Florida 2024 2024 Regular Session

Florida House Bill H1555 Comm Sub / Bill

Filed 02/24/2024

                       
 
CS/CS/CS/HB 1555  2024

CODING: Words stricken are deletions; words underlined are additions.
hb1555-03-c3
FLORIDA HOUSE OF REPRESENTATIVES
 
 
 
A bill to be entitled

An act relating to cybersecurity; amending s. 110.205,
F.S.; exempting the state chief technology officer
from the career service; amending s. 282.0041, F.S.;
providing definitions; amending s. 282.0051, F.S.;
revising the purposes for which the Florida Digital
Service is established; revising the date by which
Department of Management Services, acting through the
Florida Digital Service, must provide certain
recommendations to the Executive Office of the
Governor and the Legislature; requiring the state
chief information officer, in consultation with the
Secretary of Management Services, to designate a state
chief technology officer; providing duties of the
state chief technology officer; amending s. 282.318,
F.S.; providing that the Florida Digital Service is
the lead entity for a certain purpose; requiring the
Cybersecurity Operations Center to provide certain
notifications; requiring the state chief information
officer to make certain reports in consultation with
the state chief information security officer;
requiring a state agency to report ransomware and
cybersecurity incidents within certain time periods;
requiring the Cybersecurity Operations Center to
immediately notify a certain entity of reported
incidents and take certain actions; requiring the
department to preserve certain data and provide
certain aid in certain circumstances; requiring the
state chief information security officer to notify the
Legislature of certain incidents within a certain
period; requiring the Cybersecurity Operations Center
to provide a certain report to certain entities by a
specified date; authorizing the Florida Digital
Service to obtain certain access to certain state
agency accounts and instances and direct certain
measures; prohibiting the department from taking
certain actions; providing applicability; revising the
purpose of an agency's information security manager
and the date by which he or she must be designated;
authorizing the chairs of certain legislative
committees or subcommittees to attend exempt portions
of meetings of the Florida Cybersecurity Advisory
Council if authorized by the President of the Senate
or Speaker of the House of Representatives, as
applicable; amending s. 282.3185, F.S.; requiring a
local government to report ransomware and certain
cybersecurity incidents to the Cybersecurity
Operations Center within certain time periods;
requiring the Cybersecurity Operations Center to
immediately notify certain entities of certain
incidents and take certain actions; requiring the
Department of Law Enforcement to coordinate certain
incident responses; amending s. 282.319, F.S.;
revising the membership of the Florida Cybersecurity
Advisory Council; amending s. 1004.444, F.S.;
providing that the Florida Center for Cybersecurity
may be referred to in a certain manner; providing that
the center is established under the direction of the
president of the University of South Florida and may
be assigned within a college that meets certain
requirements; revising the mission and goals of the
center; authorizing the center to take certain actions
relating to certain initiatives; providing an
effective date.

Be It Enacted by the Legislature of the State of Florida:

Section 1. Paragraph (e) of subsection (2) of section
110.205, Florida Statutes, is amended to read:

110.205 Career service; exemptions.—

(2) EXEMPT POSITIONS.—The exempt positions that are not
covered by this part include the following:

(e) The state chief information officer, the state chief
data officer, the state chief technology officer, and the state
chief information security officer. The Department of Management
Services shall set the salary and benefits of these positions in
accordance with the rules of the Senior Management Service.

Section 2. Subsections (7) through (16) and (17) through
(38) of section 282.0041, Florida Statutes, are renumbered as
subsections (8) through (17) and (19) through (40),
respectively, and new subsections (7) and (18) are added to that
section to read:

282.0041 Definitions.—As used in this chapter, the term:

(7) "Criminal justice agency" has the same meaning as in
s. 943.045.

(18) "Enterprise digital data" means information held by a
state agency in electronic form that is deemed to be data owned
by the state and held for state purposes by the state agency.
Enterprise digital data must be maintained in accordance with
chapter 119. This subsection may not be construed to create,
modify, abrogate, or expand an exemption from public records
requirements under s. 119.07(1) or s. 24(a), Art. I of the State
Constitution.

