CS/HB 1555 2024
CODING: Words stricken are deletions; words underlined are additions.
hb1555-01-c1
FLORIDA HOUSE OF REPRESENTATIVES

A bill to be entitled

An act relating to cybersecurity; amending s. 110.205, F.S.; exempting the state chief technology officer from the career service; amending s. 282.0041, F.S.; providing definitions; amending s. 282.0051, F.S.; revising the purposes for which the Florida Digital Service is established; requiring the Florida Digital Service to ensure that independent project oversight on certain state agency information technology projects is performed in a certain manner; revising the date by which the Department of Management Services, acting through the Florida Digital Service, must provide certain recommendations to the Executive Office of the Governor and the Legislature; removing certain duties of the Florida Digital Service; revising the total project cost of certain projects for which the Florida Digital Service must provide project oversight; specifying the date by which the Florida Digital Service must provide certain reports; requiring the state chief information officer, in consultation with the Secretary of Management Services, to designate a state chief technology officer; providing duties of the state chief technology officer; revising the total project cost of certain projects for which certain procurement actions must be taken; removing provisions prohibiting the department, acting through the Florida Digital Service, from retrieving or disclosing certain data in certain circumstances; amending s. 282.00515, F.S.; conforming a cross-reference; amending s.
282.318, F.S.; providing that the Florida Digital Service is the lead entity for a certain purpose; requiring the Cybersecurity Operations Center to provide certain notifications; requiring the state chief information officer to make certain reports in consultation with the state chief information security officer; requiring a state agency to report ransomware and cybersecurity incidents within certain time periods; requiring the Cybersecurity Operations Center to immediately notify certain entities of reported incidents and take certain actions; requiring the state chief information security officer to notify the Legislature of certain incidents within a certain period; requiring certain notification to be provided in a secure environment; requiring the Cybersecurity Operations Center to provide a certain report to certain entities by a specified date; requiring the Florida Digital Service to provide cybersecurity briefings to certain legislative committees; authorizing the Florida Digital Service to obtain certain access to certain infrastructure and direct certain measures; revising the purpose of an agency's information security manager and the date by which he or she must be designated; authorizing the department to brief certain legislative committees in a closed setting on certain records that are confidential and exempt from public records requirements; requiring such legislative committees to maintain the confidential and exempt status of certain records; authorizing certain legislators to attend meetings of the Florida Cybersecurity Advisory Council; amending s.
282.3185, F.S.; requiring a local government to report ransomware and certain cybersecurity incidents to the Cybersecurity Operations Center within certain time periods; requiring the Cybersecurity Operations Center to immediately notify certain entities of certain incidents and take certain actions; requiring certain notification to be provided in a secure environment; amending s. 282.319, F.S.; revising the membership of the Florida Cybersecurity Advisory Council; amending s. 1004.444, F.S.; providing that the Florida Center for Cybersecurity may be referred to in a certain manner; providing that the center is established under the direction of the president of the University of South Florida and may be assigned within a college that meets certain requirements; revising the mission and goals of the center; authorizing the center to take certain actions relating to certain initiatives; providing an effective date.

Be It Enacted by the Legislature of the State of Florida:

Section 1. Paragraph (e) of subsection (2) of section 110.205, Florida Statutes, is amended to read:

110.205 Career service; exemptions.—

(2) EXEMPT POSITIONS.—The exempt positions that are not covered by this part include the following:

(e) The state chief information officer, the state chief data officer, the state chief technology officer, and the state chief information security officer. The Department of Management Services shall set the salary and benefits of these positions in accordance with the rules of the Senior Management Service.

Section 2.
Subsections (3) through (5), (6) through (16), and (17) through (38) of section 282.0041, Florida Statutes, are renumbered as subsections (4) through (6), (8) through (18), and (20) through (41), respectively, and new subsections (3), (7), and (19) are added to that section to read:

282.0041 Definitions.—As used in this chapter, the term:

(3) "As a service" means the contracting with or outsourcing to a third party of a defined role or function as a means of delivery.

(7) "Cloud provider" means an entity that provides cloud-computing services.

