FLORIDA HOUSE OF REPRESENTATIVES
HB 1293 2025
CODING: Words stricken are deletions; words underlined are additions.
hb1293-00

A bill to be entitled

An act relating to cybersecurity; amending s. 282.0041, F.S.; providing definitions; amending s. 282.0051, F.S.; revising the purposes for which the Florida Digital Service is established; requiring the Florida Digital Service to ensure that independent project oversight on certain state agency information technology projects is performed in a certain manner; revising the date by which the Department of Management Services, acting through the Florida Digital Service, must provide certain recommendations to the Executive Office of the Governor and the Legislature; removing certain duties of the Florida Digital Service; revising the total project cost of certain projects for which the Florida Digital Service must provide project oversight; specifying the date by which the Florida Digital Service must provide certain reports; requiring the state chief information officer, in consultation with the Secretary of Management Services, to designate a state chief technology officer; providing duties of the state chief technology officer; revising the total project cost of certain projects for which certain procurement actions must be taken; removing provisions prohibiting the department, acting through the Florida Digital Service, from retrieving or disclosing certain data in certain circumstances; amending s. 282.00515, F.S.; conforming a cross-reference; amending s.
282.318, F.S.; providing that the Florida Digital Service is the lead entity for a certain purpose; requiring the Cybersecurity Operations Center to provide certain notifications; requiring the state chief information officer to make certain reports in consultation with the state chief information security officer; requiring a state agency to report ransomware and cybersecurity incidents within certain time periods; requiring the Cybersecurity Operations Center to immediately notify certain entities of reported incidents and take certain actions; requiring the state chief information security officer to notify the Legislature of certain incidents within a certain time period; requiring certain notification to be provided in a secure environment; requiring the Cybersecurity Operations Center to provide a certain report to certain entities by a specified date; requiring the Florida Digital Service to provide cybersecurity briefings to certain legislative committees; authorizing the Florida Digital Service to obtain certain access to certain infrastructure and direct certain measures; requiring a state agency head to annually designate a chief information security officer by a specified date; revising the purpose of an agency's information security manager and the date by which he or she must be designated; authorizing the department to brief certain legislative committees in a closed setting on certain records that are confidential and exempt from public records requirements; requiring such legislative committees to maintain the confidential and exempt status of certain records; authorizing certain legislators to attend meetings of the Florida Cybersecurity Advisory Council; amending s.
282.3185, F.S.; requiring a local government to report ransomware and certain cybersecurity incidents to the Cybersecurity Operations Center within certain time periods; requiring the Cybersecurity Operations Center to immediately notify certain entities of certain incidents and take certain actions; requiring certain notification to be provided in a secure environment; amending s. 282.319, F.S.; revising the membership of the Florida Cybersecurity Advisory Council; providing an effective date.

Be It Enacted by the Legislature of the State of Florida:

Section 1. Subsections (3) through (5), (6) through (16), and (17) through (38) of section 282.0041, Florida Statutes, are renumbered as subsections (4) through (6), (8) through (18), and (20) through (41), respectively, and new subsections (3), (7), and (19) are added to that section to read:

282.0041 Definitions.—As used in this chapter, the term:

(3) "As a service" means the contracting with or outsourcing to a third party of a defined role or function as a means of delivery.

(7) "Cloud provider" means an entity that provides cloud-computing services.

(19) "Enterprise digital data" means information held by a state agency in electronic form that is deemed to be data owned by the state and held for state purposes by the state agency. Enterprise digital data that is subject to statutory requirements for particular types of sensitive data or to contractual limitations for data marked as trade secrets or sensitive corporate data held by state agencies shall be treated in accordance with such requirements or limitations.
The department must maintain personnel with appropriate licenses, certifications, or classifications to steward such enterprise digital data, as necessary. Enterprise digital data must be maintained in accordance with chapter 119. This subsection may not be construed to create or expand an exemption from public records requirements under s. 119.07(1) or s. 24(a), Art. I of the State Constitution.

Section 2. Subsection (6) of section 282.0051, Florida Statutes, is renumbered as subsection (5), subsections (1) and (4) and present subsection (5) are amended, and paragraph (c) is added to subsection (2) of that section, to read:

282.0051 Department of Management Services; Florida Digital Service; powers, duties, and functions.—

(1) The Florida Digital Service is established has been created within the department to lead enterprise information technology and cybersecurity efforts; to safeguard enterprise digital data; to propose, test, develop, and deploy innovative solutions that securely modernize state government, including technology and information services;, to achieve value through digital transformation and interoperability;, and to fully support the cloud-first policy as specified in s. 282.206. The department, through the Florida Digital Service, shall have the following powers, duties, and functions:

(a) Develop and publish information technology policy for the management of the state's information technology resources.

