Florida Senate - 2024 SB 1662 By Senator Collins 14-00407A-24 20241662__ 1 A bill to be entitled 2 An act relating to cybersecurity; amending s. 110.205, 3 F.S.; exempting certain personnel from the career 4 service; providing for the establishment of salary and 5 benefits for certain positions; amending s. 282.0041, 6 F.S.; providing definitions; amending s. 282.0051, 7 F.S.; revising the purposes for which the Florida 8 Digital Service is established; requiring the Florida 9 Digital Service to ensure that independent project 10 oversight on certain state agency information 11 technology projects is performed in a certain manner; 12 revising the date by which the Department of 13 Management Services, acting through the Florida 14 Digital Service, must provide certain recommendations 15 to the Executive Office of the Governor and the 16 Legislature; removing certain duties of the Florida 17 Digital Service; revising the total project cost of 18 certain projects for which the Florida Digital Service 19 must provide project oversight; specifying the date by 20 which the Florida Digital Service must provide certain 21 reports; requiring the state chief information 22 officer, in consultation with the Secretary of 23 Management Services, to designate a state chief 24 technology officer; providing duties of the state 25 chief technology officer; revising the total project 26 cost of certain projects for which certain procurement 27 actions must be taken; removing provisions prohibiting 28 the department, acting through the Florida Digital 29 Service, from retrieving or disclosing certain data in 30 certain circumstances; amending s. 282.00515, F.S.; 31 conforming a cross-reference; amending s. 282.318, 32 F.S.; providing that the Florida Digital Service is 33 the lead entity for a certain purpose; requiring the 34 Cybersecurity Operations Center to provide certain 35 notifications; requiring the state chief information 36 officer to make certain reports in consultation with 37 the state chief information security officer; revising 38 the timeframe for a state agency to report ransomware 39 and cybersecurity incidents to the Cybersecurity 40 Operations Center; requiring the Cybersecurity 41 Operations Center to immediately notify certain 42 entities of reported incidents and take certain 43 actions; requiring the state chief information 44 security officer to notify the Legislature of certain 45 incidents within a certain period; requiring that 46 certain notification be provided in a secure 47 environment; requiring the Cybersecurity Operations 48 Center to provide a certain report to certain entities 49 by a specified date; requiring the department, acting 50 through the Florida Digital Service, to provide 51 cybersecurity briefings to certain legislative 52 committees; authorizing the department, acting through 53 the Florida Digital Service, to obtain certain access 54 to certain infrastructure and direct certain measures; 55 requiring state agency heads to annually designate a 56 chief information security officer by a specified 57 date; revising the purpose of an agencys information 58 security manager and the date by which he or she must 59 be designated; authorizing the department to brief 60 certain legislative committees in a closed setting on 61 certain records that are confidential and exempt from 62 public records requirements; requiring such 63 legislative committees to maintain the confidential 64 and exempt status of certain records; authorizing 65 certain legislators to attend meetings of the Florida 66 Cybersecurity Advisory Council; amending s. 282.3185, 67 F.S.; requiring local governments to report ransomware 68 and certain cybersecurity incidents to the 69 Cybersecurity Operations Center within certain time 70 periods; requiring the Cybersecurity Operations Center 71 to immediately notify certain entities of certain 72 incidents and take certain actions; requiring the 73 state chief information security officer to provide 74 certain notification to the Legislature within a 75 certain timeframe and in a secure environment; 76 amending s. 282.319, F.S.; revising the membership of 77 the Florida Cybersecurity Advisory Council; providing 78 an effective date. 79 80 Be It Enacted by the Legislature of the State of Florida: 81 82 Section 1.Paragraph (y) is added to subsection (2) of 83 section 110.205, Florida Statutes, to read: 84 110.205Career service; exemptions. 85 (2)EXEMPT POSITIONS.The exempt positions that are not 86 covered by this part include the following: 87 (y)Chief information security officers, information 88 security managers designated pursuant to s. 282.318(4), and 89 personnel employed by or reporting to the state chief 90 information security officer, the state chief data officer, or 91 an agency information security manager. Unless otherwise fixed 92 by law, the department shall establish the salary and benefits 93 for these positions in accordance with the rules of the Selected 94 Exempt Service, except that the salary and benefits for agency 95 information security managers shall be established by the 96 department in accordance with the rules of the Senior Management 97 Service. 