The Florida Senate
BILL ANALYSIS AND FISCAL IMPACT STATEMENT
(This document is based on the provisions contained in the legislation as of the latest date listed below.)

Prepared By: The Professional Staff of the Appropriations Committee on Agriculture, Environment, and General Government

BILL: CS/CS/SB 1662
INTRODUCER: Appropriations Committee on Agriculture, Environment, and General Government and Governmental Oversight and Accountability Committee and Senator Collins
SUBJECT: Cybersecurity
DATE: February 22, 2024

     ANALYST     STAFF DIRECTOR     REFERENCE     ACTION
1.   Harmsen     McVaney            GO            Fav/CS
2.   Hunter      Betta              AEG           Fav/CS
3.                                  AP

Please see Section IX. for Additional Information:
COMMITTEE SUBSTITUTE - Substantial Changes

I. Summary:

CS/CS/SB 1662 revises the mission, goals, and responsibilities of the Florida Center for Cybersecurity and adds program oversight for the Enterprise Cybersecurity Resiliency program within the Department of Management Services.

The bill has no fiscal impact on state revenues or expenditures. See Section V., Fiscal Impact Statement.

The bill provides an effective date of July 1, 2024.

II. Present Situation:

Over the last decade, cybersecurity has rapidly become a growing concern. Cyberattacks are growing in frequency and severity. Cybercrime is expected to inflict $8 trillion worth of damage globally in 2023.[1] The United States is often a target of cyberattacks,[2] including attacks on critical infrastructure, and has been a target of more significant cyberattacks[3] over the last 14 years than any other country.[4] The Colonial Pipeline is an example of critical infrastructure that was attacked, disrupting what is arguably the nation’s most important fuel conduit.[5]

Ransomware is a type of cybersecurity incident in which malware[6] designed to encrypt files on a device renders the files, and the systems that rely on them, unusable. In other words, critical information is no longer accessible. During a ransomware attack, malicious actors demand a ransom in exchange for regained access through decryption. If the ransom is not paid, the ransomware actors will often threaten to sell or leak the data or authentication information. Even if the ransom is paid, there is no guarantee that the bad actor will follow through with decryption. In recent years, ransomware incidents have become increasingly prevalent among the nation’s state, local, tribal, and territorial government entities and critical infrastructure organizations.[7] For example, Tallahassee Memorial Hospital was hit by a ransomware attack in February 2023, and the hospital’s systems were forced to shut down, impacting many local residents in need of medical care.[8]

Information Technology and Cybersecurity Management

The Department of Management Services (DMS) oversees information technology (IT)[9] governance and security for the executive branch in Florida.[10] The Florida Digital Service (FLDS) is housed within the DMS and was established in 2020 to replace the Division of State Technology.[11] The FLDS works under the DMS to implement policies for IT and cybersecurity for state agencies.[12] The head of the FLDS is appointed by the Secretary of Management Services[13] and serves as the state chief information officer (CIO).[14] The CIO must have at least five years of experience in the development of IT system strategic planning and IT policy and, preferably, have leadership-level experience in the design, development, and deployment of interoperable software and data solutions.[15]

The FLDS must propose innovative solutions that securely modernize state government, including technology and information services, to achieve value through digital transformation and interoperability, and to fully support Florida’s cloud first policy.[16] The DMS, through the FLDS, has the following powers, duties, and functions:[17]
- Develop IT policy for the management of the state’s IT resources;
- Develop an enterprise architecture;
- Establish IT project management and oversight standards for state agencies;
- Provide oversight for all state agency IT projects that have a total cost of $10 million or more and that are funded in the General Appropriations Act or any other law;[18] and
- Standardize and consolidate IT services that support interoperability, Florida’s cloud first policy, and business functions and operations that are common across state agencies.

