Florida 2025 Regular Session

Florida Senate Bill S7026 Prefiled / Bill

Filed 03/17/2025

Florida Senate - 2025 (PROPOSED BILL) SPB 7026

FOR CONSIDERATION By the Committee on Appropriations

576-02447-25 20257026pb

A bill to be entitled

An act relating to information technology; creating s. 20.70, F.S.; creating the Agency for State Systems and Enterprise Technology (ASSET); providing that the Governor and Cabinet are the head of the agency; establishing divisions and offices of the agency; providing for an executive director of the agency; providing that the executive director also serves as the state chief information officer; providing for the appointment and removal of such executive director; prohibiting the state chief information officer from having financial, personal, or business conflicts of interest related to certain vendors, contractors, and service providers of the state; requiring that the state chief information officer selection committee within ASSET be appointed and provide a specified number of nominees upon a vacancy of such officer; providing the composition of such committee; providing the qualifications for the state chief information officer; providing that persons who currently serve, or have served, as state agency heads are ineligible to serve as the state chief information officer; transferring the state chief information officer of the Department of Management Services to ASSET until the Governor and the Cabinet appoint a permanent officer; requiring that such appointment occur by a specified date; amending s. 97.0525, F.S.; requiring that the Division of Elections comprehensive risk assessment comply with the risk assessment methodology developed by ASSET; amending s.
112.22, F.S.; defining the term "ASSET"; deleting the term "department"; revising the definition of the term "prohibited application"; authorizing public employers to request a certain waiver from ASSET; requiring ASSET to take specified actions; deleting obsolete language; requiring ASSET to adopt rules; amending s. 119.0725, F.S.; providing that confidential and exempt information must be made available to ASSET; amending s. 216.023, F.S.; requiring agencies and the judicial branch to include a cumulative inventory and a certain status report of specified projects with their legislative budget requests; defining the term "technology-related project"; deleting a provision requiring state agencies and the judicial branch to include a cumulative inventory and a certain status report of specified projects as part of a budget request; conforming a cross-reference; amending s. 282.0041, F.S.; deleting and revising definitions; defining the terms "ASSET" and "technical debt"; amending s. 282.0051, F.S.; deleting obsolete language; revising the powers, duties, and functions of the Department of Management Services, through the Florida Digital Service; deleting a requirement that the state chief information officer, in consultation with the Secretary of Management Services, designate a state chief data officer; deleting requirements of the department, acting through the Florida Digital Service, relating to the use of appropriated funds for certain actions; deleting provisions related to information technology projects that have a total project cost in excess of $10 million; providing for the future repeal of the section; deleting a requirement to adopt rules; repealing s. 282.00515, F.S., relating to duties of Cabinet agencies; creating s.
282.006, F.S.; requiring ASSET to operate as the state enterprise organization for information technology governance and as the lead entity responsible for understanding needs and environments, creating standards and strategy, supporting state agency technology efforts, and reporting on the state of information technology in this state; providing legislative intent; requiring ASSET to establish the strategic direction of information technology in the state; requiring ASSET to develop and publish information technology policy for a specified purpose; requiring that such policy be updated as necessary to meet certain requirements and advancements in technology; requiring ASSET to take specified actions related to oversight of the state's technology enterprise; requiring ASSET to produce specified reports, recommendations, and analyses and provide such reports, recommendations, and analyses to the Governor, the Commissioner of Agriculture, the Chief Executive Officer, the Attorney General, and the Legislature by specified dates and at specified intervals; providing requirements for such reports; requiring ASSET to conduct a market analysis at a certain interval beginning on a specified date; providing requirements for the market analysis; requiring that each market analysis be used to prepare a strategic plan for specified purposes; requiring that copies of the market analysis and strategic plan be submitted by a specified date; authorizing ASSET to adopt rules; creating s.
282.0061, F.S.; providing legislative intent; requiring ASSET to complete a certain full baseline needs assessment of state agencies, develop a specified plan to conduct such assessments, and submit such plan to the Governor, the Commissioner of Agriculture, the Chief Financial Officer, the Attorney General, and the Legislature within a specified timeframe; requiring ASSET to support state agency strategic planning efforts and assist such agencies with a certain phased roadmap; providing requirements for such roadmaps; requiring ASSET to make recommendations for standardizing data across state agencies for a specified purpose and identify any opportunities for standardization and consolidation of information technology services across state agencies and support specified functions; requiring ASSET to develop standards for use by state agencies and enforce consistent standards and promote best practices across all state agencies; requiring ASSET to provide a certain report to the Governor, the Commissioner of Agriculture, the Chief Financial Officer, the Attorney General, and the Legislature by a specified date; providing requirements of the report; providing the duties and responsibilities of ASSET related to state agency technology projects; requiring ASSET, in consultation with state agencies, to create a methodology, approach, and applicable templates and formats for identifying and collecting information technology expenditure data at the state agency level; requiring ASSET to obtain, review, and maintain records of the appropriations, expenditures, and revenues for information technology for each state agency; requiring ASSET to prescribe the format for state agencies to provide financial information to ASSET for inclusion in a certain annual report; requiring state agencies to submit such information by a specified date
annually; requiring that such information be reported to ASSET to determine all costs and expenditures of information technology assets and resources provided to state agencies; requiring ASSET to work with state agencies to provide alternative standards, policies, or requirements under specified circumstances; creating s. 282.0062, F.S.; establishing workgroups within ASSET to facilitate coordination with state agencies; providing for the membership and duties of such workgroups; creating s. 282.0063, F.S.; requiring ASSET to perform specified actions to develop and manage career paths, progressions, and training programs for the benefit of state agency personnel; creating s. 282.0064, F.S.; requiring ASSET, in coordination with the Department of Management Services, to establish a policy for all information technology-related solicitations, contracts, and procurements; providing requirements for the policy related to state term contracts, all contracts, and information technology projects that require oversight; prohibiting entities providing independent verification and validation from having certain interests, responsibilities, or other participation in the project; providing the primary objective of independent verification and validation; requiring the entity performing such verification and validation to provide specified regular reports and assessments; requiring the Division of State Purchasing within the Department of Management Services to coordinate with ASSET on state term contract solicitations and invitations to negotiate; requiring ASSET to evaluate vendor responses and answer vendor questions on such solicitations and invitations; creating s.
282.0065, F.S.; requiring ASSET to establish, maintain, and manage a certain test laboratory, beginning at a specified time; providing the purpose of the laboratory; requiring ASSET to take specified actions relating to the laboratory; creating s. 282.0066, F.S.; requiring ASSET to develop, implement, and maintain a certain library; providing requirements for the library; requiring ASSET to establish procedures that ensure the integrity, security, and availability of the library; requiring ASSET to regularly update documents and materials in the library to reflect current state and federal requirements, industry best practices, and emerging technologies; requiring state agencies to reference and adhere to the policies, standards, and guidelines of the library in specified tasks; requiring ASSET to create mechanisms for state agencies to submit feedback, request clarifications, and recommend updates; authorizing state agencies to request exemptions to specific policies, standards, or guidelines under specified circumstances; providing the mechanism for a state agency to request such exemption; requiring ASSET to review the request and make a recommendation to the state chief information officer; requiring the state chief information officer to present the exemption to the chief information officer workgroup; requiring that approval of the exemption be by majority vote; requiring that state agencies granted an exemption be reviewed periodically to determine whether such exemption is necessary or if compliance can be achieved; amending s.
282.318, F.S.; revising the duties of the Department of Management Services, acting through the Florida Digital Service, relating to cybersecurity; requiring state agencies to report all ransomware incidents to the state chief information security officer instead of the Cybersecurity Operations Center; requiring the state chief information security officer, instead of the Cybersecurity Operations Center, to notify the Legislature of certain incidents; requiring state agencies to notify the state chief information security officer within specified timeframes after the discovery of a specified cybersecurity incident or ransomware incident; requiring the state chief information security officer, instead of the Cybersecurity Operations Center, to provide a certain report on a quarterly basis to the Legislature; revising the actions that state agency heads are required to perform relating to cybersecurity; reducing the timeframe that the state agency strategic cybersecurity plan must cover; requiring that a specified comprehensive risk assessment be done biennially; providing requirements for such assessment; revising the definition of the term "state agency"; providing that ASSET is the lead entity responsible for establishing enterprise technology and cybersecurity standards and processes and security measures that comply with specified standards; requiring ASSET to adopt specified rules; requiring that ASSET take specified actions; revising the responsibilities of the state chief information security officer; requiring that ASSET develop and publish a specified framework that includes certain guidelines and processes for use by state agencies; requiring that ASSET, in consultation with the state chief information technology procurement officer, establish specified procedures for procuring information technology commodities
and services; requiring ASSET, through the state chief information security officer and the Division of Enterprise Information Technology Workforce Development, to provide a certain annual training to specified persons; conforming provisions to changes made by the act; amending s. 282.3185, F.S.; requiring the state chief information security officer to perform specified actions relating to cybersecurity training for state employees; requiring local governments to notify the state chief information security officer of compliance with specified provisions as soon as possible; requiring local governments to notify the state chief information security officer, instead of the Cybersecurity Operations Center, of cybersecurity or ransomware incidents; revising the timeframes in which such notifications must be made; requiring the state chief information security officer to notify the state chief information officer, the Governor, the Commissioner of Agriculture, the Chief Financial Officer, the Attorney General, and the Legislature of certain incidents within a specified timeframe; authorizing local governments to report certain cybersecurity incidents to the state chief information security officer instead of the Cybersecurity Operations Center; requiring the state chief information security officer to provide a certain consolidated incident report within a specified timeframe to the Governor, the Commissioner of Agriculture, the Chief Financial Officer, the Attorney General, and the Legislature; conforming provisions to changes made by the act; requiring the state chief information security officer to establish certain guidelines and processes by a specified date; conforming cross-references; repealing s.
282.319, F.S., relating to the Florida Cybersecurity Advisory Council; establishing positions within ASSET; establishing the Division of Enterprise Information Technology Services and the Division of Enterprise Information Technology Purchasing and associated bureaus; providing the responsibilities of the bureaus; establishing the chief information officer policy workgroup; providing the membership, purpose, chair, and duties of the workgroup; providing for the expiration of the workgroup upon completion of its duties; amending s. 282.201, F.S.; revising requirements of the state data center; abrogating the scheduled repeal of the Division of Emergency Management's exemption from using the state data center; deleting Department of Management Services responsibilities related to the state data center; deleting provisions relating to contracting with the Northwest Regional Data Center; transferring, renumbering, and amending s. 1004.649, F.S.; requiring the Northwest Regional Data Center, by a specified date annually, to provide the projected costs of providing data center services for the following fiscal year to the Office of Policy and Budget in the Executive Office of the Governor and to the chairs of the legislative appropriations committees; deleting a requirement that the data center prepare and submit certain invoices to the Department of Management Services for approval; conforming a cross-reference; amending s. 20.22, F.S.; deleting the Florida Digital Service from the list of divisions, programs, and services of the Department of Management Services; amending s.
282.802, F.S.; providing that the Government Technology Modernization Council is located within ASSET; providing that the state chief information officer, or his or her designee, is the ex officio executive director of the council; conforming provisions to changes made by the act; requiring the council annually to submit to the Commissioner of Agriculture, the Chief Financial Officer, and the Attorney General certain legislative recommendations; amending s. 282.604, F.S.; requiring ASSET, with input from stakeholders, to adopt rules; amending s. 287.0591, F.S.; requiring the state chief information officer, instead of the Florida Digital Service, to participate in certain solicitations; amending s. 288.012, F.S.; conforming a cross-reference; amending s. 443.1113, F.S.; requiring the Department of Commerce to seek input on recommended enhancements from ASSET instead of the Florida Digital Service; amending s. 943.0415, F.S.; authorizing the Cybercrime Office to consult with the state chief information security officer of ASSET instead of the Florida Digital Service; amending s. 1004.444, F.S.; authorizing the Florida Center for Cybersecurity to conduct, consult, or assist state agencies upon receiving a request for assistance from such agencies; providing effective dates.

Be It Enacted by the Legislature of the State of Florida:

Section 1. Section 20.70, Florida Statutes, is created to read:
20.70 Agency for State Systems and Enterprise Technology. There is created the Agency for State Systems and Enterprise Technology. The head of the agency is the Governor and Cabinet.
(1) DIVISIONS AND OFFICES. The following divisions and offices of the Agency for State Systems and Enterprise Technology are established:
(a) The Division of Administrative Services.
(b) The Office of Information Technology.
(c) Beginning July 1, 2026:
1. The Division of Enterprise Data and Interoperability.
2. The Division of Enterprise Security.
3. The Division of Enterprise Information Technology Services.
4. The Division of Enterprise Information Technology Purchasing.
5. The Division of Enterprise Information Technology Workforce Development.
(2) EXECUTIVE DIRECTOR. The executive director of the Agency for State Systems and Enterprise Technology also serves as the state chief information officer. The Governor and Cabinet shall appoint a state chief information officer from nominees of the state chief information officer selection committee. The appointment must be made by a majority vote of the Governor and Cabinet and is subject to confirmation by the Senate. Removal of the state chief information officer is subject to a majority vote of the Governor and Cabinet. The state chief information officer is prohibited from having any financial, personal, or business conflicts of interest related to technology vendors, contractors, or other information technology service providers doing business with the state.
(3) STATE CHIEF INFORMATION OFFICER SELECTION COMMITTEE.
(a) Upon a vacancy or anticipated vacancy, the state chief information officer selection committee within the Agency for State Systems and Enterprise Technology shall be appointed to nominate up to three qualified appointees for the position of state chief information officer to the Governor and Cabinet for appointment.
(b) The selection committee shall be composed of the following members:
1. A state agency chief information officer of an executive agency, appointed by the Governor and who shall serve as chair of the committee.
2. The chief information officer of the Department of Agriculture and Consumer Services, appointed by the Commissioner of Agriculture.
3. The chief information officer of the Department of Financial Services, appointed by the Chief Financial Officer.
4. The chief information officer of the Department of Legal Affairs, appointed by the Attorney General.
(4) QUALIFICATIONS FOR THE STATE CHIEF INFORMATION OFFICER.
(a) Education requirements. The state chief information officer must meet one of the following criteria:
1. Hold a bachelor's degree from an accredited institution in information technology, computer science, business administration, public administration, or a related field; or
2. Hold a master's degree in any of the fields listed above, which may be substituted for a portion of the experience requirement, as determined by the selection committee.
(b) Professional experience requirements. The state chief information officer must have at least 10 years of progressively responsible experience in information technology management, digital transformation, cybersecurity, or information technology governance, including:
1. A minimum of 5 years in an executive or senior leadership role, overseeing information technology strategy, operations, or enterprise technology management in either the public or private sector;
2. Managing large-scale information technology projects, enterprise infrastructure, and implementation of emerging technologies;
3. Budget planning, procurement oversight, and financial management of information technology investments; and
4. Working with state and federal information technology regulations, digital services, and cybersecurity compliance frameworks.
(c) Technical and policy expertise. The state chief information officer must have demonstrated expertise in:
1. Cybersecurity and data protection by demonstrating knowledge of cybersecurity risk management, compliance with NIST, ISO 27001, and applicable federal and state security regulations;
2. Cloud and digital services with experience with cloud computing, enterprise systems modernization, digital transformation, and emerging information technology trends;
3. Information technology governance and policy development by demonstrating an understanding of statewide information technology governance structures, digital services, and information technology procurement policies; and
4. Public sector information technology management by demonstrating familiarity with government information technology funding models, procurement requirements, and legislative processes affecting information technology strategy.
(d) Leadership and administrative competencies. The state chief information officer must demonstrate:
1. Strategic vision and innovation by possessing the capability to modernize information technology systems, drive digital transformation, and align information technology initiatives with state goals;
2. Collaboration and engagement with stakeholders by working with legislators, state agency heads, local governments, and private sector partners to implement information technology initiatives;
3. Crisis management and cyber resilience by possessing the capability to develop and lead cyber incident response, disaster recovery, and information technology continuity plans; and
4. Fiscal management and budget expertise managing multi-million-dollar information technology budgets, cost-control strategies, and financial oversight of information technology projects.
(e) Previous appointment or service. A person who is currently serving or has previously served as the head of a state agency in the state is ineligible for nomination, appointment, or service as the state chief information officer.