(19) "Enterprise digital data" means information held by a state agency in electronic form that is deemed to be data owned by the state and held for state purposes by the state agency. Enterprise digital data that is subject to statutory requirements for particular types of sensitive data or to contractual limitations for data marked as trade secrets or sensitive corporate data held by state agencies shall be treated in accordance with such requirements or limitations. The department must maintain personnel with appropriate licenses, certifications, or classifications to steward such enterprise digital data, as necessary. Enterprise digital data must be maintained in accordance with chapter 119. This subsection may not be construed to create or expand an exemption from public records requirements under s. 119.07(1) or s. 24(a), Art. I of the State Constitution.

Section 3.
Subsection (6) of section 282.0051, Florida Statutes, is renumbered as subsection (5), subsections (1) and (4) and present subsection (5) are amended, and paragraph (c) is added to subsection (2) of that section, to read:

282.0051 Department of Management Services; Florida Digital Service; powers, duties, and functions.—

(1) The Florida Digital Service is established has been created within the department to lead enterprise information technology and cybersecurity efforts, to safeguard enterprise digital data, to propose, test, develop, and deploy innovative solutions that securely modernize state government, including technology and information services, to achieve value through digital transformation and interoperability, and to fully support the cloud-first policy as specified in s. 282.206. The department, through the Florida Digital Service, shall have the following powers, duties, and functions:

(a) Develop and publish information technology policy for the management of the state's information technology resources.

(b) Develop an enterprise architecture that:

1. Acknowledges the unique needs of the entities within the enterprise in the development and publication of standards and terminologies to facilitate digital interoperability;

2. Supports the cloud-first policy as specified in s. 282.206; and

3. Addresses how information technology infrastructure may be modernized to achieve cloud-first objectives.

(c) Establish project management and oversight standards with which state agencies must comply when implementing information technology projects.
The department, acting through the Florida Digital Service, shall provide training opportunities to state agencies to assist in the adoption of the project management and oversight standards. To support data-driven decisionmaking, the standards must include, but are not limited to:

1. Performance measurements and metrics that objectively reflect the status of an information technology project based on a defined and documented project scope, cost, and schedule.

2. Methodologies for calculating acceptable variances in the projected versus actual scope, schedule, or cost of an information technology project.

3. Reporting requirements, including requirements designed to alert all defined stakeholders that an information technology project has exceeded acceptable variances defined and documented in a project plan.

4. Content, format, and frequency of project updates.

5. Technical standards to ensure an information technology project complies with the enterprise architecture.

(d) Ensure that independent Perform project oversight on all state agency information technology projects that have total project costs of $25 $10 million or more and that are funded in the General Appropriations Act or any other law is performed in compliance with applicable state and federal law. The department, acting through the Florida Digital Service, shall report at least quarterly to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives on any information technology project
that the department identifies as high-risk due to the project exceeding acceptable variance ranges defined and documented in a project plan. The report must include a risk assessment, including fiscal risks, associated with proceeding to the next stage of the project, and a recommendation for corrective actions required, including suspension or termination of the project.

(e) Identify opportunities for standardization and consolidation of information technology services that support interoperability and the cloud-first policy, as specified in s. 282.206, and business functions and operations, including administrative functions such as purchasing, accounting and reporting, cash management, and personnel, and that are common across state agencies. The department, acting through the Florida Digital Service, shall biennially on January 15 1 of each even-numbered year provide recommendations for standardization and consolidation to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives.

(f) Establish best practices for the procurement of information technology products and cloud-computing services in order to reduce costs, increase the quality of data center services, or improve government services.

(g) Develop standards for information technology reports and updates, including, but not limited to, operational work plans, project spend plans, and project status reports, for use by state agencies.

(h) Upon request, assist state agencies in the development of information technology-related legislative budget requests.
(i) Conduct annual assessments of state agencies to determine compliance with all information technology standards and guidelines developed and published by the department and provide results of the assessments to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives.

