Florida Senate - 2025 SB 1536 By Senator Collins 14-00733A-25 20251536__ 1 A bill to be entitled 2 An act relating to cybersecurity; amending s. 110.205, 3 F.S.; exempting certain personnel from the career 4 service system; providing for the establishment of 5 salary and benefits for certain positions; amending s. 6 282.0041, F.S.; providing definitions; amending s. 7 282.0051, F.S.; revising the purposes for which the 8 Florida Digital Service is established; requiring the 9 Florida Digital Service to ensure that independent 10 project oversight on certain state agency information 11 technology projects is performed in a certain manner; 12 revising the date by which the Department of 13 Management Services, acting through the Florida 14 Digital Service, must provide certain recommendations 15 to the Executive Office of the Governor and the 16 Legislature; deleting certain duties of the Florida 17 Digital Service; revising the total project cost of 18 certain projects for which the Florida Digital Service 19 must provide project oversight; specifying the date by 20 which the Florida Digital Service must provide certain 21 reports; requiring the state chief information 22 officer, in consultation with the Secretary of 23 Management Services, to designate a state chief 24 technology officer; providing duties of the state 25 chief technology officer; revising the total project 26 cost of certain projects for which certain procurement 27 actions must be taken; deleting provisions prohibiting 28 the department, acting through the Florida Digital 29 Service, from retrieving or disclosing certain data in 30 certain circumstances; amending s. 282.00515, F.S.; 31 conforming a cross-reference; amending s. 282.318, 32 F.S.; providing that the Florida Digital Service is 33 the lead entity for a certain purpose; requiring the 34 Cybersecurity Operations Center to provide certain 35 notifications; requiring the state chief information 36 officer to make certain reports in consultation with 37 the state chief information security officer; 38 requiring a state agency to report ransomware and 39 cybersecurity incidents within certain time periods; 40 requiring the Cybersecurity Operations Center to 41 notify certain entities immediately of reported 42 incidents and take certain actions; requiring the 43 state chief information security officer to notify the 44 Legislature of certain incidents within a certain time 45 period; requiring certain notification to be provided 46 in a secure environment; requiring the Cybersecurity 47 Operations Center to provide a certain report to 48 certain entities by a specified date; requiring the 49 Florida Digital Service to provide cybersecurity 50 briefings to certain legislative committees; 51 authorizing the Florida Digital Service to obtain 52 certain access to certain infrastructure and direct 53 certain measures; requiring a state agency head to 54 designate a chief information security officer 55 annually by a specified date; providing that certain 56 agencies shall be under the general supervision of the 57 agency head or designee for administrative purposes 58 but reports to the state chief information officer; 59 authorizing an agency to request that the department 60 procure a chief information security officer; revising 61 the purpose of an agencys information security 62 manager and the date by which he or she must be 63 designated; authorizing the department to brief 64 certain legislative committees in a closed setting on 65 certain records that are confidential and exempt from 66 public records requirements; requiring such 67 legislative committees to maintain the confidential 68 and exempt status of certain records; authorizing 69 certain legislators to attend meetings of the Florida 70 Cybersecurity Advisory Council; amending s. 282.3185, 71 F.S.; requiring a local government to report 72 ransomware and certain cybersecurity incidents to the 73 Cybersecurity Operations Center within certain time 74 periods; requiring the Cybersecurity Operations Center 75 to notify certain entities immediately of certain 76 incidents and take certain actions; requiring that 77 certain notification be provided in a secure 78 environment; amending s. 282.319, F.S.; revising the 79 membership of the Florida Cybersecurity Advisory 80 Council; creating s. 282.3191, F.S.; requiring the 81 Florida Center for Cybersecurity at the University of 82 South Florida to annually conduct certain 83 comprehensive risk assessments; requiring that the 84 center use the data collected and analyzed to provide 85 certain recommendations; requiring the center to 86 submit such assessments and recommendations to the 87 Governor, the Legislature, and the executive director 88 of the Florida Cybersecurity Advisory Council; 89 providing an effective date. 90 91 Be It Enacted by the Legislature of the State of Florida: 92 93 Section 1.Paragraph (e) of subsection (2) of section 94 110.205, Florida Statutes, is amended, and paragraph (y) is 95 added to subsection (2) of that section, to read: 96 110.205Career service; exemptions. 97 (2)EXEMPT POSITIONS.The exempt positions that are not 98 covered by this part include the following: 99 (e)The state chief information officer, the state chief 100 data officer, the state chief technology officer, and the state 101 chief information security officer. The Department of Management 102 Services shall set the salary and benefits of these positions in 103 accordance with the rules of the Senior Management Service. 