State Cybersecurity Act

While it has existed in some form for more than 10 years, in 2022 the Legislature passed the State Cybersecurity Act,[19] which requires the DMS and the heads of the state agencies[20] to meet certain requirements to enhance the cybersecurity[21] of the state agencies. The DMS, through the FLDS, is tasked with completing the following:[22]
- Establish standards for assessing agency cybersecurity risks;
- Adopt rules to mitigate risk, support a security governance framework, and safeguard agency digital assets, data,[23] information, and IT resources;[24]
- Designate a chief information security officer (CISO);
- Develop and annually update a statewide cybersecurity strategic plan that includes identification and mitigation of risk, protections against threats, and tactical risk detection for cyber incidents;[25]
- Develop and publish for use by state agencies a cybersecurity governance framework;
- Assist the state agencies in complying with the State Cybersecurity Act;
- Provide annual training on cybersecurity for information security managers and computer security incident response team members;
- Annually review the strategic and operational cybersecurity plans of state agencies;
- Track the state agencies’ implementation of remediation plans;
- Provide cybersecurity training to all state agency technology professionals that develops, assesses, and documents competencies by role and skill level;
- Maintain a Cybersecurity Operations Center (CSOC) led by the CISO to serve as a clearinghouse for threat information and coordinate with the FDLE to support responses to incidents; and
- Lead an Emergency Support Function under the state emergency management plan.

The State Cybersecurity Act requires the head of each state agency to designate an information security manager to administer the state agency’s cybersecurity program.[26] The head of the agency has additional tasks in protecting against cybersecurity threats as follows:[27]
- Establish a cybersecurity incident response team with the FLDS and the Cybercrime Office, which must immediately report all confirmed or suspected incidents to the CISO;
- Annually submit to the DMS the state agency’s strategic and operational cybersecurity plans;
- Conduct and update a comprehensive risk assessment to determine the security threats once every three years;
- Develop and update written internal policies and procedures for reporting cyber incidents;
- Implement safeguards and risk assessment remediation plans to address identified risks;
- Ensure internal audits and evaluations of the agency’s cybersecurity program are conducted;
- Ensure that the cybersecurity requirements for the solicitation, contracts, and service-level agreement of IT and IT resources meet or exceed applicable state and federal laws, regulations, and standards for cybersecurity, including the National Institute of Standards and Technology (NIST)[28] cybersecurity framework;
- Provide cybersecurity training to all agency employees within 30 days of employment;
- Develop a process that is consistent with the rules and guidelines established by the FLDS for detecting, reporting, and responding to threats, breaches, or cybersecurity incidents; and
- Submit an after-action report to the FLDS within one week after remediation of a cybersecurity incident or ransomware incident.

Florida Cybersecurity Advisory Council

The Florida Cybersecurity Advisory Council[29] (CAC) within the DMS[30] assists state agencies in protecting IT resources from cyber threats and incidents.[31] The CAC must assist the FLDS in implementing best cybersecurity practices, taking into consideration the final recommendations of the Florida Cybersecurity Task Force, a task force created to review and assess the state’s cybersecurity infrastructure, governance, and operations.[32] The CAC meets at least quarterly to:[33]
- Review existing state agency cybersecurity policies;
- Assess ongoing risks to state agency IT;
- Recommend a reporting and information sharing system to notify state agencies of new risks;
- Recommend data breach simulation exercises;
- Assist the FLDS in developing cybersecurity best practice recommendations; and
- Examine inconsistencies between state and federal law regarding cybersecurity.

The CAC must work with NIST and other federal agencies, private sector businesses, and private security experts to identify which local infrastructure sectors, not covered by federal law, are at the greatest risk of cyber-attacks and to identify categories of critical infrastructure as critical cyber infrastructure if cyber damage to the infrastructure could result in catastrophic consequences.[34]

The CAC must also prepare and submit a comprehensive report to the Governor, the President of the Senate, and the Speaker of the House of Representatives that includes data, trends, analysis, findings, and recommendations for state and local action regarding ransomware incidents, as stated below:[35]
- Descriptive statistics, including the amount of ransom requested, duration of the incident, and overall monetary cost to taxpayers of the incident;
- A detailed statistical analysis of the circumstances that led to the ransomware incident which does not include the name of the state agency or local government, network information, or system identifying information;
- Statistical analysis of the level of cybersecurity employee training and frequency of data backup for the state agencies or local governments that reported incidents;
- Specific issues identified with current policy, procedure, rule, or statute and recommendations to address those issues; and
- Other recommendations to prevent ransomware incidents.

