Bill Text: FL S1900 | 2021 | Regular Session | Introduced

NOTE: There are more recent revisions of this legislation. Read Latest Draft
Bill Title: Cybersecurity

Spectrum: Slight Partisan Bill (? 2-1)

Status: (Introduced - Dead) 2021-04-27 - Laid on Table, companion bill(s) passed, see CS/CS/HB 1297 (Ch. 2021-234) [S1900 Detail]

Download: Florida-2021-S1900-Introduced.html
       Florida Senate - 2021                                    SB 1900
       
       
        
       By Senator Boyd
       
       
       
       
       
       21-01791B-21                                          20211900__
    1                        A bill to be entitled                      
    2         An act relating to cybersecurity; amending s. 20.055,
    3         F.S.; requiring certain audit plans of an inspector
    4         general to include certain information; amending s.
    5         282.0041, F.S.; revising and providing definitions;
    6         amending ss. 282.0051, 282.201, and 282.206, F.S.;
    7         revising provisions to replace references to
    8         information technology security with cybersecurity;
    9         amending s. 282.318, F.S.; revising provisions to
   10         replace references to information technology security
   11         and computer security with references to
   12         cybersecurity; revising a short title; providing that
   13         the Department of Management Services, acting through
   14         the Florida Digital Service, is the lead entity for
   15         the purpose of certain responsibilities; providing and
   16         revising requirements for the department, acting
   17         through the Florida Digital Service; providing that
   18         certain employees shall be assigned to selected exempt
   19         service; providing that the state chief information
   20         security officer is responsible for state technology
   21         systems and must notify the Governor of certain
   22         incidents and threats; revising requirements for state
   23         agency heads; requiring the department, through the
   24         Florida Digital Service, to track the implementation
   25         by state agencies of certain plans; creating 282.319,
   26         F.S.; creating the Florida Cybersecurity Advisory
   27         Council within the Department of Management Services;
   28         providing the purpose of the council; requiring the
   29         council to provide certain assistance to the Florida
   30         Digital Service; providing for the membership of the
   31         council; providing for terms of council members;
   32         providing that the Secretary of Management Services,
   33         or his or her designee, shall serve as the ex officio
   34         executive director of the council; providing that
   35         members shall serve without compensation but are
   36         entitled to reimbursement for per diem and travel
   37         expenses; requiring the council to meet at least
   38         quarterly for certain purposes; requiring the council
   39         to submit an annual report to the Governor and
   40         Legislature; amending s. 943.0415, F.S., conforming
   41         provisions to changes made by the act; providing an
   42         effective date.
   43          
   44  Be It Enacted by the Legislature of the State of Florida:
   45  
   46         Section 1. Paragraph (i) of subsection (6) of section
   47  20.055, Florida Statutes, is amended to read:
   48         20.055 Agency inspectors general.—
   49         (6) In carrying out the auditing duties and
   50  responsibilities of this act, each inspector general shall
   51  review and evaluate internal controls necessary to ensure the
   52  fiscal accountability of the state agency. The inspector general
   53  shall conduct financial, compliance, electronic data processing,
   54  and performance audits of the agency and prepare audit reports
   55  of his or her findings. The scope and assignment of the audits
   56  shall be determined by the inspector general; however, the
   57  agency head may at any time request the inspector general to
   58  perform an audit of a special program, function, or
   59  organizational unit. The performance of the audit shall be under
   60  the direction of the inspector general, except that if the
   61  inspector general does not possess the qualifications specified
   62  in subsection (4), the director of auditing shall perform the
   63  functions listed in this subsection.
   64         (i) The inspector general shall develop long-term and
   65  annual audit plans based on the findings of periodic risk
   66  assessments. The plan, where appropriate, should include
   67  postaudit samplings of payments and accounts. The plan shall
   68  show the individual audits to be conducted during each year and
   69  related resources to be devoted to the respective audits. The
   70  plan shall include a specific cybersecurity audit plan. The
   71  Chief Financial Officer, to assist in fulfilling the
   72  responsibilities for examining, auditing, and settling accounts,
   73  claims, and demands pursuant to s. 17.03(1), and examining,
   74  auditing, adjusting, and settling accounts pursuant to s. 17.04,
   75  may use audits performed by the inspectors general and internal
   76  auditors. For state agencies under the jurisdiction of the
   77  Governor, the audit plans shall be submitted to the Chief
   78  Inspector General. The plan shall be submitted to the agency
   79  head for approval. A copy of the approved plan shall be
   80  submitted to the Auditor General.
   81         Section 2. Present subsections (8) through (21) of section
   82  282.0041, Florida Statutes, are redesignated as subsections (9)
   83  through (22), respectively, present subsection (22) is amended,
   84  and a new subsection (8) is added to that section, to read:
   85         282.0041 Definitions.—As used in this chapter, the term:
   86         (8)“Cybersecurity” means the protection afforded to
   87  information technology resources from unauthorized access or