(b) Develop an enterprise architecture that:

1. Acknowledges the unique needs of the entities within the enterprise in the development and publication of standards and terminologies to facilitate digital interoperability;

2.
Supports the cloud-first policy as specified in s. 282.206; and

3. Addresses how information technology infrastructure may be modernized to achieve cloud-first objectives.

(c) Establish project management and oversight standards with which state agencies must comply when implementing information technology projects. The department, acting through the Florida Digital Service, shall provide training opportunities to state agencies to assist in the adoption of the project management and oversight standards. To support data-driven decisionmaking, the standards must include, but are not limited to:

1. Performance measurements and metrics that objectively reflect the status of an information technology project based on a defined and documented project scope, cost, and schedule.

2. Methodologies for calculating acceptable variances in the projected versus actual scope, schedule, or cost of an information technology project.

3. Reporting requirements, including requirements designed to alert all defined stakeholders that an information technology project has exceeded acceptable variances defined and documented in a project plan.

4. Content, format, and frequency of project updates.

5. Technical standards to ensure an information technology project complies with the enterprise architecture.

(d) Ensure that independent Perform project oversight on all state agency information technology projects that have total
project costs of $25 $10 million or more and that are funded in the General Appropriations Act or any other law is performed in compliance with applicable state and federal law. The department, acting through the Florida Digital Service, shall report at least quarterly to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives on any information technology project that the department identifies as high-risk due to the project exceeding acceptable variance ranges defined and documented in a project plan. The report must include a risk assessment, including fiscal risks, associated with proceeding to the next stage of the project, and a recommendation for corrective actions required, including suspension or termination of the project.

(e) Identify opportunities for standardization and consolidation of information technology services that support interoperability and the cloud-first policy, as specified in s. 282.206, and business functions and operations, including administrative functions such as purchasing, accounting and reporting, cash management, and personnel, and that are common across state agencies. The department, acting through the Florida Digital Service, shall biennially on January 15 1 of each even-numbered year provide recommendations for standardization and consolidation to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives.
(f) Establish best practices for the procurement of information technology products and cloud-computing services in order to reduce costs, increase the quality of data center services, or improve government services.

(g) Develop standards for information technology reports and updates, including, but not limited to, operational work plans, project spend plans, and project status reports, for use by state agencies.

(h) Upon request, assist state agencies in the development of information technology-related legislative budget requests.

(i) Conduct annual assessments of state agencies to determine compliance with all information technology standards and guidelines developed and published by the department and provide results of the assessments to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives.

(i)(j) Conduct a market analysis not less frequently than every 3 years beginning in 2021 to determine whether the information technology resources within the enterprise are utilized in the most cost-effective and cost-efficient manner, while recognizing that the replacement of certain legacy information technology systems within the enterprise may be cost prohibitive or cost inefficient due to the remaining useful life of those resources; whether the enterprise is complying with the cloud-first policy specified in s. 282.206; and whether the enterprise is utilizing best practices with respect to information technology, information services, and the acquisition of emerging technologies and information services.
Each market analysis shall be used to prepare a strategic plan for continued and future information technology and information services for the enterprise, including, but not limited to, proposed acquisition of new services or technologies and approaches to the implementation of any new services or technologies. Copies of each market analysis and accompanying strategic plan must be submitted to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives not later than December 31 of each year that a market analysis is conducted.

(j)(k) Recommend other information technology services that should be designed, delivered, and managed as enterprise information technology services. Recommendations must include the identification of existing information technology resources associated with the services, if existing services must be transferred as a result of being delivered and managed as enterprise information technology services.

(k)(l) In consultation with state agencies, propose a methodology and approach for identifying and collecting both current and planned information technology expenditure data at the state agency level.

(l)(m)1. Notwithstanding any other law, provide project oversight on any information technology project of the Department of Financial Services, the Department of Legal Affairs, and the Department of Agriculture and Consumer Services which has a total project cost of $25 $20 million or more.
Such information technology projects must also comply with the applicable information technology architecture, project management and oversight, and reporting standards established by the department, acting through the Florida Digital Service.