98 Section 2.Present subsections (3) through (5), (6) through 99 (16), and (17) through (38) of section 282.0041, Florida 100 Statutes, are redesignated as subsections (4) through (6), (8) 101 through (18), and (20) through (41), respectively, and new 102 subsections (3), (7), and (19) are added to that section, to 103 read: 104 282.0041Definitions.As used in this chapter, the term: 105 (3)As a service means the contracting with or 106 outsourcing to a third party of a defined role or function as a 107 means of delivery. 108 (7)Cloud provider means an entity that provides cloud 109 computing services. 110 (19)Enterprise digital data means information held by a 111 state agency in electronic form that is deemed to be data owned 112 by the state and held for state purposes by the state agency. 113 Enterprise digital data that is subject to statutory 114 requirements for particular types of sensitive data or to 115 contractual limitations for data marked as trade secrets or 116 sensitive corporate data held by state agencies shall be treated 117 in accordance with such requirements or limitations. The 118 department must maintain personnel with appropriate licenses, 119 certifications, or classifications to steward such enterprise 120 digital data, as necessary. Enterprise digital data must be 121 maintained in accordance with chapter 119. This subsection may 122 not be construed to create or expand an exemption from public 123 records requirements under s. 119.07(1) or s. 24(a), Art. I of 124 the State Constitution. 125 Section 3.Subsections (1), (4), and (5) of section 126 282.0051, Florida Statutes, are amended, and paragraph (c) is 127 added to subsection (2) of that section, to read: 128 282.0051Department of Management Services; Florida Digital 129 Service; powers, duties, and functions. 130 (1)The Florida Digital Service is established has been 131 created within the department to lead enterprise cybersecurity 132 efforts, to safeguard enterprise digital data, to propose, test, 133 develop, and deploy innovative solutions that securely modernize 134 state government, including technology and information services, 135 to achieve value through digital transformation and 136 interoperability, and to fully support the cloud-first policy as 137 specified in s. 282.206. The department, through the Florida 138 Digital Service, shall have the following powers, duties, and 139 functions: 140 (a)Develop and publish information technology policy for 141 the management of the states information technology resources. 142 (b)Develop an enterprise architecture that: 143 1.Acknowledges the unique needs of the entities within the 144 enterprise in the development and publication of standards and 145 terminologies to facilitate digital interoperability; 146 2.Supports the cloud-first policy as specified in s. 147 282.206; and 148 3.Addresses how information technology infrastructure may 149 be modernized to achieve cloud-first objectives. 150 (c)Establish project management and oversight standards 151 with which state agencies must comply when implementing 152 information technology projects. The department, acting through 153 the Florida Digital Service, shall provide training 154 opportunities to state agencies to assist in the adoption of the 155 project management and oversight standards. To support data 156 driven decisionmaking, the standards must include, but are not 157 limited to: 158 1.Performance measurements and metrics that objectively 159 reflect the status of an information technology project based on 160 a defined and documented project scope, cost, and schedule. 161 2.Methodologies for calculating acceptable variances in 162 the projected versus actual scope, schedule, or cost of an 163 information technology project. 164 3.Reporting requirements, including requirements designed 165 to alert all defined stakeholders that an information technology 166 project has exceeded acceptable variances defined and documented 167 in a project plan. 168 4.Content, format, and frequency of project updates. 169 5.Technical standards to ensure an information technology 170 project complies with the enterprise architecture. 171 (d)Ensure that independent Perform project oversight on 172 all state agency information technology projects that have total 173 project costs of $25 $10 million or more and that are funded in 174 the General Appropriations Act or any other law is performed in 175 compliance with applicable state and federal law. The 176 department, acting through the Florida Digital Service, shall 177 report at least quarterly to the Executive Office of the 178 Governor, the President of the Senate, and the Speaker of the 179 House of Representatives on any information technology project 180 that the department identifies as high-risk due to the project 181 exceeding acceptable variance ranges defined and documented in a 182 project plan. The report must include a risk assessment, 183 including fiscal risks, associated with proceeding to the next 184 stage of the project, and a recommendation for corrective 185 actions required, including suspension or termination of the 186 project. 