Section 2. Until a state chief information officer is appointed pursuant to s. 20.70, Florida Statutes, the current state chief information officer of the Department of Management Services shall be transferred to the Agency for State Systems and Enterprise Technology and serve as interim state chief information officer. A state chief information officer for the Agency for State Systems and Enterprise Technology must be appointed by the Governor and Cabinet by January 2, 2026. Appointments to the state chief information officer selection committee must be made by August 1, 2025.

Section 3. Effective July 1, 2026, paragraph (b) of subsection (3) of section 97.0525, Florida Statutes, is amended to read:
97.0525 Online voter registration.
(3)
(b) The division shall conduct a comprehensive risk assessment of the online voter registration system every 2 years. The comprehensive risk assessment must comply with the risk assessment methodology developed by the Agency for State Systems and Enterprise Technology Department of Management Services for identifying security risks, determining the magnitude of such risks, and identifying areas that require safeguards. In addition, the comprehensive risk assessment must incorporate all of the following:
1. Load testing and stress testing to ensure that the online voter registration system has sufficient capacity to accommodate foreseeable use, including during periods of high volume of website users in the week immediately preceding the book-closing deadline for an election.
2. Screening of computers and networks used to support the online voter registration system for malware and other vulnerabilities.
3. Evaluation of database infrastructure, including software and operating systems, in order to fortify defenses against cyberattacks.
4. Identification of any anticipated threats to the security and integrity of data collected, maintained, received, or transmitted by the online voter registration system.

Section 4. Effective July 1, 2026, paragraphs (a) and (f) of subsection (1), paragraphs (b) and (c) of subsection (2), and subsections (3) and (4) of section 112.22, Florida Statutes, are amended to read:
112.22 Use of applications from foreign countries of concern prohibited.
(1) As used in this section, the term:
(a) "ASSET" means the Agency for State Systems and Enterprise Technology "Department" means the Department of Management Services.
(f) "Prohibited application" means an application that meets the following criteria:
1. Any Internet application that is created, maintained, or owned by a foreign principal and that participates in activities that include, but are not limited to:
a. Collecting keystrokes or sensitive personal, financial, proprietary, or other business data;
b. Compromising e-mail and acting as a vector for ransomware deployment;
c. Conducting cyber-espionage against a public employer;
d. Conducting surveillance and tracking of individual users; or
e. Using algorithmic modifications to conduct disinformation or misinformation campaigns; or
2. Any Internet application ASSET the department deems to present a security risk in the form of unauthorized access to or temporary unavailability of the public employer's records, digital assets, systems, networks, servers, or information.
(2)
(b) A person, including an employee or officer of a public employer, may not download or access any prohibited application on any government-issued device.
1. This paragraph does not apply to a law enforcement officer as defined in s. 943.10(1) if the use of the prohibited application is necessary to protect the public safety or conduct an investigation within the scope of his or her employment.
2. A public employer may request a waiver from ASSET the department to allow designated employees or officers to download or access a prohibited application on a government-issued device.
(c) Within 15 calendar days after ASSET the department issues or updates its list of prohibited applications pursuant to paragraph (3)(a), an employee or officer of a public employer who uses a government-issued device must remove, delete, or uninstall any prohibited applications from his or her government-issued device.
(3) ASSET The department shall do all of the following:
(a) Compile and maintain a list of prohibited applications and publish the list on its website. ASSET The department shall update this list quarterly and shall provide notice of any update to public employers.
(b) Establish procedures for granting or denying requests for waivers pursuant to subparagraph (2)(b)2. The request for a waiver must include all of the following:
1. A description of the activity to be conducted and the state interest furthered by the activity.
2. The maximum number of government-issued devices and employees or officers to which the waiver will apply.
3. The length of time necessary for the waiver. Any waiver granted pursuant to subparagraph (2)(b)2. must be limited to a timeframe of no more than 1 year, but ASSET the department may approve an extension.
4. Risk mitigation actions that will be taken to prevent access to sensitive data, including methods to ensure that the activity does not connect to a state system, network, or server.
5. A description of the circumstances under which the waiver applies.
(4)(a) Notwithstanding s. 120.74(4) and (5), the department is authorized, and all conditions are deemed met, to adopt emergency rules pursuant to s. 120.54(4) and to implement paragraph (3)(a). Such rulemaking must occur initially by filing emergency rules within 30 days after July 1, 2023.
(b) ASSET The department shall adopt rules necessary to administer this section.

Section 5. Effective July 1, 2026, paragraph (a) of subsection (5) of section 119.0725, Florida Statutes, is amended to read:
119.0725 Agency cybersecurity information; public records exemption; public meetings exemption.
(5)(a) Information made confidential and exempt pursuant to this section must shall be made available to a law enforcement agency, the Auditor General, the Cybercrime Office of the Department of Law Enforcement, the Agency for State Systems and Enterprise Technology Florida Digital Service within the Department of Management Services, and, for agencies under the jurisdiction of the Governor, the Chief Inspector General.

Section 6. Subsection (7) of section 216.023, Florida Statutes, is amended to read:
216.023 Legislative budget requests to be furnished to Legislature by agencies.
(7) As part of the legislative budget request, each state agency and the judicial branch shall include a cumulative an inventory and status report of all ongoing technology-related projects ongoing during the prior fiscal year or undertaken in the prior fiscal year.
For the purposes of this subsection, the term "technology-related project" means a project that has been funded or has had or is expected to have expenditures in more than one fiscal year; has that have a cumulative estimated or realized cost of more than $1 million; and does not include the continuance of existing hardware and software maintenance agreements, renewal of existing software licensing agreements, or the replacement of desktop units with new technology that is substantially similar to the technology being replaced. The inventory must, at a minimum, contain all of the following information:
(a) The name of the technology system.
(b) A brief description of the purpose and function of the system.
(c) A brief description of the goals of the project.
(d) The initiation date of the project.
(e) The key performance indicators for the project.
(f) Any other metrics for the project evaluating the health and status of the project.
(g) The original and current baseline estimated end dates of the project.
(h) The original and current estimated costs of the project.
(i) Total funds appropriated or allocated to the project and the current realized cost for the project by fiscal year.