(i)(j) Conduct a market analysis not less frequently than every 3 years beginning in 2021 to determine whether the information technology resources within the enterprise are utilized in the most cost-effective and cost-efficient manner, while recognizing that the replacement of certain legacy information technology systems within the enterprise may be cost prohibitive or cost inefficient due to the remaining useful life of those resources; whether the enterprise is complying with the cloud-first policy specified in s. 282.206; and whether the enterprise is utilizing best practices with respect to information technology, information services, and the acquisition of emerging technologies and information services. Each market analysis shall be used to prepare a strategic plan for continued and future information technology and information services for the enterprise, including, but not limited to, proposed acquisition of new services or technologies and approaches to the implementation of any new services or technologies. Copies of each market analysis and accompanying strategic plan must be submitted to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives not later than December 31 of each year that a market analysis is conducted.
(j)(k) Recommend other information technology services that should be designed, delivered, and managed as enterprise information technology services. Recommendations must include the identification of existing information technology resources associated with the services, if existing services must be transferred as a result of being delivered and managed as enterprise information technology services.

(k)(l) In consultation with state agencies, propose a methodology and approach for identifying and collecting both current and planned information technology expenditure data at the state agency level.

(l)(m)1. Notwithstanding any other law, provide project oversight on any information technology project of the Department of Financial Services, the Department of Legal Affairs, and the Department of Agriculture and Consumer Services which has a total project cost of $25 $20 million or more. Such information technology projects must also comply with the applicable information technology architecture, project management and oversight, and reporting standards established by the department, acting through the Florida Digital Service.

2. When ensuring performance of performing the project oversight function specified in subparagraph 1., report by the 30th day after the end of each quarter at least quarterly to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives on any information technology project that the department, acting through the Florida Digital Service, identifies as high-risk due to the project exceeding acceptable variance ranges defined and documented in the project plan.
The report shall include a risk assessment, including fiscal risks, associated with proceeding to the next stage of the project and a recommendation for corrective actions required, including suspension or termination of the project.

(m)(n) If an information technology project implemented by a state agency must be connected to or otherwise accommodated by an information technology system administered by the Department of Financial Services, the Department of Legal Affairs, or the Department of Agriculture and Consumer Services, consult with these departments regarding the risks and other effects of such projects on their information technology systems and work cooperatively with these departments regarding the connections, interfaces, timing, or accommodations required to implement such projects.

(n)(o) If adherence to standards or policies adopted by or established pursuant to this section causes conflict with federal regulations or requirements imposed on an entity within the enterprise and results in adverse action against an entity or federal funding, work with the entity to provide alternative standards, policies, or requirements that do not conflict with the federal regulation or requirement. The department, acting through the Florida Digital Service, shall annually by January 15 report such alternative standards to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives.

(o)(p)1. Establish an information technology policy for all information technology-related state contracts, including state term contracts for information technology commodities, consultant services, and staff augmentation services.
The information technology policy must include:

a. Identification of the information technology product and service categories to be included in state term contracts.

b. Requirements to be included in solicitations for state term contracts.

c. Evaluation criteria for the award of information technology-related state term contracts.

d. The term of each information technology-related state term contract.

e. The maximum number of vendors authorized on each state term contract.

f. At a minimum, a requirement that any contract for information technology commodities or services meet the National Institute of Standards and Technology Cybersecurity Framework.

g. For an information technology project wherein project oversight is required pursuant to paragraph (d) or paragraph (l) (m), a requirement that independent verification and validation be employed throughout the project life cycle with the primary objective of independent verification and validation being to provide an objective assessment of products and processes throughout the project life cycle. An entity providing independent verification and validation may not have technical, managerial, or financial interest in the project and may not have responsibility for, or participate in, any other aspect of the project.

2. Evaluate vendor responses for information technology-related state term contract solicitations and invitations to negotiate.

3. Answer vendor questions on information technology-related state term contract solicitations.

4. Ensure that the information technology policy established pursuant to subparagraph 1.
is included in all solicitations and contracts that are administratively executed by the department.

(p)(q) Recommend potential methods for standardizing data across state agencies which will promote interoperability and reduce the collection of duplicative data.

(q)(r) Recommend open data technical standards and terminologies for use by the enterprise.

(r)(s) Ensure that enterprise information technology solutions are capable of utilizing an electronic credential and comply with the enterprise architecture standards.