187 (e)Identify opportunities for standardization and 188 consolidation of information technology services that support 189 interoperability and the cloud-first policy, as specified in s. 190 282.206, and business functions and operations, including 191 administrative functions such as purchasing, accounting and 192 reporting, cash management, and personnel, and that are common 193 across state agencies. The department, acting through the 194 Florida Digital Service, shall biennially on January 15 1 of 195 each even-numbered year provide recommendations for 196 standardization and consolidation to the Executive Office of the 197 Governor, the President of the Senate, and the Speaker of the 198 House of Representatives. 199 (f)Establish best practices for the procurement of 200 information technology products and cloud-computing services in 201 order to reduce costs, increase the quality of data center 202 services, or improve government services. 203 (g)Develop standards for information technology reports 204 and updates, including, but not limited to, operational work 205 plans, project spend plans, and project status reports, for use 206 by state agencies. 207 (h)Upon request, assist state agencies in the development 208 of information technology-related legislative budget requests. 209 (i)Conduct annual assessments of state agencies to 210 determine compliance with all information technology standards 211 and guidelines developed and published by the department and 212 provide results of the assessments to the Executive Office of 213 the Governor, the President of the Senate, and the Speaker of 214 the House of Representatives. 215 (i)(j)Conduct a market analysis not less frequently than 216 every 3 years beginning in 2021 to determine whether the 217 information technology resources within the enterprise are 218 utilized in the most cost-effective and cost-efficient manner, 219 while recognizing that the replacement of certain legacy 220 information technology systems within the enterprise may be cost 221 prohibitive or cost inefficient due to the remaining useful life 222 of those resources; whether the enterprise is complying with the 223 cloud-first policy specified in s. 282.206; and whether the 224 enterprise is utilizing best practices with respect to 225 information technology, information services, and the 226 acquisition of emerging technologies and information services. 227 Each market analysis shall be used to prepare a strategic plan 228 for continued and future information technology and information 229 services for the enterprise, including, but not limited to, 230 proposed acquisition of new services or technologies and 231 approaches to the implementation of any new services or 232 technologies. Copies of each market analysis and accompanying 233 strategic plan must be submitted to the Executive Office of the 234 Governor, the President of the Senate, and the Speaker of the 235 House of Representatives not later than December 31 of each year 236 that a market analysis is conducted. 237 (j)(k)Recommend other information technology services that 238 should be designed, delivered, and managed as enterprise 239 information technology services. Recommendations must include 240 the identification of existing information technology resources 241 associated with the services, if existing services must be 242 transferred as a result of being delivered and managed as 243 enterprise information technology services. 244 (k)(l)In consultation with state agencies, propose a 245 methodology and approach for identifying and collecting both 246 current and planned information technology expenditure data at 247 the state agency level. 248 (l)1.(m)1.Notwithstanding any other law, provide project 249 oversight on any information technology project of the 250 Department of Financial Services, the Department of Legal 251 Affairs, and the Department of Agriculture and Consumer Services 252 which has a total project cost of $25 $20 million or more. Such 253 information technology projects must also comply with the 254 applicable information technology architecture, project 255 management and oversight, and reporting standards established by 256 the department, acting through the Florida Digital Service. 257 2.When performing the project oversight function specified 258 in subparagraph 1., report by the 30th day after the end of each 259 quarter at least quarterly to the Executive Office of the 260 Governor, the President of the Senate, and the Speaker of the 261 House of Representatives on any information technology project 262 that the department, acting through the Florida Digital Service, 263 identifies as high-risk due to the project exceeding acceptable 264 variance ranges defined and documented in the project plan. The 265 report shall include a risk assessment, including fiscal risks, 266 associated with proceeding to the next stage of the project and 267 a recommendation for corrective actions required, including 268 suspension or termination of the project. 