
technology commodities and services that require the commodity 565 
or service to meet the National Institute of Standards and 566 
Technology Cybersecurity Framework. 567 
 14.  Submitting after-action reports following a 568 
cybersecurity incident or ransomware incident. Such guidelines 569 
and processes for submitting after-action reports must be 570 
developed and published by December 1, 2022. 571 
 (d)  Assist state agencies in complying with this section. 572 
 (e)  In collaboration with the Cybercrime Office of the 573 
Department of Law Enforcement, annually provide training for 574 
state agency information security managers and computer security 575     
 
incident response team members that contains training on 576 
cybersecurity, including cybersecurity threats, trends, and best 577 
practices. 578 
 (f)  Annually review the strategic and operational 579 
cybersecurity plans of state agencies. 580 
 (g)  Annually provide cybersecurity training to all state 581 
agency technology professionals and employees with access to 582 
highly sensitive information which develops, assesses, and 583 
documents competencies by role and skill level. The 584 
cybersecurity training curriculum must include training on the 585 
identification of each cybersecurity incident severity level 586 
referenced in sub-subparagraph (c)9.a. The training may be 587 
provided in collaboration with the Cybercrime Office of the 588 
Department of Law Enforcement, a private sector entity, or an 589 
institution of the State University System. 590 
 (h)  Operate and maintain a Cybersecurity Operations Center 591 
led by the state chief information security officer, which must 592 
be primarily virtual and staffed with tactical detection and 593 
incident response personnel. The Cybersecurity Operations Center 594 
shall serve as a clearinghouse for threat information and 595 
coordinate with the Department of Law Enforcement to support 596 
state agencies and their response to any confirmed or suspected 597 
cybersecurity incident. 598 
 (i)  Lead an Emergency Support Function, ESF-20 ESF CYBER, 599 
under the state comprehensive emergency management plan as 600     
 
described in s. 252.35. 601 
 (j)  Provide cybersecurity briefings to the members of any 602 
legislative committee or subcommittee responsible for policy 603 
matters relating to cybersecurity. 604 
 (k)  Have the authority to obtain immediate access to 605 
public or private infrastructure hosting enterprise digital data 606 
and to direct, in consultation with the state agency that holds 607 
the particular enterprise digital data, measures to assess, 608 
monitor, and safeguard the enterprise digital data. 609 
 (4)  Each state agency head shall, at a minimum: 610 
 (a)  Designate a chief information security officer to 611 
integrate the agency's technical and operational cybersecurity 612 
efforts with the Cybersecurity Operations Center. This 613 
designation must be provided annually in writing to the Florida 614 
Digital Service by January 15. For a state agency under the 615 
jurisdiction of the Governor, the agency's chief information 616 
security officer shall be under the general supervision of the 617 
agency head or designee for administrative purposes but shall 618 
report to the state chief information officer. An agency may 619 
request that the department procure a chief information security 620 
officer as a service to fulfill the agency's duties under this 621 
paragraph. 622 
 (b)(a) Designate an information security manager to ensure 623 
compliance with cybersecurity governance and with the state's 624 
enterprise security program and incident response plan. The 625 
 
information security manager must coordinate with the agency's 626 
chief information security officer and the Cybersecurity 627 
Operations Center to ensure that the unique needs of the agency 628 
are met administer the cybersecurity program of the state 629 
agency. This designation must be provided annually in writing to 630 
the department by January 15 1. A state agency's information 631 
security manager, for purposes of these information security 632 
duties, shall work in collaboration with the agency's chief 633 
information security officer and report directly to the agency 634 
head. 635 
 (10)  The department may brief any legislative committee or 636 
subcommittee responsible for cybersecurity policy in a meeting 637 
or other setting closed by the respective body under the rules 638 
of such legislative body at which the legislative committee or 639 
subcommittee is briefed on records made confidential and exempt 640 
under subsections (5) and (6). The legislative committee or 641 
subcommittee must maintain the confidential and exempt status of 642 
such records. A legislator serving on a legislative committee or 643 
subcommittee responsible for cybersecurity policy may also 644 
attend meetings of the Florida Cybersecurity Advisory Council, 645 
including any portions of such meetings that are exempt from s. 646 
286.011 and s. 24(b), Art. I of the State Constitution. 647 
 Section 6.  Paragraph (d) of subsection (5) of section 648 
282.3185, Florida Statutes, is redesignated as paragraph (c), 649 
and paragraph (b) and present paragraph (c) of that subsection 650     
 
