CS/CS/HB 1555 2024
CODING: Words stricken are deletions; words underlined are additions.
hb1555-02-c2 Page 1 of 27
FLORIDA HOUSE OF REPRESENTATIVES

A bill to be entitled

An act relating to cybersecurity; amending s. 110.205, F.S.; exempting the state chief technology officer from the career service; amending s. 282.0041, F.S.; providing definitions; amending s. 282.0051, F.S.; revising the purposes for which the Florida Digital Service is established; revising the date by which Department of Management Services, acting through the Florida Digital Service, must provide certain recommendations to the Executive Office of the Governor and the Legislature; requiring the state chief information officer, in consultation with the Secretary of Management Services, to designate a state chief technology officer; providing duties of the state chief technology officer; amending s. 282.318, F.S.; providing that the Florida Digital Service is the lead entity for a certain purpose; requiring the Cybersecurity Operations Center to provide certain notifications; requiring the state chief information officer to make certain reports in consultation with the state chief information security officer; requiring a state agency to report ransomware and cybersecurity incidents within certain time periods; requiring the Cybersecurity Operations Center to immediately notify a certain entity of reported
incidents and take certain actions; requiring the department to preserve certain data and provide certain aid in certain circumstances; requiring the state chief information security officer to notify the Legislature of certain incidents within a certain period; requiring the Cybersecurity Operations Center to provide a certain report to certain entities by a specified date; authorizing the Florida Digital Service to obtain certain access to certain state agency accounts and instances and direct certain measures; prohibiting the department from taking certain actions; providing applicability; revising the purpose of an agency's information security manager and the date by which he or she must be designated; amending s. 282.3185, F.S.; requiring a local government to report ransomware and certain cybersecurity incidents to the Cybersecurity Operations Center within certain time periods; requiring the Cybersecurity Operations Center to immediately notify certain entities of certain incidents and take certain actions; requiring the Department of Law Enforcement to coordinate certain incident responses; amending s. 1004.444, F.S.; providing that the Florida Center for Cybersecurity may be referred to in a certain manner; providing that the center is established under the direction of the president of the University of South Florida and may be assigned within a college that meets certain requirements; revising the mission and goals of the center; authorizing the center to take certain actions relating to certain initiatives; providing an effective date.
Be It Enacted by the Legislature of the State of Florida:

Section 1. Paragraph (e) of subsection (2) of section 110.205, Florida Statutes, is amended to read:

110.205 Career service; exemptions.—

(2) EXEMPT POSITIONS.—The exempt positions that are not covered by this part include the following:

(e) The state chief information officer, the state chief data officer, the state chief technology officer, and the state chief information security officer. The Department of Management Services shall set the salary and benefits of these positions in accordance with the rules of the Senior Management Service.

Section 2. Subsections (3) through (5), (6), (7) through (16), and (17) through (38) of section 282.0041, Florida Statutes, are renumbered as subsections (4) through (6), (8), (10) through (19), and (21) through (42), respectively, and new subsections (3), (7), (9), and (20) are added to that section to read:

282.0041 Definitions.—As used in this chapter, the term:

(3) "As a service" means the contracting with or outsourcing to a third party of a defined role or function as a means of delivery.

(7) "Cloud provider" means an entity that provides cloud-computing services.

(9) "Criminal justice agency" has the same meaning as in s. 943.045.

(20) "Enterprise digital data" means information held by a state agency in electronic form that is deemed to be data owned by the state and held for state purposes by the state agency. Enterprise digital data must be maintained in accordance with chapter 119. This subsection may not be construed to create, modify, abrogate, or expand an exemption from public records requirements under s. 119.07(1) or s. 24(a), Art. I of the State Constitution.

Section 3.
Subsection (1) of section 282.0051, Florida Statutes, is amended, and paragraph (c) is added to subsection (2) of that section, to read:

282.0051 Department of Management Services; Florida Digital Service; powers, duties, and functions.—

(1) The Florida Digital Service is established has been created within the department to lead enterprise information technology and cybersecurity efforts, to propose and evaluate innovative solutions pursuant to interagency agreements that securely modernize state government, including technology and information services, to achieve value through digital transformation and interoperability, and to fully support the cloud-first policy as specified in s. 282.206. The department, through the Florida Digital Service, shall have the following powers, duties, and functions:

(a) Develop and publish information technology policy for the management of the state's information technology resources.