   88  criminal use by ensuring the confidentiality, integrity, and
   89  availability of data and information.
   90         (22)“Information technology security” means the protection
   91  afforded to an automated information system in order to attain
   92  the applicable objectives of preserving the integrity,
   93  availability, and confidentiality of data, information, and
   94  information technology resources.
   95         Section 3. Paragraph (j) of subsection (1) of section
   96  282.0051, Florida Statutes, is amended to read:
   97         282.0051 Department of Management Services; Florida Digital
   98  Service; powers, duties, and functions.—
   99         (1) The Florida Digital Service has been created within the
  100  department to propose innovative solutions that securely
  101  modernize state government, including technology and information
  102  services, to achieve value through digital transformation and
  103  interoperability, and to fully support the cloud-first policy as
  104  specified in s. 282.206. The department, through the Florida
  105  Digital Service, shall have the following powers, duties, and
  106  functions:
  107         (j) Provide operational management and oversight of the
  108  state data center established pursuant to s. 282.201, which
  109  includes:
  110         1. Implementing industry standards and best practices for
  111  the state data center’s facilities, operations, maintenance,
  112  planning, and management processes.
  113         2. Developing and implementing cost-recovery mechanisms
  114  that recover the full direct and indirect cost of services
  115  through charges to applicable customer entities. Such cost
  116  recovery mechanisms must comply with applicable state and
  117  federal regulations concerning distribution and use of funds and
  118  must ensure that, for any fiscal year, no service or customer
  119  entity subsidizes another service or customer entity. The
  120  Florida Digital Service may recommend other payment mechanisms
  121  to the Executive Office of the Governor, the President of the
  122  Senate, and the Speaker of the House of Representatives. Such
  123  mechanism may be implemented only if specifically authorized by
  124  the Legislature.
  125         3. Developing and implementing appropriate operating
  126  guidelines and procedures necessary for the state data center to
  127  perform its duties pursuant to s. 282.201. The guidelines and
  128  procedures must comply with applicable state and federal laws,
  129  regulations, and policies and conform to generally accepted
  130  governmental accounting and auditing standards. The guidelines
  131  and procedures must include, but need not be limited to:
  132         a. Implementing a consolidated administrative support
  133  structure responsible for providing financial management,
  134  procurement, transactions involving real or personal property,
  135  human resources, and operational support.
  136         b. Implementing an annual reconciliation process to ensure
  137  that each customer entity is paying for the full direct and
  138  indirect cost of each service as determined by the customer
  139  entity’s use of each service.
  140         c. Providing rebates that may be credited against future
  141  billings to customer entities when revenues exceed costs.
  142         d. Requiring customer entities to validate that sufficient
  143  funds exist in the appropriate data processing appropriation
  144  category or will be transferred into the appropriate data
  145  processing appropriation category before implementation of a
  146  customer entity’s request for a change in the type or level of
  147  service provided, if such change results in a net increase to
  148  the customer entity’s cost for that fiscal year.
  149         e. By November 15 of each year, providing to the Office of
  150  Policy and Budget in the Executive Office of the Governor and to
  151  the chairs of the legislative appropriations committees the
  152  projected costs of providing data center services for the
  153  following fiscal year.
  154         f. Providing a plan for consideration by the Legislative
  155  Budget Commission if the cost of a service is increased for a
  156  reason other than a customer entity’s request made pursuant to
  157  sub-subparagraph d. Such a plan is required only if the service
  158  cost increase results in a net increase to a customer entity for
  159  that fiscal year.
  160         g. Standardizing and consolidating procurement and
  161  contracting practices.
  162         4. In collaboration with the Department of Law Enforcement,
  163  developing and implementing a process for detecting, reporting,
  164  and responding to cybersecurity information technology security
  165  incidents, breaches, and threats.
  166         5. Adopting rules relating to the operation of the state
  167  data center, including, but not limited to, budgeting and
  168  accounting procedures, cost-recovery methodologies, and
  169  operating procedures.
  170         Section 4. Paragraph (g) of subsection (1) of section
  171  282.201, Florida Statutes, is amended to read:
  172         282.201 State data center.—The state data center is
  173  established within the department. The provision of data center
  174  services must comply with applicable state and federal laws,
  175  regulations, and policies, including all applicable security,
  176  privacy, and auditing requirements. The department shall appoint
  177  a director of the state data center, preferably an individual
  178  who has experience in leading data center facilities and has
  179  expertise in cloud-computing management.
  180         (1) STATE DATA CENTER DUTIES.—The state data center shall:
  181         (g) In its procurement process, show preference for cloud
  182  computing solutions that minimize or do not require the
  183  purchasing, financing, or leasing of state data center
  184  infrastructure, and that meet the needs of customer agencies,