Cyber Incident Response

The National Cyber Incident Response Plan (NCIRP) was developed by the U.S. Department of Homeland Security, according to the direction of Presidential Policy Directive (PPD)-41.[36] The NCIRP is part of the broader National Preparedness System and establishes the strategic framework for a whole-of-Nation approach to mitigating, responding to, and recovering from cybersecurity incidents posing risk to critical infrastructure.[37] The NCIRP was developed in coordination with federal, state, local, and private sector entities and is designed to interface with industry best practice standards for cybersecurity, including the NIST Cybersecurity Framework.

The NCIRP adopted a common schema for describing the severity of cybersecurity incidents affecting the U.S. The schema establishes a common framework to evaluate and assess cybersecurity incidents to ensure that all departments and agencies have a common view of the severity of a given incident; the urgency required for responding to a given incident; the seniority level necessary for coordinating response efforts; and the level of investment required for response efforts.[38] The severity level of a cybersecurity incident in accordance with the NCIRP is determined as follows:
- Level 5: An emergency-level incident within the specified jurisdiction if the incident poses an imminent threat to the provision of wide-scale critical infrastructure services; national, state, or local security; or the lives of the country’s, state’s, or local government’s citizens.
- Level 4: A severe-level incident if the incident is likely to result in a significant impact within the affected jurisdiction which affects the public health or safety; national, state, or local security; economic security; or individual civil liberties.
- Level 3: A high-level incident if the incident is likely to result in a demonstrable impact in the affected jurisdiction to public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.
- Level 2: A medium-level incident if the incident may impact public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.
- Level 1: A low-level incident if the incident is unlikely to impact public health or safety; national, state, or local security; economic security; or public confidence.[39]

State agencies and local governments in Florida must report to the CSOC all ransomware incidents and any cybersecurity incidents at severity levels of three, four, or five as soon as possible, but no later than 48 hours after discovery of a cybersecurity incident and no later than 12 hours after discovery of a ransomware incident.[40] The CSOC is required to notify the President of the Senate and the Speaker of the House of Representatives of any incidents at severity levels of three, four, or five as soon as possible, but no later than 12 hours after receiving the incident report from the state agency or local government.[41] State agencies must report incidents at severity levels one and two to the CSOC and the Cybercrime Office at the FDLE as soon as possible.[42] The notification must include a high-level description of the incident and the likely effects.

An incident report for a cybersecurity or ransomware incident by a state agency or local government must include, at a minimum:
- A summary of the facts surrounding the cybersecurity or ransomware incident;
- The date on which the state agency or local government most recently backed up its data, the physical location of the backup, whether the backup was affected, and whether the backup was created using cloud computing;
- The types of data compromised by the cybersecurity or ransomware incident;
- The estimated fiscal impact of the cybersecurity or ransomware incident;
- In the case of a ransomware incident, the details of the ransom demanded; and
- If the reporting entity is a local government, a statement requesting or declining assistance from the CSOC, FDLE Cybercrime Office, or sheriff.[43]

In addition, the CSOC must provide consolidated incident reports to the President of the Senate, the Speaker of the House of Representatives, and the CAC on a quarterly basis.[44] The consolidated incident reports to the CAC may not contain any state agency or local government name, network information, or system identifying information, but must contain sufficient relevant information to allow the CAC to fulfill its responsibilities.[45] State agencies and local governments must submit an after-action report to the FLDS within one week of the remediation of a cybersecurity or ransomware incident.[46] The report must summarize the incident, state the resolution, and describe any insights gained from the incident.

Public Record and Public Meetings Exemption for Specific Cybersecurity Records Held by Agencies

The State Cybersecurity Act makes confidential and exempt from public records copying and inspection requirements the portions of risk assessments, evaluations, external audits, and other agency cybersecurity program reports that are held by an agency, if the disclosure would facilitate unauthorized access to, modification, disclosure, or destruction of data or IT resources.[47] However, this information must be shared with the Auditor General, the FDLE Cybercrime Office, the FLDS, and the Chief Inspector General. An agency may share its confidential and exempt documents with a local government, another agency, or a federal agency if given for a cybersecurity purpose, or in furtherance of the agency’s official duties.[48] Additionally, any document that, when held by an agency, is exempt or confidential and exempt under s. 119.07(1), F.S., maintains its exempt status when the custodian agency shares it with the Legislature.[49] The State Cybersecurity Act also exempts portions of any public meeting that would reveal records that it makes confidential and exempt.[50]