104 (y)Chief information security officers, information 105 security managers designated pursuant to s. 282.318(4), and 106 personnel employed by or reporting to the state chief 107 information security officer, the state chief data officer, or 108 an agency information security manager. Unless otherwise fixed 109 by law, the department shall establish the salary and benefits 110 for these positions in accordance with the rules of the Selected 111 Exempt Service, except that the salary and benefits for the 112 agency information security manager shall be established by the 113 department in accordance with the rules of the Senior Management 114 Service. 115 Section 2.Present subsections (3), (4), and (5), (6) 116 through (16), and (17) through (38) of section 282.0041, Florida 117 Statutes, are redesignated as subsections (4), (5), and (6), (8) 118 through (18), and (20) through (41), respectively, and new 119 subsections (3), (7), and (19) are added to that section, to 120 read: 121 282.0041Definitions.As used in this chapter, the term: 122 (3)As a service means the contracting with or 123 outsourcing to a third party of a defined role or function as a 124 means of delivery. 125 (7)Cloud provider means an entity that provides cloud 126 computing services. 127 (19)Enterprise digital data means information held by a 128 state agency in electronic form which is deemed to be data owned 129 by the state and held for state purposes by the state agency. 130 Enterprise digital data that is subject to statutory 131 requirements for particular types of sensitive data or to 132 contractual limitations for data marked as trade secrets or 133 sensitive corporate data held by state agencies must be treated 134 in accordance with such requirements or limitations. The 135 department shall maintain personnel with appropriate licenses, 136 certifications, or classifications to steward such enterprise 137 digital data, as necessary. Enterprise digital data must be 138 maintained in accordance with chapter 119. This subsection may 139 not be construed to create or expand an exemption from public 140 records requirements under s. 119.07(1) or s. 24(a), Art. I of 141 the State Constitution. 142 Section 3.Subsections (1), (4), and (5) of section 143 282.0051, Florida Statutes, are amended, and paragraph (c) is 144 added to subsection (2) of that section, to read: 145 282.0051Department of Management Services; Florida Digital 146 Service; powers, duties, and functions. 147 (1)The Florida Digital Service is established has been 148 created within the department to lead enterprise information 149 technology and cybersecurity efforts; to safeguard enterprise 150 digital data; to propose, test, develop, and deploy innovative 151 solutions that securely modernize state government, including 152 technology and information services;, to achieve value through 153 digital transformation and interoperability;, and to fully 154 support the cloud-first policy as specified in s. 282.206. The 155 department, through the Florida Digital Service, shall have the 156 following powers, duties, and functions: 157 (a)Develop and publish information technology policy for 158 the management of the states information technology resources. 159 (b)Develop an enterprise architecture that: 160 1.Acknowledges the unique needs of the entities within the 161 enterprise in the development and publication of standards and 162 terminologies to facilitate digital interoperability; 163 2.Supports the cloud-first policy as specified in s. 164 282.206; and 165 3.Addresses how information technology infrastructure may 166 be modernized to achieve cloud-first objectives. 167 (c)Establish project management and oversight standards 168 with which state agencies must comply when implementing 169 information technology projects. The department, acting through 170 the Florida Digital Service, shall provide training 171 opportunities to state agencies to assist in the adoption of the 172 project management and oversight standards. To support data 173 driven decisionmaking, the standards must include, but are not 174 limited to: 175 1.Performance measurements and metrics that objectively 176 reflect the status of an information technology project based on 177 a defined and documented project scope, cost, and schedule. 178 2.Methodologies for calculating acceptable variances in 179 the projected versus actual scope, schedule, or cost of an 180 information technology project. 181 3.Reporting requirements, including requirements designed 182 to alert all defined stakeholders that an information technology 183 project has exceeded acceptable variances defined and documented 184 in a project plan. 185 4.Content, format, and frequency of project updates. 186 5.Technical standards to ensure an information technology 187 project complies with the enterprise architecture. 