Florida Senate - 2025 SB 770 By Senator Harrell 31-00757A-25 2025770__ 1 A bill to be entitled 2 An act relating to cybersecurity; amending s. 110.205, 3 F.S.; exempting the state chief technology officer 4 from the Career Service System; amending s. 282.0041, 5 F.S.; revising definitions of the terms data and 6 open data; defining the terms enterprise digital 7 data; amending s. 282.0051, F.S.; revising the 8 purpose of the Florida Digital Service; revising the 9 timeframes for the Florida Digital Service to issue 10 certain reports to the Governor and the Legislature; 11 requiring that, by a specified date, an annual report 12 on specified alternative standards be provided to the 13 Governor and the Legislature; requiring the Florida 14 Digital Service to support state agencies with the use 15 of electronic credentials in compliance with specified 16 standards; requiring the state chief information 17 officer, in consultation with the Secretary of 18 Management Services, to designate a state chief 19 technology officer; providing requirements for such 20 position; providing the responsibilities of the state 21 chief technology officer; amending s. 282.318, F.S.; 22 revising the standards and processes for assessing 23 state agency cybersecurity risks of the Department of 24 Management Services, acting through the Florida 25 Digital Service; requiring state agencies to report 26 all ransomware and cybersecurity incidents to the 27 Cybersecurity Operations Center and the Cybercrime 28 Office; requiring the Cybersecurity Operations Center 29 to notify the state chief information officer and the 30 state chief information security officer immediately 31 of a reported incident; requiring the state chief 32 information officer, in consultation with the state 33 chief information security officer, to notify the 34 Legislature of certain reported incidents within a 35 specified timeframe; revising the timeframe during 36 which the Cybersecurity Operations Center is required 37 to provide a consolidated incident report to the 38 Governor, the Legislature, and the Florida 39 Cybersecurity Advisory Council; revising the name of 40 an Emergency Support Function from ESF-Cyber to ESF 41 20; revising the specified date by which a state 42 agency head must designate an information security 43 manager; requiring that the agency strategic 44 cybersecurity plan take the statewide cybersecurity 45 strategic plan into consideration; requiring that such 46 agency operational cybersecurity program include a 47 certain set of measures for a specified purpose; 48 requiring agency heads to require that enterprise 49 digital data be maintained in accordance with 50 specified provisions; providing construction; 51 authorizing designated members of the Legislature and 52 designated members of legislative staff to attend 53 portions of meetings where material exempt from public 54 disclosure is discussed, under certain circumstances; 55 amending s. 282.3185, F.S.; revising the timeframes in 56 which a local government must report a discovery of 57 all ransomware incidents and certain cybersecurity 58 incidents; requiring the Cybersecurity Operations 59 Center to notify immediately the state chief 60 information officer and the state chief information 61 security officer of a reported incident; requiring the 62 state chief information officer, in consultation with 63 the state chief information security officer, to 64 notify the Legislature of incidents of certain 65 severity levels within a specified timeframe; revising 66 the timeframe during which the Cybersecurity 67 Operations Center is required to provide a quarterly 68 consolidated incident report to the Legislature and 69 the Florida Cybersecurity Advisory Council; amending 70 s. 282.319, F.S.; revising the membership of the 71 Florida Cybersecurity Advisory Council; providing an 72 effective date. 73 74 Be It Enacted by the Legislature of the State of Florida: 75 76 Section 1.Paragraph (e) of subsection (2) of section 77 110.205, Florida Statutes, is amended to read: 78 110.205Career service; exemptions. 79 (2)EXEMPT POSITIONS.The exempt positions that are not 80 covered by this part include the following: 81 (e)The state chief information officer, the state chief 82 data officer, the state chief technology officer, and the state 83 chief information security officer. The Department of Management 84 Services shall set the salary and benefits of these positions in 85 accordance with the rules of the Senior Management Service. 86 Section 2.Present subsections (17) through (38) of section 87 282.0041, Florida Statutes, are redesignated as subsections (18) 88 through (39), respectively, a new subsection (17) is added to 89 that section, and subsection (9) and present subsection (24) of 90 that section are amended, to read: 91 282.0041Definitions.As used in this chapter, the term: 92 (9)Data means information in a specific representation, 93 usually a sequence of symbols that have meaning. The term 94 includes, but is not limited to, numbers, text, images, audio, 95 and video. The term also includes raw material that is processed 96 and interpreted to gain insights and make decisions a subset of 97 structured information in a format that allows such information 98 to be electronically retrieved and transmitted. 