2. When ensuring performance of performing the project oversight function specified in subparagraph 1., report by the 30th day after the end of each quarter at least quarterly to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives on any information technology project that the department, acting through the Florida Digital Service, identifies as high-risk due to the project exceeding acceptable variance ranges defined and documented in the project plan. The report shall include a risk assessment, including fiscal risks, associated with proceeding to the next stage of the project and a recommendation for corrective actions required, including suspension or termination of the project.

(m)(n) If an information technology project implemented by a state agency must be connected to or otherwise accommodated by an information technology system administered by the Department of Financial Services, the Department of Legal Affairs, or the Department of Agriculture and Consumer Services, consult with these departments regarding the risks and other effects of such projects on their information technology systems and work cooperatively with these departments regarding the connections, interfaces, timing, or accommodations required to implement such projects.
(n)(o) If adherence to standards or policies adopted by or established pursuant to this section causes conflict with federal regulations or requirements imposed on an entity within the enterprise and results in adverse action against an entity or federal funding, work with the entity to provide alternative standards, policies, or requirements that do not conflict with the federal regulation or requirement. The department, acting through the Florida Digital Service, shall annually by January 15 report such alternative standards to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives.

(o)(p)1. Establish an information technology policy for all information technology-related state contracts, including state term contracts for information technology commodities, consultant services, and staff augmentation services. The information technology policy must include:

a. Identification of the information technology product and service categories to be included in state term contracts.

b. Requirements to be included in solicitations for state term contracts.

c. Evaluation criteria for the award of information technology-related state term contracts.

d. The term of each information technology-related state term contract.

e. The maximum number of vendors authorized on each state term contract.

f. At a minimum, a requirement that any contract for information technology commodities or services meet the National Institute of Standards and Technology Cybersecurity Framework.

g.
For an information technology project wherein project oversight is required pursuant to paragraph (d) or paragraph (l) (m), a requirement that independent verification and validation be employed throughout the project life cycle with the primary objective of independent verification and validation being to provide an objective assessment of products and processes throughout the project life cycle. An entity providing independent verification and validation may not have technical, managerial, or financial interest in the project and may not have responsibility for, or participate in, any other aspect of the project.

2. Evaluate vendor responses for information technology-related state term contract solicitations and invitations to negotiate.

3. Answer vendor questions on information technology-related state term contract solicitations.

4. Ensure that the information technology policy established pursuant to subparagraph 1. is included in all solicitations and contracts that are administratively executed by the department.

(p)(q) Recommend potential methods for standardizing data across state agencies which will promote interoperability and reduce the collection of duplicative data.

(q)(r) Recommend open data technical standards and terminologies for use by the enterprise.

(r)(s) Ensure that enterprise information technology solutions are capable of utilizing an electronic credential and comply with the enterprise architecture standards.

(2)

(c) The state chief information officer, in consultation with the Secretary of Management Services, shall designate a state chief technology officer who shall be responsible for all of the following:

1.
Establishing and maintaining an enterprise architecture framework that ensures information technology investments align with the state's strategic objectives and initiatives pursuant to paragraph (1)(b).

2. Conducting comprehensive evaluations of potential technological solutions and cultivating strategic partnerships, internally with state enterprise agencies and externally with the private sector, to leverage collective expertise, foster collaboration, and advance the state's technological capabilities.

3. Supervising program management of enterprise information technology initiatives pursuant to paragraphs (1)(c), (d), and (l); providing advisory support and oversight for technology-related projects; and continuously identifying and recommending best practices to optimize outcomes of technology projects and enhance the enterprise's technological efficiency and effectiveness.

(4) For information technology projects that have a total project cost of $25 $10 million or more:

(a) State agencies must provide the Florida Digital Service with written notice of any planned procurement of an information technology project.

(b) The Florida Digital Service must participate in the development of specifications and recommend modifications to any planned procurement of an information technology project by state agencies so that the procurement complies with the enterprise architecture.

(c) The Florida Digital Service must participate in post-award contract monitoring.

(5) The department, acting through the Florida Digital Service, may not retrieve or disclose any data without a shared-data agreement in place between the department and the enterprise entity that has primary custodial responsibility of, or data-sharing responsibility for, that data.

Section 3. Subsection (1) of section 282.00515, Florida Statutes, is amended to read:

282.00515 Duties of Cabinet agencies.—

(1) The Department of Legal Affairs, the Department of Financial Services, and the Department of Agriculture and Consumer Services shall adopt the standards established in s. 282.0051(1)(b), (c), and (q) (r) and (3)(e) or adopt alternative standards based on best practices and industry standards that allow for open data interoperability.