188 (d)Ensure that independent Perform project oversight on 189 all state agency information technology projects that have total 190 project costs of $25 $10 million or more and that are funded in 191 the General Appropriations Act or any other law is performed in 192 compliance with applicable state and federal law. The 193 department, acting through the Florida Digital Service, shall 194 report at least quarterly to the Executive Office of the 195 Governor, the President of the Senate, and the Speaker of the 196 House of Representatives on any information technology project 197 that the department identifies as high-risk due to the project 198 exceeding acceptable variance ranges defined and documented in a 199 project plan. The report must include a risk assessment, 200 including fiscal risks, associated with proceeding to the next 201 stage of the project, and a recommendation for corrective 202 actions required, including suspension or termination of the 203 project. 204 (e)Identify opportunities for standardization and 205 consolidation of information technology services that support 206 interoperability and the cloud-first policy, as specified in s. 207 282.206, and business functions and operations, including 208 administrative functions such as purchasing, accounting and 209 reporting, cash management, and personnel, and that are common 210 across state agencies. The department, acting through the 211 Florida Digital Service, shall biennially on January 15 1 of 212 each even-numbered year provide recommendations for 213 standardization and consolidation to the Executive Office of the 214 Governor, the President of the Senate, and the Speaker of the 215 House of Representatives. 216 (f)Establish best practices for the procurement of 217 information technology products and cloud-computing services in 218 order to reduce costs, increase the quality of data center 219 services, or improve government services. 220 (g)Develop standards for information technology reports 221 and updates, including, but not limited to, operational work 222 plans, project spend plans, and project status reports, for use 223 by state agencies. 224 (h)Upon request, assist state agencies in the development 225 of information technology-related legislative budget requests. 226 (i)Conduct annual assessments of state agencies to 227 determine compliance with all information technology standards 228 and guidelines developed and published by the department and 229 provide results of the assessments to the Executive Office of 230 the Governor, the President of the Senate, and the Speaker of 231 the House of Representatives. 232 (i)(j)Conduct a market analysis not less frequently than 233 every 3 years beginning in 2021 to determine whether the 234 information technology resources within the enterprise are 235 utilized in the most cost-effective and cost-efficient manner, 236 while recognizing that the replacement of certain legacy 237 information technology systems within the enterprise may be cost 238 prohibitive or cost inefficient due to the remaining useful life 239 of those resources; whether the enterprise is complying with the 240 cloud-first policy specified in s. 282.206; and whether the 241 enterprise is utilizing best practices with respect to 242 information technology, information services, and the 243 acquisition of emerging technologies and information services. 244 Each market analysis shall be used to prepare a strategic plan 245 for continued and future information technology and information 246 services for the enterprise, including, but not limited to, 247 proposed acquisition of new services or technologies and 248 approaches to the implementation of any new services or 249 technologies. Copies of each market analysis and accompanying 250 strategic plan must be submitted to the Executive Office of the 251 Governor, the President of the Senate, and the Speaker of the 252 House of Representatives not later than December 31 of each year 253 that a market analysis is conducted. 254 (j)(k)Recommend other information technology services that 255 should be designed, delivered, and managed as enterprise 256 information technology services. Recommendations must include 257 the identification of existing information technology resources 258 associated with the services, if existing services must be 259 transferred as a result of being delivered and managed as 260 enterprise information technology services. 261 (k)(l)In consultation with state agencies, propose a 262 methodology and approach for identifying and collecting both 263 current and planned information technology expenditure data at 264 the state agency level. 265 (l)1.(m)1.Notwithstanding any other law, provide project 266 oversight on any information technology project of the 267 Department of Financial Services, the Department of Legal 268 Affairs, and the Department of Agriculture and Consumer Services 269 which has a total project cost of $25 $20 million or more. Such 270 information technology projects must also comply with the 271 applicable information technology architecture, project 272 management and oversight, and reporting standards established by 273 the department, acting through the Florida Digital Service. 274 2.When ensuring performance of performing the project 275 oversight function specified in subparagraph 1., report by the 276 30th day after the end of each quarter at least quarterly to the 277 Executive Office of the Governor, the President of the Senate, 278 and the Speaker of the House of Representatives on any 279 information technology project that the department, acting 280 through the Florida Digital Service, identifies as high-risk due 281 to the project exceeding acceptable variance ranges defined and 282 documented in the project plan. The report shall include a risk 283 assessment, including fiscal risks, associated with proceeding 284 to the next stage of the project and a recommendation for 285 corrective actions required, including suspension or termination 286 of the project. 