(2)

(c) The state chief information officer, in consultation with the Secretary of Management Services, shall designate a state chief technology officer who shall be responsible for all of the following:

1. Establishing and maintaining an enterprise architecture framework that ensures information technology investments align with the state's strategic objectives and initiatives pursuant to paragraph (1)(b).

2. Conducting comprehensive evaluations of potential technological solutions and cultivating strategic partnerships, internally with state enterprise agencies and externally with the private sector, to leverage collective expertise, foster collaboration, and advance the state's technological capabilities.

3. Supervising program management of enterprise information technology initiatives pursuant to paragraphs (1)(c), (d), and (l); providing advisory support and oversight
for technology-related projects; and continuously identifying and recommending best practices to optimize outcomes of technology projects and enhance the enterprise's technological efficiency and effectiveness.

(4) For information technology projects that have a total project cost of $25 $10 million or more:

(a) State agencies must provide the Florida Digital Service with written notice of any planned procurement of an information technology project.

(b) The Florida Digital Service must participate in the development of specifications and recommend modifications to any planned procurement of an information technology project by state agencies so that the procurement complies with the enterprise architecture.

(c) The Florida Digital Service must participate in post-award contract monitoring.

(5) The department, acting through the Florida Digital Service, may not retrieve or disclose any data without a shared-data agreement in place between the department and the enterprise entity that has primary custodial responsibility of, or data-sharing responsibility for, that data.

Section 4. Subsection (1) of section 282.00515, Florida Statutes, is amended to read:

282.00515 Duties of Cabinet agencies.—

(1) The Department of Legal Affairs, the Department of Financial Services, and the Department of Agriculture and Consumer Services shall adopt the standards established in s. 282.0051(1)(b), (c), and (q) (r) and (3)(e) or adopt alternative standards based on best practices and industry standards that allow for open data interoperability.

Section 5.
Subsection (10) of section 282.318, Florida Statutes, is renumbered as subsection (11), subsection (3) and paragraph (a) of subsection (4) are amended, and a new subsection (10) is added to that section, to read:

282.318 Cybersecurity.—

(3) The department, acting through the Florida Digital Service, is the lead entity responsible for leading enterprise information technology and cybersecurity efforts, safeguarding enterprise digital data, establishing standards and processes for assessing state agency cybersecurity risks, and determining appropriate security measures. Such standards and processes must be consistent with generally accepted technology best practices, including the National Institute for Standards and Technology Cybersecurity Framework, for cybersecurity. The department, acting through the Florida Digital Service, shall adopt rules that mitigate risks; safeguard state agency digital assets, data, information, and information technology resources to ensure availability, confidentiality, and integrity; and support a security governance framework. The department, acting through the Florida Digital Service, shall also:

(a) Designate an employee of the Florida Digital Service as the state chief information security officer. The state chief information security officer must have experience and expertise in security and risk management for communications and information technology resources. The state chief information security officer is responsible for the development, operation, and oversight of cybersecurity for state technology systems.
The Cybersecurity Operations Center shall immediately notify the state chief information officer and the state chief information security officer shall be notified of all confirmed or suspected incidents or threats of state agency information technology resources. The state chief information officer, in consultation with the state chief information security officer, and must report such incidents or threats to the state chief information officer and the Governor.

(b) Develop, and annually update by February 1, a statewide cybersecurity strategic plan that includes security goals and objectives for cybersecurity, including the identification and mitigation of risk, proactive protections against threats, tactical risk detection, threat reporting, and response and recovery protocols for a cyber incident.

(c) Develop and publish for use by state agencies a cybersecurity governance framework that, at a minimum, includes guidelines and processes for:

1. Establishing asset management procedures to ensure that an agency's information technology resources are identified and managed consistent with their relative importance to the agency's business objectives.

2. Using a standard risk assessment methodology that includes the identification of an agency's priorities, constraints, risk tolerances, and assumptions necessary to support operational risk decisions.

3. Completing comprehensive risk assessments and cybersecurity audits, which may be completed by a private sector vendor, and submitting completed assessments and audits to the department.