are amended to read: 651 
 282.3185  Local government cybersecurity.— 652 
 (5)  INCIDENT NOTIFICATION.— 653 
 (b)1.  A local government shall report all ransomware 654 
incidents and any cybersecurity incident determined by the local 655 
government to be of severity level 3, 4, or 5 as provided in s. 656 
282.318(3)(c) to the Cybersecurity Operations Center, the 657 
Cybercrime Office of the Department of Law Enforcement, and the 658 
sheriff who has jurisdiction over the local government as soon 659 
as possible but no later than 12 48 hours after discovery of the 660 
cybersecurity incident and no later than 6 12 hours after 661 
discovery of the ransomware incident. The report must contain 662 
the information required in paragraph (a). 663 
 2.  The Cybersecurity Operations Center shall: 664 
 a.  Immediately notify the Cybercrime Office of the 665 
Department of Law Enforcement and the sheriff who has 666 
jurisdiction over the local government of a reported incident 667 
and provide to the Cybercrime Office of the Department of Law 668 
Enforcement and the sheriff who has jurisdiction over the local 669 
government regular reports on the status of the incident, 670 
preserve forensic data to support a subsequent investigation, 671 
and provide aid to the investigative efforts of the Cybercrime 672 
Office of the Department of Law Enforcement upon the office's 673 
request if the state chief information security officer finds 674 
that the investigation does not impede remediation of the 675     
 
incident and that there is no risk to the public and no risk to 676 
critical state functions. 677 
 b.  Immediately notify the state chief information security 678 
officer of a reported incident. The state chief information 679 
security officer shall notify the President of the Senate and 680 
the Speaker of the House of Representatives of any severity 681 
level 3, 4, or 5 incident as soon as possible but no later than 682 
24 12 hours after receiving a local government's incident 683 
report. The notification must include a high-level description 684 
of the incident and the likely effects and must be provided in a 685 
secure environment. 686 
 (c)  A local government may report a cybersecurity incident 687 
determined by the local government to be of severity level 1 or 688 
2 as provided in s. 282.318(3)(c) to the Cybersecurity 689 
Operations Center, the Cybercrime Office of the Department of 690 
Law Enforcement, and the sheriff who has jurisdiction over the 691 
local government. The report shall contain the information 692 
required in paragraph (a). The Cybersecurity Operations Center 693 
shall immediately notify the Cybercrime Office of the Department 694 
of Law Enforcement and the sheriff who has jurisdiction over the 695 
local government of a reported incident and provide regular 696 
reports on the status of the cybersecurity incident, preserve 697 
forensic data to support a subsequent investigation, and provide 698 
aid to the investigative efforts of the Cybercrime Office of the 699 
Department of Law Enforcement upon request if the state chief 700     
 
information security officer finds that the investigation does 701 
not impede remediation of the cybersecurity incident and that 702 
there is no risk to the public and no risk to critical state 703 
functions. 704 
 Section 7.  Paragraph (j) of subsection (4) of section 705 
282.319, Florida Statutes, is amended, and paragraph (m) is 706 
added to that subsection, to read: 707 
 282.319  Florida Cybersecurity Advisory Council.— 708 
 (4)  The council shall be comprised of the following 709 
members: 710 
 (j)  Three representatives from critical infrastructure 711 
sectors, one of whom must be from a utility provider water 712 
treatment facility, appointed by the Governor. 713 
 (m)  A representative of local government. 714 
 Section 8.  This act shall take effect July 1, 2024. 715