Section 3. Subsection (1) of section 282.0051, Florida
Statutes, is amended, and paragraph (c) is added to subsection
(2) of that section, to read:

282.0051 Department of Management Services; Florida
Digital Service; powers, duties, and functions.—

(1) The Florida Digital Service is established has been
created within the department to lead enterprise information
technology and cybersecurity efforts, to propose and evaluate
innovative solutions pursuant to interagency agreements that
securely modernize state government, including technology and
information services, to achieve value through digital
transformation and interoperability, and to fully support the
cloud-first policy as specified in s. 282.206. The department,
through the Florida Digital Service, shall have the following
powers, duties, and functions:

(a) Develop and publish information technology policy for
the management of the state's information technology resources.

(b) Develop an enterprise architecture that:

1. Acknowledges the unique needs of the entities within
the enterprise in the development and publication of standards
and terminologies to facilitate digital interoperability;

2. Supports the cloud-first policy as specified in s.
282.206; and

3. Addresses how information technology infrastructure may
be modernized to achieve cloud-first objectives.

(c) Establish project management and oversight standards
with which state agencies must comply when implementing
information technology projects. The department, acting through
the Florida Digital Service, shall provide training
opportunities to state agencies to assist in the adoption of the
project management and oversight standards. To support data-driven
decisionmaking, the standards must include, but are not
limited to:

1. Performance measurements and metrics that objectively
reflect the status of an information technology project based on
a defined and documented project scope, cost, and schedule.

2. Methodologies for calculating acceptable variances in
the projected versus actual scope, schedule, or cost of an
information technology project.

3. Reporting requirements, including requirements designed
to alert all defined stakeholders that an information technology
project has exceeded acceptable variances defined and documented
in a project plan.

4. Content, format, and frequency of project updates.

5. Technical standards to ensure an information technology
project complies with the enterprise architecture.

(d) Perform project oversight on all state agency
information technology projects that have total project costs of
$10 million or more and that are funded in the General
Appropriations Act or any other law. The department, acting
through the Florida Digital Service, shall report at least
quarterly to the Executive Office of the Governor, the President
of the Senate, and the Speaker of the House of Representatives
on any information technology project that the department
identifies as high-risk due to the project exceeding acceptable
variance ranges defined and documented in a project plan. The
report must include a risk assessment, including fiscal risks,
associated with proceeding to the next stage of the project, and
a recommendation for corrective actions required, including
suspension or termination of the project.

(e) Identify opportunities for standardization and
consolidation of information technology services that support
interoperability and the cloud-first policy, as specified in s.
282.206, and business functions and operations, including
administrative functions such as purchasing, accounting and
reporting, cash management, and personnel, and that are common
across state agencies. The department, acting through the
Florida Digital Service, shall biennially on January 15 1 of
each even-numbered year provide recommendations for
standardization and consolidation to the Executive Office of the
Governor, the President of the Senate, and the Speaker of the
House of Representatives.

(f) Establish best practices for the procurement of
information technology products and cloud-computing services in
order to reduce costs, increase the quality of data center
services, or improve government services.

(g) Develop standards for information technology reports
and updates, including, but not limited to, operational work
plans, project spend plans, and project status reports, for use
by state agencies.

(h) Upon request, assist state agencies in the development
of information technology-related legislative budget requests.
 
(i) Conduct annual assessments of state agencies to
determine compliance with all information technology standards
and guidelines developed and published by the department and
provide results of the assessments to the Executive Office of
the Governor, the President of the Senate, and the Speaker of
the House of Representatives.

(j) Conduct a market analysis not less frequently than
every 3 years beginning in 2021 to determine whether the
information technology resources within the enterprise are
utilized in the most cost-effective and cost-efficient manner,
while recognizing that the replacement of certain legacy
information technology systems within the enterprise may be cost
prohibitive or cost inefficient due to the remaining useful life
of those resources; whether the enterprise is complying with the
cloud-first policy specified in s. 282.206; and whether the
enterprise is utilizing best practices with respect to
information technology, information services, and the
acquisition of emerging technologies and information services.
Each market analysis shall be used to prepare a strategic plan
for continued and future information technology and information
services for the enterprise, including, but not limited to,
proposed acquisition of new services or technologies and
approaches to the implementation of any new services or
technologies. Copies of each market analysis and accompanying
strategic plan must be submitted to the Executive Office of the
Governor, the President of the Senate, and the Speaker of the
House of Representatives not later than December 31 of each year
that a market analysis is conducted.

(k) Recommend other information technology services that
should be designed, delivered, and managed as enterprise
information technology services. Recommendations must include
the identification of existing information technology resources
associated with the services, if existing services must be
transferred as a result of being delivered and managed as
enterprise information technology services.