269 (m)(n)If an information technology project implemented by 270 a state agency must be connected to or otherwise accommodated by 271 an information technology system administered by the Department 272 of Financial Services, the Department of Legal Affairs, or the 273 Department of Agriculture and Consumer Services, consult with 274 these departments regarding the risks and other effects of such 275 projects on their information technology systems and work 276 cooperatively with these departments regarding the connections, 277 interfaces, timing, or accommodations required to implement such 278 projects. 279 (n)(o)If adherence to standards or policies adopted by or 280 established pursuant to this section causes conflict with 281 federal regulations or requirements imposed on an entity within 282 the enterprise and results in adverse action against an entity 283 or federal funding, work with the entity to provide alternative 284 standards, policies, or requirements that do not conflict with 285 the federal regulation or requirement. The department, acting 286 through the Florida Digital Service, shall annually by January 287 15 report such alternative standards to the Executive Office of 288 the Governor, the President of the Senate, and the Speaker of 289 the House of Representatives. 290 (o)1.(p)1.Establish an information technology policy for 291 all information technology-related state contracts, including 292 state term contracts for information technology commodities, 293 consultant services, and staff augmentation services. The 294 information technology policy must include: 295 a.Identification of the information technology product and 296 service categories to be included in state term contracts. 297 b.Requirements to be included in solicitations for state 298 term contracts. 299 c.Evaluation criteria for the award of information 300 technology-related state term contracts. 301 d.The term of each information technology-related state 302 term contract. 303 e.The maximum number of vendors authorized on each state 304 term contract. 305 f.At a minimum, a requirement that any contract for 306 information technology commodities or services meet the National 307 Institute of Standards and Technology Cybersecurity Framework. 308 g.For an information technology project wherein project 309 oversight is required pursuant to paragraph (d) or paragraph (l) 310 (m), a requirement that independent verification and validation 311 be employed throughout the project life cycle with the primary 312 objective of independent verification and validation being to 313 provide an objective assessment of products and processes 314 throughout the project life cycle. An entity providing 315 independent verification and validation may not have technical, 316 managerial, or financial interest in the project and may not 317 have responsibility for, or participate in, any other aspect of 318 the project. 319 2.Evaluate vendor responses for information technology 320 related state term contract solicitations and invitations to 321 negotiate. 322 3.Answer vendor questions on information technology 323 related state term contract solicitations. 324 4.Ensure that the information technology policy 325 established pursuant to subparagraph 1. is included in all 326 solicitations and contracts that are administratively executed 327 by the department. 328 (p)(q)Recommend potential methods for standardizing data 329 across state agencies which will promote interoperability and 330 reduce the collection of duplicative data. 331 (q)(r)Recommend open data technical standards and 332 terminologies for use by the enterprise. 333 (r)(s)Ensure that enterprise information technology 334 solutions are capable of utilizing an electronic credential and 335 comply with the enterprise architecture standards. 336 (2) 337 (c)The state chief information officer, in consultation 338 with the Secretary of Management Services, shall designate a 339 state chief technology officer who shall be responsible for all 340 of the following: 341 1.Establishing and maintaining an enterprise architecture 342 framework that ensures information technology investments align 343 with the states strategic objectives and initiatives pursuant 344 to paragraph (1)(b). 345 2.Conducting comprehensive evaluations of potential 346 technological solutions and cultivating strategic partnerships, 347 internally with state enterprise agencies and externally with 348 the private sector, to leverage collective expertise, foster 349 collaboration, and advance the states technological 350 capabilities. 351 3.Supervising program management of enterprise information 352 technology initiatives pursuant to paragraphs (1)(c), (d), and 353 (l); providing advisory support and oversight for technology 354 related projects; and continuously identifying and recommending 355 best practices to optimize outcomes of technology projects and 356 enhance the enterprises technological efficiency and 357 effectiveness. 