4. Identifying protection procedures to manage the protection of an agency's information, data, and information technology resources.
5. Establishing procedures for accessing information and data to ensure the confidentiality, integrity, and availability of such information and data.

6. Detecting threats through proactive monitoring of events, continuous security monitoring, and defined detection processes.

7. Establishing agency cybersecurity incident response teams and describing their responsibilities for responding to cybersecurity incidents, including breaches of personal information containing confidential or exempt data.

8. Recovering information and data in response to a cybersecurity incident. The recovery may include recommended improvements to the agency processes, policies, or guidelines.

9. Establishing a cybersecurity incident reporting process that includes procedures for notifying the department and the Department of Law Enforcement of cybersecurity incidents.

a. The level of severity of the cybersecurity incident is defined by the National Cyber Incident Response Plan of the United States Department of Homeland Security as follows:

(I) Level 5 is an emergency-level incident within the specified jurisdiction that poses an imminent threat to the provision of wide-scale critical infrastructure services; national, state, or local government security; or the lives of the country's, state's, or local government's residents.

(II) Level 4 is a severe-level incident that is likely to result in a significant impact in the affected jurisdiction to public health or safety; national, state, or local security; economic security; or civil liberties.
(III) Level 3 is a high-level incident that is likely to result in a demonstrable impact in the affected jurisdiction to public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.

(IV) Level 2 is a medium-level incident that may impact public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.

(V) Level 1 is a low-level incident that is unlikely to impact public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.

b. The cybersecurity incident reporting process must specify the information that must be reported by a state agency following a cybersecurity incident or ransomware incident, which, at a minimum, must include the following:

(I) A summary of the facts surrounding the cybersecurity incident or ransomware incident.

(II) The date on which the state agency most recently backed up its data; the physical location of the backup, if the backup was affected; and if the backup was created using cloud computing.

(III) The types of data compromised by the cybersecurity incident or ransomware incident.

(IV) The estimated fiscal impact of the cybersecurity incident or ransomware incident.

(V) In the case of a ransomware incident, the details of the ransom demanded.
c.(I) A state agency shall report all ransomware incidents and any cybersecurity incidents incident determined by the state agency to be of severity level 3, 4, or 5 to the Cybersecurity Operations Center and the Cybercrime Office of the Department of Law Enforcement as soon as possible but no later than 12 48 hours after discovery of the cybersecurity incident and no later than 6 12 hours after discovery of the ransomware incident. The report must contain the information required in sub-subparagraph b.

(II) The Cybersecurity Operations Center shall:

(A) Immediately notify the Cybercrime Office of the Department of Law Enforcement of a reported incident and provide to the Cybercrime Office of the Department of Law Enforcement regular reports on the status of the incident, preserve forensic data to support a subsequent investigation, and provide aid to the investigative efforts of the Cybercrime Office of the Department of Law Enforcement upon the office's request if the state chief information security officer finds that the investigation does not impede remediation of the incident and that there is no risk to the public and no risk to critical state functions.

(B) Immediately notify the state chief information officer and the state chief information security officer of a reported incident. The state chief information security officer shall notify the President of the Senate and the Speaker of the House of Representatives of any severity level 3, 4, or 5 incident as soon as possible but no later than 24 12 hours after receiving a state agency's incident report.
The notification must include a high-level description of the incident and the likely effects and must be provided in a secure environment.

d. A state agency shall report a cybersecurity incident determined by the state agency to be of severity level 1 or 2 to the Cybersecurity Operations Center and the Cybercrime Office of the Department of Law Enforcement as soon as possible. The report must contain the information required in sub-subparagraph b.

d.e. The Cybersecurity Operations Center shall provide a consolidated incident report by the 30th day after the end of each quarter on a quarterly basis to the Governor, the Attorney General, the executive director of the Department of Law Enforcement, the President of the Senate, the Speaker of the House of Representatives, and the Florida Cybersecurity Advisory Council. The report provided to the Florida Cybersecurity Advisory Council may not contain the name of any agency, network information, or system identifying information but must contain sufficient relevant information to allow the Florida Cybersecurity Advisory Council to fulfill its responsibilities as required in s. 282.319(9).