Florida Fusion Center

To help unify the Nation’s efforts to share information and exchange intelligence, the Intelligence Reform and Terrorism Prevention Act of 2004 (Act) was passed. The Act provides guidance to agencies at all levels about information sharing, access, and collaboration. Part of this guidance is the need to designate a single fusion center in each state to serve as the “hub” for these activities.[51] The Florida Fusion Center (FFC) began operations in 2007 and is located in Tallahassee, Florida. The FFC was designated as the state’s primary fusion center by the Governor in March of 2008 and serves as the head of the Network of Florida Fusion Centers. There are regional fusion centers in each of the seven FDLE regions to support local and state intelligence needs.[52] The FFC provides connectivity and coordinates intelligence sharing among the seven regional fusion centers located throughout the state. Operations are guided by the understanding that the key to effectiveness is the development and sharing of information to the fullest extent permitted by law and agency policy. The FFC consists of approximately 45 FDLE members, federal agencies, and twelve multi-disciplinary state agency partners, and includes outreach to private sector entities.[53]

Florida Center for Cybersecurity

The Florida Center for Cybersecurity (Cyber Florida) is housed within the University of South Florida (USF) and was first established in 2014.[54] The goals of Cyber Florida are to:[55]
- Position Florida as the national leader in cybersecurity and its related workforce through education, research, and community engagement.
- Assist in the creation of jobs in the state’s cybersecurity industry and enhance the existing cybersecurity workforce.
- Act as a cooperative facilitator for state business and higher education communities to share cybersecurity knowledge, resources, and training.
- Seek out partnerships with major military installations to assist, when possible, in homeland cybersecurity defense initiatives.
- Attract cybersecurity companies to the state with an emphasis on defense, finance, health care, transportation, and utility sectors.

III. Effect of Proposed Changes:

Florida Center for Cybersecurity

Section 1 provides that the Florida Center for Cybersecurity may also be referred to as “Cyber Florida.” The bill clarifies that Cyber Florida operates under the discretion of the University of South Florida’s (USF) president or designee. The USF president may assign, with the approval of the USF board of trustees, Cyber Florida to a college within USF that has a strong emphasis on cybersecurity, technology, or computer sciences and engineering.

The bill allows Cyber Florida, at the request of the DMS, the FLDS, or another state agency, to assist any state-funded initiatives that relate to: (1) cybersecurity training, professional development, and education for state and local government employees, and (2) increasing the cybersecurity effectiveness of the state and local government technology platforms and infrastructure. The bill also clarifies the mission and goals of Cyber Florida.

Enterprise Cybersecurity Resiliency Program Oversight

Section 2 instructs the Department of Management Services to contract with an independent verification and validation (IV&V) provider to provide program oversight for the Enterprise Cybersecurity Resiliency Program. It further requires the IV&V vendor to complete a program assessment and provide recommendations to the Legislature and the Office of Policy and Budget by December 1, 2024, based on specific evaluation criteria.

Section 3 provides that the bill takes effect July 1, 2024.

IV. Constitutional Issues:

A. Municipality/County Mandates Restrictions:
Not applicable. The mandate restrictions do not apply because the bill does not require counties and municipalities to spend funds, reduce counties’ or municipalities’ ability to raise revenue, or reduce the percentage of state tax shared with counties and municipalities.

B. Public Records/Open Meetings Issues:
None.

C. Trust Funds Restrictions:
None.

D. State Tax or Fee Increases:
None.

E. Other Constitutional Issues:
None.

V. Fiscal Impact Statement:

A. Tax/Fee Issues:
None.

B. Private Sector Impact:
None.

C. Government Sector Impact:
None.

VI. Technical Deficiencies:
None.

VII. Related Issues:
None.

VIII. Statutes Affected:
This bill substantially amends section 1004.444 of the Florida Statutes.

IX. Additional Information:

A. Committee Substitute – Statement of Changes:
(Summarizing differences between the Committee Substitute and the prior version of the bill.)

CS by Appropriations Committee on Agriculture, Environment, and General Government on February 20, 2024:
- Removes all statutory revisions related to the Florida Digital Service.
- Requires the Department of Management Services to contract with an independent verification and validation provider to provide program oversight and an assessment of the Enterprise Cybersecurity Resiliency program.