99 (17)Enterprise digital data means information in 100 electronic form which is deemed to be data owned by a state 101 agency and held for state purposes by the state agency. For the 102 purposes of this subsection, the term state agency includes 103 the Department of Legal Affairs, the Department of Agriculture 104 and Consumer Services, and the Department of Financial Services. 105 (25)(24)Open data is a subset of data and means data 106 collected or created by a state agency, the Department of Legal 107 Affairs, the Department of Financial Services, and the 108 Department of Agriculture and Consumer Services, and structured 109 in a way that enables the data to be fully discoverable and 110 usable by the public. The term does not include data that are 111 restricted from public disclosure based on federal or state laws 112 and regulations, including, but not limited to, those related to 113 privacy, confidentiality, security, personal health, business or 114 trade secret information, and exemptions from state public 115 records laws; or data for which a state agency, the Department 116 of Legal Affairs, the Department of Financial Services, or the 117 Department of Agriculture and Consumer Services is statutorily 118 authorized to assess a fee for its distribution. 119 Section 3.Subsection (1) of section 282.0051, Florida 120 Statutes, is amended, and paragraph (c) is added to subsection 121 (2) of that section, to read: 122 282.0051Department of Management Services; Florida Digital 123 Service; powers, duties, and functions. 124 (1)The Florida Digital Service is established has been 125 created within the department to lead the creation of enterprise 126 information technology and cybersecurity standards, to propose 127 and evaluate innovative solutions that securely modernize state 128 government, including technology and information services, to 129 achieve value through digital transformation and 130 interoperability, and to fully support the cloud-first policy as 131 specified in s. 282.206. The department, through the Florida 132 Digital Service, shall have the following powers, duties, and 133 functions: 134 (a)Develop and publish information technology policy for 135 the management of the states information technology resources. 136 (b)Develop an enterprise architecture that: 137 1.Acknowledges the unique needs of the entities within the 138 enterprise in the development and publication of standards and 139 terminologies to facilitate digital interoperability; 140 2.Supports the cloud-first policy as specified in s. 141 282.206; and 142 3.Addresses how information technology infrastructure may 143 be modernized to achieve cloud-first objectives. 144 (c)Establish project management and oversight standards 145 with which state agencies must comply when implementing 146 information technology projects. The department, acting through 147 the Florida Digital Service, shall provide training 148 opportunities to state agencies to assist in the adoption of the 149 project management and oversight standards. To support data 150 driven decisionmaking, the standards must include, but are not 151 limited to: 152 1.Performance measurements and metrics that objectively 153 reflect the status of an information technology project based on 154 a defined and documented project scope, cost, and schedule. 155 2.Methodologies for calculating acceptable variances in 156 the projected versus actual scope, schedule, or cost of an 157 information technology project. 158 3.Reporting requirements, including requirements designed 159 to alert all defined stakeholders that an information technology 160 project has exceeded acceptable variances defined and documented 161 in a project plan. 162 4.Content, format, and frequency of project updates. 163 5.Technical standards to ensure an information technology 164 project complies with the enterprise architecture. 165 (d)Perform project oversight on all state agency 166 information technology projects that have total project costs of 167 $10 million or more and that are funded in the General 168 Appropriations Act or any other law. The department, acting 169 through the Florida Digital Service, shall report, by the 30th 170 day after the end of each quarter, at least quarterly to the 171 Executive Office of the Governor, the President of the Senate, 172 and the Speaker of the House of Representatives on any 173 information technology project that the department identifies as 174 high-risk due to the project exceeding acceptable variance 175 ranges defined and documented in a project plan. The report must 176 include a risk assessment, including fiscal risks, associated 177 with proceeding to the next stage of the project, and a 178 recommendation for corrective actions required, including 179 suspension or termination of the project. 