287 (m)(n)If an information technology project implemented by 288 a state agency must be connected to or otherwise accommodated by 289 an information technology system administered by the Department 290 of Financial Services, the Department of Legal Affairs, or the 291 Department of Agriculture and Consumer Services, consult with 292 these departments regarding the risks and other effects of such 293 projects on their information technology systems and work 294 cooperatively with these departments regarding the connections, 295 interfaces, timing, or accommodations required to implement such 296 projects. 297 (n)(o)If adherence to standards or policies adopted by or 298 established pursuant to this section causes conflict with 299 federal regulations or requirements imposed on an entity within 300 the enterprise and results in adverse action against an entity 301 or federal funding, work with the entity to provide alternative 302 standards, policies, or requirements that do not conflict with 303 the federal regulation or requirement. The department, acting 304 through the Florida Digital Service, shall annually by January 305 15 report such alternative standards to the Executive Office of 306 the Governor, the President of the Senate, and the Speaker of 307 the House of Representatives. 308 (o)1.(p)1.Establish an information technology policy for 309 all information technology-related state contracts, including 310 state term contracts for information technology commodities, 311 consultant services, and staff augmentation services. The 312 information technology policy must include: 313 a.Identification of the information technology product and 314 service categories to be included in state term contracts. 315 b.Requirements to be included in solicitations for state 316 term contracts. 317 c.Evaluation criteria for the award of information 318 technology-related state term contracts. 319 d.The term of each information technology-related state 320 term contract. 321 e.The maximum number of vendors authorized on each state 322 term contract. 323 f.At a minimum, a requirement that any contract for 324 information technology commodities or services meet the National 325 Institute of Standards and Technology Cybersecurity Framework. 326 g.For an information technology project wherein project 327 oversight is required pursuant to paragraph (d) or paragraph (l) 328 (m), a requirement that independent verification and validation 329 be employed throughout the project life cycle with the primary 330 objective of independent verification and validation being to 331 provide an objective assessment of products and processes 332 throughout the project life cycle. An entity providing 333 independent verification and validation may not have technical, 334 managerial, or financial interest in the project and may not 335 have responsibility for, or participate in, any other aspect of 336 the project. 337 2.Evaluate vendor responses for information technology 338 related state term contract solicitations and invitations to 339 negotiate. 340 3.Answer vendor questions on information technology 341 related state term contract solicitations. 342 4.Ensure that the information technology policy 343 established pursuant to subparagraph 1. is included in all 344 solicitations and contracts that are administratively executed 345 by the department. 346 (p)(q)Recommend potential methods for standardizing data 347 across state agencies which will promote interoperability and 348 reduce the collection of duplicative data. 349 (q)(r)Recommend open data technical standards and 350 terminologies for use by the enterprise. 351 (r)(s)Ensure that enterprise information technology 352 solutions are capable of utilizing an electronic credential and 353 comply with the enterprise architecture standards. 354 (2) 355 (c)The state chief information officer, in consultation 356 with the Secretary of Management Services, shall designate a 357 state chief technology officer who shall be responsible for all 358 of the following: 359 1.Establishing and maintaining an enterprise architecture 360 framework that ensures information technology investments align 361 with the states strategic objectives and initiatives pursuant 362 to paragraph (1)(b). 363 2.Conducting comprehensive evaluations of potential 364 technological solutions and cultivating strategic partnerships, 365 internally with state enterprise agencies and externally with 366 the private sector, to leverage collective expertise, foster 367 collaboration, and advance the states technological 368 capabilities. 369 3.Supervising program management of enterprise information 370 technology initiatives pursuant to paragraphs (1)(c), (d), and 371 (l); providing advisory support and oversight for technology 372 related projects; and continuously identifying and recommending 373 best practices to optimize outcomes of technology projects and 374 enhance the enterprises technological efficiency and 375 effectiveness. 376 (4)For information technology projects that have a total 377 project cost of $25 $10 million or more: 378 (a)State agencies must provide the Florida Digital Service 379 with written notice of any planned procurement of an information 380 technology project. 