(l) In consultation with state agencies, propose a
methodology and approach for identifying and collecting both
current and planned information technology expenditure data at
the state agency level.

(m)1. Notwithstanding any other law, provide project
oversight on any information technology project of the
Department of Financial Services, the Department of Legal
Affairs, and the Department of Agriculture and Consumer Services
which has a total project cost of $20 million or more. Such
information technology projects must also comply with the
applicable information technology architecture, project
management and oversight, and reporting standards established by
the department, acting through the Florida Digital Service.

2. When performing the project oversight function
specified in subparagraph 1., report at least quarterly to the
Executive Office of the Governor, the President of the Senate,
and the Speaker of the House of Representatives on any
information technology project that the department, acting
through the Florida Digital Service, identifies as high-risk due
to the project exceeding acceptable variance ranges defined and
documented in the project plan. The report shall include a risk
assessment, including fiscal risks, associated with proceeding
to the next stage of the project and a recommendation for
corrective actions required, including suspension or termination
of the project.

(n) If an information technology project implemented by a
state agency must be connected to or otherwise accommodated by
an information technology system administered by the Department
of Financial Services, the Department of Legal Affairs, or the
Department of Agriculture and Consumer Services, consult with
these departments regarding the risks and other effects of such
projects on their information technology systems and work
cooperatively with these departments regarding the connections,
interfaces, timing, or accommodations required to implement such
projects.

(o) If adherence to standards or policies adopted by or
established pursuant to this section causes conflict with
federal regulations or requirements imposed on an entity within
the enterprise and results in adverse action against an entity
or federal funding, work with the entity to provide alternative
standards, policies, or requirements that do not conflict with
the federal regulation or requirement. The department, acting
through the Florida Digital Service, shall annually by January
15 report such alternative standards to the Executive Office of
the Governor, the President of the Senate, and the Speaker of
the House of Representatives.

(p)1. Establish an information technology policy for all
information technology-related state contracts, including state
term contracts for information technology commodities,
consultant services, and staff augmentation services. The
information technology policy must include:

a. Identification of the information technology product
and service categories to be included in state term contracts.

b. Requirements to be included in solicitations for state
term contracts.

c. Evaluation criteria for the award of information
technology-related state term contracts.

d. The term of each information technology-related state
term contract.

e. The maximum number of vendors authorized on each state
term contract.

f. At a minimum, a requirement that any contract for
information technology commodities or services meet the National
Institute of Standards and Technology Cybersecurity Framework.

g. For an information technology project wherein project
oversight is required pursuant to paragraph (d) or paragraph
(m), a requirement that independent verification and validation
be employed throughout the project life cycle with the primary
objective of independent verification and validation being to
provide an objective assessment of products and processes
throughout the project life cycle. An entity providing
independent verification and validation may not have technical,
managerial, or financial interest in the project and may not
have responsibility for, or participate in, any other aspect of
the project.

2. Evaluate vendor responses for information
technology-related state term contract solicitations and invitations to
negotiate.

3. Answer vendor questions on information
technology-related state term contract solicitations.

4. Ensure that the information technology policy
established pursuant to subparagraph 1. is included in all
solicitations and contracts that are administratively executed
by the department.

(q) Recommend potential methods for standardizing data
across state agencies which will promote interoperability and
reduce the collection of duplicative data.

(r) Recommend open data technical standards and
terminologies for use by the enterprise.

(s) Ensure that enterprise information technology
solutions are capable of utilizing an electronic credential and
comply with the enterprise architecture standards.

(2)

(c) The state chief information officer, in consultation
with the Secretary of Management Services, shall designate a
state chief technology officer who shall be responsible for all
of the following:

1. Establishing and maintaining an enterprise architecture
framework that ensures information technology investments align
with the state's strategic objectives and initiatives pursuant
to paragraph (1)(b).

2. Conducting comprehensive evaluations of potential
technological solutions and cultivating strategic partnerships,
internally with state enterprise agencies and externally with
the private sector, to leverage collective expertise, foster
collaboration, and advance the state's technological
capabilities.

3. Supervising program management of enterprise
information technology initiatives pursuant to paragraphs
(1)(c), (d), and (l); providing advisory support and oversight
for technology-related projects; and continuously identifying
and recommending best practices to optimize outcomes of
technology projects and enhance the enterprise's technological
efficiency and effectiveness.