For purposes of this subsection, an ongoing technology-related project is one which has been funded or has had or is expected to have expenditures in more than one fiscal year. An ongoing technology-related project does not include the continuance of existing hardware and software maintenance agreements, the renewal of existing software licensing agreements, or the replacement of desktop units with new technology that is substantially similar to the technology being replaced. This subsection expires July 1, 2025.
Section 7. Effective July 1, 2026, paragraph (a) of subsection (4) and subsection (7) of section 216.023, Florida Statutes, are amended to read:
216.023 Legislative budget requests to be furnished to Legislature by agencies.
(4)(a) The legislative budget request for each program must contain:
1. The constitutional or statutory authority for a program, a brief purpose statement, and approved program components.
2. Information on expenditures for 3 fiscal years (actual prior-year expenditures, current-year estimated expenditures, and agency budget requested expenditures for the next fiscal year) by appropriation category.
3. Details on trust funds and fees.
4. The total number of positions (authorized, fixed, and requested).
5. An issue narrative describing and justifying changes in amounts and positions requested for current and proposed programs for the next fiscal year.
6. Information resource requests.
7. Supporting information, including applicable cost-benefit analyses, business case analyses, performance contracting procedures, service comparisons, and impacts on performance standards for any request to outsource or privatize state agency functions. The cost-benefit and business case analyses must include an assessment of the impact on each affected activity from those identified in accordance with paragraph (b). Performance standards must include standards for each affected activity and be expressed in terms of the associated unit of activity.
8. An evaluation of major outsourcing and privatization initiatives undertaken during the last 5 fiscal years having aggregate expenditures exceeding $10 million during the term of the contract.
The evaluation must include an assessment of contractor performance, a comparison of anticipated service levels to actual service levels, and a comparison of estimated savings to actual savings achieved. Consolidated reports issued by the Department of Management Services may be used to satisfy this requirement.
9. Supporting information for any proposed consolidated financing of deferred-payment commodity contracts including guaranteed energy performance savings contracts. Supporting information must also include narrative describing and justifying the need, baseline for current costs, estimated cost savings, projected equipment purchases, estimated contract costs, and return on investment calculation.
10. For projects that exceed $10 million in total cost, the statutory reference of the existing policy or the proposed substantive policy that establishes and defines the project's governance structure, planned scope, main business objectives that must be achieved, and estimated completion timeframes. The governance structure for information technology-related projects must incorporate the applicable project management and oversight standards established pursuant to s. 282.0061 s. 282.0051. Information technology budget requests for the continuance of existing hardware and software maintenance agreements, renewal of existing software licensing agreements, or the replacement of desktop units with new technology that is similar to the technology currently in use are exempt from this requirement.
(7) As part of the legislative budget request, each state agency and the judicial branch shall include a cumulative inventory and status report of all technology-related projects ongoing during the prior fiscal year or undertaken in the prior fiscal year.
For the purposes of this subsection, the term "technology-related project" means a project that has been funded or has had or is expected to have expenditures in more than one fiscal year; has a cumulative estimated or realized cost of more than $1 million; and does not include the continuance of existing hardware and software maintenance agreements, renewal of existing software licensing agreements, or the replacement of desktop units with new technology that is substantially similar to the technology being replaced. The inventory must, at a minimum, contain all of the following information:
(a) The name of the technology system.
(b) A brief description of the purpose and function of the system.
(c) A brief description of the goals of the project.
(d) The initiation date of the project.
(e) The key performance indicators for the project.
(f) Any other metrics for the project evaluating the health and status of the project.
(g) The original and current baseline estimated end dates of the project.
(h) The original and current estimated costs of the project.
(i) Total funds appropriated or allocated to the project and the current realized cost for the project by fiscal year.
Section 8. Present subsections (36), (37), and (38) of section 282.0041, Florida Statutes, are redesignated as subsections (37), (38), and (39), respectively, and a new subsection (36) is added to that section, and subsections (1) and (34) of that section are amended, to read:
282.0041 Definitions. As used in this chapter, the term:
(1) "ASSET" means the Agency for State Systems and Enterprise Technology "Agency assessment" means the amount each customer entity must pay annually for services from the Department of Management Services and includes administrative and data center services costs.
(34) "State agency" means any official, officer, commission, board, authority, council, committee, or department of the executive branch of state government; the Justice Administrative Commission; the Northwest Regional Data Center; and the Public Service Commission. The term does not include university boards of trustees or state universities. As used in part I of this chapter, except as otherwise specifically provided, the term includes does not include the Department of Legal Affairs, the Department of Agriculture and Consumer Services, and or the Department of Financial Services.
(36) "Technical debt" means the accumulated cost and operational impact resulting from the use of suboptimal, expedient, or outdated technology solutions that require future remediation, refactoring, or replacement to ensure maintainability, security, efficiency, and compliance with enterprise architecture standards.
Section 9. Section 282.0051, Florida Statutes, is amended to read:
282.0051 Department of Management Services; Florida Digital Service; powers, duties, and functions.
(1) The Florida Digital Service has been created within the department to propose innovative solutions that securely modernize state government, including technology and information services, to achieve value through digital transformation and interoperability, and to fully support the cloud-first policy as specified in s. 282.206. The department, through the Florida Digital Service, shall have the following powers, duties, and functions:
(a) Assign and document state agency technical debt and security risks. All results of the assessments and all documentation, including source documents, meeting notes, and internal work products, must be provided in native electronic and paper formats to ASSET no later than June 15, 2026.
(b) Facilitate the transfer of existing cybersecurity tools and services, provided to state agencies by the department through the Florida Digital Service, directly to the respective state agencies, accompanied by the necessary training, no later than September 15, 2025.
(c) Direct the state chief information security officer to provide a consolidated cybersecurity incident report by the 30th day after the end of each quarter to the interim state chief information officer, the Executive Office of the Governor, the Commissioner of Agriculture, the Chief Financial Officer, the Attorney General, the President of the Senate, and the Speaker of the House of Representatives Develop and publish information technology policy for the management of the state's information technology resources.
(b) Develop an enterprise architecture that:
1. Acknowledges the unique needs of the entities within the enterprise in the development and publication of standards and terminologies to facilitate digital interoperability;
2. Supports the cloud-first policy as specified in s. 282.206; and
3. Addresses how information technology infrastructure may be modernized to achieve cloud-first objectives.
(c) Establish project management and oversight standards with which state agencies must comply when implementing information technology projects. The department, acting through the Florida Digital Service, shall provide training opportunities to state agencies to assist in the adoption of the project management and oversight standards. To support data-driven decisionmaking, the standards must include, but are not limited to:
1. Performance measurements and metrics that objectively reflect the status of an information technology project based on a defined and documented project scope, cost, and schedule.
2. Methodologies for calculating acceptable variances in the projected versus actual scope, schedule, or cost of an information technology project.
3. Reporting requirements, including requirements designed to alert all defined stakeholders that an information technology project has exceeded acceptable variances defined and documented in a project plan.
4. Content, format, and frequency of project updates.
5. Technical standards to ensure an information technology project complies with the enterprise architecture.
(d) Perform project oversight on all state agency information technology projects that have total project costs of $10 million or more and that are funded in the General Appropriations Act or any other law. The department, acting through the Florida Digital Service, shall report at least quarterly to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives on any information technology project that the department identifies as high-risk due to the project exceeding acceptable variance ranges defined and documented in a project plan. The report must include a risk assessment, including fiscal risks, associated with proceeding to the next stage of the project, and a recommendation for corrective actions required, including suspension or termination of the project.
(e) Identify opportunities for standardization and consolidation of information technology services that support interoperability and the cloud-first policy, as specified in s. 282.206, and business functions and operations, including administrative functions such as purchasing, accounting and reporting, cash management, and personnel, and that are common across state agencies.
The department, acting through the Florida Digital Service, shall biennially on January 1 of each even-numbered year provide recommendations for standardization and consolidation to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives.
(f) Establish best practices for the procurement of information technology products and cloud-computing services in order to reduce costs, increase the quality of data center services, or improve government services.
(g) Develop standards for information technology reports and updates, including, but not limited to, operational work plans, project spend plans, and project status reports, for use by state agencies.
(h) Upon request, assist state agencies in the development of information technology-related legislative budget requests.
(i) Conduct annual assessments of state agencies to determine compliance with all information technology standards and guidelines developed and published by the department and provide results of the assessments to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives.
(j) Conduct a market analysis not less frequently than every 3 years beginning in 2021 to determine whether the information technology resources within the enterprise are utilized in the most cost-effective and cost-efficient manner, while recognizing that the replacement of certain legacy information technology systems within the enterprise may be cost prohibitive or cost inefficient due to the remaining useful life of those resources; whether the enterprise is complying with the cloud-first policy specified in s.
282.206; and whether the enterprise is utilizing best practices with respect to information technology, information services, and the acquisition of emerging technologies and information services. Each market analysis shall be used to prepare a strategic plan for continued and future information technology and information services for the enterprise, including, but not limited to, proposed acquisition of new services or technologies and approaches to the implementation of any new services or technologies. Copies of each market analysis and accompanying strategic plan must be submitted to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives not later than December 31 of each year that a market analysis is conducted.
(k) Recommend other information technology services that should be designed, delivered, and managed as enterprise information technology services. Recommendations must include the identification of existing information technology resources associated with the services, if existing services must be transferred as a result of being delivered and managed as enterprise information technology services.
(l) In consultation with state agencies, propose a methodology and approach for identifying and collecting both current and planned information technology expenditure data at the state agency level.
(m)1. Notwithstanding any other law, provide project oversight on any information technology project of the Department of Financial Services, the Department of Legal Affairs, and the Department of Agriculture and Consumer Services which has a total project cost of $20 million or more.
Such information technology projects must also comply with the applicable information technology architecture, project management and oversight, and reporting standards established by the department, acting through the Florida Digital Service.
2. When performing the project oversight function specified in subparagraph 1., report at least quarterly to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives on any information technology project that the department, acting through the Florida Digital Service, identifies as high-risk due to the project exceeding acceptable variance ranges defined and documented in the project plan. The report shall include a risk assessment, including fiscal risks, associated with proceeding to the next stage of the project and a recommendation for corrective actions required, including suspension or termination of the project.
(n) If an information technology project implemented by a state agency must be connected to or otherwise accommodated by an information technology system administered by the Department of Financial Services, the Department of Legal Affairs, or the Department of Agriculture and Consumer Services, consult with these departments regarding the risks and other effects of such projects on their information technology systems and work cooperatively with these departments regarding the connections, interfaces, timing, or accommodations required to implement such projects.
(o) If adherence to standards or policies adopted by or established pursuant to this section causes conflict with federal regulations or requirements imposed on an entity within the enterprise and results in adverse action against an entity or federal funding, work with the entity to provide alternative standards, policies, or requirements that do not conflict with the federal regulation or requirement. The department, acting through the Florida Digital Service, shall annually report such alternative standards to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives.
(p)1. Establish an information technology policy for all information technology-related state contracts, including state term contracts for information technology commodities, consultant services, and staff augmentation services. The information technology policy must include:
a. Identification of the information technology product and service categories to be included in state term contracts.
b. Requirements to be included in solicitations for state term contracts.
c. Evaluation criteria for the award of information technology-related state term contracts.
d. The term of each information technology-related state term contract.
e. The maximum number of vendors authorized on each state term contract.
f. At a minimum, a requirement that any contract for information technology commodities or services meet the National Institute of Standards and Technology Cybersecurity Framework.
g. For an information technology project wherein project oversight is required pursuant to paragraph (d) or paragraph (m), a requirement that independent verification and validation be employed throughout the project life cycle with the primary objective of independent verification and validation being to provide an objective assessment of products and processes throughout the project life cycle. An entity providing independent verification and validation may not have technical, managerial, or financial interest in the project and may not have responsibility for, or participate in, any other aspect of the project.
2. Evaluate vendor responses for information technology-related state term contract solicitations and invitations to negotiate.
3. Answer vendor questions on information technology-related state term contract solicitations.
4. Ensure that the information technology policy established pursuant to subparagraph 1. is included in all solicitations and contracts that are administratively executed by the department.
(q) Recommend potential methods for standardizing data across state agencies which will promote interoperability and reduce the collection of duplicative data.
(r) Recommend open data technical standards and terminologies for use by the enterprise.
(s) Ensure that enterprise information technology solutions are capable of utilizing an electronic credential and comply with the enterprise architecture standards.
(2)(a) The Secretary of Management Services shall designate a state chief information officer, who shall administer the Florida Digital Service.
The state chief information officer, prior to appointment, must have at least 5 years of experience in the development of information system strategic planning and development or information technology policy, and, preferably, have leadership-level experience in the design, development, and deployment of interoperable software and data solutions.
(b) The state chief information officer, in consultation with the Secretary of Management Services, shall designate a state chief data officer. The chief data officer must be a proven and effective administrator who must have significant and substantive experience in data management, data governance, interoperability, and security.
(3) The department, acting through the Florida Digital Service and from funds appropriated to the Florida Digital Service, shall:
(a) Create, not later than December 1, 2022, and maintain a comprehensive indexed data catalog in collaboration with the enterprise that lists the data elements housed within the enterprise and the legacy system or application in which these data elements are located. The data catalog must, at a minimum, specifically identify all data that is restricted from public disclosure based on federal or state laws and regulations and require that all such information be protected in accordance with s. 282.318.
(b) Develop and publish, not later than December 1, 2022, in collaboration with the enterprise, a data dictionary for each agency that reflects the nomenclature in the comprehensive indexed data catalog.
(c) Adopt, by rule, standards that support the creation and deployment of an application programming interface to facilitate integration throughout the enterprise.
(d) Adopt, by rule, standards necessary to facilitate a secure ecosystem of data interoperability that is compliant with the enterprise architecture.
(e) Adopt, by rule, standards that facilitate the deployment of applications or solutions to the existing enterprise system in a controlled and phased approach.
(f) After submission of documented use cases developed in conjunction with the affected agencies, assist the affected agencies with the deployment, contingent upon a specific appropriation therefor, of new interoperable applications and solutions:
1. For the Department of Health, the Agency for Health Care Administration, the Agency for Persons with Disabilities, the Department of Education, the Department of Elderly Affairs, and the Department of Children and Families.
2. To support military members, veterans, and their families.
(4) For information technology projects that have a total project cost of $10 million or more:
(a) State agencies must provide the Florida Digital Service with written notice of any planned procurement of an information technology project.
(b) The Florida Digital Service must participate in the development of specifications and recommend modifications to any planned procurement of an information technology project by state agencies so that the procurement complies with the enterprise architecture.
(c) The Florida Digital Service must participate in post-award contract monitoring.
(2)(5) The department, acting through the Florida Digital Service, may not retrieve or disclose any data without a shared data agreement in place between the department and the enterprise entity that has primary custodial responsibility of, or data-sharing responsibility for, that data.
(3) This section is repealed July 1, 2026.
(6) The department, acting through the Florida Digital Service, shall adopt rules to administer this section.
Section 10. Section 282.00515, Florida Statutes, is repealed.
Section 11. Effective July 1, 2026, section 282.006, Florida Statutes, is created to read:
282.006 Agency for State Systems and Enterprise Technology; duties; enterprise responsibilities; reporting.
(1) The Agency for State Systems and Enterprise Technology established in s. 20.70 shall operate as the state enterprise organization for information technology governance and is the lead entity responsible for understanding the unique state agency information technology needs and environments, creating enterprise technology standards and strategy, supporting state agency technology efforts, and reporting on the status of technology for the enterprise.
(2) The Legislature intends for ASSET policy, standards, guidance, and oversight to allow for adaptability to emerging technology and organizational needs while maintaining compliance with industry best practices. All policies, standards, and guidelines established pursuant to this chapter must be technology-agnostic and may not prescribe specific tools, platforms, or vendors.
(3) ASSET shall establish the strategic direction of information technology in the state. ASSET shall develop and publish information technology policy that aligns with industry best practices for the management of the state's information technology resources. The policy must be updated as necessary to meet the requirements of this chapter and advancements in technology.
(4) Related to its oversight of the state's technology enterprise, ASSET shall:
(a) In coordination with state agency technology subject matter experts, develop, publish, and maintain an enterprise architecture that:
1. Acknowledges the unique needs of the entities within the enterprise in the development and publication of standards and terminologies to facilitate digital interoperability;
2. Supports the cloud-first policy as specified in s. 282.206;
3. Addresses how information technology infrastructure may be modernized to achieve security, scalability, maintainability, interoperability, and improved cost-efficiency goals; and
4. Includes, at a minimum, best practices, guidelines, and standards for:
a. Data models and taxonomies.
b. Master data management.
c. Data integration and interoperability.
d. Data security and encryption.
e. Bot prevention and data protection.
f. Data backup and recovery.
g. Application portfolio and catalog requirements.
h. Application architectural patterns and principles.
i. Technology and platform standards.
j. Secure coding practices.
k. Performance and scalability.
l. Cloud infrastructure and architecture.
m. Networking, connectivity, and security protocols.
n. Authentication, authorization, and access controls.
o. Disaster recovery.
p. Quality assurance.
q. Testing methodologies and measurements.
r. Logging and log retention.
s. Application and use of artificial intelligence.
(b) Recommend open data technical standards and terminologies for use by the state's technology enterprise.
(c) Develop enterprise technology testing and quality assurance best practices and standards to ensure the reliability, security, and performance of information technology systems.
Such best practices and standards must include:
1. Functional testing to ensure software or systems meet required specifications.
2. Performance and load testing to ensure software and systems operate efficiently under various conditions.
3. Security testing to protect software and systems from vulnerabilities and cyber threats.
4. Compatibility and interoperability testing to ensure software and systems operate seamlessly across environments.
(5) ASSET shall produce the following reports and provide them to the Governor, the Commissioner of Agriculture, the Chief Financial Officer, the Attorney General, the President of the Senate, and the Speaker of the House of Representatives:
(a) Annually by December 15, an enterprise analysis report that includes all of the following:
1. Results of the state agency needs assessments, including any plan to address technical debt as required by s. 282.0061 pursuant to the schedule adopted.
2. Alternative standards related to federal funding adopted pursuant to s. 282.0061.
3. Information technology financial data for each state agency for the previous fiscal year. This portion of the annual report must include, at a minimum, the following recurring and nonrecurring information:
a. Total number of full-time equivalent positions.
b. Total amount of salary.
c. Total amount of benefits.
d. Total number of comparable full-time equivalent positions and total amount of expenditures for information technology staff augmentation.
e. Total number of contracts and purchase orders and total amount of associated expenditures for information technology managed services.
f. Total amount of expenditures by state term contract as defined in s. 287.012, contracts procured using alternative purchasing methods as authorized pursuant to s.
287.042(16), and state agency procurements through request for proposal, invitation to negotiate, invitation to bid, single source, and emergency purchases.
g. Total amount of expenditures for hardware.
h. Total amount of expenditures for non-cloud software.
i. Total amount of expenditures for cloud software licenses and services with a separate amount for expenditures for state data center services.
j. Total amount of expenditures for cloud data center services with a separate amount for expenditures for state data center services.
k. Total amount of expenditures for administrative costs.
4. Consolidated information for the previous fiscal year about state information technology projects, which must include, at a minimum, the following information:
a. Anticipated funding requirements for information technology support over the next 5 years.
b. An inventory of current information technology assets and major projects. The term "major project" includes projects costing more than $500,000 to implement.
c. Significant unmet needs for information technology resources over the next 5 fiscal years, ranked in priority order according to their urgency.
5. A review and summary of whether the information technology contract policy established pursuant to s. 282.0064 is included in all solicitations and contracts.
6. Information related to the information technology test laboratory created in s. 282.0065, including usage statistics and key findings, and recommendations for improving the state's information technology procurement processes.
(b) Biennially by December 15 of even-numbered years, a report on the strategic direction of information technology in the state which includes all of the following:
1. Recommendations for standardization and consolidation of information technology services that are identified as common across state agencies as required in s. 282.0061.
2. Recommendations for information technology services that should be designed, delivered, and managed as enterprise information technology services. Recommendations must include the identification of existing information technology resources associated with the services, if existing services must be transferred as a result of being delivered and managed as enterprise information technology services, and which entity is best suited to manage the service.
(c)1. When conducted as provided in this paragraph, a market analysis and accompanying strategic plan submitted by December 31 of each year that the market analysis is conducted.
2. No less frequently than every 3 years, ASSET shall conduct market analysis to determine whether the:
a. Information technology resources within the enterprise are used in the most cost-effective and cost-efficient manner, while recognizing that the replacement of certain legacy information technology systems within the enterprise may be cost prohibitive or cost inefficient due to the remaining useful life of those resources; and
b. Enterprise is using best practices with respect to information technology, information services, and the acquisition of emerging technologies and information services.
3. Each market analysis must be used to prepare a strategic plan for continued and future information technology and information services for the enterprise, including, but not limited to, proposed acquisition of new services or technologies and approaches to the implementation of any new services or technologies.
(6) ASSET may adopt rules to implement this chapter.

Section 12. Effective July 1, 2026, section 282.0061, Florida Statutes, is created to read:
282.0061 ASSET support of state agencies; information technology procurement and projects.
(1) LEGISLATIVE INTENT. The Legislature intends for ASSET to support state agencies in their information technology efforts through the adoption of policies, standards, and guidance and by providing oversight that recognizes unique state agency information technology needs, environments, and goals. ASSET assistance and support must allow for adaptability to emerging technologies and organizational needs while maintaining compliance with industry best practices. ASSET may not prescribe specific tools, platforms, or vendors.
(2) NEEDS ASSESSMENTS.
(a) By January 1, 2028, ASSET shall conduct full baseline needs assessments of state agencies to document their distinct technical environments, existing technical debt, security risks, and compliance with all information technology standards and guidelines developed and published by ASSET. The needs assessment must use the Capability Maturity Model to evaluate each state agency's information technology capabilities, providing a maturity level rating for each assessed domain. After completion of the full baseline needs assessments, such assessments must be maintained and updated on a regular schedule adopted by ASSET.
(b) In assessing the existing technical debt portion of the needs assessment, ASSET shall analyze the state's legacy information technology systems and develop a plan to document the needs and costs for replacement systems. The plan must include an inventory of legacy applications and infrastructure; the required capabilities not available with the legacy system; the estimated process, timeline, and cost to migrate from legacy environments; and any other information necessary for fiscal or technology planning. The plan must determine and document the estimated timeframe during which the state agency can continue to efficiently use legacy information technology systems, resources, security, and data management to support operations. State agencies shall provide all necessary documentation to enable accurate reporting on legacy systems.
(c) ASSET shall develop a plan and schedule to conduct the initial full baseline needs assessments. By October 1, 2026, ASSET shall submit the plan to the Governor, the Commissioner of Agriculture, the Chief Financial Officer, the Attorney General, the President of the Senate, and the Speaker of the House of Representatives.
(d) ASSET shall support state agency strategic planning efforts and assist state agencies with the production of a phased roadmap to address known technology gaps and deficiencies as identified in the needs assessments. The roadmaps must include specific strategies and initiatives aimed at advancing the state agency's maturity level in accordance with the Capability Maturity Model. State agencies shall create, maintain, and submit the roadmap on an annual basis with their legislative budget requests required under s. 216.023.
(3) STANDARDIZATION. ASSET shall:
(a) Recommend in its annual enterprise analysis required under s. 282.006 any potential methods for standardizing data across state agencies which will promote interoperability and reduce the collection of duplicative data.
(b) Identify any opportunities in its annual enterprise analysis required under s. 282.006 for standardization and consolidation of information technology services that are common across all state agencies and that support:
1. Improved interoperability, security, scalability, maintainability, and cost efficiency; and
2. Business functions and operations, including administrative functions such as purchasing, accounting and reporting, cash management, and personnel.
(4) DATA MANAGEMENT.
(a) ASSET shall develop standards for use by state agencies which support best practices for master data management at the state agency level to facilitate enterprise data sharing and interoperability.
(b) ASSET shall establish a methodology and strategy for implementing statewide master data management and submit a report to the Governor, the Commissioner of Agriculture, the Chief Financial Officer, the Attorney General, the President of the Senate, and the Speaker of the House of Representatives by December 1, 2028. The report must include the vision, goals, and benefits of implementing a statewide master data management initiative, an analysis of the current state of data management, and the recommended strategy, methodology, and estimated timeline and resources needed at a state agency and enterprise level to accomplish the initiative.
(5) INFORMATION TECHNOLOGY PROJECTS. ASSET has the following duties and responsibilities related to state agency technology projects:
(a) Provide procurement advisory and review services for information technology projects to all state agencies, including procurement and contract development assistance to meet the information technology contract policy established pursuant to s. 282.0064.
(b) Establish best practices and enterprise procurement processes and develop metrics to support these processes for the procurement of information technology products and services in order to reduce costs or improve the provision of government services.
(c) Upon request, assist state agencies in the development of information technology-related legislative budget requests.
(d) Develop standards and accountability measures for information technology projects, including criteria for effective project management and oversight. State agencies must satisfy these standards and measures when implementing information technology projects. To support data-driven decisionmaking, the standards and measures must include, but are not limited to:
1. Performance measurements and metrics that objectively reflect the status of an information technology project based on a defined and documented project scope, to include the volume of impacted stakeholders, cost, and schedule.
2. Methodologies for calculating and defining acceptable variances in the projected versus actual scope, schedule, or cost of an information technology project.
3. Reporting requirements designed to alert all defined stakeholders that an information technology project has exceeded acceptable variances defined and documented in a project plan as well as any variances that represent a schedule delay of 1 month or more or a cost increase of $1 million or more.
4. Technical standards to ensure an information technology project complies with the enterprise architecture standards.
(e) Develop information technology project reports for use by state agencies, including, but not limited to, operational work plans, project spending plans, and project status reports. Reporting standards must include content, format, and frequency of project updates.
(f) Provide training opportunities to state agencies to assist in the adoption of the project management and oversight standards.
(g) Perform project oversight on all state agency information technology projects that have total project costs of $10 million or more. ASSET shall report by the 30th day after the end of each quarter to the Executive Office of the Governor, the Commissioner of Agriculture, the Chief Financial Officer, the Attorney General, the President of the Senate, and the Speaker of the House of Representatives on any information technology project that ASSET identifies as high-risk. The report must include a risk assessment, including fiscal risks, associated with proceeding to the next stage of the project, and a recommendation for corrective actions required, including suspension or termination of the project.
(6) INFORMATION TECHNOLOGY FINANCIAL DATA.
(a) In consultation with state agencies, ASSET shall create a methodology, an approach, and applicable templates and formats for identifying and collecting both current and planned information technology expenditure data at the state agency level. ASSET shall continuously obtain, review, and maintain records of the appropriations, expenditures, and revenues for information technology for each state agency.
(b) ASSET shall prescribe the format for state agencies to provide all necessary financial information to ASSET for inclusion in the annual report required under s. 282.006. State agencies must provide the information to ASSET by October 1 for the previous fiscal year. The information must be reported by ASSET in order to determine all costs and expenditures for information technology assets and resources provided by the state agencies or through contracts or grants.
(7) FEDERAL CONFLICTS. ASSET shall work with state agencies to provide alternative standards, policies, or requirements that do not conflict with federal regulations or requirements, if adherence to standards or policies adopted by or established pursuant to this section conflict with federal regulations or requirements imposed on an entity within the enterprise and results in, or is expected to result in, adverse action against the state agencies or loss of federal funding.

