Florida 2025 Regular Session

Florida House Bill H1293 Compare Versions

Only one version of the bill is available at this time.

HB 1293 2025
CODING: Words stricken are deletions; words underlined are additions.
hb1293-00
FLORIDA HOUSE OF REPRESENTATIVES

A bill to be entitled
An act relating to cybersecurity; amending s. 282.0041, F.S.; providing definitions; amending s. 282.0051, F.S.; revising the purposes for which the Florida Digital Service is established; requiring the Florida Digital Service to ensure that independent project oversight on certain state agency information technology projects is performed in a certain manner; revising the date by which the Department of Management Services, acting through the Florida Digital Service, must provide certain recommendations to the Executive Office of the Governor and the Legislature; removing certain duties of the Florida Digital Service; revising the total project cost of certain projects for which the Florida Digital Service must provide project oversight; specifying the date by which the Florida Digital Service must provide certain reports; requiring the state chief information officer, in consultation with the Secretary of Management Services, to designate a state chief technology officer; providing duties of the state chief technology officer; revising the total project cost of certain projects for which certain procurement actions must be taken; removing provisions prohibiting the department, acting through the Florida Digital
Service, from retrieving or disclosing certain data in certain circumstances; amending s. 282.00515, F.S.; conforming a cross-reference; amending s. 282.318, F.S.; providing that the Florida Digital Service is the lead entity for a certain purpose; requiring the Cybersecurity Operations Center to provide certain notifications; requiring the state chief information officer to make certain reports in consultation with the state chief information security officer; requiring a state agency to report ransomware and cybersecurity incidents within certain time periods; requiring the Cybersecurity Operations Center to immediately notify certain entities of reported incidents and take certain actions; requiring the state chief information security officer to notify the Legislature of certain incidents within a certain time period; requiring certain notification to be provided in a secure environment; requiring the Cybersecurity Operations Center to provide a certain report to certain entities by a specified date; requiring the Florida Digital Service to provide cybersecurity briefings to certain legislative committees; authorizing the Florida Digital Service to obtain certain access to certain infrastructure and direct certain measures; requiring a state agency head to
annually designate a chief information security officer by a specified date; revising the purpose of an agency's information security manager and the date by which he or she must be designated; authorizing the department to brief certain legislative committees in a closed setting on certain records that are confidential and exempt from public records requirements; requiring such legislative committees to maintain the confidential and exempt status of certain records; authorizing certain legislators to attend meetings of the Florida Cybersecurity Advisory Council; amending s. 282.3185, F.S.; requiring a local government to report ransomware and certain cybersecurity incidents to the Cybersecurity Operations Center within certain time periods; requiring the Cybersecurity Operations Center to immediately notify certain entities of certain incidents and take certain actions; requiring certain notification to be provided in a secure environment; amending s. 282.319, F.S.; revising the membership of the Florida Cybersecurity Advisory Council; providing an effective date.

Be It Enacted by the Legislature of the State of Florida:

Section 1. Subsections (3) through (5), (6) through (16), and (17) through (38) of section 282.0041, Florida Statutes, are renumbered as subsections (4) through (6), (8) through (18), and (20) through (41), respectively, and new subsections (3), (7), and (19) are added to that section to read:
282.0041 Definitions.—As used in this chapter, the term:
(3) "As a service" means the contracting with or outsourcing to a third party of a defined role or function as a means of delivery.
(7) "Cloud provider" means an entity that provides cloud-computing services.
(19) "Enterprise digital data" means information held by a state agency in electronic form that is deemed to be data owned by the state and held for state purposes by the state agency. Enterprise digital data that is subject to statutory requirements for particular types of sensitive data or to contractual limitations for data marked as trade secrets or sensitive corporate data held by state agencies shall be treated in accordance with such requirements or limitations. The department must maintain personnel with appropriate licenses, certifications, or classifications to steward such enterprise digital data, as necessary. Enterprise digital data must be maintained in accordance with chapter 119. This subsection may not be construed to create or expand an exemption from public records requirements under s. 119.07(1) or s. 24(a), Art. I of
the State Constitution.