358 (4)For information technology projects that have a total 359 project cost of $25 $10 million or more: 360 (a)State agencies must provide the Florida Digital Service 361 with written notice of any planned procurement of an information 362 technology project. 363 (b)The Florida Digital Service must participate in the 364 development of specifications and recommend modifications to any 365 planned procurement of an information technology project by 366 state agencies so that the procurement complies with the 367 enterprise architecture. 368 (c)The Florida Digital Service must participate in post 369 award contract monitoring. 370 (5)The department, acting through the Florida Digital 371 Service, may not retrieve or disclose any data without a shared 372 data agreement in place between the department and the 373 enterprise entity that has primary custodial responsibility of, 374 or data-sharing responsibility for, that data. 375 Section 4.Subsection (1) of section 282.00515, Florida 376 Statutes, is amended to read: 377 282.00515Duties of Cabinet agencies. 378 (1)The Department of Legal Affairs, the Department of 379 Financial Services, and the Department of Agriculture and 380 Consumer Services shall adopt the standards established in s. 381 282.0051(1)(b), (c), and (q) and (3)(e) s. 282.0051(1)(b), (c), 382 and (r) and (3)(e) or adopt alternative standards based on best 383 practices and industry standards that allow for open data 384 interoperability. 385 Section 5.Present paragraphs (a) through (k) of subsection 386 (4) and subsection (10) of section 282.318, Florida Statutes, 387 are redesignated as paragraphs (b) through (l) of subsection (4) 388 and subsection (11), respectively, a new paragraph (a) is added 389 to subsection (4) and a new subsection (10) is added to that 390 section, and subsection (3) and present paragraph (a) of 391 subsection (4) of that section are amended, to read: 392 282.318Cybersecurity. 393 (3)The department, acting through the Florida Digital 394 Service, is the lead entity responsible for leading 395 cybersecurity efforts, safeguarding enterprise digital data, 396 establishing standards and processes for assessing state agency 397 cybersecurity risks, and determining appropriate security 398 measures. Such standards and processes must be consistent with 399 generally accepted technology best practices, including the 400 National Institute for Standards and Technology Cybersecurity 401 Framework, for cybersecurity. The department, acting through the 402 Florida Digital Service, shall adopt rules that mitigate risks; 403 safeguard state agency digital assets, data, information, and 404 information technology resources to ensure availability, 405 confidentiality, and integrity; and support a security 406 governance framework. The department, acting through the Florida 407 Digital Service, shall also: 408 (a)Designate an employee of the Florida Digital Service as 409 the state chief information security officer. The state chief 410 information security officer must have experience and expertise 411 in security and risk management for communications and 412 information technology resources. The state chief information 413 security officer is responsible for the development, operation, 414 and oversight of cybersecurity for state technology systems. The 415 Cybersecurity Operations Center shall immediately notify the 416 state chief information officer and the state chief information 417 security officer shall be notified of all confirmed or suspected 418 incidents or threats of state agency information technology 419 resources. The state chief information officer, in consultation 420 with the state chief information security officer, and must 421 report such incidents or threats to the state chief information 422 officer and the Governor. 423 (b)Develop, and annually update by February 1, a statewide 424 cybersecurity strategic plan that includes security goals and 425 objectives for cybersecurity, including the identification and 426 mitigation of risk, proactive protections against threats, 427 tactical risk detection, threat reporting, and response and 428 recovery protocols for a cyber incident. 429 (c)Develop and publish for use by state agencies a 430 cybersecurity governance framework that, at a minimum, includes 431 guidelines and processes for: 432 1.Establishing asset management procedures to ensure that 433 an agencys information technology resources are identified and 434 managed consistent with their relative importance to the 435 agencys business objectives. 436 2.Using a standard risk assessment methodology that 437 includes the identification of an agencys priorities, 438 constraints, risk tolerances, and assumptions necessary to 439 support operational risk decisions. 440 3.Completing comprehensive risk assessments and 441 cybersecurity audits, which may be completed by a private sector 442 vendor, and submitting completed assessments and audits to the 443 department. 