Section 13. Effective July 1, 2026, section 282.0062, Florida Statutes, is created to read:
282.0062 ASSET workgroups. The following workgroups are established within ASSET to facilitate coordination with state agencies:
(1) CHIEF INFORMATION OFFICER WORKGROUP.
(a) The chief information officer workgroup, composed of all state agency chief information officers, shall consider and make recommendations to the state chief information officer and the state chief information architect on such matters as enterprise information technology policies, standards, services, and architecture. The workgroup may also identify and recommend opportunities for the establishment of public-private partnerships when considering technology infrastructure and services in order to accelerate project delivery and provide a source of new or increased project funding.
(b) At a minimum, the state chief information officer shall consult with the workgroup on a quarterly basis with regard to executing the duties and responsibilities of the state agencies related to statewide information technology strategic planning and policy.
(2) ENTERPRISE DATA AND INTEROPERABILITY WORKGROUP.
(a) The enterprise data and interoperability workgroup, composed of chief data officer representatives from all state agencies, shall consider and make recommendations to the state chief data officer on such matters as enterprise data policies, standards, services, and architecture that promote data consistency, accessibility, and seamless integration across the enterprise.
(b) At a minimum, the state chief data officer shall consult with the workgroup on a quarterly basis with regard to executing the duties and responsibilities of the state agencies related to statewide data governance planning and policy.
(3) ENTERPRISE SECURITY WORKGROUP.
(a) The enterprise security workgroup, composed of chief security officer representatives from all state agencies, shall consider and make recommendations to the state chief security officer on such matters as cybersecurity policies, standards, services, and architecture that promote the protection of state assets.
(b) At a minimum, the state chief security officer shall consult with the workgroup on a quarterly basis with regard to executing the duties and responsibilities of the state agencies related to cybersecurity governance and policy development.
(4) ENTERPRISE INFORMATION TECHNOLOGY OPERATIONS WORKGROUP.
(a) The enterprise information technology operations workgroup, composed of information technology business analyst representatives from all state agencies, shall consider and make recommendations to the state chief technology officer on such matters as information technology needs assessments policies, standards, and services that promote the strategic alignment of technology with operational needs and the evaluation of solutions across the enterprise.
(b) At a minimum, the state chief technology officer shall consult with the workgroup on a quarterly basis with regard to executing the duties and responsibilities of the state agencies related to statewide process improvement and optimization.
(5) ENTERPRISE INFORMATION TECHNOLOGY QUALITY ASSURANCE WORKGROUP.
(a) The enterprise information technology quality assurance workgroup, composed of testing and quality assurance representatives from all state agencies, shall consider and make recommendations to the state chief technology officer on such matters as testing methodologies, tools, and best practices to reduce risks related to software defects, cybersecurity threats, and operational failures.
(b) At a minimum, the state chief technology officer shall consult with the workgroup on a quarterly basis with regard to executing the duties and responsibilities of the state agencies related to enterprise software testing and quality assurance standards.
(6) ENTERPRISE INFORMATION TECHNOLOGY PROJECT MANAGEMENT WORKGROUP.
(a) The enterprise information technology project management workgroup, composed of information technology project manager representatives from all state agencies, shall consider and make recommendations to the state chief technology officer on such matters as information technology project management policies, standards, accountability measures, and services that promote project governance and standardization across the enterprise.
(b) At a minimum, the state chief technology officer shall consult with the workgroup on a quarterly basis with regard to executing the duties and responsibilities of the state agencies related to project management and oversight.
(7) ENTERPRISE INFORMATION TECHNOLOGY CONTRACT MANAGEMENT WORKGROUP.
(a) The enterprise information technology contract management workgroup, composed of information technology contract manager representatives from all state agencies, shall consider and make recommendations to the state chief technology officer on such matters as information technology contract management policies and standards that promote best practices for vendor oversight, risk management and compliance, and performance monitoring and reporting across the enterprise.
(b) At a minimum, the state chief technology officer shall consult with the workgroup on a quarterly basis with regard to executing the duties and responsibilities of the state agencies related to contract management and vendor accountability.
(8) ENTERPRISE INFORMATION TECHNOLOGY PURCHASING WORKGROUP.
(a) The enterprise information technology purchasing workgroup, composed of information technology procurement representatives from all state agencies, shall consider and make recommendations to the state chief technology procurement officer on such matters as information technology procurement policies, standards, and purchasing strategy and optimization that promote best practices for contract negotiation, consolidation, and effective service-level agreement implementation across the enterprise.
(b) At a minimum, the state chief technology procurement officer shall consult with the workgroup on a quarterly basis with regard to executing the duties and responsibilities of the state agencies related to technology evaluation, purchasing, and cost savings.

Section 14. Effective July 1, 2026, section 282.0063, Florida Statutes, is created to read:
282.0063 State information technology professionals career paths and training.
(1) ASSET shall develop standardized frameworks for, and career paths, progressions, and training programs for, the benefit of state agency information technology personnel. To meet that goal, ASSET shall:
(a) Assess current and future information technology workforce needs across state agencies, identifying skill gaps and developing strategies to address them.
(b) Develop and establish a training program for state agencies to support the understanding and implementation of each element of the enterprise architecture.
(c) Establish training programs, certifications, and continuing education opportunities to enhance information technology competencies, including cybersecurity, cloud computing, and emerging technologies.
(d) Support initiatives to upskill existing employees in emerging technologies and automation, ensuring state agencies remain competitive and innovative.
(e) Develop strategies to recruit and retain information technology professionals, including internship programs, partnerships with educational institutions, scholarships for service, and initiatives to attract diverse talent.
(2) ASSET shall consult with CareerSource Florida, Inc., the Department of Commerce, and the Department of Education in the implementation of this section.
(3) Specifically, in consultation with the Division of State Human Resource Management in the Department of Management Services, ASSET shall:
(a) Define career progression frameworks for information technology personnel, for supporting leadership development, and for providing mentorship programs.
(b) Establish guidelines and best practices for information technology professional development and performance management across state agencies.

Section 15. Effective July 1, 2026, section 282.0064, Florida Statutes, is created to read:
282.0064 Information technology contract policy.
(1) In coordination with the Department of Management Services, ASSET shall establish a policy for all information technology-related solicitations and contracts, including state term contracts; contracts sourced using alternative purchasing methods as authorized pursuant to s. 287.042(16); sole source and emergency procurements; and contracts for commodities, consultant services, and staff augmentation services.
(2) Related to state term contracts, the information technology policy must include:
(a) Identification of the information technology product and service categories to be included in state term contracts.
(b) The term of each information technology-related state term contract.
(c) The maximum number of vendors authorized on each state term contract.
(3) For all contracts, the information technology policy must include:
(a) Evaluation criteria for the award of information technology-related contracts.
(b) Requirements to be included in solicitations.
(c) At a minimum, a requirement that any contract for information technology commodities or services must meet the requirements of the enterprise architecture and National Institute of Standards and Technology Cybersecurity Framework.
(4) The policy must include the following requirements for any information technology project that requires project oversight through independent verification and validation:
(a) An entity providing independent verification and validation may not have any:
1. Technical, managerial, or financial interest in the project; or
2. Responsibility for or participation in any other aspect of the project.
(b) The primary objective of independent verification and validation must be to provide an objective assessment throughout the entire project life cycle, reporting directly to all relevant stakeholders. An independent verification and validation entity shall independently verify and validate whether:
1. The project is being built and implemented in accordance with defined technical architecture, specifications, and requirements.
2. The project is adhering to established project management processes.
3. The procurement of products, tools, and services and resulting contracts align with current statutory and regulatory requirements.
4. The value of services delivered is commensurate with project costs.
5. The completed project meets the actual needs of the intended users.
(c) The entity performing independent verification and validation shall provide regular reports and assessments directly to the designated oversight body, identifying risks, deficiencies, and recommendations for corrective actions to ensure project success and compliance with statutory requirements.
(5) The Division of State Purchasing in the Department of Management Services shall coordinate with ASSET on state term contract solicitations and invitations to negotiate related to information technology. ASSET shall evaluate vendor responses and answer vendor questions on such solicitations or invitations to negotiate.

Section 16. Effective July 1, 2026, section 282.0065, Florida Statutes, is created to read:
282.0065 ASSET information technology test laboratory.
(1) Beginning July 1, 2027, or after all elements of the enterprise architecture are published, whichever is later, and subject to specific appropriation, ASSET shall establish, maintain, and manage an information technology test laboratory to support state agencies in evaluating information technology services, software, and tools before procurement and implementation.
(2) The purpose of the information technology test laboratory is to:
(a) Serve as an independent environment for state agencies to develop, test, and refine proofs of concept for information technology solutions to assess functionality, security, interoperability, and performance; and
(b) Assist state agencies in defining and improving procurement requirements based on real-world testing and evaluation.
(3) ASSET shall:
(a) Operate and maintain the test laboratory and ensure that it remains fully operational with the necessary infrastructure, resources, and security controls to support state agency testing activities.
(b) Facilitate proofs of concept for state agencies by providing the agencies with controlled environments to assess emerging technologies, validate vendor claims, and conduct comparative evaluations of information technology solutions.
(c) Support the development of requirements for state agency information technology projects by assisting state agencies in refining technical specifications, performance benchmarks, and security requirements prior to issuing procurement solicitations.
(d) Ensure the security and compliance of the test laboratory by implementing safeguards to protect sensitive data, ensure compliance with applicable laws, and prevent unauthorized access to testing environments.
(e) Provide access to emerging technologies by partnering with industry and research institutions to ensure that state agencies have the opportunity to evaluate the latest information technology innovations relevant to government operations.
(f) Enter into partnerships with public and private entities to support the information technology test laboratory's operations, provided that such partnerships comply with conflict-of-interest policies and procurement regulations.
(g) Establish policies, procedures, and eligibility criteria for state agencies to access and use the lab.

Section 17. Section 282.0066, Florida Statutes, is created to read:
282.0066 Enterprise Information Technology Library.
(1) ASSET shall develop, implement, and maintain a library to serve as the official repository for all enterprise information technology policies, standards, guidelines, and best practices applicable to state agencies. The library must be online and accessible by all state agencies through a secure authentication system.
(2) In developing the library, ASSET shall create a structured index and search functionality to facilitate efficient retrieval of information and maintain version control and revision history for all published documents.
(3) The library must include standardized checklists organized by technical subject areas to assist state agencies in measuring compliance with the information technology policies, standards, guidelines, and best practices.
(4) ASSET shall establish procedures to ensure the integrity, security, and availability of the library, including appropriate access controls, encryption, and disaster recovery measures. ASSET must regularly update documents and materials of the library to reflect current state and federal requirements, industry best practices, and emerging technologies.
(5)(a) All state agencies shall reference and adhere to the policies, standards, guidelines, and best practices contained in the online library in information technology planning, procurement, implementation, and operations. ASSET shall create mechanisms for state agencies to submit feedback, request clarifications, and recommend updates.
(b)1. A state agency may request an exemption to a specific policy, standard, or guideline when compliance is not technically feasible, would cause undue hardship, or conflicts with agency specific statutory requirements. The state agency requesting an exception must submit a formal justification to ASSET detailing all of the following:
a. The specific requirement for which an exemption is sought.
b. The reason compliance is not feasible or practical.
c. Any compensating controls or alternative measures the state agency will implement to mitigate associated risks.
d. The anticipated duration of the exemption.
2. ASSET shall review all exemption requests and provide a recommendation to the state chief information officer who shall present the compliance exemption requests to the chief information officer workgroup. Approval of exemption requests must be made by a majority vote of the workgroup. Approved exemptions must be documented, including conditions and expiration dates.
3. A state agency with an approved exemption must undergo periodic review to determine whether the exemption remains necessary or if compliance can be achieved.