(b) Develop an enterprise architecture that:

1. Acknowledges the unique needs of the entities within the enterprise in the development and publication of standards and terminologies to facilitate digital interoperability;

2. Supports the cloud-first policy as specified in s. 282.206; and

3. Addresses how information technology infrastructure may be modernized to achieve cloud-first objectives.

(c) Establish project management and oversight standards with which state agencies must comply when implementing information technology projects. The department, acting through the Florida Digital Service, shall provide training opportunities to state agencies to assist in the adoption of the project management and oversight standards.
To support data-driven decisionmaking, the standards must include, but are not limited to:

1. Performance measurements and metrics that objectively reflect the status of an information technology project based on a defined and documented project scope, cost, and schedule.

2. Methodologies for calculating acceptable variances in the projected versus actual scope, schedule, or cost of an information technology project.

3. Reporting requirements, including requirements designed to alert all defined stakeholders that an information technology project has exceeded acceptable variances defined and documented in a project plan.

4. Content, format, and frequency of project updates.

5. Technical standards to ensure an information technology project complies with the enterprise architecture.

(d) Perform project oversight on all state agency information technology projects that have total project costs of $10 million or more and that are funded in the General Appropriations Act or any other law. The department, acting through the Florida Digital Service, shall report at least quarterly to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives on any information technology project that the department identifies as high-risk due to the project exceeding acceptable variance ranges defined and documented in a project plan. The report must include a risk assessment, including fiscal risks, associated with proceeding to the next stage of the project, and
a recommendation for corrective actions required, including suspension or termination of the project.

(e) Identify opportunities for standardization and consolidation of information technology services that support interoperability and the cloud-first policy, as specified in s. 282.206, and business functions and operations, including administrative functions such as purchasing, accounting and reporting, cash management, and personnel, and that are common across state agencies. The department, acting through the Florida Digital Service, shall biennially on January 15 1 of each even-numbered year provide recommendations for standardization and consolidation to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives.

(f) Establish best practices for the procurement of information technology products and cloud-computing services in order to reduce costs, increase the quality of data center services, or improve government services.

(g) Develop standards for information technology reports and updates, including, but not limited to, operational work plans, project spend plans, and project status reports, for use by state agencies.

(h) Upon request, assist state agencies in the development of information technology-related legislative budget requests.

(i) Conduct annual assessments of state agencies to
determine compliance with all information technology standards and guidelines developed and published by the department and provide results of the assessments to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives.

(j) Conduct a market analysis not less frequently than every 3 years beginning in 2021 to determine whether the information technology resources within the enterprise are utilized in the most cost-effective and cost-efficient manner, while recognizing that the replacement of certain legacy information technology systems within the enterprise may be cost prohibitive or cost inefficient due to the remaining useful life of those resources; whether the enterprise is complying with the cloud-first policy specified in s. 282.206; and whether the enterprise is utilizing best practices with respect to information technology, information services, and the acquisition of emerging technologies and information services. Each market analysis shall be used to prepare a strategic plan for continued and future information technology and information services for the enterprise, including, but not limited to, proposed acquisition of new services or technologies and approaches to the implementation of any new services or technologies. Copies of each market analysis and accompanying strategic plan must be submitted to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives not later than December 31 of each year that a market analysis is conducted.
(k) Recommend other information technology services that should be designed, delivered, and managed as enterprise information technology services. Recommendations must include the identification of existing information technology resources associated with the services, if existing services must be transferred as a result of being delivered and managed as enterprise information technology services.

(l) In consultation with state agencies, propose a methodology and approach for identifying and collecting both current and planned information technology expenditure data at the state agency level.

(m)1. Notwithstanding any other law, provide project oversight on any information technology project of the Department of Financial Services, the Department of Legal Affairs, and the Department of Agriculture and Consumer Services which has a total project cost of $20 million or more. Such information technology projects must also comply with the applicable information technology architecture, project management and oversight, and reporting standards established by the department, acting through the Florida Digital Service.