180 (e)Identify opportunities for standardization and 181 consolidation of information technology services that support 182 interoperability and the cloud-first policy, as specified in s. 183 282.206, and business functions and operations, including 184 administrative functions such as purchasing, accounting and 185 reporting, cash management, and personnel, and that are common 186 across state agencies. The department, acting through the 187 Florida Digital Service, shall biennially on January 31 1 of 188 each even-numbered year provide recommendations for 189 standardization and consolidation to the Executive Office of the 190 Governor, the President of the Senate, and the Speaker of the 191 House of Representatives. 192 (f)Establish best practices for the procurement of 193 information technology products and cloud-computing services in 194 order to reduce costs, increase the quality of data center 195 services, or improve government services. 196 (g)Develop standards for information technology reports 197 and updates, including, but not limited to, operational work 198 plans, project spend plans, and project status reports, for use 199 by state agencies. 200 (h)Upon request, assist state agencies in the development 201 of information technology-related legislative budget requests. 202 (i)Conduct annual assessments of state agencies to 203 determine compliance with all information technology standards 204 and guidelines developed and published by the department and 205 provide results of the assessments to the Executive Office of 206 the Governor, the President of the Senate, and the Speaker of 207 the House of Representatives. 208 (j)Conduct a market analysis not less frequently than 209 every 3 years beginning in 2021 to determine whether the 210 information technology resources within the enterprise are 211 utilized in the most cost-effective and cost-efficient manner, 212 while recognizing that the replacement of certain legacy 213 information technology systems within the enterprise may be cost 214 prohibitive or cost inefficient due to the remaining useful life 215 of those resources; whether the enterprise is complying with the 216 cloud-first policy specified in s. 282.206; and whether the 217 enterprise is utilizing best practices with respect to 218 information technology, information services, and the 219 acquisition of emerging technologies and information services. 220 Each market analysis shall be used to prepare a strategic plan 221 for continued and future information technology and information 222 services for the enterprise, including, but not limited to, 223 proposed acquisition of new services or technologies and 224 approaches to the implementation of any new services or 225 technologies. Copies of each market analysis and accompanying 226 strategic plan must be submitted to the Executive Office of the 227 Governor, the President of the Senate, and the Speaker of the 228 House of Representatives not later than December 31 of each year 229 that a market analysis is conducted. 230 (k)Recommend other information technology services that 231 should be designed, delivered, and managed as enterprise 232 information technology services. Recommendations must include 233 the identification of existing information technology resources 234 associated with the services, if existing services must be 235 transferred as a result of being delivered and managed as 236 enterprise information technology services. 237 (l)In consultation with state agencies, propose a 238 methodology and approach for identifying and collecting both 239 current and planned information technology expenditure data at 240 the state agency level. 241 (m)1.Notwithstanding any other law, provide project 242 oversight on any information technology project of the 243 Department of Financial Services, the Department of Legal 244 Affairs, and the Department of Agriculture and Consumer Services 245 which has a total project cost of $20 million or more. Such 246 information technology projects must also comply with the 247 applicable information technology architecture, project 248 management and oversight, and reporting standards established by 249 the department, acting through the Florida Digital Service. 250 2.When performing the project oversight function specified 251 in subparagraph 1., report, by the 30th day after the end of 252 each quarter, at least quarterly to the Executive Office of the 253 Governor, the President of the Senate, and the Speaker of the 254 House of Representatives on any information technology project 255 that the department, acting through the Florida Digital Service, 256 identifies as high-risk due to the project exceeding acceptable 257 variance ranges defined and documented in the project plan. The 258 report shall include a risk assessment, including fiscal risks, 259 associated with proceeding to the next stage of the project and 260 a recommendation for corrective actions required, including 261 suspension or termination of the project. 