Section 4. Subsection (3), paragraph (a) of subsection
(4), and subsection (6) of section 282.318, Florida Statutes,
are amended to read:

282.318 Cybersecurity.—

(3) The department, acting through the Florida Digital
Service, is the lead entity responsible for leading enterprise
information technology and cybersecurity efforts, establishing
standards and processes for assessing state agency cybersecurity
risks, and determining appropriate security measures. Such
standards and processes must be consistent with generally
accepted technology best practices, including the National
Institute for Standards and Technology Cybersecurity Framework,
for cybersecurity. The department, acting through the Florida
Digital Service, shall adopt rules that mitigate risks;
safeguard state agency digital assets, data, information, and
information technology resources to ensure availability,
confidentiality, and integrity; and support a security
governance framework. The department, acting through the Florida
Digital Service, shall also:

(a) Designate an employee of the Florida Digital Service
as the state chief information security officer. The state chief
information security officer must have experience and expertise
in security and risk management for communications and
information technology resources. The state chief information
security officer is responsible for the development, operation,
and oversight of cybersecurity for state technology systems. The
Cybersecurity Operations Center shall immediately notify the
state chief information officer and the state chief information
security officer shall be notified of all confirmed or suspected
incidents or threats of state agency information technology
resources. The state chief information officer, in consultation
with the state chief information security officer, and must
report such incidents or threats to the state chief information
officer and the Governor.

(b) Develop, and annually update by February 1, a
statewide cybersecurity strategic plan that includes security
goals and objectives for cybersecurity, including the
identification and mitigation of risk, proactive protections
against threats, tactical risk detection, threat reporting, and
response and recovery protocols for a cyber incident.

(c) Develop and publish for use by state agencies a
cybersecurity governance framework that, at a minimum, includes
guidelines and processes for:

1. Establishing asset management procedures to ensure that
an agency's information technology resources are identified and
managed consistent with their relative importance to the
agency's business objectives.

2. Using a standard risk assessment methodology that
includes the identification of an agency's priorities,
constraints, risk tolerances, and assumptions necessary to
support operational risk decisions.
 
3. Completing comprehensive risk assessments and
cybersecurity audits, which may be completed by a private sector
vendor, and submitting completed assessments and audits to the
department.

4. Identifying protection procedures to manage the
protection of an agency's information, data, and information
technology resources.

5. Establishing procedures for accessing information and
data to ensure the confidentiality, integrity, and availability
of such information and data.

6. Detecting threats through proactive monitoring of
events, continuous security monitoring, and defined detection
processes.

7. Establishing agency cybersecurity incident response
teams and describing their responsibilities for responding to
cybersecurity incidents, including breaches of personal
information containing confidential or exempt data.

8. Recovering information and data in response to a
cybersecurity incident. The recovery may include recommended
improvements to the agency processes, policies, or guidelines.

9. Establishing a cybersecurity incident reporting process
that includes procedures for notifying the department and the
Department of Law Enforcement of cybersecurity incidents.

a. The level of severity of the cybersecurity incident is
defined by the National Cyber Incident Response Plan of the
United States Department of Homeland Security as follows:

(I) Level 5 is an emergency-level incident within the
specified jurisdiction that poses an imminent threat to the
provision of wide-scale critical infrastructure services;
national, state, or local government security; or the lives of
the country's, state's, or local government's residents.

(II) Level 4 is a severe-level incident that is likely to
result in a significant impact in the affected jurisdiction to
public health or safety; national, state, or local security;
economic security; or civil liberties.

(III) Level 3 is a high-level incident that is likely to
result in a demonstrable impact in the affected jurisdiction to
public health or safety; national, state, or local security;
economic security; civil liberties; or public confidence.

(IV) Level 2 is a medium-level incident that may impact
public health or safety; national, state, or local security;
economic security; civil liberties; or public confidence.

(V) Level 1 is a low-level incident that is unlikely to
impact public health or safety; national, state, or local
security; economic security; civil liberties; or public
confidence.

b. The cybersecurity incident reporting process must
specify the information that must be reported by a state agency
following a cybersecurity incident or ransomware incident,
which, at a minimum, must include the following:
 
(I) A summary of the facts surrounding the cybersecurity
incident or ransomware incident.

(II) The date on which the state agency most recently
backed up its data; the physical location of the backup, if the
backup was affected; and if the backup was created using cloud
computing.