444 4.Identifying protection procedures to manage the 445 protection of an agencys information, data, and information 446 technology resources. 447 5.Establishing procedures for accessing information and 448 data to ensure the confidentiality, integrity, and availability 449 of such information and data. 450 6.Detecting threats through proactive monitoring of 451 events, continuous security monitoring, and defined detection 452 processes. 453 7.Establishing agency cybersecurity incident response 454 teams and describing their responsibilities for responding to 455 cybersecurity incidents, including breaches of personal 456 information containing confidential or exempt data. 457 8.Recovering information and data in response to a 458 cybersecurity incident. The recovery may include recommended 459 improvements to the agency processes, policies, or guidelines. 460 9.Establishing a cybersecurity incident reporting process 461 that includes procedures for notifying the department and the 462 Department of Law Enforcement of cybersecurity incidents. 463 a.The level of severity of the cybersecurity incident is 464 defined by the National Cyber Incident Response Plan of the 465 United States Department of Homeland Security as follows: 466 (I)Level 5 is an emergency-level incident within the 467 specified jurisdiction that poses an imminent threat to the 468 provision of wide-scale critical infrastructure services; 469 national, state, or local government security; or the lives of 470 the countrys, states, or local governments residents. 471 (II)Level 4 is a severe-level incident that is likely to 472 result in a significant impact in the affected jurisdiction to 473 public health or safety; national, state, or local security; 474 economic security; or civil liberties. 475 (III)Level 3 is a high-level incident that is likely to 476 result in a demonstrable impact in the affected jurisdiction to 477 public health or safety; national, state, or local security; 478 economic security; civil liberties; or public confidence. 479 (IV)Level 2 is a medium-level incident that may impact 480 public health or safety; national, state, or local security; 481 economic security; civil liberties; or public confidence. 482 (V)Level 1 is a low-level incident that is unlikely to 483 impact public health or safety; national, state, or local 484 security; economic security; civil liberties; or public 485 confidence. 486 b.The cybersecurity incident reporting process must 487 specify the information that must be reported by a state agency 488 following a cybersecurity incident or ransomware incident, 489 which, at a minimum, must include the following: 490 (I)A summary of the facts surrounding the cybersecurity 491 incident or ransomware incident. 492 (II)The date on which the state agency most recently 493 backed up its data; the physical location of the backup, if the 494 backup was affected; and if the backup was created using cloud 495 computing. 496 (III)The types of data compromised by the cybersecurity 497 incident or ransomware incident. 498 (IV)The estimated fiscal impact of the cybersecurity 499 incident or ransomware incident. 500 (V)In the case of a ransomware incident, the details of 501 the ransom demanded. 502 c.(I)A state agency shall report all ransomware incidents 503 and any cybersecurity incidents incident determined by the state 504 agency to be of severity level 3, 4, or 5 to the Cybersecurity 505 Operations Center and the Cybercrime Office of the Department of 506 Law Enforcement as soon as possible but no later than 12 48 507 hours after discovery of the cybersecurity incident and no later 508 than 6 12 hours after discovery of the ransomware incident. The 509 report must contain the information required in sub-subparagraph 510 b. 511 (II)The Cybersecurity Operations Center shall: 512 (A)Immediately notify the Cybercrime Office of the 513 Department of Law Enforcement of a reported incident and provide 514 to the Cybercrime Office of the Department of Law Enforcement 515 regular reports on the status of the incident, preserve forensic 516 data to support a subsequent investigation, and provide aid to 517 the investigative efforts of the Cybercrime Office of the 518 Department of Law Enforcement upon the offices request if the 519 state chief information security officer finds that the 520 investigation does not impede remediation of the incident and 521 that there is no risk to the public and no risk to critical 522 state functions. 523 (B)Immediately notify the state chief information officer 524 and the state chief information security officer of a reported 525 incident. The state chief information security officer shall 526 notify the President of the Senate and the Speaker of the House 527 of Representatives of any severity level 3, 4, or 5 incident as 528 soon as possible but no later than 24 12 hours after receiving a 529 state agencys incident report. The notification must include a 530 high-level description of the incident and the likely effects 531 and must be provided in a secure environment. 