Section 2. Subsection (6) of section 282.0051, Florida Statutes, is renumbered as subsection (5), subsections (1) and (4) and present subsection (5) are amended, and paragraph (c) is added to subsection (2) of that section, to read:
282.0051 Department of Management Services; Florida Digital Service; powers, duties, and functions.—
(1) The Florida Digital Service is established has been created within the department to lead enterprise information technology and cybersecurity efforts; to safeguard enterprise digital data; to propose, test, develop, and deploy innovative solutions that securely modernize state government, including technology and information services;, to achieve value through digital transformation and interoperability;, and to fully support the cloud-first policy as specified in s. 282.206. The department, through the Florida Digital Service, shall have the following powers, duties, and functions:
(a) Develop and publish information technology policy for the management of the state's information technology resources.
(b) Develop an enterprise architecture that:
1. Acknowledges the unique needs of the entities within the enterprise in the development and publication of standards and terminologies to facilitate digital interoperability;
2. Supports the cloud-first policy as specified in s. 282.206; and
3. Addresses how information technology infrastructure may be modernized to achieve cloud-first objectives.
(c) Establish project management and oversight standards with which state agencies must comply when implementing information technology projects. The department, acting through the Florida Digital Service, shall provide training opportunities to state agencies to assist in the adoption of the project management and oversight standards. To support data-driven decisionmaking, the standards must include, but are not limited to:
1. Performance measurements and metrics that objectively reflect the status of an information technology project based on a defined and documented project scope, cost, and schedule.
2. Methodologies for calculating acceptable variances in the projected versus actual scope, schedule, or cost of an information technology project.
3. Reporting requirements, including requirements designed to alert all defined stakeholders that an information technology project has exceeded acceptable variances defined and documented in a project plan.
4. Content, format, and frequency of project updates.
5. Technical standards to ensure an information technology project complies with the enterprise architecture.
(d) Ensure that independent Perform project oversight on all state agency information technology projects that have total
project costs of $25 $10 million or more and that are funded in the General Appropriations Act or any other law is performed in compliance with applicable state and federal law. The department, acting through the Florida Digital Service, shall report at least quarterly to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives on any information technology project that the department identifies as high-risk due to the project exceeding acceptable variance ranges defined and documented in a project plan. The report must include a risk assessment, including fiscal risks, associated with proceeding to the next stage of the project, and a recommendation for corrective actions required, including suspension or termination of the project.
(e) Identify opportunities for standardization and consolidation of information technology services that support interoperability and the cloud-first policy, as specified in s. 282.206, and business functions and operations, including administrative functions such as purchasing, accounting and reporting, cash management, and personnel, and that are common across state agencies. The department, acting through the Florida Digital Service, shall biennially on January 15 1 of each even-numbered year provide recommendations for standardization and consolidation to the Executive Office of the Governor, the President of the Senate, and the Speaker of the
House of Representatives.
(f) Establish best practices for the procurement of information technology products and cloud-computing services in order to reduce costs, increase the quality of data center services, or improve government services.
(g) Develop standards for information technology reports and updates, including, but not limited to, operational work plans, project spend plans, and project status reports, for use by state agencies.
(h) Upon request, assist state agencies in the development of information technology-related legislative budget requests.
(i) Conduct annual assessments of state agencies to determine compliance with all information technology standards and guidelines developed and published by the department and provide results of the assessments to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives.
(i)(j) Conduct a market analysis not less frequently than every 3 years beginning in 2021 to determine whether the information technology resources within the enterprise are utilized in the most cost-effective and cost-efficient manner, while recognizing that the replacement of certain legacy information technology systems within the enterprise may be cost prohibitive or cost inefficient due to the remaining useful life of those resources; whether the enterprise is complying with the
cloud-first policy specified in s. 282.206; and whether the enterprise is utilizing best practices with respect to information technology, information services, and the acquisition of emerging technologies and information services. Each market analysis shall be used to prepare a strategic plan for continued and future information technology and information services for the enterprise, including, but not limited to, proposed acquisition of new services or technologies and approaches to the implementation of any new services or technologies. Copies of each market analysis and accompanying strategic plan must be submitted to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives not later than December 31 of each year that a market analysis is conducted.
(j)(k) Recommend other information technology services that should be designed, delivered, and managed as enterprise information technology services. Recommendations must include the identification of existing information technology resources associated with the services, if existing services must be transferred as a result of being delivered and managed as enterprise information technology services.
(k)(l) In consultation with state agencies, propose a methodology and approach for identifying and collecting both current and planned information technology expenditure data at the state agency level.