2. When performing the project oversight function specified in subparagraph 1., report at least quarterly to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives on any information technology project that the department, acting through the Florida Digital Service, identifies as high-risk due to the project exceeding acceptable variance ranges defined and documented in the project plan.
The report shall include a risk assessment, including fiscal risks, associated with proceeding to the next stage of the project and a recommendation for corrective actions required, including suspension or termination of the project.

(n) If an information technology project implemented by a state agency must be connected to or otherwise accommodated by an information technology system administered by the Department of Financial Services, the Department of Legal Affairs, or the Department of Agriculture and Consumer Services, consult with these departments regarding the risks and other effects of such projects on their information technology systems and work cooperatively with these departments regarding the connections, interfaces, timing, or accommodations required to implement such projects.

(o) If adherence to standards or policies adopted by or established pursuant to this section causes conflict with federal regulations or requirements imposed on an entity within the enterprise and results in adverse action against an entity or federal funding, work with the entity to provide alternative standards, policies, or requirements that do not conflict with the federal regulation or requirement. The department, acting through the Florida Digital Service, shall annually by January 15 report such alternative standards to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives.

(p)1. Establish an information technology policy for all information technology-related state contracts, including state term contracts for information technology commodities, consultant services, and staff augmentation services.
The information technology policy must include:

a. Identification of the information technology product and service categories to be included in state term contracts.

b. Requirements to be included in solicitations for state term contracts.

c. Evaluation criteria for the award of information technology-related state term contracts.

d. The term of each information technology-related state term contract.

e. The maximum number of vendors authorized on each state term contract.

f. At a minimum, a requirement that any contract for information technology commodities or services meet the National Institute of Standards and Technology Cybersecurity Framework.

g. For an information technology project wherein project oversight is required pursuant to paragraph (d) or paragraph (m), a requirement that independent verification and validation be employed throughout the project life cycle with the primary objective of independent verification and validation being to provide an objective assessment of products and processes throughout the project life cycle. An entity providing independent verification and validation may not have technical, managerial, or financial interest in the project and may not have responsibility for, or participate in, any other aspect of the project.

2. Evaluate vendor responses for information technology-related state term contract solicitations and invitations to negotiate.

3. Answer vendor questions on information technology-related state term contract solicitations.

4. Ensure that the information technology policy established pursuant to subparagraph 1.
is included in all solicitations and contracts that are administratively executed by the department.

(q) Recommend potential methods for standardizing data across state agencies which will promote interoperability and reduce the collection of duplicative data.

(r) Recommend open data technical standards and terminologies for use by the enterprise.

(s) Ensure that enterprise information technology solutions are capable of utilizing an electronic credential and comply with the enterprise architecture standards.

(2)

(c) The state chief information officer, in consultation with the Secretary of Management Services, shall designate a state chief technology officer who shall be responsible for all of the following:

1. Establishing and maintaining an enterprise architecture framework that ensures information technology investments align with the state's strategic objectives and initiatives pursuant to paragraph (1)(b).

2. Conducting comprehensive evaluations of potential technological solutions and cultivating strategic partnerships, internally with state enterprise agencies and externally with the private sector, to leverage collective expertise, foster collaboration, and advance the state's technological capabilities.

3. Supervising program management of enterprise information technology initiatives pursuant to paragraphs (1)(c), (d), and (l); providing advisory support and oversight for technology-related projects; and continuously identifying and recommending best practices to optimize outcomes of technology projects and enhance the enterprise's technological efficiency and effectiveness.

Section 4.
Subsection (3) and paragraph (a) of subsection (4) of section 282.318, Florida Statutes, are amended to read:

282.318 Cybersecurity.—

(3) The department, acting through the Florida Digital Service, is the lead entity responsible for leading enterprise information technology and cybersecurity efforts, establishing standards and processes for assessing state agency cybersecurity risks, and determining appropriate security measures. Such standards and processes must be consistent with generally accepted technology best practices, including the National Institute for Standards and Technology Cybersecurity Framework, for cybersecurity. The department, acting through the Florida Digital Service, shall adopt rules that mitigate risks; safeguard state agency digital assets, data, information, and information technology resources to ensure availability, confidentiality, and integrity; and support a security governance framework. The department, acting through the Florida Digital Service, shall also:

(a) Designate an employee of the Florida Digital Service as the state chief information security officer. The state chief information security officer must have experience and expertise in security and risk management for communications and information technology resources. The state chief information security officer is responsible for the development, operation, and oversight of cybersecurity for state technology systems. The Cybersecurity Operations Center shall immediately notify the state chief information officer and the state chief information
security officer shall be notified of all confirmed or suspected incidents or threats of state agency information technology resources. The state chief information officer, in consultation with the state chief information security officer, and must report such incidents or threats to the state chief information officer and the Governor.