(III) The types of data compromised by the cybersecurity
incident or ransomware incident.

(IV) The estimated fiscal impact of the cybersecurity
incident or ransomware incident.

(V) In the case of a ransomware incident, the details of
the ransom demanded.

c.(I) A state agency shall report all ransomware incidents
and any cybersecurity incidents incident determined by the state
agency to be of severity level 3, 4, or 5 to the Cybersecurity
Operations Center and the Cybercrime Office of the Department of
Law Enforcement as soon as possible but no later than 12 48
hours after discovery of the cybersecurity incident and no later
than 6 12 hours after discovery of the ransomware incident. The
report must contain the information required in sub-subparagraph
b.

(II) The Cybersecurity Operations Center shall:

(A) Immediately notify the Cybercrime Office of the
Department of Law Enforcement of a reported incident and provide
to the Cybercrime Office of the Department of Law Enforcement
regular reports on the status of the incident. The department
shall preserve forensic data to support a subsequent
investigation and provide aid to the investigative efforts of
the Cybercrime Office of the Department of Law Enforcement upon
the office's request if the investigation does not impede
remediation of the incident and there is no risk to the public
and no risk to critical state functions.

(B) Immediately notify the state chief information officer
and the state chief information security officer of a reported
incident. The state chief information security officer shall
notify the President of the Senate and the Speaker of the House
of Representatives of any severity level 3, 4, or 5 incident as
soon as possible but no later than 12 hours after receiving a
state agency's incident report. The notification must include a
high-level description of the incident and the likely effects.

d. A state agency shall report a cybersecurity incident
determined by the state agency to be of severity level 1 or 2 to
the Cybersecurity Operations Center and the Cybercrime Office of
the Department of Law Enforcement as soon as possible. The
report must contain the information required in sub-subparagraph
b.

d.e. The Cybersecurity Operations Center shall provide a
consolidated incident report by the 30th day after the end of
each quarter on a quarterly basis to the Governor, the Attorney
General, the executive director of the Department of Law
Enforcement, the President of the Senate, the Speaker of the 476 
House of Representatives, and the Florida Cybersecurity Advisory 477 
Council. The report provided to the Florida Cybersecurity 478
Advisory Council may not contain the name of any agency, network 479 
information, or system identifying information but must contain 480 
sufficient relevant information to allow the Florida 481 
Cybersecurity Advisory Council to fulfill its responsibilities 482 
as required in s. 282.319(9). 483 
 10.  Incorporating information obtained through detection 484 
and response activities into the agency's cybersecurity incident 485 
response plans. 486 
 11.  Developing agency strategic and operational 487 
cybersecurity plans required pursuant to this section. 488
 12.  Establishing the managerial, operational, and 489 
technical safeguards for protecting state government data and 490 
information technology resources that align with the state 491 
agency risk management strategy and that protect the 492 
confidentiality, integrity, and availability of information and 493 
data. 494 
 13.  Establishing procedures for procuring information 495 
technology commodities and services that require the commodity 496 
or service to meet the National Institute of Standards and 497 
Technology Cybersecurity Framework. 498 
 14.  Submitting after-action reports following a 499
cybersecurity incident or ransomware incident. Such guidelines 500     
 
and processes for submitting after-action reports must be 501
developed and published by December 1, 2022. 502 
 (d)  Assist state agencies in complying with this section. 503
 (e)  In collaboration with the Cybercrime Office of the 504 
Department of Law Enforcement, annually provide training for 505 
state agency information security managers and computer security 506 
incident response team members that contains training on 507 
cybersecurity, including cybersecurity threats, trends, and best 508 
practices. 509 
 (f)  Annually review the strategic and operational 510 
cybersecurity plans of state agencies. 511 
 (g)  Annually provide cybersecurity training to all state 512 
agency technology professionals and employees with access to 513 
highly sensitive information which develops, assesses, and 514 
documents competencies by role and skill level. The 515 
cybersecurity training curriculum must include training on the 516 
identification of each cybersecurity incident severity level 517
referenced in sub-subparagraph (c)9.a. The training may be 518 
provided in collaboration with the Cybercrime Office of the 519 
Department of Law Enforcement, a private sector entity, or an 520 
institution of the State University System. 521 
 (h)  Operate and maintain a Cybersecurity Operations Center 522 
led by the state chief information security officer, which must 523 
be primarily virtual and staffed with tactical detection and 524 
incident response personnel. The Cybersecurity Operations Center 525     
 