Section 18. Paragraphs (b), (c), (g), (h), and (i) of subsection (3) and paragraphs (b), (c), (d), and (j) of subsection (4) of section 282.318, Florida Statutes, are amended to read:
282.318 Cybersecurity.
(3) The department, acting through the Florida Digital Service, is the lead entity responsible for establishing standards and processes for assessing state agency cybersecurity risks and determining appropriate security measures. Such standards and processes must be consistent with generally accepted technology best practices, including the National Institute for Standards and Technology Cybersecurity Framework, for cybersecurity. The department, acting through the Florida Digital Service, shall adopt rules that mitigate risks; safeguard state agency digital assets, data, information, and information technology resources to ensure availability, confidentiality, and integrity; and support a security governance framework. The department, acting through the Florida Digital Service, shall also:
(b) Develop, and annually update by February 1, a statewide cybersecurity strategic plan that includes security goals and objectives for cybersecurity, including the identification and mitigation of risk, proactive protections against threats, tactical risk detection, threat reporting, and response and recovery protocols for a cyber incident.
(c) Develop and publish for use by state agencies a cybersecurity governance framework that, at a minimum, includes guidelines and processes for:
1. Establishing asset management procedures to ensure that an agency's information technology resources are identified and managed consistent with their relative importance to the agency's business objectives.
2. Using a standard risk assessment methodology that includes the identification of an agency's priorities, constraints, risk tolerances, and assumptions necessary to support operational risk decisions.
3. Completing comprehensive risk assessments and cybersecurity audits, which may be completed by a private sector vendor, and submitting completed assessments and audits to the department.
4. Identifying protection procedures to manage the protection of an agency's information, data, and information technology resources.
5. Establishing procedures for accessing information and data to ensure the confidentiality, integrity, and availability of such information and data.
6. Detecting threats through proactive monitoring of events, continuous security monitoring, and defined detection processes.
7. Establishing agency cybersecurity incident response teams and describing their responsibilities for responding to cybersecurity incidents, including breaches of personal information containing confidential or exempt data.
8. Recovering information and data in response to a cybersecurity incident. The recovery may include recommended improvements to the agency processes, policies, or guidelines.
9. Establishing a cybersecurity incident reporting process that includes procedures for notifying the department and the Department of Law Enforcement of cybersecurity incidents.
a. The level of severity of the cybersecurity incident is defined by the National Cyber Incident Response Plan of the United States Department of Homeland Security as follows:
(I) Level 5 is an emergency-level incident within the specified jurisdiction that poses an imminent threat to the provision of wide-scale critical infrastructure services; national, state, or local government security; or the lives of the country's, state's, or local government's residents.
(II) Level 4 is a severe-level incident that is likely to result in a significant impact in the affected jurisdiction to public health or safety; national, state, or local security; economic security; or civil liberties.
(III) Level 3 is a high-level incident that is likely to result in a demonstrable impact in the affected jurisdiction to public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.
(IV) Level 2 is a medium-level incident that may impact public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.
(V) Level 1 is a low-level incident that is unlikely to impact public health or safety; national, state, or local security; economic security; civil liberties; or public confidence.
1747 b.The cybersecurity incident reporting process must 1748 specify the information that must be reported by a state agency 1749 following a cybersecurity incident or ransomware incident, 1750 which, at a minimum, must include the following: 1751 (I)A summary of the facts surrounding the cybersecurity 1752 incident or ransomware incident. 1753 (II)The date on which the state agency most recently 1754 backed up its data; the physical location of the backup, if the 1755 backup was affected; and if the backup was created using cloud 1756 computing. 1757 (III)The types of data compromised by the cybersecurity 1758 incident or ransomware incident. 1759 (IV)The estimated fiscal impact of the cybersecurity 1760 incident or ransomware incident. 1761 (V)In the case of a ransomware incident, the details of 1762 the ransom demanded. 1763 c.(I)A state agency shall report all ransomware incidents 1764 and any cybersecurity incident determined by the state agency to 1765 be of severity level 3, 4, or 5 to the state chief information 1766 security officer Cybersecurity Operations Center and the 1767 Cybercrime Office of the Department of Law Enforcement as soon 1768 as possible but no later than 48 hours after discovery of the 1769 cybersecurity incident and no later than 12 hours after 1770 discovery of the ransomware incident. The report must contain 1771 the information required in sub-subparagraph b. 1772 (II)The state chief information security officer 1773 Cybersecurity Operations Center shall notify the President of 1774 the Senate and the Speaker of the House of Representatives of 1775 any severity level 3, 4, or 5 incident as soon as possible but 1776 no later than 12 hours after receiving a state agency's incident 1777 report. The notification must include a high-level description 1778 of the incident and the likely effects. 
1779 d.A state agency shall report a cybersecurity incident 1780 determined by the state agency to be of severity level 1 or 2 to 1781 the state chief information security officer Cybersecurity 1782 Operations Center and the Cybercrime Office of the Department of 1783 Law Enforcement as soon as possible, but no later than 96 hours 1784 after the discovery of the cybersecurity incident and no later 1785 than 72 hours after the discovery of the ransomware incident. 1786 The report must contain the information required in sub- 1787 subparagraph b. 1788 e.The state chief information security officer 1789 Cybersecurity Operations Center shall provide a consolidated 1790 incident report on a quarterly basis to the President of the 1791 Senate and, the Speaker of the House of Representatives, and the 1792 Florida Cybersecurity Advisory Council. The report provided to 1793 the Florida Cybersecurity Advisory Council may not contain the 1794 name of any agency, network information, or system identifying 1795 information but must contain sufficient relevant information to 1796 allow the Florida Cybersecurity Advisory Council to fulfill its 1797 responsibilities as required in s. 282.319(9). 1798 2.10.Incorporating information obtained through detection 1799 and response activities into the agency's cybersecurity incident 1800 response plans. 1801 3.11.Developing agency strategic and operational 1802 cybersecurity plans required pursuant to this section. 1803 4.12.Establishing the managerial, operational, and 1804 technical safeguards for protecting state government data and 1805 information technology resources that align with the state 1806 agency risk management strategy and that protect the 1807 confidentiality, integrity, and availability of information and 1808 data. 
1809 13.Establishing procedures for procuring information 1810 technology commodities and services that require the commodity 1811 or service to meet the National Institute of Standards and 1812 Technology Cybersecurity Framework. 1813 5.14.Submitting after-action reports following a 1814 cybersecurity incident or ransomware incident. Such guidelines 1815 and processes for submitting after-action reports must be 1816 developed and published by December 1, 2022. 1817 (f)(g)Annually provide cybersecurity training to all state 1818 agency technology professionals and employees with access to 1819 highly sensitive information which develops, assesses, and 1820 documents competencies by role and skill level. The 1821 cybersecurity training curriculum must include training on the 1822 identification of each cybersecurity incident severity level 1823 referenced in sub-subparagraph (b)1.a. (c)9.a. The training may 1824 be provided in collaboration with the Cybercrime Office of the 1825 Department of Law Enforcement, a private sector entity, or an 1826 institution of the State University System. 1827 (h)Operate and maintain a Cybersecurity Operations Center 1828 led by the state chief information security officer, which must 1829 be primarily virtual and staffed with tactical detection and 1830 incident response personnel. The Cybersecurity Operations Center 1831 shall serve as a clearinghouse for threat information and 1832 coordinate with the Department of Law Enforcement to support 1833 state agencies and their response to any confirmed or suspected 1834 cybersecurity incident. 1835 (i)Lead an Emergency Support Function, ESF CYBER, under 1836 the state comprehensive emergency management plan as described 1837 in s. 252.35. 
1838 (4)Each state agency head shall, at a minimum: 1839 (b)In consultation with the department, through the 1840 Florida Digital Service, and the Cybercrime Office of the 1841 Department of Law Enforcement, establish an agency cybersecurity 1842 response team to respond to a cybersecurity incident. The agency 1843 cybersecurity response team shall convene upon notification of a 1844 cybersecurity incident and must immediately report all confirmed 1845 or suspected incidents to the state chief information security 1846 officer, or his or her designee, and comply with all applicable 1847 guidelines and processes established pursuant to paragraph 1848 (3)(b) (3)(c). 1849 (c)Submit to the state chief information security officer 1850 department annually by July 31, the state agency's strategic and 1851 operational cybersecurity plans developed pursuant to rules and 1852 guidelines established by the state chief information security 1853 officer department, through the Florida Digital Service. 1854 1.The state agency strategic cybersecurity plan must cover 1855 a 2-year 3-year period and, at a minimum, define security goals, 1856 intermediate objectives, and projected agency costs for the 1857 strategic issues of agency information security policy, risk 1858 management, security training, security incident response, and 1859 disaster recovery. The plan must be based on the statewide 1860 cybersecurity strategic plan created by the state chief 1861 information security officer department and include performance 1862 metrics that can be objectively measured to reflect the status 1863 of the state agency's progress in meeting security goals and 1864 objectives identified in the agency's strategic information 1865 security plan. 
1866 2.The state agency operational cybersecurity plan must 1867 include a set of measures that objectively assesses the 1868 performance of the agency's cybersecurity program in accordance 1869 with its risk management plan progress report that objectively 1870 measures progress made towards the prior operational 1871 cybersecurity plan and a project plan that includes activities, 1872 timelines, and deliverables for security objectives that the 1873 state agency will implement during the current fiscal year. 1874 (d)Conduct, and update every 2 3 years, a comprehensive 1875 risk assessment, which may be completed by a private sector 1876 vendor, to determine the security threats to the data, 1877 information, and information technology resources, including 1878 mobile devices and print environments, of the agency. The risk 1879 assessment must comply with the risk assessment methodology 1880 developed by the state chief information security officer 1881 department and is confidential and exempt from s. 119.07(1), 1882 except that such information shall be available to the Auditor 1883 General, the state chief information security officer Florida 1884 Digital Service within the department, the Cybercrime Office of 1885 the Department of Law Enforcement, and, for state agencies under 1886 the jurisdiction of the Governor, the Chief Inspector General. 1887 If a private sector vendor is used to complete a comprehensive 1888 risk assessment, it must attest to the validity of the risk 1889 assessment findings. The comprehensive risk assessment must 1890 include all of the following: 1891 1.The results of vulnerability and penetration tests on 1892 any Internet website or mobile application that processes any 1893 sensitive personal information or confidential information and a 1894 plan to address any vulnerability identified in the tests. 
1895 2.A written acknowledgment that the executive director or 1896 the secretary of the agency, the chief financial officer of the 1897 agency, and each executive manager as designated by the state 1898 agency have been made aware of the risks revealed during the 1899 preparation of the agency's operations cybersecurity plan and 1900 the comprehensive risk assessment. 1901 (j)Develop a process for detecting, reporting, and 1902 responding to threats, breaches, or cybersecurity incidents 1903 which is consistent with the security rules, guidelines, and 1904 processes established by the department through the Florida 1905 Digital Service. 1906 1.All cybersecurity incidents and ransomware incidents 1907 must be reported by state agencies. Such reports must comply 1908 with the notification procedures and reporting timeframes 1909 established pursuant to paragraph (3)(b) (3)(c). 1910 2.For cybersecurity breaches, state agencies shall provide 1911 notice in accordance with s. 501.171. 1912 Section 19.Effective July 1, 2026, subsections (2), (3), 1913 (4), (7), and (10) of section 282.318, Florida Statutes, as 1914 amended by this act, are amended to read: 1915 282.318Cybersecurity. 1916 (2)As used in this section, the term "state agency" has 1917 the same meaning as provided in s. 282.0041, except that the 1918 term includes the Department of Legal Affairs, the Department of 1919 Agriculture and Consumer Services, and the Department of 1920 Financial Services. 1921 (3)ASSET The department, acting through the Florida 1922 Digital Service, is the lead entity responsible for establishing 1923 enterprise technology and cybersecurity standards and processes 1924 for assessing state agency cybersecurity risks and determining 1925 appropriate security measures that comply with all national and 1926 state data compliance security standards. 
Such standards and 1927 processes must be consistent with generally accepted technology 1928 best practices, including the National Institute for Standards 1929 and Technology Cybersecurity Framework, for cybersecurity. ASSET 1930 The department, acting through the Florida Digital Service, 1931 shall adopt rules that mitigate risks; safeguard state agency 1932 digital assets, data, information, and information technology 1933 resources to ensure availability, confidentiality, and 1934 integrity; and support a security governance framework. ASSET 1935 The department, acting through the Florida Digital Service, 1936 shall also: 1937 (a)Designate an employee of the Florida Digital Service as 1938 the state chief information security officer. The state chief 1939 information security officer must have experience and expertise 1940 in security and risk management for communications and 1941 information technology resources. The state chief information 1942 security officer is responsible for the development of 1943 enterprise cybersecurity policy, standards, operation, and 1944 security architecture oversight of cybersecurity for state 1945 technology systems. The state chief information security officer 1946 shall be notified of all confirmed or suspected incidents or 1947 threats of state agency information technology resources and 1948 must report such incidents or threats to the state chief 1949 information officer and the Governor. 1950 (b)Develop, and annually update by February 1, a statewide 1951 cybersecurity strategic plan that includes security goals and 1952 objectives for cybersecurity, including the identification and 1953 mitigation of risk, proactive protections against threats, 1954 tactical risk detection, threat reporting, and response and 1955 recovery protocols for a cyber incident. 
1956 (c)(b)Develop and publish for use by state agencies a 1957 cybersecurity governance framework that, at a minimum, includes 1958 guidelines and processes for: 1959 1.Establishing asset management procedures to ensure that 1960 an agency's information technology resources are identified and 1961 managed consistently with their relative importance to the 1962 agency's business objectives. 1963 2.Using a standard risk assessment methodology that 1964 includes the identification of an agency's priorities, 1965 constraints, risk tolerances, and assumptions necessary to 1966 support operational risk decisions. 1967 3.Completing comprehensive risk assessments and 1968 cybersecurity audits, which may be completed by a private sector 1969 vendor, and submitting completed assessments and audits to the 1970 department. 1971 4.Identifying protection procedures to manage the 1972 protection of an agency's information, data, and information 1973 technology resources. 1974 5.Establishing procedures for accessing information and 1975 data to ensure the confidentiality, integrity, and availability 1976 of such information and data. 1977 6.Detecting threats through proactive monitoring of 1978 events, continuous security monitoring, and defined detection 1979 processes. 1980 7.Establishing agency cybersecurity incident response 1981 teams and describing their responsibilities for responding to 1982 cybersecurity incidents, including breaches of personal 1983 information containing confidential or exempt data. 1984 8.Recovering information and data in response to a 1985 cybersecurity incident. The recovery may include recommended 1986 improvements to the agency processes, policies, or guidelines. 1987 9.Establishing a cybersecurity incident reporting process 1988 that includes procedures for notifying ASSET the department and 1989 the Department of Law Enforcement of cybersecurity incidents. 
1990 a.The level of severity of the cybersecurity incident is 1991 defined by the National Cyber Incident Response Plan of the 1992 United States Department of Homeland Security as follows: 1993 (I)Level 5 is an emergency-level incident within the 1994 specified jurisdiction that poses an imminent threat to the 1995 provision of wide-scale critical infrastructure services; 1996 national, state, or local government security; or the lives of 1997 the country's, state's, or local government's residents. 1998 (II)Level 4 is a severe-level incident that is likely to 1999 result in a significant impact in the affected jurisdiction to 2000 public health or safety; national, state, or local security; 2001 economic security; or civil liberties. 2002 (III)Level 3 is a high-level incident that is likely to 2003 result in a demonstrable impact in the affected jurisdiction to 2004 public health or safety; national, state, or local security; 2005 economic security; civil liberties; or public confidence. 2006 (IV)Level 2 is a medium-level incident that may impact 2007 public health or safety; national, state, or local security; 2008 economic security; civil liberties; or public confidence. 2009 (V)Level 1 is a low-level incident that is unlikely to 2010 impact public health or safety; national, state, or local 2011 security; economic security; civil liberties; or public 2012 confidence. 2013 b.The cybersecurity incident reporting process must 2014 specify the information that must be reported by a state agency 2015 following a cybersecurity incident or ransomware incident, 2016 which, at a minimum, must include the following: 2017 (I)A summary of the facts surrounding the cybersecurity 2018 incident or ransomware incident. 2019 (II)The date on which the state agency most recently 2020 backed up its data; the physical location of the backup, if the 2021 backup was affected; and if the backup was created using cloud 2022 computing. 