  185  that reduce costs, and that meet or exceed the applicable state
  186  and federal laws, regulations, and standards for cybersecurity
  187  information technology security.
  188         Section 5. Subsection (2) of section 282.206, Florida
  189  Statutes, is amended to read:
  190         282.206 Cloud-first policy in state agencies.—
  191         (2) In its procurement process, each state agency shall
  192  show a preference for cloud-computing solutions that either
  193  minimize or do not require the use of state data center
  194  infrastructure when cloud-computing solutions meet the needs of
  195  the agency, reduce costs, and meet or exceed the applicable
  196  state and federal laws, regulations, and standards for
  197  cybersecurity information technology security.
  198         Section 6. Section 282.318, Florida Statutes, is amended to
  199  read:
  200         282.318 Cybersecurity Security of data and information
  201  technology.—
  202         (1) This section may be cited as the “Florida State
  203  Cybersecurity Act.” “Information Technology Security Act.”
  204         (2) As used in this section, the term “state agency” has
  205  the same meaning as provided in s. 282.0041, except that the
  206  term includes the Department of Legal Affairs, the Department of
  207  Agriculture and Consumer Services, and the Department of
  208  Financial Services.
  209         (3) The department, acting through the Florida Digital
  210  Service, is the lead entity responsible for establishing
  211  standards and processes for assessing state agency cybersecurity
  212  risks and determining appropriate security measures. Such
  213  standards and processes must be consistent with generally
  214  accepted technology best practices, including the National
  215  Institute for Standards and Technology Cybersecurity Framework,
  216  for cybersecurity. This shall include information technology
  217  security, to include cybersecurity, and adopting rules that
  218  mitigate risk; safeguard the state’s digital assets and agency
  219  an agency’s data, information, and information technology
  220  resources to ensure availability, confidentiality, and
  221  integrity; and support a centralized security governance and to
  222  mitigate risks. The department, acting through the Florida
  223  Digital Service, shall also:
  224         (a) Designate an employee of the Florida Digital Service as
  225  the state chief information security officer. The state chief
  226  information security officer must have experience and expertise
  227  in security and risk management for communications and
  228  information technology resources. The employees under the
  229  direction of the state chief information security officer shall
  230  be assigned to selected exempt service. The state chief
  231  information security officer is responsible for the development,
  232  operation, and management of cybersecurity for state technology
  233  systems. The state chief information security officer must have
  234  a direct communication channel to the Governor, or his or her
  235  designee, related to risk assessments, threat monitoring,
  236  detection, and response activities of suspected or confirmed
  237  cyber incidents or threats.
  238         (b) Develop, and annually update by February 1, a statewide
  239  cybersecurity information technology security strategic plan
  240  that includes security goals and objectives for cybersecurity,
  241  including the identification and mitigation of risk, proactive
  242  protections against threats, tactical risk detection, threat
  243  reporting, and response and recovery protocols for a cyber
  244  incident the strategic issues of information technology security
  245  policy, risk management, training, incident management, and
  246  disaster recovery planning.
  247         (c) Develop and publish for use by state agencies a
  248  centralized cybersecurity governance an information technology
  249  security framework that, at a minimum, includes guidelines and
  250  processes for:
  251         1. Establishing asset management procedures to ensure that
  252  an agency’s information technology resources are identified and
  253  managed consistent with their relative importance to the
  254  agency’s business objectives.
  255         2. Using a standard risk assessment methodology that
  256  includes the identification of an agency’s priorities,
  257  constraints, risk tolerances, and assumptions necessary to
  258  support operational risk decisions.
  259         3. Completing comprehensive risk assessments and
  260  cybersecurity information technology security audits, which may
  261  be completed by a private sector vendor, and submitting
  262  completed assessments and audits to the department.
  263         4. Identifying protection procedures to manage the
  264  protection of an agency’s information, data, and information
  265  technology resources.
  266         5. Establishing procedures for accessing information and
  267  data to ensure the confidentiality, integrity, and availability
  268  of such information and data.
  269         6. Detecting threats through proactive monitoring of
  270  events, continuous security monitoring, and defined detection
  271  processes.
  272         7. Establishing agency cybersecurity computer security
  273  incident response teams and describing their responsibilities
  274  for responding to cybersecurity information technology security
  275  incidents, including breaches of personal information containing
  276  confidential or exempt data.
  277         8. Recovering information and data in response to a
  278  cybersecurity an information technology security incident. The
  279  recovery may include recommended improvements to the agency
  280  processes, policies, or guidelines.
  281         9. Establishing a cybersecurity an information technology
  282  security incident reporting process that includes procedures and
  283  tiered reporting timeframes for notifying the department and the
  284  Department of Law Enforcement of cybersecurity information