Section 4. Paragraphs (a) through (k) of subsection (4) of section 282.318, Florida Statutes, are redesignated as paragraphs (b) through (l), respectively, subsection (10) is renumbered as subsection (11), subsection (3) and present paragraph (a) of subsection (4) are amended, a new paragraph (a) is added to subsection (4), and a new subsection (10) is added to that section, to read:

282.318 Cybersecurity.—

(3) The department, acting through the Florida Digital Service, is the lead entity responsible for leading enterprise information technology and cybersecurity efforts, safeguarding enterprise digital data, establishing standards and processes for assessing state agency cybersecurity risks, and determining appropriate security measures. Such standards and processes must be consistent with generally accepted technology best practices, including the National Institute for Standards and Technology Cybersecurity Framework, for cybersecurity.
The department, acting through the Florida Digital Service, shall adopt rules that mitigate risks; safeguard state agency digital assets, data, information, and information technology resources to ensure availability, confidentiality, and integrity; and support a security governance framework. The department, acting through the Florida Digital Service, shall also:

(a) Designate an employee of the Florida Digital Service as the state chief information security officer. The state chief information security officer must have experience and expertise in security and risk management for communications and information technology resources. The state chief information security officer is responsible for the development, operation, and oversight of cybersecurity for state technology systems. The Cybersecurity Operations Center shall immediately notify the state chief information officer and the state chief information security officer shall be notified of all confirmed or suspected incidents or threats of state agency information technology resources. The state chief information officer, in consultation with the state chief information security officer, and must report such incidents or threats to the state chief information officer and the Governor.

(b) Develop, and annually update by February 1, a statewide cybersecurity strategic plan that includes security goals and objectives for cybersecurity, including the identification and mitigation of risk, proactive protections against threats, tactical risk detection, threat reporting, and response and recovery protocols for a cyber incident.
(c) Develop and publish for use by state agencies a cybersecurity governance framework that, at a minimum, includes guidelines and processes for:

1. Establishing asset management procedures to ensure that an agency's information technology resources are identified and managed consistent with their relative importance to the agency's business objectives.

2. Using a standard risk assessment methodology that includes the identification of an agency's priorities, constraints, risk tolerances, and assumptions necessary to support operational risk decisions.

3. Completing comprehensive risk assessments and cybersecurity audits, which may be completed by a private sector vendor, and submitting completed assessments and audits to the department.

4. Identifying protection procedures to manage the protection of an agency's information, data, and information technology resources.

5. Establishing procedures for accessing information and data to ensure the confidentiality, integrity, and availability of such information and data.

6. Detecting threats through proactive monitoring of events, continuous security monitoring, and defined detection processes.

7. Establishing agency cybersecurity incident response teams and describing their responsibilities for responding to cybersecurity incidents, including breaches of personal information containing confidential or exempt data.

8. Recovering information and data in response to a cybersecurity incident. The recovery may include recommended improvements to the agency processes, policies, or guidelines.

9.
Establishing a cybersecurity incident reporting process that includes procedures for notifying the department and the Department of Law Enforcement of cybersecurity incidents.

a. The level of severity of the cybersecurity incident is defined by the National Cyber Incident Response Plan of the United States Department of Homeland Security as follows:

(I) Level 5 is an emergency-level incident within the specified jurisdiction that poses an imminent threat to the provision of wide-scale critical infrastructure services; national, state, or local government security; or the lives of the country's, state's, or local government's residents.

(II) Level 4 is a severe-level incident that is likely to result in a significant impact in the affected jurisdiction to public health or safety; national, state, or local security; economic security; or civil liberties.

(III) Level 3 is a high-level incident that is likely to result in a demonstrable impact in the affected jurisdiction to public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.

(IV) Level 2 is a medium-level incident that may impact public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.

(V) Level 1 is a low-level incident that is unlikely to impact public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.

b.
The cybersecurity incident reporting process must specify the information that must be reported by a state agency following a cybersecurity incident or ransomware incident, which, at a minimum, must include the following:

(I) A summary of the facts surrounding the cybersecurity incident or ransomware incident.

(II) The date on which the state agency most recently backed up its data; the physical location of the backup, if the backup was affected; and if the backup was created using cloud computing.

(III) The types of data compromised by the cybersecurity incident or ransomware incident.

(IV) The estimated fiscal impact of the cybersecurity incident or ransomware incident.