532 d.A state agency shall report a cybersecurity incident 533 determined by the state agency to be of severity level 1 or 2 to 534 the Cybersecurity Operations Center and the Cybercrime Office of 535 the Department of Law Enforcement as soon as possible. The 536 report must contain the information required in sub-subparagraph 537 b. 538 d.e.The Cybersecurity Operations Center shall provide a 539 consolidated incident report by the 30th day after the end of 540 each quarter on a quarterly basis to the Governor, the Attorney 541 General, the executive director of the Department of Law 542 Enforcement, the President of the Senate, the Speaker of the 543 House of Representatives, and the Florida Cybersecurity Advisory 544 Council. The report provided to the Florida Cybersecurity 545 Advisory Council may not contain the name of any agency, network 546 information, or system identifying information but must contain 547 sufficient relevant information to allow the Florida 548 Cybersecurity Advisory Council to fulfill its responsibilities 549 as required in s. 282.319(9). 550 10.Incorporating information obtained through detection 551 and response activities into the agencys cybersecurity incident 552 response plans. 553 11.Developing agency strategic and operational 554 cybersecurity plans required pursuant to this section. 555 12.Establishing the managerial, operational, and technical 556 safeguards for protecting state government data and information 557 technology resources that align with the state agency risk 558 management strategy and that protect the confidentiality, 559 integrity, and availability of information and data. 560 13.Establishing procedures for procuring information 561 technology commodities and services that require the commodity 562 or service to meet the National Institute of Standards and 563 Technology Cybersecurity Framework. 564 14.Submitting after-action reports following a 565 cybersecurity incident or ransomware incident. Such guidelines 566 and processes for submitting after-action reports must be 567 developed and published by December 1, 2022. 568 (d)Assist state agencies in complying with this section. 569 (e)In collaboration with the Cybercrime Office of the 570 Department of Law Enforcement, annually provide training for 571 state agency information security managers and computer security 572 incident response team members that contains training on 573 cybersecurity, including cybersecurity threats, trends, and best 574 practices. 575 (f)Annually review the strategic and operational 576 cybersecurity plans of state agencies. 577 (g)Annually provide cybersecurity training to all state 578 agency technology professionals and employees with access to 579 highly sensitive information which develops, assesses, and 580 documents competencies by role and skill level. The 581 cybersecurity training curriculum must include training on the 582 identification of each cybersecurity incident severity level 583 referenced in sub-subparagraph (c)9.a. The training may be 584 provided in collaboration with the Cybercrime Office of the 585 Department of Law Enforcement, a private sector entity, or an 586 institution of the State University System. 587 (h)Operate and maintain a Cybersecurity Operations Center 588 led by the state chief information security officer, which must 589 be primarily virtual and staffed with tactical detection and 590 incident response personnel. The Cybersecurity Operations Center 591 shall serve as a clearinghouse for threat information and 592 coordinate with the Department of Law Enforcement to support 593 state agencies and their response to any confirmed or suspected 594 cybersecurity incident. 595 (i)Lead an Emergency Support Function, ESF-20 ESF CYBER, 596 under the state comprehensive emergency management plan as 597 described in s. 252.35. 598 (j)Provide cybersecurity briefings to the members of any 599 legislative committee or subcommittee responsible for policy 600 matters relating to cybersecurity. 601 (k)Have the authority to obtain immediate access to public 602 or private infrastructure hosting enterprise digital data and to 603 direct, in consultation with the state agency that holds the 604 particular enterprise digital data, measures to assess, monitor, 605 and safeguard the enterprise digital data. 606 (4)Each state agency head shall, at a minimum: 607 (a)Designate a chief information security officer to 608 integrate the agencys technical and operational cybersecurity 609 efforts with the Cybersecurity Operations Center. This 610 designation must be provided annually in writing to the Florida 611 Digital Service by January 15. For a state agency under the 612 jurisdiction of the Governor, the agencys chief information 613 security officer shall be under the general supervision of the 614 agency head or designee for administrative purposes but shall 615 report to the state chief information officer. An agency may 616 request that the department procure a chief information security 617 officer as a service to fulfill the agencys duties under this 618 paragraph. 