2023 (III)The types of data compromised by the cybersecurity 2024 incident or ransomware incident. 2025 (IV)The estimated fiscal impact of the cybersecurity 2026 incident or ransomware incident. 2027 (V)In the case of a ransomware incident, the details of 2028 the ransom demanded. 2029 c.(I)A state agency shall report all ransomware incidents 2030 and any cybersecurity incident determined by the state agency to 2031 be of severity level 3, 4, or 5 to the state chief information 2032 security officer and the Cybercrime Office of the Department of 2033 Law Enforcement as soon as possible but no later than 48 hours 2034 after discovery of the cybersecurity incident and no later than 2035 12 hours after discovery of the ransomware incident. The report 2036 must contain the information required in sub-subparagraph b. 2037 (II)The state chief information security officer shall 2038 notify the President of the Senate and the Speaker of the House 2039 of Representatives of any severity level 3, 4, or 5 incident as 2040 soon as possible but no later than 12 hours after receiving a 2041 state agency's incident report. The notification must include a 2042 high-level description of the incident and the likely effects. 2043 d.A state agency shall report a cybersecurity incident 2044 determined by the state agency to be of severity level 1 or 2 to 2045 the state chief information security officer and the Cybercrime 2046 Office of the Department of Law Enforcement as soon as possible, 2047 but no later than 96 hours after the discovery of the 2048 cybersecurity incident and no later than 72 hours after the 2049 discovery of the ransomware incident. The report must contain 2050 the information required in sub-subparagraph b. 
2051 e.The state chief information security officer shall 2052 provide a consolidated incident report on a quarterly basis to 2053 the Executive office of the Governor, the Commissioner of 2054 Agriculture, the Chief Financial Officer, the Attorney General, 2055 the President of the Senate, and the Speaker of the House of 2056 Representatives. 2057 10.2.Incorporating information obtained through detection 2058 and response activities into the agency's cybersecurity incident 2059 response plans. 2060 11.3.Developing agency strategic and operational 2061 cybersecurity plans required pursuant to this section. 2062 12.4.Establishing the managerial, operational, and 2063 technical safeguards for protecting state government data and 2064 information technology resources that align with the state 2065 agency risk management strategy and that protect the 2066 confidentiality, integrity, and availability of information and 2067 data. 2068 13.In coordination with the state chief information 2069 technology procurement officer, establishing procedures for 2070 procuring information technology commodities and services that 2071 require the commodity or service to meet the National Institute 2072 of Standards and Technology Cybersecurity Framework. 2073 14.5.Submitting after-action reports following a 2074 cybersecurity incident or ransomware incident. Such guidelines 2075 and processes for submitting after-action reports must be 2076 developed and published by July 1, 2027 December 1, 2022. 2077 (d)(c)Assist state agencies in complying with this 2078 section. 
2079 (e)(d)In collaboration with the Cybercrime Office of the 2080 Department of Law Enforcement and through the state chief 2081 information security officer and the Division of Enterprise 2082 Information Technology Workforce Development, annually provide 2083 training for state agency information security managers and 2084 computer security incident response team members that contains 2085 training on cybersecurity, including cybersecurity threats, 2086 trends, and best practices. 2087 (f)(e)Annually review the strategic and operational 2088 cybersecurity plans of state agencies. 2089 (g)(f)Annually provide cybersecurity training through the 2090 state chief information security officer and the Division of 2091 Enterprise Information Technology Workforce Development to all 2092 state agency technology professionals and employees with access 2093 to highly sensitive information which develops, assesses, and 2094 documents competencies by role and skill level. The 2095 cybersecurity training curriculum must include training on the 2096 identification of each cybersecurity incident severity level 2097 referenced in sub-subparagraph (c)9.a. (b)1.a. The training may 2098 be provided in collaboration with the Cybercrime Office of the 2099 Department of Law Enforcement, a private sector entity, or an 2100 institution of the State University System. 2101 (4)Each state agency head shall, at a minimum: 2102 (a)Designate an information security manager to administer 2103 the cybersecurity program of the state agency. This designation 2104 must be provided annually in writing to ASSET the department by 2105 January 1. A state agency's information security manager, for 2106 purposes of these information security duties, shall report 2107 directly to the agency head. 
2108 (b)In consultation with the state chief information 2109 security officer department, through the Florida Digital 2110 Service, and the Cybercrime Office of the Department of Law 2111 Enforcement, establish an agency cybersecurity response team to 2112 respond to a cybersecurity incident. The agency cybersecurity 2113 response team shall convene upon notification of a cybersecurity 2114 incident and must immediately report all confirmed or suspected 2115 incidents to the state chief information security officer, or 2116 his or her designee, and comply with all applicable guidelines 2117 and processes established pursuant to paragraph (3)(c) (3)(b). 2118 (c)Submit to state chief information security officer 2119 annually by July 31 the state agency's strategic and operational 2120 cybersecurity plans developed pursuant to rules and guidelines 2121 established by the state chief information security officer. 2122 1.The state agency strategic cybersecurity plan must cover 2123 a 2-year period and, at a minimum, define security goals, 2124 intermediate objectives, and projected agency costs for the 2125 strategic issues of agency information security policy, risk 2126 management, security training, security incident response, and 2127 disaster recovery. The plan must be based on the statewide 2128 cybersecurity strategic plan created by the state chief 2129 information security officer and include performance metrics 2130 that can be objectively measured to reflect the status of the 2131 state agency's progress in meeting security goals and objectives 2132 identified in the agency's strategic information security plan. 2133 2.The state agency operational cybersecurity plan must 2134 include a set of measures that objectively assess the 2135 performance of the agency's cybersecurity program in accordance 2136 with its risk management plan. 
2137 (d)Conduct, and update every 2 years, a comprehensive risk 2138 assessment, which may be completed by a private sector vendor, 2139 to determine the security threats to the data, information, and 2140 information technology resources, including mobile devices and 2141 print environments, of the agency. The risk assessment must 2142 comply with the risk assessment methodology developed by the 2143 state chief information security officer and is confidential and 2144 exempt from s. 119.07(1), except that such information shall be 2145 available to the Auditor General, the state chief information 2146 security officer, the Cybercrime Office of the Department of Law 2147 Enforcement, and, for state agencies under the jurisdiction of 2148 the Governor, the Chief Inspector General. If a private sector 2149 vendor is used to complete a comprehensive risk assessment, it 2150 must attest to the validity of the risk assessment findings. The 2151 comprehensive risk assessment must include all of the following: 2152 1.The results of vulnerability and penetration tests on 2153 any Internet website or mobile application that processes any 2154 sensitive personal information or confidential information and a 2155 plan to address any vulnerability identified in the tests. 2156 2.A written acknowledgment that the executive director or 2157 secretary of the agency, the chief financial officer of the 2158 agency, and each executive manager as designated by the state 2159 agency have been made aware of the risks revealed during the 2160 preparation of the agency's operational cybersecurity plan and 2161 the comprehensive risk assessment. 2162 (e)Develop, and periodically update, written internal 2163 policies and procedures, which include procedures for reporting 2164 cybersecurity incidents and breaches to the Cybercrime Office of 2165 the Department of Law Enforcement and the state chief 2166 information security officer Florida Digital Service within the 2167 department. 
Such policies and procedures must be consistent with 2168 the rules, guidelines, and processes established by ASSET the 2169 department to ensure the security of the data, information, and 2170 information technology resources of the agency. The internal 2171 policies and procedures that, if disclosed, could facilitate the 2172 unauthorized modification, disclosure, or destruction of data or 2173 information technology resources are confidential information 2174 and exempt from s. 119.07(1), except that such information shall 2175 be available to the Auditor General, the Cybercrime Office of 2176 the Department of Law Enforcement, the state chief information 2177 security officer the Florida Digital Service within the 2178 department, and, for state agencies under the jurisdiction of 2179 the Governor, the Chief Inspector General. 2180 (f)Implement managerial, operational, and technical 2181 safeguards and risk assessment remediation plans recommended by 2182 ASSET the department to address identified risks to the data, 2183 information, and information technology resources of the agency. 2184 The state chief information security officer department, through 2185 the Florida Digital Service, shall track implementation by state 2186 agencies upon development of such remediation plans in 2187 coordination with agency inspectors general. 2188 (g)Ensure that periodic internal audits and evaluations of 2189 the agency's cybersecurity program for the data, information, 2190 and information technology resources of the agency are 2191 conducted. The results of such audits and evaluations are 2192 confidential information and exempt from s. 
119.07(1), except 2193 that such information shall be available to the Auditor General, 2194 the Cybercrime Office of the Department of Law Enforcement, the 2195 state chief information security officer Florida Digital Service 2196 within the department, and, for agencies under the jurisdiction 2197 of the Governor, the Chief Inspector General. 2198 (h)Ensure that the cybersecurity requirements in the 2199 written specifications for the solicitation, contracts, and 2200 service-level agreement of information technology and 2201 information technology resources and services meet or exceed the 2202 applicable state and federal laws, regulations, and standards 2203 for cybersecurity, including the National Institute of Standards 2204 and Technology Cybersecurity Framework. Service-level agreements 2205 must identify service provider and state agency responsibilities 2206 for privacy and security, protection of government data, 2207 personnel background screening, and security deliverables with 2208 associated frequencies. 2209 (i)Provide cybersecurity awareness training to all state 2210 agency employees within 30 days after commencing employment, and 2211 annually thereafter, concerning cybersecurity risks and the 2212 responsibility of employees to comply with policies, standards, 2213 guidelines, and operating procedures adopted by the state agency 2214 to reduce those risks. The training may be provided in 2215 collaboration with the Cybercrime Office of the Department of 2216 Law Enforcement, a private sector entity, or an institution of 2217 the State University System. 2218 (j)Develop a process for detecting, reporting, and 2219 responding to threats, breaches, or cybersecurity incidents 2220 which is consistent with the security rules, guidelines, and 2221 processes established by ASSET the department through the state 2222 chief information security officer Florida Digital Service. 
2223 1.All cybersecurity incidents and ransomware incidents 2224 must be reported by state agencies. Such reports must comply 2225 with the notification procedures and reporting timeframes 2226 established pursuant to paragraph (3)(c) (3)(b). 2227 2.For cybersecurity breaches, state agencies shall provide 2228 notice in accordance with s. 501.171. 2229 (k)Submit to the state chief information security officer 2230 Florida Digital Service, within 1 week after the remediation of 2231 a cybersecurity incident or ransomware incident, an after-action 2232 report that summarizes the incident, the incident's resolution, 2233 and any insights gained as a result of the incident. 2234 (7)The portions of records made confidential and exempt in 2235 subsections (5) and (6) shall be available to the Auditor 2236 General, the Cybercrime Office of the Department of Law 2237 Enforcement, the state chief information security officer, the 2238 Legislature Florida Digital Service within the department, and, 2239 for agencies under the jurisdiction of the Governor, the Chief 2240 Inspector General. Such portions of records may be made 2241 available to a local government, another state agency, or a 2242 federal agency for cybersecurity purposes or in furtherance of 2243 the state agency's official duties. 2244 (10)ASSET The department shall adopt rules relating to 2245 cybersecurity and to administer this section. 2246 Section 20.Section 282.3185, Florida Statutes, is amended 2247 to read: 2248 282.3185Local government cybersecurity. 2249 (1)SHORT TITLE.This section may be cited as the "Local 2250 Government Cybersecurity Act." 2251 (2)DEFINITION.As used in this section, the term "local 2252 government" means any county or municipality. 2253 (3)CYBERSECURITY TRAINING. 2254 (a)The state chief information security officer Florida 2255 Digital Service shall: 2256 1.Develop a basic cybersecurity training curriculum for 2257 local government employees. 
All local government employees with 2258 access to the local government's network must complete the basic 2259 cybersecurity training within 30 days after commencing 2260 employment and annually thereafter. 2261 2.Develop an advanced cybersecurity training curriculum 2262 for local governments which is consistent with the cybersecurity 2263 training required under s. 282.318(3)(f) s. 282.318(3)(g). All 2264 local government technology professionals and employees with 2265 access to highly sensitive information must complete the 2266 advanced cybersecurity training within 30 days after commencing 2267 employment and annually thereafter. 2268 (b)The state chief information security officer Florida 2269 Digital Service may provide the cybersecurity training required 2270 by this subsection in collaboration with the Cybercrime Office 2271 of the Department of Law Enforcement, a private sector entity, 2272 or an institution of the State University System. 2273 (4)CYBERSECURITY STANDARDS. 2274 (a)Each local government shall adopt cybersecurity 2275 standards that safeguard its data, information technology, and 2276 information technology resources to ensure availability, 2277 confidentiality, and integrity. The cybersecurity standards must 2278 be consistent with generally accepted best practices for 2279 cybersecurity, including the National Institute of Standards and 2280 Technology Cybersecurity Framework. 2281 (b)Each county with a population of 75,000 or more must 2282 adopt the cybersecurity standards required by this subsection by 2283 January 1, 2024. Each county with a population of less than 2284 75,000 must adopt the cybersecurity standards required by this 2285 subsection by January 1, 2025. 2286 (c)Each municipality with a population of 25,000 or more 2287 must adopt the cybersecurity standards required by this 2288 subsection by January 1, 2024. 
Each municipality with a 2289 population of less than 25,000 must adopt the cybersecurity 2290 standards required by this subsection by January 1, 2025. 2291 (d)Each local government shall notify the state chief 2292 information security officer Florida Digital Service of its 2293 compliance with this subsection as soon as possible. 2294 (5)INCIDENT NOTIFICATION. 2295 (a)A local government shall provide notification of a 2296 cybersecurity incident or ransomware incident to the state chief 2297 information security officer Cybersecurity Operations Center, 2298 the Cybercrime Office of the Department of Law Enforcement, and 2299 the sheriff who has jurisdiction over the local government in 2300 accordance with paragraph (b). The notification must include, at 2301 a minimum, the following information: 2302 1.A summary of the facts surrounding the cybersecurity 2303 incident or ransomware incident. 2304 2.The date on which the local government most recently 2305 backed up its data; the physical location of the backup, if the 2306 backup was affected; and if the backup was created using cloud 2307 computing. 2308 3.The types of data compromised by the cybersecurity 2309 incident or ransomware incident. 2310 4.The estimated fiscal impact of the cybersecurity 2311 incident or ransomware incident. 2312 5.In the case of a ransomware incident, the details of the 2313 ransom demanded. 2314 6.A statement requesting or declining assistance from the 2315 Cybersecurity Operations Center, the Cybercrime Office of the 2316 Department of Law Enforcement, or the sheriff who has 2317 jurisdiction over the local government. 2318 (b)1.A local government shall report all ransomware 2319 incidents and any cybersecurity incident determined by the local 2320 government to be of severity level 3, 4, or 5 as provided in s. 2321 282.318(3)(b) s. 
282.318(3)(c) to the state chief information 2322 security officer Cybersecurity Operations Center, the Cybercrime 2323 Office of the Department of Law Enforcement, and the sheriff who 2324 has jurisdiction over the local government as soon as possible 2325 but no later than 12 48 hours after discovery of the 2326 cybersecurity incident and no later than 6 12 hours after 2327 discovery of the ransomware incident. The report must contain 2328 the information required in paragraph (a). 2329 2.The state chief information security officer 2330 Cybersecurity Operations Center shall notify the state chief 2331 information officer, the Governor, the Commissioner of 2332 Agriculture, the Chief Financial Officer, the Attorney General, 2333 the President of the Senate, and the Speaker of the House of 2334 Representatives of any severity level 3, 4, or 5 incident as 2335 soon as possible but no later than 12 hours after receiving a 2336 local government's incident report. The notification must 2337 include a high-level description of the incident and the likely 2338 effects. 2339 (c)A local government may report a cybersecurity incident 2340 determined by the local government to be of severity level 1 or 2341 2 as provided in s. 282.318(3)(b) s. 282.318(3)(c) to the state 2342 chief information security officer Cybersecurity Operations 2343 Center, the Cybercrime Office of the Department of Law 2344 Enforcement, and the sheriff who has jurisdiction over the local 2345 government. The report shall contain the information required in 2346 paragraph (a). 