(V) In the case of a ransomware incident, the details of the ransom demanded.

c.(I) A state agency shall report all ransomware incidents and any cybersecurity incidents incident determined by the state agency to be of severity level 3, 4, or 5 to the Cybersecurity Operations Center and the Cybercrime Office of the Department of Law Enforcement as soon as possible but no later than 12 48 hours after discovery of the cybersecurity incident and no later than 6 12 hours after discovery of the ransomware incident. The report must contain the information required in sub-subparagraph b.
(II) The Cybersecurity Operations Center shall:

(A) Immediately notify the Cybercrime Office of the Department of Law Enforcement of a reported incident and provide to the office regular reports on the status of the incident, preserve forensic data to support a subsequent investigation, and provide aid to the investigative efforts of the office upon the office's request if the state chief information security officer finds that the investigation does not impede remediation of the incident and that there is no risk to the public and no risk to critical state functions.

(B) Immediately notify the state chief information officer and the state chief information security officer of a reported incident. The state chief information security officer shall notify the President of the Senate and the Speaker of the House of Representatives of any severity level 3, 4, or 5 incident as soon as possible but no later than 24 12 hours after receiving a state agency's incident report. The notification must include a high-level description of the incident and the likely effects and must be provided in a secure environment.

d. A state agency shall report a cybersecurity incident determined by the state agency to be of severity level 1 or 2 to the Cybersecurity Operations Center and the Cybercrime Office of the Department of Law Enforcement as soon as possible. The report must contain the information required in sub-subparagraph b.