(l)(m)1. Notwithstanding any other law, provide project oversight on any information technology project of the Department of Financial Services, the Department of Legal Affairs, and the Department of Agriculture and Consumer Services which has a total project cost of $25 $20 million or more. Such information technology projects must also comply with the applicable information technology architecture, project management and oversight, and reporting standards established by the department, acting through the Florida Digital Service.
2. When ensuring performance of performing the project oversight function specified in subparagraph 1., report by the 30th day after the end of each quarter at least quarterly to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives on any information technology project that the department, acting through the Florida Digital Service, identifies as high-risk due to the project exceeding acceptable variance ranges defined and documented in the project plan. The report shall include a risk assessment, including fiscal risks, associated with proceeding to the next stage of the project and a recommendation for corrective actions required, including suspension or termination of the project.
(m)(n) If an information technology project implemented by a state agency must be connected to or otherwise accommodated by an information technology system administered by the Department
of Financial Services, the Department of Legal Affairs, or the Department of Agriculture and Consumer Services, consult with these departments regarding the risks and other effects of such projects on their information technology systems and work cooperatively with these departments regarding the connections, interfaces, timing, or accommodations required to implement such projects.
(n)(o) If adherence to standards or policies adopted by or established pursuant to this section causes conflict with federal regulations or requirements imposed on an entity within the enterprise and results in adverse action against an entity or federal funding, work with the entity to provide alternative standards, policies, or requirements that do not conflict with the federal regulation or requirement. The department, acting through the Florida Digital Service, shall annually by January 15 report such alternative standards to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives.
(o)(p)1. Establish an information technology policy for all information technology-related state contracts, including state term contracts for information technology commodities, consultant services, and staff augmentation services. The information technology policy must include:
a. Identification of the information technology product and service categories to be included in state term contracts.
b. Requirements to be included in solicitations for state term contracts.
c. Evaluation criteria for the award of information technology-related state term contracts.
d. The term of each information technology-related state term contract.
e. The maximum number of vendors authorized on each state term contract.
f. At a minimum, a requirement that any contract for information technology commodities or services meet the National Institute of Standards and Technology Cybersecurity Framework.
g. For an information technology project wherein project oversight is required pursuant to paragraph (d) or paragraph (l) (m), a requirement that independent verification and validation be employed throughout the project life cycle with the primary objective of independent verification and validation being to provide an objective assessment of products and processes throughout the project life cycle. An entity providing independent verification and validation may not have technical, managerial, or financial interest in the project and may not have responsibility for, or participate in, any other aspect of the project.
2. Evaluate vendor responses for information technology-related state term contract solicitations and invitations to negotiate.
3. Answer vendor questions on information technology-related state term contract solicitations.
4. Ensure that the information technology policy established pursuant to subparagraph 1. is included in all solicitations and contracts that are administratively executed by the department.
(p)(q) Recommend potential methods for standardizing data across state agencies which will promote interoperability and reduce the collection of duplicative data.
(q)(r) Recommend open data technical standards and terminologies for use by the enterprise.
(r)(s) Ensure that enterprise information technology solutions are capable of utilizing an electronic credential and comply with the enterprise architecture standards.
(2)
(c) The state chief information officer, in consultation with the Secretary of Management Services, shall designate a state chief technology officer who shall be responsible for all of the following:
1. Establishing and maintaining an enterprise architecture framework that ensures information technology investments align with the state's strategic objectives and initiatives pursuant to paragraph (1)(b).
2. Conducting comprehensive evaluations of potential technological solutions and cultivating strategic partnerships,
internally with state enterprise agencies and externally with the private sector, to leverage collective expertise, foster collaboration, and advance the state's technological capabilities.
3. Supervising program management of enterprise information technology initiatives pursuant to paragraphs (1)(c), (d), and (l); providing advisory support and oversight for technology-related projects; and continuously identifying and recommending best practices to optimize outcomes of technology projects and enhance the enterprise's technological efficiency and effectiveness.
(4) For information technology projects that have a total project cost of $25 $10 million or more:
(a) State agencies must provide the Florida Digital Service with written notice of any planned procurement of an information technology project.
(b) The Florida Digital Service must participate in the development of specifications and recommend modifications to any planned procurement of an information technology project by state agencies so that the procurement complies with the enterprise architecture.
(c) The Florida Digital Service must participate in post-award contract monitoring.
(5) The department, acting through the Florida Digital Service, may not retrieve or disclose any data without a shared-data agreement in place between the department and the enterprise entity that has primary custodial responsibility of, or data-sharing responsibility for, that data.