262 (n)If an information technology project implemented by a 263 state agency must be connected to or otherwise accommodated by 264 an information technology system administered by the Department 265 of Financial Services, the Department of Legal Affairs, or the 266 Department of Agriculture and Consumer Services, consult with 267 these departments regarding the risks and other effects of such 268 projects on their information technology systems and work 269 cooperatively with these departments regarding the connections, 270 interfaces, timing, or accommodations required to implement such 271 projects. 272 (o)If adherence to standards or policies adopted by or 273 established pursuant to this section causes conflict with 274 federal regulations or requirements imposed on an entity within 275 the enterprise and results in adverse action against an entity 276 or federal funding, work with the entity to provide alternative 277 standards, policies, or requirements that do not conflict with 278 the federal regulation or requirement. The department, acting 279 through the Florida Digital Service, shall annually report, by 280 January 31, such alternative standards to the Executive Office 281 of the Governor, the President of the Senate, and the Speaker of 282 the House of Representatives. 283 (p)1.Establish an information technology policy for all 284 information technology-related state contracts, including state 285 term contracts for information technology commodities, 286 consultant services, and staff augmentation services. The 287 information technology policy must include: 288 a.Identification of the information technology product and 289 service categories to be included in state term contracts. 290 b.Requirements to be included in solicitations for state 291 term contracts. 292 c.Evaluation criteria for the award of information 293 technology-related state term contracts. 294 d.The term of each information technology-related state 295 term contract. 296 e.The maximum number of vendors authorized on each state 297 term contract. 298 f.At a minimum, a requirement that any contract for 299 information technology commodities or services meet the National 300 Institute of Standards and Technology Cybersecurity Framework. 301 g.For an information technology project wherein project 302 oversight is required pursuant to paragraph (d) or paragraph 303 (m), a requirement that independent verification and validation 304 be employed throughout the project life cycle with the primary 305 objective of independent verification and validation being to 306 provide an objective assessment of products and processes 307 throughout the project life cycle. An entity providing 308 independent verification and validation may not have technical, 309 managerial, or financial interest in the project and may not 310 have responsibility for, or participate in, any other aspect of 311 the project. 312 2.Evaluate vendor responses for information technology 313 related state term contract solicitations and invitations to 314 negotiate. 315 3.Answer vendor questions on information technology 316 related state term contract solicitations. 317 4.Ensure that the information technology policy 318 established pursuant to subparagraph 1. is included in all 319 solicitations and contracts that are administratively executed 320 by the department. 321 (q)Recommend potential methods for standardizing data 322 across state agencies which will promote interoperability and 323 reduce the collection of duplicative data. 324 (r)Recommend open data technical standards and 325 terminologies for use by the enterprise. 326 (s)Support state agencies with the use of Ensure that 327 enterprise information technology solutions are capable of 328 utilizing an electronic credentials in compliance credential and 329 comply with the enterprise architecture standards. 330 (2) 331 (c)The state chief information officer, in consultation 332 with the Secretary of Management Services, shall designate a 333 state chief technology officer who must have significant and 334 substantive experience in information technology, operational 335 technology, technology-related projects, and enterprise 336 architecture. The state chief technology officer is responsible 337 for all of the following: 338 1.Conducting comprehensive evaluations of potential 339 technological solutions and cultivating strategic partnerships 340 with state enterprise agencies and to leverage the states 341 technological capabilities. 342 2.Supporting program management of enterprise information 343 technology initiatives; providing advisory support for 344 technology-related projects; and continuously identifying and 345 recommending best practices to optimize outcomes of technology 346 projects and enhance the enterprises technological efficiency 347 and effectiveness. 