d.e.
The Cybersecurity Operations Center shall provide a 514 consolidated incident report by the 30th day after the end of 515 each quarter on a quarterly basis to the Governor, the Attorney 516 General, the executive director of the Department of Law 517 Enforcement, the President of the Senate, the Speaker of the 518 House of Representatives, and the Florida Cybersecurity Advisory 519 Council. The report provided to the Florida Cybersecurity 520 Advisory Council may not contain the name of any agency, network 521 information, or system identifying information but must contain 522 sufficient relevant information to allow the Florida 523 Cybersecurity Advisory Council to fulfill its responsibilities 524 as required in s. 282.319(9). 525 HB 1293 2025 CODING: Words stricken are deletions; words underlined are additions. hb1293-00 Page 22 of 28 F L O R I D A H O U S E O F R E P R E S E N T A T I V E S 10. Incorporating information obtained through detection 526 and response activiti es into the agency's cybersecurity incident 527 response plans. 528 11. Developing agency strategic and operational 529 cybersecurity plans required pursuant to this section. 530 12. Establishing the managerial, operational, and 531 technical safeguards for protecting sta te government data and 532 information technology resources that align with the state 533 agency risk management strategy and that protect the 534 confidentiality, integrity, and availability of information and 535 data. 536 13. Establishing procedures for procuring informa tion 537 technology commodities and services that require the commodity 538 or service to meet the National Institute of Standards and 539 Technology Cybersecurity Framework. 540 14. Submitting after -action reports following a 541 cybersecurity incident or ransomware incide nt. Such guidelines 542 and processes for submitting after -action reports must be 543 developed and published by December 1, 2022. 
(d) Assist state agencies in complying with this section.
(e) In collaboration with the Cybercrime Office of the Department of Law Enforcement, annually provide training for state agency information security managers and computer security incident response team members that contains training on cybersecurity, including cybersecurity threats, trends, and best practices.
(f) Annually review the strategic and operational cybersecurity plans of state agencies.
(g) Annually provide cybersecurity training to all state agency technology professionals and employees with access to highly sensitive information which develops, assesses, and documents competencies by role and skill level. The cybersecurity training curriculum must include training on the identification of each cybersecurity incident severity level referenced in sub-subparagraph (c)9.a. The training may be provided in collaboration with the Cybercrime Office of the Department of Law Enforcement, a private sector entity, or an institution of the State University System.
(h) Operate and maintain a Cybersecurity Operations Center led by the state chief information security officer, which must be primarily virtual and staffed with tactical detection and incident response personnel. The Cybersecurity Operations Center shall serve as a clearinghouse for threat information and coordinate with the Department of Law Enforcement to support state agencies and their response to any confirmed or suspected cybersecurity incident.
(i) Lead an Emergency Support Function, ESF-20 ESF CYBER, under the state comprehensive emergency management plan as described in s. 252.35.
(j) Provide cybersecurity briefings to the members of any legislative committee or subcommittee responsible for policy matters relating to cybersecurity.
(k) Have the authority to obtain immediate access to public or private infrastructure hosting enterprise digital data and to direct, in consultation with the state agency that holds the particular enterprise digital data, measures to assess, monitor, and safeguard the enterprise digital data.
(4) Each state agency head shall, at a minimum:
(a) Designate a chief information security officer to integrate the agency's technical and operational cybersecurity efforts with the Cybersecurity Operations Center. This designation must be provided annually in writing to the Florida Digital Service by January 15. For a state agency under the jurisdiction of the Governor, the agency's chief information security officer shall be under the general supervision of the agency head or designee for administrative purposes but shall report to the state chief information officer. An agency may request that the department procure a chief information security officer as a service to fulfill the agency's duties under this paragraph.
(b)(a) Designate an information security manager to ensure compliance with cybersecurity governance and with the state's enterprise security program and incident response plan. The information security manager must coordinate with the agency's chief information security officer and the Cybersecurity Operations Center to ensure that the unique needs of the agency are met administer the cybersecurity program of the state agency. This designation must be provided annually in writing to the department by January 15 1. A state agency's information security manager, for purposes of these information security duties, shall work in collaboration with the agency's chief information security officer and report directly to the agency head.
(10) The department may brief any legislative committee or subcommittee responsible for cybersecurity policy in a meeting or other setting closed by the respective body under the rules of such legislative body at which the legislative committee or subcommittee is briefed on records made confidential and exempt under subsections (5) and (6). The legislative committee or subcommittee must maintain the confidential and exempt status of such records. A legislator serving on a legislative committee or subcommittee responsible for cybersecurity policy may also attend meetings of the Florida Cybersecurity Advisory Council, including any portions of such meetings that are exempt from s. 286.011 and s. 24(b), Art. I of the State Constitution.
Section 5. Paragraphs (b) and (c) of subsection (5) of section 282.3185, Florida Statutes, are amended to read:
282.3185 Local government cybersecurity.—
(5) INCIDENT NOTIFICATION.—
(b)1. A local government shall report all ransomware incidents and any cybersecurity incident determined by the local government to be of severity level 3, 4, or 5 as provided in s. 282.318(3)(c) to the Cybersecurity Operations Center, the Cybercrime Office of the Department of Law Enforcement, and the sheriff who has jurisdiction over the local government as soon as possible but no later than 12 48 hours after discovery of the cybersecurity incident and no later than 6 12 hours after discovery of the ransomware incident. The report must contain the information required in paragraph (a).
2. The Cybersecurity Operations Center shall:
a. Immediately notify the Cybercrime Office of the Department of Law Enforcement and the sheriff who has jurisdiction over the local government of a reported incident and provide to the Cybercrime Office of the Department of Law Enforcement and the sheriff who has jurisdiction over the local government regular reports on the status of the incident, preserve forensic data to support a subsequent investigation, and provide aid to the investigative efforts of the Cybercrime Office of the Department of Law Enforcement upon the office's request if the state chief information security officer finds that the investigation does not impede remediation of the incident and that there is no risk to the public and no risk to critical state functions.
b. Immediately notify the state chief information security officer of a reported incident. The state chief information security officer shall notify the President of the Senate and the Speaker of the House of Representatives of any severity level 3, 4, or 5 incident as soon as possible but no later than 24 12 hours after receiving a local government's incident report.
The notification must include a high-level description of the incident and the likely effects and must be provided in a secure environment.
(c) A local government may report a cybersecurity incident determined by the local government to be of severity level 1 or 2 as provided in s. 282.318(3)(c) to the Cybersecurity Operations Center, the Cybercrime Office of the Department of Law Enforcement, and the sheriff who has jurisdiction over the local government. The report shall contain the information required in paragraph (a). The Cybersecurity Operations Center shall immediately notify the Cybercrime Office of the Department of Law Enforcement and the sheriff who has jurisdiction over the local government of a reported incident and provide regular reports on the status of the cybersecurity incident, preserve forensic data to support a subsequent investigation, and provide aid to the investigative efforts of the Cybercrime Office of the Department of Law Enforcement upon request if the state chief information security officer finds that the investigation does not impede remediation of the cybersecurity incident and that there is no risk to the public and no risk to critical state functions.
Section 6. Paragraph (j) of subsection (4) of section 282.319, Florida Statutes, is amended, and paragraph (m) is added to that subsection, to read:
282.319 Florida Cybersecurity Advisory Council.—
(4) The council shall be comprised of the following members:
(j) Three representatives from critical infrastructure sectors, one of whom must be from a utility provider water treatment facility, appointed by the Governor.
(m) A representative of local government.
Section 7. This act shall take effect July 1, 2025.