381 (b)The Florida Digital Service must participate in the 382 development of specifications and recommend modifications to any 383 planned procurement of an information technology project by 384 state agencies so that the procurement complies with the 385 enterprise architecture. 386 (c)The Florida Digital Service must participate in post 387 award contract monitoring. 388 (5)The department, acting through the Florida Digital 389 Service, may not retrieve or disclose any data without a shared 390 data agreement in place between the department and the 391 enterprise entity that has primary custodial responsibility of, 392 or data-sharing responsibility for, that data. 393 Section 4.Subsection (1) of section 282.00515, Florida 394 Statutes, is amended to read: 395 282.00515Duties of Cabinet agencies. 396 (1)The Department of Legal Affairs, the Department of 397 Financial Services, and the Department of Agriculture and 398 Consumer Services shall adopt the standards established in s. 399 282.0051(1)(b), (c), and (q) (r) and (3)(e) or adopt alternative 400 standards based on best practices and industry standards that 401 allow for open data interoperability. 402 Section 5.Present paragraphs (a) through (k) of subsection 403 (4) and subsection (10) of section 282.318, Florida Statutes, 404 are redesignated as paragraphs (b) through (l) of subsection (4) 405 and subsection (11), respectively, a new paragraph (a) is added 406 to subsection (4) and a new subsection (10) is added to that 407 section, and subsection (3) and present paragraph (a) of 408 subsection (4) of that section are amended, to read: 409 282.318Cybersecurity. 410 (3)The department, acting through the Florida Digital 411 Service, is the lead entity responsible for leading enterprise 412 information technology and cybersecurity efforts, safeguarding 413 enterprise digital data, and establishing standards and 414 processes for assessing state agency cybersecurity risks and 415 determining appropriate security measures. Such standards and 416 processes must be consistent with generally accepted technology 417 best practices, including the National Institute for Standards 418 and Technology Cybersecurity Framework, for cybersecurity. The 419 department, acting through the Florida Digital Service, shall 420 adopt rules that mitigate risks; safeguard state agency digital 421 assets, data, information, and information technology resources 422 to ensure availability, confidentiality, and integrity; and 423 support a security governance framework. The department, acting 424 through the Florida Digital Service, shall also: 425 (a)Designate an employee of the Florida Digital Service as 426 the state chief information security officer. The state chief 427 information security officer must have experience and expertise 428 in security and risk management for communications and 429 information technology resources. The state chief information 430 security officer is responsible for the development, operation, 431 and oversight of cybersecurity for state technology systems. The 432 Cybersecurity Operations Center shall immediately notify the 433 state chief information officer and the state chief information 434 security officer shall be notified of all confirmed or suspected 435 incidents or threats of state agency information technology 436 resources. The state chief information officer, in consultation 437 with the state chief information security officer, and must 438 report such incidents or threats to the state chief information 439 officer and the Governor. 440 (b)Develop, and annually update by February 1, a statewide 441 cybersecurity strategic plan that includes security goals and 442 objectives for cybersecurity, including the identification and 443 mitigation of risk, proactive protections against threats, 444 tactical risk detection, threat reporting, and response and 445 recovery protocols for a cyber incident. 446 (c)Develop and publish for use by state agencies a 447 cybersecurity governance framework that, at a minimum, includes 448 guidelines and processes for: 449 1.Establishing asset management procedures to ensure that 450 an agencys information technology resources are identified and 451 managed consistent with their relative importance to the 452 agencys business objectives. 453 2.Using a standard risk assessment methodology that 454 includes the identification of an agencys priorities, 455 constraints, risk tolerances, and assumptions necessary to 456 support operational risk decisions. 457 3.Completing comprehensive risk assessments and 458 cybersecurity audits, which may be completed by a private sector 459 vendor, and submitting completed assessments and audits to the 460 department. 461 4.Identifying protection procedures to manage the 462 protection of an agencys information, data, and information 463 technology resources. 464 5.Establishing procedures for accessing information and 465 data to ensure the confidentiality, integrity, and availability 466 of such information and data. 467 6.Detecting threats through proactive monitoring of 468 events, continuous security monitoring, and defined detection 469 processes. 