CS by Governmental Oversight and Accountability on January 29, 2024:
- Removes provisions of the bill that designate certain information security personnel positions as selected exempt positions.
- Removes provisions of the bill that require each state agency head to designate a chief information security officer that reports to the Florida Digital Service’s (FLDS) chief information officer, and instead amends the role of the currently-serving agency information security manager to “ensure compliance with cybersecurity governance and with the state’s enterprise security program and incident response plan.” This amendment also requires the agency information security manager to coordinate with information security personnel within his or her agency and the Cybersecurity Operations Center within the FLDS.
- Updates the mission, goals, and responsibilities of the Florida Center for Cybersecurity (“Cyber Florida”) housed within the University of South Florida (USF), and authorizes the USF president to assign the Center to an appropriate college within the university, with approval of the board of trustees.

B. Amendments:
None.

This Senate Bill Analysis does not reflect the intent or official position of the bill’s introducer or the Florida Senate.

Notes

[1] Steve Morgan, CYBERCRIME MAGAZINE, Cybercrime to Cost the World $8 Trillion Annually in 2023 (Oct. 17, 2022), Cybercrime To Cost The World 8 Trillion Annually In 2023 (cybersecurityventures.com) (last visited Jan. 31, 2024).
[2] Chris Jaikaran, CONGRESSIONAL RESEARCH SERVICE, Cybersecurity: Selected Cyberattacks, 2012-2022 (Aug. 9, 2023), https://crsreports.congress.gov/product/pdf/R/R46974 (last visited Jan. 25, 2024).
[3] “Significant cyber-attacks” are defined as cyber-attacks on a country’s government agencies, defense and high-tech companies, or economic crimes with losses equating to more than a million dollars. Kyle Brasseur, FRA CONFERENCES, Study: U.S. Largest Target for Significant Cyber-Attacks (Jul. 13, 2020), https://www.fraconferences.com/insights-articles/compliance/study-us-largest-target-for-significant-cyber-attacks/#:~:text=The%20United%20States%20has%20been%20on%20the%20receiving,article%20is%20from%20FRA%27s%20sister%20company%2C%20Compliance%20Week (last visited Jan. 31, 2024).
[4] Id.
[5] S&P Global, Pipeline operators must start reporting cyberattacks to government: TSA orders, https://www.spglobal.com/commodityinsights/en/market-insights/latest-news/electric-power/052721-pipeline-operators-must-start-reporting-cyberattacks-to-government-tsa-orders?utm_campaign=corporatepro&utm_medium=contentdigest&utm_source=esgmay2021 (last visited Jan. 31, 2024).
[6] “Malware” means hardware, firmware, or software that is intentionally included or inserted in a system for a harmful purpose. malware - Glossary | CSRC (nist.gov) (last visited Jan. 31, 2024).
[7] Cybersecurity and Infrastructure Security Agency, Ransomware 101, https://www.cisa.gov/stopransomware/ransomware-101 (last visited Jan. 31, 2024).
[8] Caitlyn Stroh-Page, TALLAHASSEE DEMOCRAT, Social Security Numbers, Some Patient Treatment Info Involved in TMH Cybersecurity Incident (Apr. 1, 2023), https://www.tallahassee.com/story/news/local/2023/03/31/tmh-updates-what-information-was-affected-during-cybersecurity-incident/70069655007/ (last visited Jan. 25, 2024).
[9] The term “information technology” means equipment, hardware, software, firmware, programs, systems, networks, infrastructure, media, and related material used to automatically, electronically, and wirelessly collect, receive, access, transmit, display, store, record, retrieve, analyze, evaluate, process, classify, manipulate, manage, assimilate, control, communicate, exchange, convert, converge, interface, switch, or disseminate information of any kind or form. Section 282.0041(19), F.S.
[10] See s. 20.22, F.S.
[11] Chapter 2020-161, Laws of Fla.
[12] See s. 20.22(2)(b), F.S.
[13] The Secretary of Management Services serves as the head of the DMS and is appointed by the Governor, subject to confirmation by the Senate. Section 20.22(1), F.S.
[14] Section 282.0051(2)(a), F.S.
[15] Id.
[16] Section 282.0051(1), F.S.