2347 (d)The state chief information security officer 2348 Cybersecurity Operations Center shall provide a consolidated 2349 incident report by the 30th day after the end of each quarter on 2350 a quarterly basis to the Governor, the Commissioner of 2351 Agriculture, the Chief Financial Officer, the Attorney General, 2352 the President of the Senate, and the Speaker of the House of 2353 Representatives, and the Florida Cybersecurity Advisory Council. 2354 The report provided to the Florida Cybersecurity Advisory 2355 Council may not contain the name of any local government, 2356 network information, or system identifying information but must 2357 contain sufficient relevant information to allow the Florida 2358 Cybersecurity Advisory Council to fulfill its responsibilities 2359 as required in s. 282.319(9). 2360 (6)AFTER-ACTION REPORT.A local government must submit to 2361 the state chief information security officer Florida Digital 2362 Service, within 1 week after the remediation of a cybersecurity 2363 incident or ransomware incident, an after-action report that 2364 summarizes the incident, the incident's resolution, and any 2365 insights gained as a result of the incident. By December 1, 2027 2366 2022, the state chief information security officer Florida 2367 Digital Service shall establish guidelines and processes for 2368 submitting an after-action report. 2369 Section 21.Effective July 1, 2026, paragraph (a) of 2370 subsection (3) and paragraphs (b) and (c) of subsection (5) of 2371 section 282.3185, Florida Statutes, as amended by this act, are 2372 amended to read: 2373 282.3185Local government cybersecurity. 2374 (3)CYBERSECURITY TRAINING. 2375 (a)The state chief information security officer shall: 2376 1.Develop a basic cybersecurity training curriculum for 2377 local government employees. 
All local government employees with 2378 access to the local government's network must complete the basic 2379 cybersecurity training within 30 days after commencing 2380 employment and annually thereafter. 2381 2.Develop an advanced cybersecurity training curriculum 2382 for local governments which is consistent with the cybersecurity 2383 training required under s. 282.318(3)(g) s. 282.318(3)(f). All 2384 local government technology professionals and employees with 2385 access to highly sensitive information must complete the 2386 advanced cybersecurity training within 30 days after commencing 2387 employment and annually thereafter. 2388 (5)INCIDENT NOTIFICATION. 2389 (b)1.A local government shall report all ransomware 2390 incidents and any cybersecurity incident determined by the local 2391 government to be of severity level 3, 4, or 5 as provided in s. 2392 282.318(3)(c) s. 282.318(3)(b) to the state chief information 2393 security officer, the Cybercrime Office of the Department of Law 2394 Enforcement, and the sheriff who has jurisdiction over the local 2395 government as soon as possible but no later than 12 hours after 2396 discovery of the cybersecurity incident and no later than 6 2397 hours after discovery of the ransomware incident. The report 2398 must contain the information required in paragraph (a). 2399 2.The state chief information security officer shall 2400 notify the state chief information officer, the Governor, the 2401 Commission of Agriculture, the Chief Financial Officer, the 2402 Attorney General, the President of the Senate and the Speaker of 2403 the House of Representatives of any severity level 3, 4, or 5 2404 incident as soon as possible but no later than 12 hours after 2405 receiving a local government's incident report. The notification 2406 must include a high-level description of the incident and the 2407 likely effects. 
2408 (c)A local government may report a cybersecurity incident 2409 determined by the local government to be of severity level 1 or 2410 2 as provided in s. 282.318(3)(c) s. 282.318(3)(b) to the state 2411 chief information security officer, the Cybercrime Office of the 2412 Department of Law Enforcement, and the sheriff who has 2413 jurisdiction over the local government. The report shall contain 2414 the information required in paragraph (a). 2415 Section 22.Section 282.319, Florida Statutes, is repealed. 2416 Section 23.(1)POSITIONS. 2417 (a)The following positions are established within the 2418 Agency for State Systems and Enterprise Technology: 2419 1.Chief operations officer. 2420 2.Chief information officer. 2421 (b)Effective July 1, 2026, the following positions are 2422 established within the Agency for State Systems and Enterprise 2423 Technology, all of whom shall be appointed by the executive 2424 director: 2425 1.Deputy executive director, who shall serve as the state 2426 chief information architect, and the following: 2427 a.A minimum of six lead technology coordinators. At least 2428 one coordinator shall be assigned to each of the following major 2429 program areas: health and human services, education, government 2430 operations, criminal and civil justice, agriculture and natural 2431 resources, and transportation and economic development. 2432 b.A minimum of six assistant technology coordinators. At 2433 least one coordinator shall be assigned to each of the following 2434 major program areas: health and human services, education, 2435 government operations, criminal and civil justice, agriculture 2436 and natural resources, and transportation and economic 2437 development. 2438 2.State chief information security officer and six lead 2439 security consultants. 
One consultant shall be assigned to each 2440 of the following major program areas: health and human services, 2441 education, government operations, criminal and civil justice, 2442 agriculture and natural resources, and transportation and 2443 economic development. 2444 3.State chief data officer and the following: 2445 a.A minimum of three data specialists with at least one 2446 specialist dedicated to each of the following areas of data 2447 expertise: 2448 (I)Personally identifiable information. 2449 (II)Protected health information. 2450 (III)Criminal justice information services. 2451 b.A minimum of six data security consultants. At least one 2452 consultant shall be assigned to each of the following major 2453 program areas: health and human services, education, government 2454 operations, criminal and civil justice, agriculture and natural 2455 resources, and transportation and economic development. 2456 4.State chief information technology procurement officer 2457 and a minimum of six lead information technology procurement 2458 consultants. At least one coordinator shall be assigned to each 2459 of the following major program areas: health and human services, 2460 education, government operations, criminal and civil justice, 2461 agriculture and natural resources, and transportation and 2462 economic development. 2463 5.State chief technology officer and the following: 2464 a.A minimum of 42 information technology business analyst 2465 consultants that shall be assigned to major program areas as 2466 follows: 2467 (I)At least 11 consultants shall be assigned to health and 2468 human services and dedicated to state agencies at a minimum as 2469 follows: 2470 (A)Two dedicated to the Department of Health. 2471 (B)Four dedicated to the Agency for Health Care 2472 Administration. 2473 (C)Three dedicated to the Department of Children and 2474 Families. 2475 (D)Two dedicated to the remaining health and human 2476 services state agencies. 
2477 (II)At least four consultants shall be assigned to 2478 education. 2479 (III)At least eight consultants shall be assigned to 2480 government operations and dedicated to state agencies at a 2481 minimum as follows: 2482 (A)Two dedicated to the Department of Financial Services. 2483 (B)One dedicated to the Department of Business and 2484 Professional Regulation. 2485 (C)Two dedicated to the Department of Management Services. 2486 (D)Three dedicated to the remaining government operations 2487 state agencies. 2488 (IV)At least six consultants shall be assigned to criminal 2489 and civil justice and dedicated to state agencies at a minimum 2490 as follows: 2491 (A)One dedicated to the Department of Law Enforcement. 2492 (B)Two dedicated to the Department of Corrections. 2493 (C)One dedicated to the Department of Juvenile Justice. 2494 (D)One dedicated to the Department of Legal Affairs. 2495 (E)One dedicated to the remaining criminal and civil 2496 justice state agencies. 2497 (V)At least four consultants shall be assigned to 2498 agriculture and natural resources and dedicated to state 2499 agencies at a minimum as follows: 2500 (A)One dedicated the Department of Agriculture and 2501 Consumer Services. 2502 (B)One dedicated to the Department of Environmental 2503 Protection. 2504 (C)One dedicated to the Fish and Wildlife Conservation 2505 Commission. 2506 (D)One dedicated to the remaining agriculture and natural 2507 resources state agencies. 2508 (VI)At least nine consultants shall be assigned to 2509 transportation and economic development and dedicated to state 2510 agencies at a minimum as follows: 2511 (A)Two dedicated to the Department of Transportation. 2512 (B)Two dedicated to the Department of State. 2513 (C)One dedicated to the Department of Highway Safety and 2514 Motor Vehicles. 2515 (D)Two dedicated to the Department of Commerce. 2516 (E)One dedicated to the Division of Emergency Management. 
2517 (F)One dedicated to the remaining transportation and 2518 economic development state agencies. 2519 b.A minimum of six information technology project 2520 management professional consultants. At least one consultant 2521 shall be assigned to each of the following major program areas: 2522 health and human services, education, government operations, 2523 criminal and civil justice, agriculture and natural resources, 2524 and transportation and economic development. 2525 c.A minimum of six information technology contract 2526 management consultants. At least one consultant shall be 2527 assigned to each of the following major program areas: health 2528 and human services, education, government operations, criminal 2529 and civil justice, agriculture and natural resources, and 2530 transportation and economic development. 2531 d.A minimum of six information technology quality 2532 assurance consultants. At least one consultant shall be assigned 2533 to each of the following major program areas: health and human 2534 services, education, government operations, criminal and civil 2535 justice, agriculture and natural resources, and transportation 2536 and economic development. 2537 (2)BUREAUS. 2538 (a)The Division of Enterprise Information Technology 2539 Services shall include: 2540 1.The Bureau of Enterprise Information Technology 2541 Operations, responsible for assessing state agency information 2542 technology needs and risks as established under s. 282.006, 2543 Florida Statutes. 2544 2.The Bureau of Enterprise Information Technology Quality 2545 Assurance, responsible for activities established under s. 2546 282.006, Florida Statutes. 2547 3.The Bureau of Enterprise Information Technology Project 2548 Management, responsible for project management oversight and 2549 activities established under s. 282.006, Florida Statutes. 
2550 4.The Bureau of Enterprise Information Technology Contract 2551 Management, responsible for contract management oversight and 2552 activities established under s. 282.006, Florida Statutes. 2553 (b)The Division of Enterprise Information Technology 2554 Purchasing shall include: 2555 1.The Bureau of Enterprise Information Technology 2556 Procurement Services, responsible for procurement activities 2557 established under s. 282.006, Florida Statutes. 2558 2.The Bureau of Enterprise Information Technology 2559 Procurement Policy and Oversight, responsible for activities 2560 established under s. 282.006, Florida Statutes. 2561 (3)WORKGROUP. 2562 (a)The chief information officer policy workgroup shall be 2563 composed of all state agency chief information officers. 2564 (b)The purpose of the workgroup is to provide the 2565 Legislature with input and feedback regarding the structure, 2566 budget, and governance of the Agency for State Systems and 2567 Enterprise Technology. 2568 (c)The chair of the workgroup shall be the interim state 2569 chief information officer. 2570 (d)The voting members of the workgroup shall include the 2571 chair of the workgroup and the chief information officers from 2572 the Department of Financial Services, the Department of 2573 Agriculture and Consumer Services, and the Department of Legal 2574 Affairs. 2575 (e)The chair of the workgroup shall submit a report to the 2576 Governor, the Commissioner of Agriculture, the Chief Financial 2577 Officer, the Attorney General, the President of the Senate, and 2578 the Speaker of the House of Representatives which includes 2579 recommendations and justifications for changes by December 1, 2580 2025. The final report must be voted on and accepted by a 2581 unanimous vote of the voting members of the workgroup. 2582 (f)The workgroup shall expire after submission of the 2583 report required in paragraph (e). 
2584 Section 24.Section 282.201, Florida Statutes, is amended 2585 to read: 2586 282.201State data center.The state data center is 2587 established within the Northwest Regional Data Center pursuant 2588 to s. 282.2011 the department. The provision of data center 2589 services must comply with applicable state and federal laws, 2590 regulations, and policies, including all applicable security, 2591 privacy, and auditing requirements. The department shall appoint 2592 a director of the state data center who has experience in 2593 leading data center facilities and has expertise in cloud 2594 computing management. 2595 (1)STATE DATA CENTER DUTIES.The state data center shall: 2596 (a)Offer, develop, and support the services and 2597 applications defined in service-level agreements executed with 2598 its customer entities. 2599 (b)Maintain performance of the state data center by 2600 ensuring proper data backup; data backup recovery; disaster 2601 recovery; and appropriate security, power, cooling, fire 2602 suppression, and capacity. 2603 (c)Develop and implement business continuity and disaster 2604 recovery plans, and annually conduct a live exercise of each 2605 plan. 2606 (d)Enter into a service-level agreement with each customer 2607 entity to provide the required type and level of service or 2608 services. If a customer entity fails to execute an agreement 2609 within 60 days after commencement of a service, the state data 2610 center may cease service. A service-level agreement may not have 2611 a term exceeding 3 years and at a minimum must: 2612 1.Identify the parties and their roles, duties, and 2613 responsibilities under the agreement. 2614 2.State the duration of the contract term and specify the 2615 conditions for renewal. 2616 3.Identify the scope of work. 2617 4.Identify the products or services to be delivered with 2618 sufficient specificity to permit an external financial or 2619 performance audit. 
2620 5.Establish the services to be provided, the business 2621 standards that must be met for each service, the cost of each 2622 service by agency application, and the metrics and processes by 2623 which the business standards for each service are to be 2624 objectively measured and reported. 2625 6.Provide a timely billing methodology to recover the 2626 costs of services provided to the customer entity pursuant to s. 2627 215.422. 2628 7.Provide a procedure for modifying the service-level 2629 agreement based on changes in the type, level, and cost of a 2630 service. 2631 8.Include a right-to-audit clause to ensure that the 2632 parties to the agreement have access to records for audit 2633 purposes during the term of the service-level agreement. 2634 9.Provide that a service-level agreement may be terminated 2635 by either party for cause only after giving the other party and 2636 the department notice in writing of the cause for termination 2637 and an opportunity for the other party to resolve the identified 2638 cause within a reasonable period. 2639 10.Provide for mediation of disputes by the Division of 2640 Administrative Hearings pursuant to s. 120.573. 2641 (e)For purposes of chapter 273, be the custodian of 2642 resources and equipment located in and operated, supported, and 2643 managed by the state data center. 2644 (f)Assume administrative access rights to resources and 2645 equipment, including servers, network components, and other 2646 devices, consolidated into the state data center. 2647 1.Upon consolidation, a state agency shall relinquish 2648 administrative rights to consolidated resources and equipment. 
2649 State agencies required to comply with federal and state 2650 criminal justice information security rules and policies shall 2651 retain administrative access rights sufficient to comply with 2652 the management control provisions of those rules and policies; 2653 however, the state data center shall have the appropriate type 2654 or level of rights to allow the center to comply with its duties 2655 pursuant to this section. The Department of Law Enforcement 2656 shall serve as the arbiter of disputes pertaining to the 2657 appropriate type and level of administrative access rights 2658 pertaining to the provision of management control in accordance 2659 with the federal criminal justice information guidelines. 2660 2.The state data center shall provide customer entities 2661 with access to applications, servers, network components, and 2662 other devices necessary for entities to perform business 2663 activities and functions, and as defined and documented in a 2664 service-level agreement. 2665 (g)In its procurement process, show preference for cloud 2666 computing solutions that minimize or do not require the 2667 purchasing, financing, or leasing of state data center 2668 infrastructure, and that meet the needs of customer agencies, 2669 that reduce costs, and that meet or exceed the applicable state 2670 and federal laws, regulations, and standards for cybersecurity. 2671 (h)Assist customer entities in transitioning from state 2672 data center services to the Northwest Regional Data Center or 2673 other third-party cloud-computing services procured by a 2674 customer entity or by the Northwest Regional Data Center on 2675 behalf of a customer entity. 2676 (1)(2)USE OF THE STATE DATA CENTER. 
2677 (a)The following are exempt from the use of the state data 2678 center: the Department of Law Enforcement, the Department of the 2679 Lottery's Gaming System, Systems Design and Development in the 2680 Office of Policy and Budget, the regional traffic management 2681 centers as described in s. 335.14(2) and the Office of Toll 2682 Operations of the Department of Transportation, the State Board 2683 of Administration, state attorneys, public defenders, criminal 2684 conflict and civil regional counsel, capital collateral regional 2685 counsel, and the Florida Housing Finance Corporation, and the 2686 Division of Emergency Management within the Executive Office of 2687 the Governor. 2688 (b)The Division of Emergency Management is exempt from the 2689 use of the state data center. This paragraph expires July 1, 2690 2025. 2691 (2)(3)AGENCY LIMITATIONS.Unless exempt from the use of 2692 the state data center pursuant to this section or authorized by 2693 the Legislature, a state agency may not: 2694 (a)Create a new agency computing facility or data center, 2695 or expand the capability to support additional computer 2696 equipment in an existing agency computing facility or data 2697 center; or 2698 (b)Terminate services with the state data center without 2699 giving written notice of intent to terminate services 180 days 2700 before such termination. 2701 (4)DEPARTMENT RESPONSIBILITIES.The department shall 2702 provide operational management and oversight of the state data 2703 center, which includes: 2704 (a)Implementing industry standards and best practices for 2705 the state data center's facilities, operations, maintenance, 2706 planning, and management processes. 2707 (b)Developing and implementing cost-recovery mechanisms 2708 that recover the full direct and indirect cost of services 2709 through charges to applicable customer entities. 