Section 3. Subsection (1) of section 282.00515, Florida Statutes, is amended to read:
282.00515 Duties of Cabinet agencies.—
(1) The Department of Legal Affairs, the Department of Financial Services, and the Department of Agriculture and Consumer Services shall adopt the standards established in s. 282.0051(1)(b), (c), and (q) (r) and (3)(e) or adopt alternative standards based on best practices and industry standards that allow for open data interoperability.
Section 4. Paragraphs (a) through (k) of subsection (4) of section 282.318, Florida Statutes, are redesignated as paragraphs (b) through (l), respectively, subsection (10) is renumbered as subsection (11), subsection (3) and present paragraph (a) of subsection (4) are amended, a new paragraph (a) is added to subsection (4), and a new subsection (10) is added to that section, to read:
282.318 Cybersecurity.—
(3) The department, acting through the Florida Digital Service, is the lead entity responsible for leading enterprise information technology and cybersecurity efforts, safeguarding enterprise digital data, establishing standards and processes for assessing state agency cybersecurity risks, and determining
appropriate security measures. Such standards and processes must be consistent with generally accepted technology best practices, including the National Institute for Standards and Technology Cybersecurity Framework, for cybersecurity. The department, acting through the Florida Digital Service, shall adopt rules that mitigate risks; safeguard state agency digital assets, data, information, and information technology resources to ensure availability, confidentiality, and integrity; and support a security governance framework. The department, acting through the Florida Digital Service, shall also:
(a) Designate an employee of the Florida Digital Service as the state chief information security officer. The state chief information security officer must have experience and expertise in security and risk management for communications and information technology resources. The state chief information security officer is responsible for the development, operation, and oversight of cybersecurity for state technology systems. The Cybersecurity Operations Center shall immediately notify the state chief information officer and the state chief information security officer shall be notified of all confirmed or suspected incidents or threats of state agency information technology resources. The state chief information officer, in consultation with the state chief information security officer, and must report such incidents or threats to the state chief information officer and the Governor.
(b) Develop, and annually update by February 1, a statewide cybersecurity strategic plan that includes security goals and objectives for cybersecurity, including the identification and mitigation of risk, proactive protections against threats, tactical risk detection, threat reporting, and response and recovery protocols for a cyber incident.
(c) Develop and publish for use by state agencies a cybersecurity governance framework that, at a minimum, includes guidelines and processes for:
1. Establishing asset management procedures to ensure that an agency's information technology resources are identified and managed consistent with their relative importance to the agency's business objectives.
2. Using a standard risk assessment methodology that includes the identification of an agency's priorities, constraints, risk tolerances, and assumptions necessary to support operational risk decisions.
3. Completing comprehensive risk assessments and cybersecurity audits, which may be completed by a private sector vendor, and submitting completed assessments and audits to the department.
4. Identifying protection procedures to manage the protection of an agency's information, data, and information technology resources.
5. Establishing procedures for accessing information and
643643 data to ensure the confidentiality, integrity, and availability 426
644644 of such information and data. 427
645645 6. Detecting threats through proactive monitoring of 428
646646 events, continuous security monitoring, and defined detection 429
647647 processes. 430
648648 7. Establishing agency cybersecurity incident response 431
649649 teams and describing their responsibilities for responding to 432
650650 cybersecurity incidents, including breaches of personal 433
651651 information containing confidential or exempt data. 434
652652 8. Recovering information and data in response to a 435
653653 cybersecurity incident. The recovery may include recommended 436
654654 improvements to the agency processes, policies, or guidelines. 437
655655 9. Establishing a cybersecurity incident reporting process 438
656656 that includes procedures for notifying the department and the 439
657657 Department of Law Enforcement of cybersecurity incidents. 440
658658 a. The level of severity of the cybersecurity incident is 441
659659 defined by the National Cyber Incident Response Plan of the 442
660660 United States Department of Homeland Security as follows: 443
661661 (I) Level 5 is an emergency-level incident within the 444
662662 specified jurisdiction that poses an imminent threat to the 445
663663 provision of wide-scale critical infrastructure services; 446