348 Section 4.Subsection (3), paragraphs (a) and (c) of 349 subsection (4), and subsection (6) of section 282.318, Florida 350 Statutes, are amended, and paragraph (j) is added to subsection 351 (4) of that section, to read: 352 282.318Cybersecurity. 353 (3)The department, acting through the Florida Digital 354 Service, is the lead entity responsible for establishing 355 standards and processes for assessing state agency cybersecurity 356 risks, including threats to enterprise digital data, and 357 determining appropriate security measures that comply with all 358 national and state data compliance security standards. Such 359 standards and processes must be consistent with generally 360 accepted technology best practices, including the National 361 Institute for Standards and Technology Cybersecurity Framework, 362 for cybersecurity. The department, acting through the Florida 363 Digital Service, shall adopt rules that mitigate risks; 364 safeguard state agency digital assets, data, information, and 365 information technology resources to ensure availability, 366 confidentiality, and integrity; and support a security 367 governance framework. The department, acting through the Florida 368 Digital Service, shall also: 369 (a)Designate an employee of the Florida Digital Service as 370 the state chief information security officer. The state chief 371 information security officer must have experience and expertise 372 in security and risk management for communications and 373 information technology resources. The state chief information 374 security officer is responsible for the development, operation, 375 and oversight of cybersecurity for state technology systems. The 376 state chief information security officer shall be notified of 377 all confirmed or suspected incidents or threats of state agency 378 information technology resources and must report such incidents 379 or threats to the state chief information officer and the 380 Governor. 381 (b)Develop, and annually update by February 1, a statewide 382 cybersecurity strategic plan that includes security goals and 383 objectives for cybersecurity, including the identification and 384 mitigation of risk, proactive protections against threats, 385 tactical risk detection, threat reporting, and response and 386 recovery protocols for a cyber incident. 387 (c)Develop and publish for use by state agencies a 388 cybersecurity governance framework that, at a minimum, includes 389 guidelines and processes for: 390 1.Establishing asset management procedures to ensure that 391 an agencys information technology resources are identified and 392 managed consistent with their relative importance to the 393 agencys business objectives. 394 2.Using a standard risk assessment methodology that 395 includes the identification of an agencys priorities, 396 constraints, risk tolerances, and assumptions necessary to 397 support operational risk decisions. 398 3.Completing comprehensive risk assessments and 399 cybersecurity audits, which may be completed by a private sector 400 vendor, and submitting completed assessments and audits to the 401 department. 402 4.Identifying protection procedures to manage the 403 protection of an agencys information, data, and information 404 technology resources. 405 5.Establishing procedures for accessing information and 406 data to ensure the confidentiality, integrity, and availability 407 of such information and data. 408 6.Detecting threats through proactive monitoring of 409 events, continuous security monitoring, and defined detection 410 processes. 411 7.Establishing agency cybersecurity incident response 412 teams and describing their responsibilities for responding to 413 cybersecurity incidents, including breaches of personal 414 information containing confidential or exempt data. 415 8.Recovering information and data in response to a 416 cybersecurity incident. The recovery may include recommended 417 improvements to the agency processes, policies, or guidelines. 418 9.Establishing a cybersecurity incident reporting process 419 that includes procedures for notifying the department and the 420 Department of Law Enforcement of cybersecurity incidents. 421 a.The level of severity of the cybersecurity incident is 422 defined by the National Cyber Incident Response Plan of the 423 United States Department of Homeland Security as follows: 424 (I)Level 5 is an emergency-level incident within the 425 specified jurisdiction that poses an imminent threat to the 426 provision of wide-scale critical infrastructure services; 427 national, state, or local government security; or the lives of 428 the countrys, states, or local governments residents. 429 (II)Level 4 is a severe-level incident that is likely to 430 result in a significant impact in the affected jurisdiction to 431 public health or safety; national, state, or local security; 432 economic security; or civil liberties. 433 (III)Level 3 is a high-level incident that is likely to 434 result in a demonstrable impact in the affected jurisdiction to 435 public health or safety; national, state, or local security; 436 economic security; civil liberties; or public confidence. 