10. Incorporating information obtained through detection and response activities into the agency's cybersecurity incident response plans.

11. Developing agency strategic and operational cybersecurity plans required pursuant to this section.

12. Establishing the managerial, operational, and technical safeguards for protecting state government data and information technology resources that align with the state agency risk management strategy and that protect the confidentiality, integrity, and availability of information and data.

13. Establishing procedures for procuring information technology commodities and services that require the commodity or service to meet the National Institute of Standards and Technology Cybersecurity Framework.

14. Submitting after-action reports following a cybersecurity incident or ransomware incident. Such guidelines and processes for submitting after-action reports must be developed and published by December 1, 2022.

(d) Assist state agencies in complying with this section.

(e) In collaboration with the Cybercrime Office of the Department of Law Enforcement, annually provide training for state agency information security managers and computer security incident response team members that contains training on cybersecurity, including cybersecurity threats, trends, and best practices.

(f) Annually review the strategic and operational cybersecurity plans of state agencies.

(g) Annually provide cybersecurity training to all state agency technology professionals and employees with access to highly sensitive information which develops, assesses, and documents competencies by role and skill level. The cybersecurity training curriculum must include training on the identification of each cybersecurity incident severity level referenced in sub-subparagraph (c)9.a. The training may be provided in collaboration with the Cybercrime Office of the Department of Law Enforcement, a private sector entity, or an institution of the State University System.

(h) Operate and maintain a Cybersecurity Operations Center led by the state chief information security officer, which must be primarily virtual and staffed with tactical detection and incident response personnel. The Cybersecurity Operations Center shall serve as a clearinghouse for threat information and coordinate with the Department of Law Enforcement to support state agencies and their response to any confirmed or suspected cybersecurity incident.

(i) Lead an Emergency Support Function, ESF-20 ESF CYBER, under the state comprehensive emergency management plan as described in s. 252.35.

(j) Provide cybersecurity briefings to the members of any legislative committee or subcommittee responsible for policy matters relating to cybersecurity.

(k) Have the authority to obtain immediate access to public or private infrastructure hosting enterprise digital data and to direct, in consultation with the state agency that holds the particular enterprise digital data, measures to assess, monitor, and safeguard the enterprise digital data.

(4) Each state agency head shall, at a minimum:

(a) Designate an information security manager to ensure compliance with cybersecurity governance and with the state's enterprise security program and incident response plan. The information security manager must coordinate with the agency's information security personnel and the Cybersecurity Operations Center to ensure that the unique needs of the agency are met administer the cybersecurity program of the state agency. This designation must be provided annually in writing to the department by January 15 1.
A state agency's information security manager, for purposes of these information security duties, shall report directly to the agency head.

(10) The department may brief any legislative committee or subcommittee responsible for cybersecurity policy in a meeting or other setting closed by the respective body under the rules of such legislative body at which the legislative committee or subcommittee is briefed on records made confidential and exempt under subsections (5) and (6). The legislative committee or subcommittee must maintain the confidential and exempt status of such records. A legislator serving on a legislative committee or subcommittee responsible for cybersecurity policy may also attend meetings of the Florida Cybersecurity Advisory Council, including any portions of such meetings that are exempt from s. 286.011 and s. 24(b), Art. I of the State Constitution.

Section 6. Paragraph (d) of subsection (5) of section 282.3185, Florida Statutes, is redesignated as paragraph (c), and paragraph (b) and present paragraph (c) of that subsection are amended to read:

282.3185 Local government cybersecurity.—

(5) INCIDENT NOTIFICATION.—

(b)1. A local government shall report all ransomware incidents and any cybersecurity incident determined by the local government to be of severity level 3, 4, or 5 as provided in s. 282.318(3)(c) to the Cybersecurity Operations Center, the Cybercrime Office of the Department of Law Enforcement, and the sheriff who has jurisdiction over the local government as soon as possible but no later than 12 48 hours after discovery of the cybersecurity incident and no later than 6 12 hours after discovery of the ransomware incident.
The report must contain the information required in paragraph (a).