[17] Id.
[18] The FLDS provides project oversight on IT projects that have a total cost of $20 million or more for the Department of Financial Services, the Department of Legal Affairs, and the Department of Agriculture and Consumer Services. Section 282.0051(1)(m), F.S.
[19] Section 282.318, F.S.
[20] For purposes of the State Cybersecurity Act, the term “state agency” includes the Department of Legal Affairs, the Department of Agriculture and Consumer Services, and the Department of Financial Services. Section 282.318(2), F.S.
[21] “Cybersecurity” means the protection afforded to an automated information system in order to attain the applicable objectives of preserving the confidentiality, integrity, and availability of data, information, and information technology resources. Section 282.0041(8), F.S.
[22] Section 282.318(3), F.S.
[23] “Data” means a subset of structured information in a format that allows such information to be electronically retrieved and transmitted. Section 282.0041(9), F.S.
[24] “Information technology resources” means data processing hardware and software and services, communications, supplies, personnel, facility resources, maintenance, and training. Section 282.0041(22), F.S.
[25] “Incident” means a violation or imminent threat of violation, whether such violation is accidental or deliberate, of information technology resources, security, policies, or practices. An imminent threat of violation refers to a situation in which the state agency has a factual basis for believing that a specific incident is about to occur. Section 282.0041(19), F.S.
[26] Section 282.318(4)(a), F.S.
[27] Section 282.318(4), F.S.
[28] NIST, otherwise known as the National Institute of Standards and Technology, “is a non-regulatory government agency that develops technology, metrics, and standards to drive innovation and economic competitiveness at U.S.-based organizations in the science and technology industry.” Nate Lord, What is NIST Compliance, DataInsider (May 6, 2023), https://www.digitalguardian.com/blog/what-nist-compliance (last visited Jan. 31, 2024).
[29] Under Florida law, an “advisory council” means an advisory body created by specific statutory enactment and appointed to function on a continuing basis. Generally, an advisory council is enacted to study the problems arising in a specified functional or program area of state government and to provide recommendations and policy alternatives. Section 20.03(7), F.S.; see also s. 20.052, F.S.
[30] Section 282.319(1), F.S.
[31] Section 282.319(2), F.S.
[32] Section 282.319(2)-(3), F.S.
[33] Section 282.319(9), F.S.
[34] Section 282.319(10), F.S.
[35] Section 282.319(11), F.S.
[36] Annex for PPD-41: U.S. Cyber Incident Coordination, https://obamawhitehouse.archives.gov/the-press-office/2016/07/26/annex-presidential-policy-directive-united-states-cyber-incident (last visited Jan. 31, 2024).
[37] Cybersecurity & Infrastructure Security Agency, Cybersecurity Incident Response, https://www.cisa.gov/topics/cybersecurity-best-practices/organizations-and-cyber-safety/cybersecurity-incident-response#:~:text=%20National%20Cyber%20Incident%20Response%20Plan%20%28NCIRP%29%20The,incidents%20and%20how%20those%20activities%20all%20fit%20together (last visited Jan. 31, 2024).
[38] Id.
[39] Section 282.318(3)(c)9.a, F.S.
[40] Sections 282.318(3)(c)9.c(I), F.S. and 282.3185(5)(b)1., F.S.
[41] Section 282.318(3)(c)9.c.(II), F.S.
[42] Section 282.318(3)(c)(9)(d), F.S.
[43] Section 282.318(3)(c)9.b, F.S.
[44] Section 282.318(3)(c)9.e, F.S.
[45] Id.
[46] Section 282.318(4)(k), F.S.
[47] Section 282.318(5), F.S.
[48] Section 282.318(7), F.S.
[49] Section 11.0431(2)(a), F.S.
[50] Section 282.318(6), F.S.
[51] Florida Department of Law Enforcement, Florida Fusion Center History, https://www.fdle.state.fl.us/FFC/FusionCenterHistory (last visited Jan. 31, 2024).
[52] Id.
[53] Florida Department of Law Enforcement, Long-Range Program Plan Fiscal Years 2010-2011 through 2014-2015, September 30, 2009, available at http://floridafiscalportal.state.fl.us/Document.aspx?ID=2215&DocType=PDF (last visited Jan. 31, 2024).
[54] Section 282.318(4)(k), F.S.
[55] Section 1004.444, F.S.