(b) Develop, and annually update by February 1, a statewide cybersecurity strategic plan that includes security goals and objectives for cybersecurity, including the identification and mitigation of risk, proactive protections against threats, tactical risk detection, threat reporting, and response and recovery protocols for a cyber incident.

(c) Develop and publish for use by state agencies a cybersecurity governance framework that, at a minimum, includes guidelines and processes for:

1. Establishing asset management procedures to ensure that an agency's information technology resources are identified and managed consistent with their relative importance to the agency's business objectives.

2. Using a standard risk assessment methodology that includes the identification of an agency's priorities, constraints, risk tolerances, and assumptions necessary to support operational risk decisions.

3. Completing comprehensive risk assessments and cybersecurity audits, which may be completed by a private sector vendor, and submitting completed assessments and audits to the department.

4. Identifying protection procedures to manage the protection of an agency's information, data, and information technology resources.

5.
Establishing procedures for accessing information and data to ensure the confidentiality, integrity, and availability of such information and data.

6. Detecting threats through proactive monitoring of events, continuous security monitoring, and defined detection processes.

7. Establishing agency cybersecurity incident response teams and describing their responsibilities for responding to cybersecurity incidents, including breaches of personal information containing confidential or exempt data.

8. Recovering information and data in response to a cybersecurity incident. The recovery may include recommended improvements to the agency processes, policies, or guidelines.

9. Establishing a cybersecurity incident reporting process that includes procedures for notifying the department and the Department of Law Enforcement of cybersecurity incidents.

a. The level of severity of the cybersecurity incident is defined by the National Cyber Incident Response Plan of the United States Department of Homeland Security as follows:

(I) Level 5 is an emergency-level incident within the specified jurisdiction that poses an imminent threat to the provision of wide-scale critical infrastructure services; national, state, or local government security; or the lives of the country's, state's, or local government's residents.

(II) Level 4 is a severe-level incident that is likely to result in a significant impact in the affected jurisdiction to public health or safety; national, state, or local security; economic security; or civil liberties.
(III) Level 3 is a high-level incident that is likely to result in a demonstrable impact in the affected jurisdiction to public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.

(IV) Level 2 is a medium-level incident that may impact public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.

(V) Level 1 is a low-level incident that is unlikely to impact public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.

b. The cybersecurity incident reporting process must specify the information that must be reported by a state agency following a cybersecurity incident or ransomware incident, which, at a minimum, must include the following:

(I) A summary of the facts surrounding the cybersecurity incident or ransomware incident.

(II) The date on which the state agency most recently backed up its data; the physical location of the backup, if the backup was affected; and if the backup was created using cloud computing.

(III) The types of data compromised by the cybersecurity incident or ransomware incident.

(IV) The estimated fiscal impact of the cybersecurity incident or ransomware incident.

(V) In the case of a ransomware incident, the details of the ransom demanded.
c.(I) A state agency shall report all ransomware incidents and any cybersecurity incidents incident determined by the state agency to be of severity level 3, 4, or 5 to the Cybersecurity Operations Center and the Cybercrime Office of the Department of Law Enforcement as soon as possible but no later than 12 48 hours after discovery of the cybersecurity incident and no later than 6 12 hours after discovery of the ransomware incident. The report must contain the information required in sub-subparagraph b.

(II) The Cybersecurity Operations Center shall:

(A) Immediately notify the Cybercrime Office of the Department of Law Enforcement of a reported incident and provide to the Cybercrime Office of the Department of Law Enforcement regular reports on the status of the incident. The department shall preserve forensic data to support a subsequent investigation and provide aid to the investigative efforts of the Cybercrime Office of the Department of Law Enforcement upon the office's request if the investigation does not impede remediation of the incident and there is no risk to the public and no risk to critical state functions.