470 7.Establishing agency cybersecurity incident response 471 teams and describing their responsibilities for responding to 472 cybersecurity incidents, including breaches of personal 473 information containing confidential or exempt data. 474 8.Recovering information and data in response to a 475 cybersecurity incident. The recovery may include recommended 476 improvements to the agency processes, policies, or guidelines. 477 9.Establishing a cybersecurity incident reporting process 478 that includes procedures for notifying the department and the 479 Department of Law Enforcement of cybersecurity incidents. 480 a.The level of severity of the cybersecurity incident is 481 defined by the National Cyber Incident Response Plan of the 482 United States Department of Homeland Security as follows: 483 (I)Level 5 is an emergency-level incident within the 484 specified jurisdiction that poses an imminent threat to the 485 provision of wide-scale critical infrastructure services; 486 national, state, or local government security; or the lives of 487 the countrys, states, or local governments residents. 488 (II)Level 4 is a severe-level incident that is likely to 489 result in a significant impact in the affected jurisdiction to 490 public health or safety; national, state, or local security; 491 economic security; or civil liberties. 492 (III)Level 3 is a high-level incident that is likely to 493 result in a demonstrable impact in the affected jurisdiction to 494 public health or safety; national, state, or local security; 495 economic security; civil liberties; or public confidence. 496 (IV)Level 2 is a medium-level incident that may impact 497 public health or safety; national, state, or local security; 498 economic security; civil liberties; or public confidence. 499 (V)Level 1 is a low-level incident that is unlikely to 500 impact public health or safety; national, state, or local 501 security; economic security; civil liberties; or public 502 confidence. 503 b.The cybersecurity incident reporting process must 504 specify the information that must be reported by a state agency 505 following a cybersecurity incident or ransomware incident, 506 which, at a minimum, must include the following: 507 (I)A summary of the facts surrounding the cybersecurity 508 incident or ransomware incident. 509 (II)The date on which the state agency most recently 510 backed up its data; the physical location of the backup, if the 511 backup was affected; and if the backup was created using cloud 512 computing. 513 (III)The types of data compromised by the cybersecurity 514 incident or ransomware incident. 515 (IV)The estimated fiscal impact of the cybersecurity 516 incident or ransomware incident. 517 (V)In the case of a ransomware incident, the details of 518 the ransom demanded. 519 c.(I)A state agency shall report all ransomware incidents 520 and any cybersecurity incidents incident determined by the state 521 agency to be of severity level 3, 4, or 5 to the Cybersecurity 522 Operations Center and the Cybercrime Office of the Department of 523 Law Enforcement as soon as possible but no later than 12 48 524 hours after discovery of the cybersecurity incident and no later 525 than 6 12 hours after discovery of the ransomware incident. The 526 report must contain the information required in sub-subparagraph 527 b. 528 (II)The Cybersecurity Operations Center shall: 529 (A)Immediately notify the Cybercrime Office of the 530 Department of Law Enforcement of a reported incident and provide 531 to the office regular reports on the status of the incident, 532 preserve forensic data to support a subsequent investigation, 533 and provide aid to the investigative efforts of the office upon 534 the offices request if the state chief information security 535 officer finds that the investigation does not impede remediation 536 of the incident and that there is no risk to the public and no 537 risk to critical state functions. 538 (B)Immediately notify the state chief information officer 539 and the state chief information security officer of a reported 540 incident. The state chief information security officer shall 541 notify the President of the Senate and the Speaker of the House 542 of Representatives of any severity level 3, 4, or 5 incident as 543 soon as possible but no later than 24 12 hours after receiving a 544 state agencys incident report. The notification must include a 545 high-level description of the incident and the likely effects 546 and must be provided in a secure environment. 547 d.A state agency shall report a cybersecurity incident 548 determined by the state agency to be of severity level 1 or 2 to 549 the Cybersecurity Operations Center and the Cybercrime Office of 550 the Department of Law Enforcement as soon as possible. The 551 report must contain the information required in sub-subparagraph 552 b. 553 d.e.The Cybersecurity Operations Center shall provide a 554 consolidated incident report by the 30th day after the end of 555 each quarter on a quarterly basis to the Governor, the Attorney 556 General, the executive director of the Department of Law 557 Enforcement, the President of the Senate, the Speaker of the 558 House of Representatives, and the Florida Cybersecurity Advisory 559 Council. The report provided to the Florida Cybersecurity 560 Advisory Council may not contain the name of any agency, network 561 information, or system identifying information but must contain 562 sufficient relevant information to allow the Florida 563 Cybersecurity Advisory Council to fulfill its responsibilities 564 as required in s. 282.319(9). 