shall serve as a clearinghouse for threat information and 526 
coordinate with the Department of Law Enforcement to support 527 
state agencies and their response to any confirmed or suspected 528 
cybersecurity incident. 529 
 (i)  Lead an Emergency Support Function, ESF-20 ESF CYBER, 530 
under the state comprehensive emergency management plan as 531 
described in s. 252.35. 532 
 (j)  During a cyber incident or as otherwise agreed to in 533 
writing by the state agency that holds the particular enterprise 534 
digital data, have the authority to obtain immediate and 535 
complete access to state agency accounts and instances that hold 536 
enterprise digital data and to direct, in consultation with the 537 
state agency that holds the particular enterprise digital data, 538 
measures to assess, monitor, and protect the security of 539
enterprise digital data. The department may not view, modify, 540 
transfer, or otherwise duplicate enterprise digital data except 541 
as required to respond to a cyber incident or as agreed to in 542 
writing by the state agency that holds the particular enterprise 543
digital data. This paragraph does not apply to a criminal 544 
justice agency. 545 
 (4)  Each state agency head shall, at a minimum: 546 
 (a)  Designate an information security manager to ensure 547 
compliance with cybersecurity governance and with the state's 548 
enterprise security program and incident response plan. The 549 
information security manager must coordinate with the agency's 550     
 
information security personnel and the Cybersecurity Operations 551 
Center to ensure that the unique needs of the agency are met 552 
administer the cybersecurity program of the state agency. This 553
designation must be provided annually in writing to the 554 
department by January 15 1. A state agency's information 555 
security manager, for purposes of these information security 556 
duties, shall report directly to the agency head. 557 
 (6)(a) Those portions of a public meeting as specified in 558 
s. 286.011 which would reveal records which are confidential and 559 
exempt under subsection (5) are exempt from s. 286.011 and s. 560 
24(b), Art. I of the State Constitution. No exempt portion of an 561 
exempt meeting may be off the record. All exempt portions of 562 
such meeting shall be recorded and transcribed. Such recordings 563 
and transcripts are confidential and exempt from disclosure 564 
under s. 119.07(1) and s. 24(a), Art. I of the State 565 
Constitution unless a court of competent jurisdiction, after an 566 
in camera review, determines that the meeting was not restricted 567 
to the discussion of data and information made confidential and 568
exempt by this section. In the event of such a judicial 569 
determination, only that portion of the recording and transcript 570 
which reveals nonexempt data and information may be disclosed to 571 
a third party. 572 
 (b)  If authorized by the President of the Senate or the 573
Speaker of the House of Representatives, as applicable, the 574 
chair of a standing or select committee of the Legislature, or a 575     
 
subcommittee thereof, with responsibility over the subject area 576 
of cybersecurity may attend those portions of a meeting that are 577
exempt under paragraph (a). 578 
 Section 5.  Paragraphs (b) and (c) of subsection (5) of 579 
section 282.3185, Florida Statutes, are amended to read: 580 
 282.3185  Local government cybersecurity.— 581
 (5)  INCIDENT NOTIFICATION.— 582
 (b)1.  A local government shall report all ransomware 583
incidents and any cybersecurity incident determined by the local 584 
government to be of severity level 3, 4, or 5 as provided in s. 585 
282.318(3)(c) to the Cybersecurity Operations Center, the 586
Cybercrime Office of the Department of Law Enforcement, and the 587
sheriff who has jurisdiction over the local government as soon 588 
as possible but no later than 12 48 hours after discovery of the 589 
cybersecurity incident and no later than 6 12 hours after 590 
discovery of the ransomware incident. The report must contain 591
the information required in paragraph (a). 592 
 2.  The Cybersecurity Operations Center shall: 593
 a.  Immediately notify the Cybercrime Office of the 594 
Department of Law Enforcement and provide to the Cybercrime 595 
Office of the Department of Law Enforcement and the sheriff who 596
has jurisdiction over the local government regular reports on 597 
the status of the incident, preserve forensic data to support a 598 
subsequent investigation, and provide aid to the investigative 599 
efforts of the Cybercrime Office of the Department of Law 600
 