664664 national, state, or local government security; or the lives of 447
665665 the country's, state's, or local government's residents. 448
666666 (II) Level 4 is a severe-level incident that is likely to 449
667667 result in a significant impact in the affected jurisdiction to 450
680680 public health or safety; national, state, or local security; 451
681681 economic security; or civil liberties. 452
682682 (III) Level 3 is a high-level incident that is likely to 453
683683 result in a demonstrable impact in the affected jurisdiction to 454
684684 public health or safety; national, state, or local security; 455
685685 economic security; civil liberties; or public confidence. 456
686686 (IV) Level 2 is a medium-level incident that may impact 457
687687 public health or safety; national, state, or local security; 458
688688 economic security; civil liberties; or public confidence. 459
689689 (V) Level 1 is a low-level incident that is unlikely to 460
690690 impact public health or safety; national, state, or local 461
691691 security; economic security; civil liberties; or public 462
692692 confidence. 463
693693 b. The cybersecurity incident reporting process must 464
694694 specify the information that must be reported by a state agency 465
695695 following a cybersecurity incident or ransomware incident, 466
696696 which, at a minimum, must include the following: 467
697697 (I) A summary of the facts surrounding the cybersecurity 468
698698 incident or ransomware incident. 469
699699 (II) The date on which the state agency most recently 470
700700 backed up its data; the physical location of the backup, if the 471
701701 backup was affected; and if the backup was created using cloud 472
702702 computing. 473
703703 (III) The types of data compromised by the cybersecurity 474
704704 incident or ransomware incident. 475
717717 (IV) The estimated fiscal impact of the cybersecurity 476
718718 incident or ransomware incident. 477
719719 (V) In the case of a ransomware incident, the details of 478
720720 the ransom demanded. 479
721721 c.(I) A state agency shall report all ransomware incidents 480
722722 and any cybersecurity incidents incident determined by the state 481
723723 agency to be of severity level 3, 4, or 5 to the Cybersecurity 482
724724 Operations Center and the Cybercrime Office of the Department of 483
725725 Law Enforcement as soon as possible but no later than 12 48 484
726726 hours after discovery of the cybersecurity incident and no later 485
727727 than 6 12 hours after discovery of the ransomware incident. The 486
728728 report must contain the information required in sub-subparagraph 487
729729 b. 488
730730 (II) The Cybersecurity Operations Center shall: 489
731731 (A) Immediately notify the Cybercrime Office of the 490
732732 Department of Law Enforcement of a reported incident and provide 491
733733 to the office regular reports on the status of the incident, 492
734734 preserve forensic data to support a subsequent investigation, 493
735735 and provide aid to the investigative efforts of the office upon 494
736736 the office's request if the state chief information security 495
737737 officer finds that the investigation does not impede remediation 496
738738 of the incident and that there is no risk to the public and no 497
739739 risk to critical state functions. 498
740740 (B) Immediately notify the state chief information officer 499
741741 and the state chief information security officer of a reported 500
754754 incident. The state chief information security officer shall 501
755755 notify the President of the Senate and the Speaker of the House 502
756756 of Representatives of any severity level 3, 4, or 5 incident as 503
757757 soon as possible but no later than 24 12 hours after receiving a 504
758758 state agency's incident report. The notification must include a 505
759759 high-level description of the incident and the likely effects 506
760760 and must be provided in a secure environment. 507
761761 d. A state agency shall report a cybersecurity incident 508
762762 determined by the state agency to be of severity level 1 or 2 to 509
763763 the Cybersecurity Operations Center and the Cybercrime Office of 510
764764 the Department of Law Enforcement as soon as possible. The 511
765765 report must contain the information required in sub-subparagraph 512
766766 b. 513
767767 d.e. The Cybersecurity Operations Center shall provide a 514
768768 consolidated incident report by the 30th day after the end of 515
769769 each quarter on a quarterly basis to the Governor, the Attorney 516
770770 General, the executive director of the Department of Law 517
771771 Enforcement, the President of the Senate, the Speaker of the 518
772772 House of Representatives, and the Florida Cybersecurity Advisory 519
773773 Council. The report provided to the Florida Cybersecurity 520
774774 Advisory Council may not contain the name of any agency, network 521
775775 information, or system identifying information but must contain 522
776776 sufficient relevant information to allow the Florida 523
777777 Cybersecurity Advisory Council to fulfill its responsibilities 524
778778 as required in s. 282.319(9). 525
791791 10. Incorporating information obtained through detection 526