565 10.Incorporating information obtained through detection 566 and response activities into the agencys cybersecurity incident 567 response plans. 568 11.Developing agency strategic and operational 569 cybersecurity plans required pursuant to this section. 570 12.Establishing the managerial, operational, and technical 571 safeguards for protecting state government data and information 572 technology resources that align with the state agency risk 573 management strategy and that protect the confidentiality, 574 integrity, and availability of information and data. 575 13.Establishing procedures for procuring information 576 technology commodities and services that require the commodity 577 or service to meet the National Institute of Standards and 578 Technology Cybersecurity Framework. 579 14.Submitting after-action reports following a 580 cybersecurity incident or ransomware incident. Such guidelines 581 and processes for submitting after-action reports must be 582 developed and published by December 1, 2022. 583 (d)Assist state agencies in complying with this section. 584 (e)In collaboration with the Cybercrime Office of the 585 Department of Law Enforcement, annually provide training for 586 state agency information security managers and computer security 587 incident response team members that contains training on 588 cybersecurity, including cybersecurity threats, trends, and best 589 practices. 590 (f)Annually review the strategic and operational 591 cybersecurity plans of state agencies. 592 (g)Annually provide cybersecurity training to all state 593 agency technology professionals and employees with access to 594 highly sensitive information which develops, assesses, and 595 documents competencies by role and skill level. The 596 cybersecurity training curriculum must include training on the 597 identification of each cybersecurity incident severity level 598 referenced in sub-subparagraph (c)9.a. The training may be 599 provided in collaboration with the Cybercrime Office of the 600 Department of Law Enforcement, a private sector entity, or an 601 institution of the State University System. 602 (h)Operate and maintain a Cybersecurity Operations Center 603 led by the state chief information security officer, which must 604 be primarily virtual and staffed with tactical detection and 605 incident response personnel. The Cybersecurity Operations Center 606 shall serve as a clearinghouse for threat information and 607 coordinate with the Department of Law Enforcement to support 608 state agencies and their response to any confirmed or suspected 609 cybersecurity incident. 610 (i)Lead an Emergency Support Function, ESF-20 ESF CYBER, 611 under the state comprehensive emergency management plan as 612 described in s. 252.35. 613 (j)Provide cybersecurity briefings to the members of any 614 legislative committee or subcommittee responsible for policy 615 matters relating to cybersecurity. 616 (k)Have the authority to obtain immediate access to public 617 or private infrastructure hosting enterprise digital data and to 618 direct, in consultation with the state agency that holds the 619 particular enterprise digital data, measures to assess, monitor, 620 and safeguard the enterprise digital data. 621 (4)Each state agency head shall, at a minimum: 622 (a)Designate a chief information security officer to 623 integrate the agencys technical and operational cybersecurity 624 efforts with the Cybersecurity Operations Center. This 625 designation must be provided annually in writing to the Florida 626 Digital Service by January 15. For a state agency under the 627 jurisdiction of the Governor, the agencys chief information 628 security officer shall be under the general supervision of the 629 agency head or designee for administrative purposes but shall 630 report to the state chief information officer. An agency may 631 request that the department procure a chief information security 632 officer as a service to fulfill the agencys duties under this 633 paragraph. 634 (b)(a)Designate an information security manager to ensure 635 compliance with cybersecurity governance and with the states 636 enterprise security program and incident response plan. The 637 information security manager must coordinate with the agencys 638 chief information security officer and the Cybersecurity 639 Operations Center to ensure that the unique needs of the agency 640 are met administer the cybersecurity program of the state 641 agency. This designation must be provided annually in writing to 642 the department by January 15 1. A state agencys information 643 security manager, for purposes of these information security 644 duties, shall work in collaboration with the agencys chief 645 information security officer and report directly to the agency 646 head. 647 (10)The department may brief any legislative committee or 648 subcommittee responsible for cybersecurity policy in a meeting 649 or other setting closed by the respective body under the rules 650 of such legislative body at which the legislative committee or 651 subcommittee is briefed on records made confidential and exempt 652 under subsections (5) and (6). The legislative committee or 653 subcommittee must maintain the confidential and exempt status of 654 such records. A legislator serving on a legislative committee or 655 subcommittee responsible for cybersecurity policy may also 656 attend meetings of the Florida Cybersecurity Advisory Council, 657 including any portions of such meetings that are exempt from s. 658 286.011 and s. 24(b), Art. I of the State Constitution. 