(B) Immediately notify the state chief information officer and the state chief information security officer of a reported incident. The state chief information security officer shall notify the President of the Senate and the Speaker of the House of Representatives of any severity level 3, 4, or 5 incident as soon as possible but no later than 12 hours after receiving a state agency's incident report. The notification must include a high-level description of the incident and the likely effects.

d.
A state agency shall report a cybersecurity incident determined by the state agency to be of severity level 1 or 2 to the Cybersecurity Operations Center and the Cybercrime Office of the Department of Law Enforcement as soon as possible. The report must contain the information required in sub-subparagraph b.

d.e. The Cybersecurity Operations Center shall provide a consolidated incident report by the 30th day after the end of each quarter on a quarterly basis to the Governor, the Attorney General, the executive director of the Department of Law Enforcement, the President of the Senate, the Speaker of the House of Representatives, and the Florida Cybersecurity Advisory Council. The report provided to the Florida Cybersecurity Advisory Council may not contain the name of any agency, network information, or system identifying information but must contain sufficient relevant information to allow the Florida Cybersecurity Advisory Council to fulfill its responsibilities as required in s. 282.319(9).

10. Incorporating information obtained through detection and response activities into the agency's cybersecurity incident response plans.

11. Developing agency strategic and operational cybersecurity plans required pursuant to this section.

12. Establishing the managerial, operational, and technical safeguards for protecting state government data and information technology resources that align with the state agency risk management strategy and that protect the confidentiality, integrity, and availability of information and data.

13.
Establishing procedures for procuring information technology commodities and services that require the commodity or service to meet the National Institute of Standards and Technology Cybersecurity Framework.

14. Submitting after-action reports following a cybersecurity incident or ransomware incident. Such guidelines and processes for submitting after-action reports must be developed and published by December 1, 2022.

(d) Assist state agencies in complying with this section.

(e) In collaboration with the Cybercrime Office of the Department of Law Enforcement, annually provide training for state agency information security managers and computer security incident response team members that contains training on cybersecurity, including cybersecurity threats, trends, and best practices.

(f) Annually review the strategic and operational cybersecurity plans of state agencies.

(g) Annually provide cybersecurity training to all state agency technology professionals and employees with access to highly sensitive information which develops, assesses, and documents competencies by role and skill level. The cybersecurity training curriculum must include training on the identification of each cybersecurity incident severity level referenced in sub-subparagraph (c)9.a. The training may be provided in collaboration with the Cybercrime Office of the Department of Law Enforcement, a private sector entity, or an institution of the State University System.