Enforcement upon the office's request. The Department of Law 601 
Enforcement shall coordinate the response to an incident in 602 
which a law enforcement agency is the subject of the incident 603 
and must provide updates to the Cybersecurity Operations Center. 604
 b.  Immediately notify the state chief information security 605 
officer of a reported incident. The state chief information 606 
security officer shall notify the President of the Senate and 607 
the Speaker of the House of Representatives of any severity 608 
level 3, 4, or 5 incident as soon as possible but no later than 609 
12 hours after receiving a local government's incident report. 610 
The notification must include a high-level description of the 611
incident and the likely effects. 612 
 (c)  A local government may report a cybersecurity incident 613
determined by the local government to be of severity level 1 or 614 
2 as provided in s. 282.318(3)(c) to the Cybersecurity 615 
Operations Center, the Cybercrime Office of the Department of 616 
Law Enforcement, and the sheriff who has jurisdiction over the 617 
local government. The report shall contain the information 618 
required in paragraph (a). The Cybersecurity Operations Center 619 
shall immediately notify the Cybercrime Office of the Department 620 
of Law Enforcement and the sheriff who has jurisdiction over the 621 
local government of a reported incident and provide regular 622 
reports on the status of the cybersecurity incident, preserve 623 
forensic data to support a subsequent investigation, and provide 624 
aid to the investigative efforts of the Cybercrime Office of the 625     
 
Department of Law Enforcement upon request if the investigation 626 
does not impede remediation of the cybersecurity incident and 627 
there is no risk to the public and no risk to critical state 628 
functions. 629 
 Section 6.  Paragraph (j) of subsection (4) of section 630 
282.319, Florida Statutes, is amended, and paragraph (m) is 631 
added to that subsection, to read: 632 
 282.319  Florida Cybersecurity Advisory Council.— 633
 (4)  The council shall be comprised of the following 634 
members: 635 
 (j)  Three representatives from critical infrastructure 636
sectors, one of whom must be from a utility provider water 637 
treatment facility, appointed by the Governor. 638 
 (m)  A representative of local government. 639 
 Section 7.  Section 1004.444, Florida Statutes, is amended 640 
to read: 641 
 1004.444  Florida Center for Cybersecurity.— 642
 (1)  The Florida Center for Cybersecurity, which may also 643
be referred to as "Cyber Florida," is established as a center 644 
within the University of South Florida under the direction of 645 
the president of the university or the president's designee. The 646 
president may assign the center within a college of the 647 
university if the college has a strong emphasis in 648 
cybersecurity, technology, or computer sciences and engineering 649 
as determined and approved by the university's board of 650     
 
trustees. 651 
 (2)  The mission and goals of the center are to: 652 
 (a)  Position Florida as the national leader in 653 
cybersecurity and its related workforce primarily through 654 
advancing and funding education and, research and development 655 
initiatives in cybersecurity and related fields, with a 656
secondary emphasis on , and community engagement and 657 
cybersecurity awareness . 658 
 (b)  Assist in the creation of jobs in the state's 659 
cybersecurity industry and enhance the existing cybersecurity 660 
workforce through education, research, applied science, and 661
engagements and partnerships with the private and military 662 
sectors. 663 
 (c)  Act as a cooperative facilitator for state business 664 
and higher education communities to share cybersecurity 665 
knowledge, resources, and training. 666 
 (d)  Seek out research and development agreements and other 667 
partnerships with major military installations and affiliated 668 
contractors to assist, when possible, in homeland cybersecurity 669 
defense initiatives. 670 
 (e)  Attract cybersecurity companies and jobs to the state 671 
with an emphasis on defense, finance, health care, 672 
transportation, and utility sectors. 673 
 (f)  Conduct, fund, and facilitate research and applied 674 
science that leads to the creation of new technologies and 675     
 
software packages that have military and civilian applications 676 
and which can be transferred for military and homeland defense 677 
purposes or for sale or use in the private sector. 678 
 (3)  Upon receiving a request for assistance from the 679 
Department of Management Services, the Florida Digital Service, 680 
or another state agency, the center is authorized, but may not 681 
be compelled by the agency, to conduct, consult on, or otherwise 682 
assist any state-funded initiatives related to: 683 
 (a)  Cybersecurity training, professional development, and 684 
education for state and local government employees, including 685
school districts and the judicial branch. 686 
 (b)  Increasing the cybersecurity effectiveness of the 687 
state's and local governments' technology platforms and 688 
infrastructure, including school districts and the judicial 689 
branch. 690 
 Section 8.  This act shall take effect July 1, 2024. 691