659 Section 6.Paragraphs (b) and (c) of subsection (5) of 660 section 282.3185, Florida Statutes, are amended to read: 661 282.3185Local government cybersecurity. 662 (5)INCIDENT NOTIFICATION. 663 (b)1.A local government shall report all ransomware 664 incidents and any cybersecurity incident determined by the local 665 government to be of severity level 3, 4, or 5 as provided in s. 666 282.318(3)(c) to the Cybersecurity Operations Center, the 667 Cybercrime Office of the Department of Law Enforcement, and the 668 sheriff who has jurisdiction over the local government as soon 669 as possible but no later than 12 48 hours after discovery of the 670 cybersecurity incident and no later than 6 12 hours after 671 discovery of the ransomware incident. The report must contain 672 the information required in paragraph (a). 673 2.The Cybersecurity Operations Center shall: 674 a.Immediately notify the Cybercrime Office of the 675 Department of Law Enforcement and the sheriff who has 676 jurisdiction over the local government of a reported incident 677 and provide to the Cybercrime Office of the Department of Law 678 Enforcement and the sheriff who has jurisdiction over the local 679 government regular reports on the status of the incident, 680 preserve forensic data to support a subsequent investigation, 681 and provide aid to the investigative efforts of the Cybercrime 682 Office of the Department of Law Enforcement upon the offices 683 request if the state chief information security officer finds 684 that the investigation does not impede remediation of the 685 incident and that there is no risk to the public and no risk to 686 critical state functions. 687 b.Immediately notify the state chief information security 688 officer of a reported incident. The state chief information 689 security officer shall notify the President of the Senate and 690 the Speaker of the House of Representatives of any severity 691 level 3, 4, or 5 incident as soon as possible but no later than 692 24 12 hours after receiving a local governments incident 693 report. The notification must include a high-level description 694 of the incident and the likely effects and must be provided in a 695 secure environment. 696 (c)A local government may report a cybersecurity incident 697 determined by the local government to be of severity level 1 or 698 2 as provided in s. 282.318(3)(c) to the Cybersecurity 699 Operations Center, the Cybercrime Office of the Department of 700 Law Enforcement, and the sheriff who has jurisdiction over the 701 local government. The report shall contain the information 702 required in paragraph (a). The Cybersecurity Operations Center 703 shall immediately notify the Cybercrime Office of the Department 704 of Law Enforcement and the sheriff who has jurisdiction over the 705 local government of a reported incident and provide regular 706 reports on the status of the cybersecurity incident, preserve 707 forensic data to support a subsequent investigation, and provide 708 aid to the investigative efforts of the Cybercrime Office of the 709 Department of Law Enforcement upon request if the state chief 710 information security officer finds that the investigation does 711 not impede remediation of the cybersecurity incident and that 712 there is no risk to the public and no risk to critical state 713 functions. 714 Section 7.Paragraph (j) of subsection (4) of section 715 282.319, Florida Statutes, is amended, and paragraph (m) is 716 added to that subsection, to read: 717 282.319Florida Cybersecurity Advisory Council. 718 (4)The council shall be comprised of the following 719 members: 720 (j)Three representatives from critical infrastructure 721 sectors, one of whom must be from a utility provider water 722 treatment facility, appointed by the Governor. 723 (m)A representative of local government. 724 Section 8.Section 282.3191, Florida Statutes, is created 725 to read: 726 282.3191Comprehensive risk assessments; recommendations. 727 (1)To position this state as the national leader in 728 cybersecurity readiness and resilience to cybersecurity attacks, 729 the Florida Center for Cybersecurity at the University of South 730 Florida, also known as Cyber Florida at USF, shall annually 731 conduct, on a regular rolling basis by infrastructure sector or 732 in response to immediate needs and threats, comprehensive risk 733 assessments of the states critical infrastructure. Cyber 734 Florida at USF shall use the data collected and analyzed to 735 develop and provide recommendations to improve the states 736 preparedness and resilience to significant cybersecurity 737 incidents and potential vulnerabilities. 738 (2)Beginning on January 31, 2026, and each January 31 739 thereafter, Cyber Florida at USF shall submit a copy of the 740 assessments conducted and recommendations developed pursuant to 741 subsection (1) to the Governor, the President of the Senate, the 742 Speaker of the House of Representatives, and the executive 743 director of the Florida Cybersecurity Advisory Council. 744 Section 9.This act shall take effect July 1, 2025.