437 (IV)Level 2 is a medium-level incident that may impact 438 public health or safety; national, state, or local security; 439 economic security; civil liberties; or public confidence. 440 (V)Level 1 is a low-level incident that is unlikely to 441 impact public health or safety; national, state, or local 442 security; economic security; civil liberties; or public 443 confidence. 444 b.The cybersecurity incident reporting process must 445 specify the information that must be reported by a state agency 446 following a cybersecurity incident or ransomware incident, 447 which, at a minimum, must include the following: 448 (I)A summary of the facts surrounding the cybersecurity 449 incident or ransomware incident. 450 (II)The date on which the state agency most recently 451 backed up its data; the physical location of the backup, if the 452 backup was affected; and if the backup was created using cloud 453 computing. 454 (III)The types of data compromised by the cybersecurity 455 incident or ransomware incident. 456 (IV)The estimated fiscal impact of the cybersecurity 457 incident or ransomware incident. 458 (V)In the case of a ransomware incident, the details of 459 the ransom demanded. 460 c.(I)A state agency shall report all ransomware incidents 461 and any cybersecurity incidents incident determined by the state 462 agency to be of severity level 3, 4, or 5 to the Cybersecurity 463 Operations Center and the Cybercrime Office of the Department of 464 Law Enforcement as soon as possible but no later than 48 hours 465 after discovery of the cybersecurity incident and no later than 466 12 hours after discovery of the ransomware incident. The report 467 must contain the information required in sub-subparagraph b. 468 (II)The Cybersecurity Operations Center shall immediately 469 notify the state chief information officer and the state chief 470 information security officer of a reported incident. The state 471 chief information officer, in consultation with the state chief 472 information security officer, shall notify the President of the 473 Senate and the Speaker of the House of Representatives of any 474 severity level 3, 4, or 5 incident as soon as possible but no 475 later than 12 hours after receiving a state agencys incident 476 report. The notification must include a high-level description 477 of the incident and the likely effects. 478 d.A state agency shall report a cybersecurity incident 479 determined by the state agency to be of severity level 1 or 2 to 480 the Cybersecurity Operations Center and the Cybercrime Office of 481 the Department of Law Enforcement as soon as possible. The 482 report must contain the information required in sub-subparagraph 483 b. 484 e.The Cybersecurity Operations Center shall provide a 485 consolidated incident report by the 30th day after the end of 486 each quarter to the Governor, on a quarterly basis to the 487 President of the Senate, the Speaker of the House of 488 Representatives, and the Florida Cybersecurity Advisory Council. 489 The report provided to the Florida Cybersecurity Advisory 490 Council may not contain the name of any agency, network 491 information, or system identifying information but must contain 492 sufficient relevant information to allow the Florida 493 Cybersecurity Advisory Council to fulfill its responsibilities 494 as required in s. 282.319(9). 495 10.Incorporating information obtained through detection 496 and response activities into the agencys cybersecurity incident 497 response plans. 498 11.Developing agency strategic and operational 499 cybersecurity plans required pursuant to this section. 500 12.Establishing the managerial, operational, and technical 501 safeguards for protecting state government data and information 502 technology resources that align with the state agency risk 503 management strategy and that protect the confidentiality, 504 integrity, and availability of information and data. 505 13.Establishing procedures for procuring information 506 technology commodities and services that require the commodity 507 or service to meet the National Institute of Standards and 508 Technology Cybersecurity Framework. 509 14.Submitting after-action reports following a 510 cybersecurity incident or ransomware incident. Such guidelines 511 and processes for submitting after-action reports must be 512 developed and published by December 1, 2022. 513 (d)Assist state agencies in complying with this section. 514 (e)In collaboration with the Cybercrime Office of the 515 Department of Law Enforcement, annually provide training for 516 state agency information security managers and computer security 517 incident response team members that contains training on 518 cybersecurity, including cybersecurity threats, trends, and best 519 practices. 520 (f)Annually review the strategic and operational 521 cybersecurity plans of state agencies. 