(h) Operate and maintain a Cybersecurity Operations Center led by the state chief information security officer, which must be primarily virtual and staffed with tactical detection and incident response personnel.
The Cybersecurity Operations Center shall serve as a clearinghouse for threat information and coordinate with the Department of Law Enforcement to support state agencies and their response to any confirmed or suspected cybersecurity incident.
(i) Lead an Emergency Support Function, ESF-20 ESF CYBER, under the state comprehensive emergency management plan as described in s. 252.35.
(j) During a cyber incident or as otherwise agreed to in writing by the state agency that holds the particular enterprise digital data, have the authority to obtain immediate and complete access to state agency accounts and instances that hold enterprise digital data and to direct, in consultation with the state agency that holds the particular enterprise digital data, measures to assess, monitor, and protect the security of enterprise digital data. The department may not view, modify, transfer, or otherwise duplicate enterprise digital data except as required to respond to a cyber incident or as agreed to in writing by the state agency that holds the particular enterprise digital data. This paragraph does not apply to a criminal justice entity.
(4) Each state agency head shall, at a minimum:
(a) Designate an information security manager to ensure compliance with cybersecurity governance and with the state's enterprise security program and incident response plan. The information security manager must coordinate with the agency's information security personnel and the Cybersecurity Operations Center to ensure that the unique needs of the agency are met administer the cybersecurity program of the state agency. This designation must be provided annually in writing to the department by January 15 1. A state agency's information security manager, for purposes of these information security duties, shall report directly to the agency head.
Section 5. Paragraphs (b) and (c) of subsection (5) of section 282.3185, Florida Statutes, are amended to read:
282.3185 Local government cybersecurity.—
(5) INCIDENT NOTIFICATION.—
(b)1. A local government shall report all ransomware incidents and any cybersecurity incident determined by the local government to be of severity level 3, 4, or 5 as provided in s. 282.318(3)(c) to the Cybersecurity Operations Center, the Cybercrime Office of the Department of Law Enforcement, and the sheriff who has jurisdiction over the local government as soon as possible but no later than 12 48 hours after discovery of the cybersecurity incident and no later than 6 12 hours after discovery of the ransomware incident. The report must contain the information required in paragraph (a).
2. The Cybersecurity Operations Center shall:
a. Immediately notify the Cybercrime Office of the Department of Law Enforcement and provide to the Cybercrime Office of the Department of Law Enforcement and the sheriff who has jurisdiction over the local government regular reports on the status of the incident, preserve forensic data to support a subsequent investigation, and provide aid to the investigative efforts of the Cybercrime Office of the Department of Law Enforcement upon the office's request.
The Department of Law Enforcement shall coordinate the response to an incident in which a law enforcement agency is the subject of the incident and must provide updates to the Cybersecurity Operations Center.
b. Immediately notify the state chief information security officer of a reported incident. The state chief information security officer shall notify the President of the Senate and the Speaker of the House of Representatives of any severity level 3, 4, or 5 incident as soon as possible but no later than 12 hours after receiving a local government's incident report. The notification must include a high-level description of the incident and the likely effects.
(c) A local government may report a cybersecurity incident determined by the local government to be of severity level 1 or 2 as provided in s. 282.318(3)(c) to the Cybersecurity Operations Center, the Cybercrime Office of the Department of Law Enforcement, and the sheriff who has jurisdiction over the local government. The report shall contain the information required in paragraph (a). The Cybersecurity Operations Center shall immediately notify the Cybercrime Office of the Department of Law Enforcement and the sheriff who has jurisdiction over the local government of a reported incident and provide regular reports on the status of the cybersecurity incident, preserve forensic data to support a subsequent investigation, and provide aid to the investigative efforts of the Cybercrime Office of the Department of Law Enforcement upon request if the investigation does not impede remediation of the cybersecurity incident and there is no risk to the public and no risk to critical state functions.
Section 6. Section 1004.444, Florida Statutes, is amended to read:
1004.444 Florida Center for Cybersecurity.—
(1) The Florida Center for Cybersecurity, which may also be referred to as "Cyber Florida," is established as a center within the University of South Florida under the direction of the president of the university or the president's designee. The president may assign the center within a college of the university if the college has a strong emphasis in cybersecurity, technology, or computer sciences and engineering as determined and approved by the university's board of trustees.
(2) The mission and goals of the center are to:
(a) Position Florida as the national leader in cybersecurity and its related workforce primarily through advancing and funding education and, research and development initiatives in cybersecurity and related fields, with a secondary emphasis on , and community engagement and cybersecurity awareness.
(b) Assist in the creation of jobs in the state's cybersecurity industry and enhance the existing cybersecurity workforce through education, research, applied science, and engagements and partnerships with the private and military sectors.
(c) Act as a cooperative facilitator for state business and higher education communities to share cybersecurity knowledge, resources, and training.
(d) Seek out research and development agreements and other partnerships with major military installations and affiliated contractors to assist, when possible, in homeland cybersecurity defense initiatives.
(e) Attract cybersecurity companies and jobs to the state with an emphasis on defense, finance, health care, transportation, and utility sectors.
(f) Conduct, fund, and facilitate research and applied science that leads to the creation of new technologies and software packages that have military and civilian applications and which can be transferred for military and homeland defense purposes or for sale or use in the private sector.
(3) Upon receiving a request for assistance from the Department of Management Services, the Florida Digital Service, or another state agency, the center is authorized, but may not be compelled by the agency, to conduct, consult on, or otherwise assist any state-funded initiatives related to:
(a) Cybersecurity training, professional development, and education for state and local government employees, including school districts and the judicial branch.
(b) Increasing the cybersecurity effectiveness of the state's and local governments' technology platforms and infrastructure, including school districts and the judicial branch.
Section 7. This act shall take effect July 1, 2024.