619 (b)(a)Designate an information security manager to ensure 620 compliance with cybersecurity governance and with the states 621 enterprise security program and incident response plan 622 administer the cybersecurity program of the state agency. This 623 designation must be provided annually in writing to the 624 department by January 15 1. A state agencys information 625 security manager, for purposes of these information security 626 duties, shall report directly to the agency head. 627 (10)The department may brief any legislative committee or 628 subcommittee responsible for cybersecurity policy in a meeting 629 or other setting closed by the respective body under the rules 630 of such legislative body at which the legislative committee or 631 subcommittee is briefed on records made confidential and exempt 632 under subsections (5) and (6). The legislative committee or 633 subcommittee must maintain the confidential and exempt status of 634 such records. A legislator serving on a legislative committee or 635 subcommittee responsible for cybersecurity policy may also 636 attend meetings of the Florida Cybersecurity Advisory Council, 637 including any portions of such meetings that are exempt from s. 638 286.011 and s. 24(b), Art. I of the State Constitution. 639 Section 6.Paragraphs (b) and (c) of subsection (5) of 640 section 282.3185, Florida Statutes, are amended to read: 641 282.3185Local government cybersecurity. 642 (5)INCIDENT NOTIFICATION. 643 (b)1.A local government shall report all ransomware 644 incidents and any cybersecurity incident determined by the local 645 government to be of severity level 3, 4, or 5 as provided in s. 646 282.318(3)(c) to the Cybersecurity Operations Center, the 647 Cybercrime Office of the Department of Law Enforcement, and the 648 sheriff who has jurisdiction over the local government as soon 649 as possible but no later than 12 48 hours after discovery of the 650 cybersecurity incident and no later than 6 12 hours after 651 discovery of the ransomware incident. The report must contain 652 the information required in paragraph (a). 653 2.The Cybersecurity Operations Center shall: 654 a.Immediately notify the Cybercrime Office of the 655 Department of Law Enforcement and the sheriff who has 656 jurisdiction over the local government of a reported incident 657 and provide to the Cybercrime Office of the Department of Law 658 Enforcement and the sheriff who has jurisdiction over the local 659 government regular reports on the status of the incident, 660 preserve forensic data to support a subsequent investigation, 661 and provide aid to the investigative efforts of the Cybercrime 662 Office of the Department of Law Enforcement upon the offices 663 request if the state chief information security officer finds 664 that the investigation does not impede remediation of the 665 incident and that there is no risk to the public and no risk to 666 critical state functions. 667 b.Immediately notify the state chief information security 668 officer of a reported incident. The state chief information 669 security officer shall notify the President of the Senate and 670 the Speaker of the House of Representatives of any severity 671 level 3, 4, or 5 incident as soon as possible but no later than 672 24 12 hours after receiving a local governments incident 673 report. The notification must include a high-level description 674 of the incident and the likely effects and must be provided in a 675 secure environment. 676 (c)A local government may report a cybersecurity incident 677 determined by the local government to be of severity level 1 or 678 2 as provided in s. 282.318(3)(c) to the Cybersecurity 679 Operations Center, the Cybercrime Office of the Department of 680 Law Enforcement, and the sheriff who has jurisdiction over the 681 local government. The report shall contain the information 682 required in paragraph (a). The Cybersecurity Operations Center 683 shall immediately notify the Cybercrime Office of the Department 684 of Law Enforcement and the sheriff who has jurisdiction over the 685 local government of a reported incident and provide regular 686 reports on the status of the cybersecurity incident, preserve 687 forensic data to support a subsequent investigation, and provide 688 aid to the investigative efforts of the Cybercrime Office of the 689 Department of Law Enforcement upon request if the state chief 690 information security officer finds that the investigation does 691 not impede remediation of the cybersecurity incident and that 692 there is no risk to the public and no risk to critical state 693 functions. 694 Section 7.Paragraph (j) of subsection (4) of section 695 282.319, Florida Statutes, is amended, and paragraph (m) is 696 added to that subsection, to read: 697 282.319Florida Cybersecurity Advisory Council. 698 (4)The council shall be comprised of the following 699 members: 700 (j)Three representatives from critical infrastructure 701 sectors, one of whom must be from a utility provider water 702 treatment facility, appointed by the Governor. 703 (m)A representative of local government. 704 Section 8.This act shall take effect July 1, 2024.