522 (g)Annually provide cybersecurity training to all state 523 agency technology professionals and employees with access to 524 highly sensitive information which develops, assesses, and 525 documents competencies by role and skill level. The 526 cybersecurity training curriculum must include training on the 527 identification of each cybersecurity incident severity level 528 referenced in sub-subparagraph (c)9.a. The training may be 529 provided in collaboration with the Cybercrime Office of the 530 Department of Law Enforcement, a private sector entity, or an 531 institution of the State University System. 532 (h)Operate and maintain a Cybersecurity Operations Center 533 led by the state chief information security officer, which must 534 be primarily virtual and staffed with tactical detection and 535 incident response personnel. The Cybersecurity Operations Center 536 shall serve as a clearinghouse for threat information and 537 coordinate with the Department of Law Enforcement to support 538 state agencies and their response to any confirmed or suspected 539 cybersecurity incident. 540 (i)Lead an Emergency Support Function, ESF-20 ESF CYBER, 541 under the state comprehensive emergency management plan as 542 described in s. 252.35. 543 (4)Each state agency head shall, at a minimum: 544 (a)Designate an information security manager to administer 545 the cybersecurity program of the state agency. This designation 546 must be provided annually in writing to the department by 547 January 31 1. A state agencys information security manager, for 548 purposes of these information security duties, shall report 549 directly to the agency head. 550 (c)Submit to the department annually by July 31, the state 551 agencys strategic and operational cybersecurity plans developed 552 pursuant to rules and guidelines established by the department, 553 through the Florida Digital Service. 554 1.The state agency strategic cybersecurity plan must cover 555 a 3-year period and, at a minimum, define security goals, 556 intermediate objectives, and projected agency costs for the 557 strategic issues of agency information security policy, risk 558 management, security training, security incident response, and 559 disaster recovery. The plan must take be based on the statewide 560 cybersecurity strategic plan created by the department into 561 consideration and include performance metrics that can be 562 objectively measured to reflect the status of the state agencys 563 progress in meeting security goals and objectives identified in 564 the agencys strategic information security plan. 565 2.The state agency operational cybersecurity plan must 566 include a set of measures that objectively assess the 567 performance of the agencys cybersecurity program in accordance 568 with its risk management plan progress report that objectively 569 measures progress made towards the prior operational 570 cybersecurity plan and a project plan that includes activities, 571 timelines, and deliverables for security objectives that the 572 state agency will implement during the current fiscal year. 573 (j)Require that enterprise digital data be maintained in 574 accordance with chapter 119. This paragraph may not be construed 575 to create, modify, abrogate, or expand an exemption from public 576 records requirements under s. 119.07(1) or s. 24(a), Art. I of 577 the State Constitution. 578 (6)(a)Those portions of a public meeting as specified in 579 s. 286.011 which would reveal records which are confidential and 580 exempt under subsection (5) are exempt from s. 286.011 and s. 581 24(b), Art. I of the State Constitution. No exempt portion of an 582 exempt meeting may be off the record. All exempt portions of 583 such meeting shall be recorded and transcribed. Such recordings 584 and transcripts are confidential and exempt from disclosure 585 under s. 119.07(1) and s. 24(a), Art. I of the State 586 Constitution unless a court of competent jurisdiction, after an 587 in camera review, determines that the meeting was not restricted 588 to the discussion of data and information made confidential and 589 exempt by this section. In the event of such a judicial 590 determination, only that portion of the recording and transcript 591 which reveals nonexempt data and information may be disclosed to 592 a third party. 593 (b)If authorized in writing by the President of the Senate 594 or the Speaker of the House of Representatives, as applicable, 595 designated members of the Legislature and legislative staff may 596 attend those portions of a meeting which are exempt under 597 paragraph (a). 598 Section 5.Subsection (5) of section 282.3185, Florida 599 Statutes, is amended to read: 600 282.3185Local government cybersecurity. 601 (5)INCIDENT NOTIFICATION. 602 (a)A local government shall provide notification of a 603 cybersecurity incident or ransomware incident to the 604 Cybersecurity Operations Center, Cybercrime Office of the 605 Department of Law Enforcement, and sheriff who has jurisdiction 606 over the local government in accordance with paragraph (b). The 607 notification must include, at a minimum, the following 608 information: 609 1.A summary of the facts surrounding the cybersecurity 610 incident or ransomware incident. 