Such cost 2710 recovery mechanisms must comply with applicable state and 2711 federal regulations concerning distribution and use of funds and 2712 must ensure that, for any fiscal year, no service or customer 2713 entity subsidizes another service or customer entity. The 2714 department may recommend other payment mechanisms to the 2715 Executive Office of the Governor, the President of the Senate, 2716 and the Speaker of the House of Representatives. Such mechanisms 2717 may be implemented only if specifically authorized by the 2718 Legislature. 2719 (c)Developing and implementing appropriate operating 2720 guidelines and procedures necessary for the state data center to 2721 perform its duties pursuant to subsection (1). The guidelines 2722 and procedures must comply with applicable state and federal 2723 laws, regulations, and policies and conform to generally 2724 accepted governmental accounting and auditing standards. The 2725 guidelines and procedures must include, but need not be limited 2726 to: 2727 1.Implementing a consolidated administrative support 2728 structure responsible for providing financial management, 2729 procurement, transactions involving real or personal property, 2730 human resources, and operational support. 2731 2.Implementing an annual reconciliation process to ensure 2732 that each customer entity is paying for the full direct and 2733 indirect cost of each service as determined by the customer 2734 entity's use of each service. 2735 3.Providing rebates that may be credited against future 2736 billings to customer entities when revenues exceed costs. 2737 4.Requiring customer entities to validate that sufficient 2738 funds exist before implementation of a customer entity's request 2739 for a change in the type or level of service provided, if such 2740 change results in a net increase to the customer entity's cost 2741 for that fiscal year. 
2742 5.By November 15 of each year, providing to the Office of 2743 Policy and Budget in the Executive Office of the Governor and to 2744 the chairs of the legislative appropriations committees the 2745 projected costs of providing data center services for the 2746 following fiscal year. 2747 6.Providing a plan for consideration by the Legislative 2748 Budget Commission if the cost of a service is increased for a 2749 reason other than a customer entity's request made pursuant to 2750 subparagraph 4. Such a plan is required only if the service cost 2751 increase results in a net increase to a customer entity for that 2752 fiscal year. 2753 7.Standardizing and consolidating procurement and 2754 contracting practices. 2755 (d)In collaboration with the Department of Law Enforcement 2756 and the Florida Digital Service, developing and implementing a 2757 process for detecting, reporting, and responding to 2758 cybersecurity incidents, breaches, and threats. 2759 (e)Adopting rules relating to the operation of the state 2760 data center, including, but not limited to, budgeting and 2761 accounting procedures, cost-recovery methodologies, and 2762 operating procedures. 2763 (5)NORTHWEST REGIONAL DATA CENTER CONTRACT.In order for 2764 the department to carry out its duties and responsibilities 2765 relating to the state data center, the secretary of the 2766 department shall contract by July 1, 2022, with the Northwest 2767 Regional Data Center pursuant to s. 287.057(11). The contract 2768 shall provide that the Northwest Regional Data Center will 2769 manage the operations of the state data center and provide data 2770 center services to state agencies. 2771 (a)The department shall provide contract oversight, 2772 including, but not limited to, reviewing invoices provided by 2773 the Northwest Regional Data Center for services provided to 2774 state agency customers. 
2775 (b)The department shall approve or request updates to 2776 invoices within 10 business days after receipt. If the 2777 department does not respond to the Northwest Regional Data 2778 Center, the invoice will be approved by default. The Northwest 2779 Regional Data Center must submit approved invoices directly to 2780 state agency customers. 2781 Section 25.Section 1004.649, Florida Statutes, is 2782 transferred, renumbered as section 282.0211, Florida Statutes, 2783 and amended to read: 2784 282.0211 1004.649Northwest Regional Data Center. 2785 (1)For the purpose of providing data center services to 2786 its state agency customers, the Northwest Regional Data Center 2787 is designated as a state data center for all state agencies and 2788 shall: 2789 (a)Operate under a governance structure that represents 2790 its customers proportionally. 2791 (b)Maintain an appropriate cost-allocation methodology 2792 that accurately bills state agency customers based solely on the 2793 actual direct and indirect costs of the services provided to 2794 state agency customers and ensures that, for any fiscal year, 2795 state agency customers are not subsidizing other customers of 2796 the data center. Such cost-allocation methodology must comply 2797 with applicable state and federal regulations concerning the 2798 distribution and use of state and federal funds. 2799 (c)Enter into a service-level agreement with each state 2800 agency customer to provide services as defined and approved by 2801 the governing board of the center. 
At a minimum, such service 2802 level agreements must: 2803 1.Identify the parties and their roles, duties, and 2804 responsibilities under the agreement; 2805 2.State the duration of the agreement term, which may not 2806 exceed 3 years, and specify the conditions for up to two 2807 optional 1-year renewals of the agreement before execution of a 2808 new agreement; 2809 3.Identify the scope of work; 2810 4.Establish the services to be provided, the business 2811 standards that must be met for each service, the cost of each 2812 service, and the process by which the business standards for 2813 each service are to be objectively measured and reported; 2814 5.Provide a timely billing methodology for recovering the 2815 cost of services provided pursuant to s. 215.422; 2816 6.Provide a procedure for modifying the service-level 2817 agreement to address any changes in projected costs of service; 2818 7.Include a right-to-audit clause to ensure that the 2819 parties to the agreement have access to records for audit 2820 purposes during the term of the service-level agreement; 2821 8.Identify the products or services to be delivered with 2822 sufficient specificity to permit an external financial or 2823 performance audit; 2824 9.Provide that the service-level agreement may be 2825 terminated by either party for cause only after giving the other 2826 party notice in writing of the cause for termination and an 2827 opportunity for the other party to resolve the identified cause 2828 within a reasonable period; and 2829 10.Provide state agency customer entities with access to 2830 applications, servers, network components, and other devices 2831 necessary for entities to perform business activities and 2832 functions and as defined and documented in a service-level 2833 agreement. 
2834 (d)In its procurement process, show preference for cloud 2835 computing solutions that minimize or do not require the 2836 purchasing or financing of state data center infrastructure, 2837 that meet the needs of state agency customer entities, that 2838 reduce costs, and that meet or exceed the applicable state and 2839 federal laws, regulations, and standards for cybersecurity. 2840 (e)Assist state agency customer entities in transitioning 2841 from state data center services to other third-party cloud 2842 computing services procured by a customer entity or by the 2843 Northwest Regional Data Center on behalf of the customer entity. 2844 (f)Provide to the Board of Governors the total annual 2845 budget by major expenditure category, including, but not limited 2846 to, salaries, expenses, operating capital outlay, contracted 2847 services, or other personnel services by July 30 each fiscal 2848 year. 2849 (g)Provide to each state agency customer its projected 2850 annual cost for providing the agreed-upon data center services 2851 by September 1 each fiscal year. 2852 (h)By November 15 of each year, provide to the Office of 2853 Policy and Budget in the Executive Office of the Governor and to 2854 the chairs of the legislative appropriations committees the 2855 projected costs of providing data center services for the 2856 following fiscal year. 2857 (i)(h)Provide a plan for consideration by the Legislative 2858 Budget Commission if the governing body of the center approves 2859 the use of a billing rate schedule after the start of the fiscal 2860 year that increases any state agency customers costs for that 2861 fiscal year. 2862 (j)(i)Provide data center services that comply with 2863 applicable state and federal laws, regulations, and policies, 2864 including all applicable security, privacy, and auditing 2865 requirements. 
(k)(j) Maintain performance of the data center facilities by ensuring proper data backup; data backup recovery; disaster recovery; and appropriate security, power, cooling, fire suppression, and capacity.
(l)(k) Prepare and submit state agency customer invoices to the Department of Management Services for approval. Upon approval or by default pursuant to s. 282.201(5), Submit invoices to state agency customers.
(m)(l) As funded in the General Appropriations Act, provide data center services to state agencies from multiple facilities.
(2) Unless exempt from the requirement to use the state data center pursuant to s. 282.201(1) s. 282.201(2) or as authorized by the Legislature, a state agency may not do any of the following:
(a) Terminate services with the Northwest Regional Data Center without giving written notice of intent to terminate services 180 days before such termination.
(b) Procure third-party cloud-computing services without evaluating the cloud-computing services provided by the Northwest Regional Data Center.
(c) Exceed 30 days from receipt of approved invoices to remit payment for state data center services provided by the Northwest Regional Data Center.
(3) The Northwest Regional Data Center's authority to provide data center services to its state agency customers may be terminated if:
(a) The center requests such termination to the Board of Governors, the President of the Senate, and the Speaker of the House of Representatives; or
(b) The center fails to comply with the provisions of this section.
(4) If such authority is terminated, the center has 1 year to provide for the transition of its state agency customers to a qualified alternative cloud-based data center that meets the enterprise architecture standards established by the Florida Digital Service.
Section 26. Effective July 1, 2026, subsection (2) of section 20.22, Florida Statutes, is amended to read:
20.22 Department of Management Services. There is created a Department of Management Services.
(2) The following divisions, programs, and services within the Department of Management Services are established:
(a) Facilities Program.
(b) The Florida Digital Service.
(c) Workforce Program.
(c)1.(d)1. Support Program.
2. Federal Property Assistance Program.
(d)(e) Administration Program.
(e)(f) Division of Administrative Hearings.
(f)(g) Division of Retirement.
(g)(h) Division of State Group Insurance.
(h)(i) Division of Telecommunications.
Section 27. Effective July 1, 2026, subsections (1), (5), (7), and (8) of section 282.802, Florida Statutes, are amended to read:
282.802 Government Technology Modernization Council.
(1) The Government Technology Modernization Council, an advisory council as defined in s. 20.03(7), is located created within ASSET the department. Except as otherwise provided in this section, the advisory council shall operate in a manner consistent with s. 20.052.
(5) The state chief information officer Secretary of Management Services, or his or her designee, shall serve as the ex officio, nonvoting executive director of the council.
(7)(a) The council shall meet at least quarterly to:
(a)1. Recommend legislative and administrative actions that the Legislature and state agencies as defined in s. 282.0041 s. 282.318(2) may take to promote the development of data modernization in this state.
(b)2. Assess and provide guidance on necessary legislative reforms and the creation of a state code of ethics for artificial intelligence systems in state government.
(c)3. Assess the effect of automated decision systems or identity management on constitutional and other legal rights, duties, and privileges of residents of this state.
(d)4. Evaluate common standards for artificial intelligence safety and security measures, including the benefits of requiring disclosure of the digital provenance for all images and audio created using generative artificial intelligence as a means of revealing the origin and edit of the image or audio, as well as the best methods for such disclosure.
(e)5. Assess the manner in which governmental entities and the private sector are using artificial intelligence with a focus on opportunity areas for deployments in systems across this state.
(f)6. Determine the manner in which artificial intelligence is being exploited by bad actors, including foreign countries of concern as defined in s. 287.138(1).
(g)7. Evaluate the need for curriculum to prepare school-age audiences with the digital media and visual literacy skills needed to navigate the digital information landscape.
(b) At least one quarterly meeting of the council must be a joint meeting with the Florida Cybersecurity Advisory Council.
(8) By December 31, 2024, and Each December 31 thereafter, the council shall submit to the Governor, the Commissioner of Agriculture, the Chief Financial Officer, the Attorney General, the President of the Senate, and the Speaker of the House of Representatives any legislative recommendations considered necessary by the council to modernize government technology, including:
(a) Recommendations for policies necessary to:
1. Accelerate adoption of technologies that will increase productivity of state enterprise information technology systems, improve customer service levels of government, and reduce administrative or operating costs.
2. Promote the development and deployment of artificial intelligence systems, financial technology, education technology, or other enterprise management software in this state.
3. Protect Floridians from bad actors who use artificial intelligence.
(b) Any other information the council considers relevant.
Section 28. Effective July 1, 2026, section 282.604, Florida Statutes, is amended to read:
282.604 Adoption of rules. ASSET The Department of Management Services shall, with input from stakeholders, adopt rules pursuant to ss. 120.536(1) and 120.54 for the development, procurement, maintenance, and use of accessible electronic information technology by governmental units.
Section 29. Subsection (4) of section 287.0591, Florida Statutes, is amended to read:
287.0591 Information technology; vendor disqualification.
(4) If the department issues a competitive solicitation for information technology commodities, consultant services, or staff augmentation contractual services, the state chief information officer must Florida Digital Service within the department shall participate in such solicitations.
Section 30. Subsection (4) of section 288.012, Florida Statutes, is amended to read:
288.012 State of Florida international offices; direct-support organization. The Legislature finds that the expansion of international trade and tourism is vital to the overall health and growth of the economy of this state. This expansion is hampered by the lack of technical and business assistance, financial assistance, and information services for businesses in this state. The Legislature finds that these businesses could be assisted by providing these services at State of Florida international offices.
The Legislature further finds that the accessibility and provision of services at these offices can be enhanced through cooperative agreements or strategic alliances between private businesses and state, local, and international governmental entities.
(4) The Department of Commerce, in connection with the establishment, operation, and management of any of its offices located in another country, is exempt from the provisions of ss. 255.21, 255.25, and 255.254 relating to leasing of buildings; ss. 283.33 and 283.35 relating to bids for printing; ss. 287.001-287.20 relating to purchasing and motor vehicles; and ss. 282.0051 and 282.702-282.7101 ss. 282.003-282.00515 and 282.702-282.7101 relating to communications, and from all statutory provisions relating to state employment.
(a) The department may exercise such exemptions only upon prior approval of the Governor.
(b) If approval for an exemption under this section is granted as an integral part of a plan of operation for a specified international office, such action shall constitute continuing authority for the department to exercise the exemption, but only in the context and upon the terms originally granted. Any modification of the approved plan of operation with respect to an exemption contained therein must be resubmitted to the Governor for his or her approval. An approval granted to exercise an exemption in any other context shall be restricted to the specific instance for which the exemption is to be exercised.
(c) As used in this subsection, the term "plan of operation" means the plan developed pursuant to subsection (2).
(d) Upon final action by the Governor with respect to a request to exercise the exemption authorized in this subsection, the department shall report such action, along with the original request and any modifications thereto, to the President of the Senate and the Speaker of the House of Representatives within 30 days.
Section 31. Effective July 1, 2026, paragraph (b) of subsection (4) of section 443.1113, Florida Statutes, is amended to read:
443.1113 Reemployment Assistance Claims and Benefits Information System.
(4)
(b) The department shall seek input on recommended enhancements from, at a minimum, the following entities:
1. The Agency for State Systems and Enterprise Technology Florida Digital Service within the Department of Management Services.
2. The General Tax Administration Program Office within the Department of Revenue.
3. The Division of Accounting and Auditing within the Department of Financial Services.
Section 32. Effective July 1, 2026, subsection (5) of section 943.0415, Florida Statutes, is amended to read:
943.0415 Cybercrime Office. There is created within the Department of Law Enforcement the Cybercrime Office. The office may:
(5) Consult with the state chief information security officer of the Agency for State Systems and Enterprise Technology Florida Digital Service within the Department of Management Services in the adoption of rules relating to the information technology security provisions in s. 282.318.
Section 33. Effective July 1, 2026, subsection (3) of section 1004.444, Florida Statutes, is amended to read:
1004.444 Florida Center for Cybersecurity.
(3) Upon receiving a request for assistance from a the Department of Management Services, the Florida Digital Service, or another state agency, the center is authorized, but may not be compelled by the agency, to conduct, consult on, or otherwise assist any state-funded initiatives related to:
(a) Cybersecurity training, professional development, and education for state and local government employees, including school districts and the judicial branch; and
(b) Increasing the cybersecurity effectiveness of the state's and local governments' technology platforms and infrastructure, including school districts and the judicial branch.
Section 34. Except as otherwise provided in this act, this act shall take effect July 1, 2025.