792792 and response activities into the agency's cybersecurity incident 527
793793 response plans. 528
794794 11. Developing agency strategic and operational 529
795795 cybersecurity plans required pursuant to this section. 530
796796 12. Establishing the managerial, operational, and 531
797797 technical safeguards for protecting state government data and 532
798798 information technology resources that align with the state 533
799799 agency risk management strategy and that protect the 534
800800 confidentiality, integrity, and availability of information and 535
801801 data. 536
802802 13. Establishing procedures for procuring information 537
803803 technology commodities and services that require the commodity 538
804804 or service to meet the National Institute of Standards and 539
805805 Technology Cybersecurity Framework. 540
806806 14. Submitting after-action reports following a 541
807807 cybersecurity incident or ransomware incident. Such guidelines 542
808808 and processes for submitting after-action reports must be 543
809809 developed and published by December 1, 2022. 544
810810 (d) Assist state agencies in complying with this section. 545
811811 (e) In collaboration with the Cybercrime Office of the 546
812812 Department of Law Enforcement, annually provide training for 547
813813 state agency information security managers and computer security 548
814814 incident response team members that contains training on 549
815815 cybersecurity, including cybersecurity threats, trends, and best 550
828828 practices. 551
829829 (f) Annually review the strategic and operational 552
830830 cybersecurity plans of state agencies. 553
831831 (g) Annually provide cybersecurity training to all state 554
832832 agency technology professionals and employees with access to 555
833833 highly sensitive information which develops, assesses, and 556
834834 documents competencies by role and skill level. The 557
835835 cybersecurity training curriculum must include training on the 558
836836 identification of each cybersecurity incident severity level 559
837837 referenced in sub-subparagraph (c)9.a. The training may be 560
838838 provided in collaboration with the Cybercrime Office of the 561
839839 Department of Law Enforcement, a private sector entity, or an 562
840840 institution of the State University System. 563
841841 (h) Operate and maintain a Cybersecurity Operations Center 564
842842 led by the state chief information security officer, which must 565
843843 be primarily virtual and staffed with tactical detection and 566
844844 incident response personnel. The Cybersecurity Operations Center 567
845845 shall serve as a clearinghouse for threat information and 568
846846 coordinate with the Department of Law Enforcement to support 569
847847 state agencies and their response to any confirmed or suspected 570
848848 cybersecurity incident. 571
849849 (i) Lead an Emergency Support Function, ESF-20 ESF CYBER, 572
850850 under the state comprehensive emergency management plan as 573
851851 described in s. 252.35. 574
852852 (j) Provide cybersecurity briefings to the members of any 575
865865 legislative committee or subcommittee responsible for policy 576
866866 matters relating to cybersecurity. 577
867867 (k) Have the authority to obtain immediate access to 578
868868 public or private infrastructure hosting enterprise digital data 579
869869 and to direct, in consultation with the state agency that holds 580
870870 the particular enterprise digital data, measures to assess, 581
871871 monitor, and safeguard the enterprise digital data. 582
872872 (4) Each state agency head shall, at a minimum: 583
873873 (a) Designate a chief information security officer to 584
874874 integrate the agency's technical and operational cybersecurity 585
875875 efforts with the Cybersecurity Operations Center. This 586
876876 designation must be provided annually in writing to the Florida 587
877877 Digital Service by January 15. For a state agency under the 588
878878 jurisdiction of the Governor, the agency's chief information 589
879879 security officer shall be under the general supervision of the 590
880880 agency head or designee for administrative purposes but shall 591
881881 report to the state chief information officer. An agency may 592
882882 request that the department procure a chief information security 593
883883 officer as a service to fulfill the agency's duties under this 594
884884 paragraph. 595
885885 (b)(a) Designate an information security manager to ensure 596
886886 compliance with cybersecurity governance and with the state's 597
887887 enterprise security program and incident response plan. The 598
888888 information security manager must coordinate with the agency's 599
889889 chief information security officer and the Cybersecurity 600
902902 Operations Center to ensure that the unique needs of the agency 601
903903 are met administer the cybersecurity program of the state 602
904904 agency. This designation must be provided annually in writing to 603
905905 the department by January 15 1. A state agency's information 604
906906 security manager, for purposes of these information security 605
907907 duties, shall work in collaboration with the agency's chief 606
908908 information security officer and report directly to the agency 607