611 2.The date on which the local government most recently 612 backed up its data; the physical location of the backup, if the 613 backup was affected; and if the backup was created using cloud 614 computing. 615 3.The types of data compromised by the cybersecurity 616 incident or ransomware incident. 617 4.The estimated fiscal impact of the cybersecurity 618 incident or ransomware incident. 619 5.In the case of a ransomware incident, the details of the 620 ransom demanded. 621 6.A statement requesting or declining assistance from the 622 Cybersecurity Operations Center, the Cybercrime Office of the 623 Department of Law Enforcement, or the sheriff who has 624 jurisdiction over the local government. 625 (b)1.A local government shall report all ransomware 626 incidents and any cybersecurity incident determined by the local 627 government to be of severity level 3, 4, or 5 as provided in s. 628 282.318(3)(c) to the Cybersecurity Operations Center, the 629 Cybercrime Office of the Department of Law Enforcement, and the 630 sheriff who has jurisdiction over the local government as soon 631 as possible but no later than 12 48 hours after discovery of the 632 cybersecurity incident and no later than 6 12 hours after 633 discovery of the ransomware incident. The report must contain 634 the information required in paragraph (a). 635 2.The Cybersecurity Operations Center shall immediately 636 notify the state chief information officer and state chief 637 information security officer of a reported incident. The state 638 chief information officer, in consultation with the state chief 639 information security officer, shall notify the President of the 640 Senate and the Speaker of the House of Representatives of any 641 severity level 3, 4, or 5 incident as soon as possible but no 642 later than 12 hours after receiving a local governments 643 incident report. The notification must include a high-level 644 description of the incident and the likely effects. 645 (c)A local government may report a cybersecurity incident 646 determined by the local government to be of severity level 1 or 647 2 as provided in s. 282.318(3)(c) to the Cybersecurity 648 Operations Center, the Cybercrime Office of the Department of 649 Law Enforcement, and the sheriff who has jurisdiction over the 650 local government. The report must shall contain the information 651 required in paragraph (a). 652 (d)The Cybersecurity Operations Center shall provide a 653 consolidated incident report by the 30th day after the end of 654 each quarter on a quarterly basis to the President of the 655 Senate, the Speaker of the House of Representatives, and the 656 Florida Cybersecurity Advisory Council. The report provided to 657 the Florida Cybersecurity Advisory Council may not contain the 658 name of any local government, network information, or system 659 identifying information but must contain sufficient relevant 660 information to allow the Florida Cybersecurity Advisory Council 661 to fulfill its responsibilities as required in s. 282.319(9). 662 Section 6.Subsection (4) of section 282.319, Florida 663 Statutes, is amended to read: 664 282.319Florida Cybersecurity Advisory Council. 665 (4)The council shall be composed comprised of the 666 following members: 667 (a)The Lieutenant Governor, or his or her designee. 668 (b)The state chief information officer. 669 (c)The state chief information security officer. 670 (d)The director of the Division of Emergency Management, 671 or his or her designee. 672 (e)A representative of the computer crime center of the 673 Department of Law Enforcement, appointed by the executive 674 director of the Department of Law Enforcement. 675 (f)A representative of the Florida Fusion Center of the 676 Department of Law Enforcement, appointed by the executive 677 director of the Department of Law Enforcement. 678 (g)No more than two representatives from local government, 679 appointed by the Governor The Chief Inspector General. 680 (h)A representative from the Public Service Commission. 681 (i)No more than Up to two representatives from 682 institutions of higher education located in this state, 683 appointed by the Governor. 684 (j)Three representatives from critical infrastructure 685 sectors, one of whom must be from a water treatment facility, 686 appointed by the Governor. 687 (k)Four representatives of the private sector with senior 688 level experience in cybersecurity or software engineering from 689 within the finance, energy, health care, and transportation 690 sectors, appointed by the Governor. 691 (l)Two representatives with expertise on emerging 692 technology, with one appointed by the President of the Senate 693 and one appointed by the Speaker of the House of 694 Representatives. 695 (m)The Chief Inspector General, who shall serve as an ex 696 officio, nonvoting member of the council. 697 Section 7.This act shall take effect July 1, 2025.