2. The Cybersecurity Operations Center shall:

a. Immediately notify the Cybercrime Office of the Department of Law Enforcement and the sheriff who has jurisdiction over the local government of a reported incident and provide to the Cybercrime Office of the Department of Law Enforcement and the sheriff who has jurisdiction over the local government regular reports on the status of the incident, preserve forensic data to support a subsequent investigation, and provide aid to the investigative efforts of the Cybercrime Office of the Department of Law Enforcement upon the office's request if the state chief information security officer finds that the investigation does not impede remediation of the incident and that there is no risk to the public and no risk to critical state functions.

b. Immediately notify the state chief information security officer of a reported incident. The state chief information security officer shall notify the President of the Senate and the Speaker of the House of Representatives of any severity level 3, 4, or 5 incident as soon as possible but no later than 24 12 hours after receiving a local government's incident report. The notification must include a high-level description of the incident and the likely effects and must be provided in a secure environment.

(c) A local government may report a cybersecurity incident determined by the local government to be of severity level 1 or 2 as provided in s. 282.318(3)(c) to the Cybersecurity Operations Center, the Cybercrime Office of the Department of Law Enforcement, and the sheriff who has jurisdiction over the local government.
The report shall contain the information required in paragraph (a). The Cybersecurity Operations Center shall immediately notify the Cybercrime Office of the Department of Law Enforcement and the sheriff who has jurisdiction over the local government of a reported incident and provide regular reports on the status of the cybersecurity incident, preserve forensic data to support a subsequent investigation, and provide aid to the investigative efforts of the Cybercrime Office of the Department of Law Enforcement upon request if the state chief information security officer finds that the investigation does not impede remediation of the cybersecurity incident and that there is no risk to the public and no risk to critical state functions.

Section 7. Paragraph (j) of subsection (4) of section 282.319, Florida Statutes, is amended, and paragraph (m) is added to that subsection, to read:

282.319 Florida Cybersecurity Advisory Council.—

(4) The council shall be comprised of the following members:

(j) Three representatives from critical infrastructure sectors, one of whom must be from a utility provider water treatment facility, appointed by the Governor.

(m) A representative of local government.

Section 8. Section 1004.444, Florida Statutes, is amended to read:

1004.444 Florida Center for Cybersecurity.—

(1) The Florida Center for Cybersecurity, which may also be referred to as "Cyber Florida," is established as a center within the University of South Florida under the direction of the president of the university or the president's designee.
The president may assign the center within a college of the university if the college has a strong emphasis in cybersecurity, technology, or computer sciences and engineering as determined and approved by the university's board of trustees.

(2) The mission and goals of the center are to:

(a) Position Florida as the national leader in cybersecurity and its related workforce primarily through advancing and funding education and, research and development initiatives in cybersecurity and related fields, with a secondary emphasis on , and community engagement and cybersecurity awareness.

(b) Assist in the creation of jobs in the state's cybersecurity industry and enhance the existing cybersecurity workforce through education, research, applied science, and engagements and partnerships with the private and military sectors.

(c) Act as a cooperative facilitator for state business and higher education communities to share cybersecurity knowledge, resources, and training.

(d) Seek out research and development agreements and other partnerships with major military installations and affiliated contractors to assist, when possible, in homeland cybersecurity defense initiatives.

(e) Attract cybersecurity companies and jobs to the state with an emphasis on defense, finance, health care, transportation, and utility sectors.

(f) Conduct, fund, and facilitate research and applied science that leads to the creation of new technologies and software packages that have military and civilian applications and which can be transferred for military and homeland defense purposes or for sale or use in the private sector.

(3) Upon receiving a request for assistance from the Department of Management Services, the Florida Digital Service, or another state agency, the center is authorized, but may not be compelled by the agency, to conduct, consult on, or otherwise assist any state-funded initiatives related to:

(a) Cybersecurity training, professional development, and education for state and local government employees, including school districts and the judicial branch.

(b) Increasing the cybersecurity effectiveness of the state's and local governments' technology platforms and infrastructure, including school districts and the judicial branch.

Section 9. This act shall take effect July 1, 2024.