909909 head. 608
910910 (10) The department may brief any legislative committee or 609
911911 subcommittee responsible for cybersecurity policy in a meeting 610
912912 or other setting closed by the respective body under the rules 611
913913 of such legislative body at which the legislative committee or 612
914914 subcommittee is briefed on records made confidential and exempt 613
915915 under subsections (5) and (6). The legislative committee or 614
916916 subcommittee must maintain the confidential and exempt status of 615
917917 such records. A legislator serving on a legislative committee or 616
918918 subcommittee responsible for cybersecurity policy may also 617
919919 attend meetings of the Florida Cybersecurity Advisory Council, 618
920920 including any portions of such meetings that are exempt from s. 619
921921 286.011 and s. 24(b), Art. I of the State Constitution. 620
922922 Section 5. Paragraphs (b) and (c) of subsection (5) of 621
923923 section 282.3185, Florida Statutes, are amended to read: 622
924924 282.3185 Local government cybersecurity.— 623
925925 (5) INCIDENT NOTIFICATION.— 624
926926 (b)1. A local government shall report all ransomware 625
939939 incidents and any cybersecurity incident determined by the local 626
940940 government to be of severity level 3, 4, or 5 as provided in s. 627
941941 282.318(3)(c) to the Cybersecurity Operations Center, the 628
942942 Cybercrime Office of the Department of Law Enforcement, and the 629
943943 sheriff who has jurisdiction over the local government as soon 630
944944 as possible but no later than 12 48 hours after discovery of the 631
945945 cybersecurity incident and no later than 6 12 hours after 632
946946 discovery of the ransomware incident. The report must contain 633
947947 the information required in paragraph (a). 634
948948 2. The Cybersecurity Operations Center shall: 635
949949 a. Immediately notify the Cybercrime Office of the 636
950950 Department of Law Enforcement and the sheriff who has 637
951951 jurisdiction over the local government of a reported incident 638
952952 and provide to the Cybercrime Office of the Department of Law 639
953953 Enforcement and the sheriff who has jurisdiction over the local 640
954954 government regular reports on the status of the incident, 641
955955 preserve forensic data to support a subsequent investigation, 642
956956 and provide aid to the investigative efforts of the Cybercrime 643
957957 Office of the Department of Law Enforcement upon the office's 644
958958 request if the state chief information security officer finds 645
959959 that the investigation does not impede remediation of the 646
960960 incident and that there is no risk to the public and no risk to 647
961961 critical state functions. 648
962962 b. Immediately notify the state chief information security 649
963963 officer of a reported incident. The state chief information 650
976976 security officer shall notify the President of the Senate and 651
977977 the Speaker of the House of Representatives of any severity 652
978978 level 3, 4, or 5 incident as soon as possible but no later than 653
979979 24 12 hours after receiving a local government's incident 654
980980 report. The notification must include a high-level description 655
981981 of the incident and the likely effects and must be provided in a 656
982982 secure environment. 657
983983 (c) A local government may report a cybersecurity incident 658
984984 determined by the local government to be of severity level 1 or 659
985985 2 as provided in s. 282.318(3)(c) to the Cybersecurity 660
986986 Operations Center, the Cybercrime Office of the Department of 661
987987 Law Enforcement, and the sheriff who has jurisdiction over the 662
988988 local government. The report shall contain the information 663
989989 required in paragraph (a). The Cybersecurity Operations Center 664
990990 shall immediately notify the Cybercrime Office of the Department 665
991991 of Law Enforcement and the sheriff who has jurisdiction over the 666
992992 local government of a reported incident and provide regular 667
993993 reports on the status of the cybersecurity incident, preserve 668
994994 forensic data to support a subsequent investigation, and provide 669
995995 aid to the investigative efforts of the Cybercrime Office of the 670
996996 Department of Law Enforcement upon request if the state chief 671
997997 information security officer finds that the investigation does 672
998998 not impede remediation of the cybersecurity incident and that 673
999999 there is no risk to the public and no risk to critical state 674
10001000 functions. 675
10131013 Section 6. Paragraph (j) of subsection (4) of section 676
10141014 282.319, Florida Statutes, is amended, and paragraph (m) is 677
10151015 added to that subsection, to read: 678
10161016 282.319 Florida Cybersecurity Advisory Council.— 679
10171017 (4) The council shall be comprised of the following 680
10181018 members: 681
10191019 (j) Three representatives from critical infrastructure 682
10201020 sectors, one of whom must be from a utility provider water 683
10211021 treatment facility, appointed by the Governor. 684
10221022 (m) A representative of local government. 685
10231023 Section 7. This act shall take effect July 1, 2025. 686