  285  technology security incidents. The tiered reporting timeframes
  286  shall be based upon the level of severity of the cybersecurity
  287  information technology security incidents being reported.
  288         10. Incorporating information obtained through detection
  289  and response activities into the agency’s cybersecurity
  290  information technology security incident response plans.
  291         11. Developing agency strategic and operational
  292  cybersecurity information technology security plans required
  293  pursuant to this section.
  294         12. Establishing the managerial, operational, and technical
  295  safeguards for protecting state government data and information
  296  technology resources that align with the state agency risk
  297  management strategy and that protect the confidentiality,
  298  integrity, and availability of information and data.
  299         (d) Assist state agencies in complying with this section.
  300         (e) In collaboration with the Cybercrime Office of the
  301  Department of Law Enforcement, annually provide training for
  302  state agency information security managers and computer security
  303  incident response team members that contains training on
  304  cybersecurity information technology security, including
  305  cybersecurity, threats, trends, and best practices.
  306         (f) Annually review the strategic and operational
  307  cybersecurity information technology security plans of executive
  308  branch agencies.
  309         (g)Provide training to all state agency technology
  310  professionals which develops, assesses, and documents
  311  competencies by role and skill level. The training may be
  312  provided in collaboration with the Cybercrime Office of the
  313  Department of Law Enforcement, a private sector entity, or a
  314  state university.
  315         (h)Operate and maintain a Cybersecurity Operations Center
  316  led by the state chief information security officer, which must
  317  be primarily virtual and staffed with tactical detection and
  318  incident response personnel. The Cybersecurity Operations Center
  319  shall serve as a clearinghouse for threat information and will
  320  coordinate with the Department of Law Enforcement to support
  321  state agencies and their response to any confirmed or suspected
  322  cybersecurity incident.
  323         (i)Lead an emergency support function at the State
  324  Emergency Operations Center.
  325         (j)In consultation with the Department of Law Enforcement,
  326  have the authority to intervene in any confirmed or suspected
  327  cybersecurity incident of a state agency.
  328         (4) Each state agency head shall, at a minimum:
  329         (a) Designate an information security manager to administer
  330  the cybersecurity information technology security program of the
  331  state agency. This designation must be provided annually in
  332  writing to the department by January 1. A state agency’s
  333  cybersecurity information security manager, for purposes of
  334  these information security duties, shall report directly to the
  335  agency head. The agency information security manager shall, at a
  336  minimum, provide an asset management report detailing the
  337  agency’s information technology resources to the state chief
  338  information officer and chief information security officer
  339  annually.
  340         (b) In consultation with the department, through the
  341  Florida Digital Service, and the Cybercrime Office of the
  342  Department of Law Enforcement, establish an agency cybersecurity
  343  computer security incident response team to respond to a
  344  cybersecurity an information technology security incident. The
  345  agency cybersecurity computer security incident response team
  346  shall convene upon notification of a cybersecurity an
  347  information technology security incident and must immediately
  348  report all confirmed or suspected incidents to the state chief
  349  information security officer, or his or her designee, and comply
  350  with all applicable guidelines and processes established
  351  pursuant to paragraph (3)(c).
  352         (c) Submit to the department annually by July 31, the state
  353  agency’s strategic and operational cybersecurity information
  354  technology security plans developed pursuant to rules and
  355  guidelines established by the department through the Florida
  356  Digital Service.
  357         1. The state agency strategic cybersecurity information
  358  technology security plan must cover a 3-year period and, at a
  359  minimum, define security goals, intermediate objectives, and
  360  projected agency costs for the strategic issues of agency
  361  information security policy, risk management, security training,
  362  security incident response, and disaster recovery. The plan must
  363  be based on the statewide cybersecurity information technology
  364  security strategic plan created by the department and include
  365  performance metrics that can be objectively measured to reflect
  366  the status of the state agency’s progress in meeting security
  367  goals and objectives identified in the agency’s strategic
  368  information security plan.
  369         2. The state agency operational cybersecurity information
  370  technology security plan must include a progress report that
  371  objectively measures progress made towards the prior operational
  372  cybersecurity information technology security plan and a project
  373  plan that includes activities, timelines, and deliverables for
  374  security objectives that the state agency will implement during
  375  the current fiscal year.
  376         (d) Conduct, and update every 3 years, a comprehensive risk
  377  assessment annually, which may be completed by a private sector
  378  vendor, to determine the security threats to the data,
  379  information, and information technology resources, including
  380  mobile devices and print environments, of the agency. The risk
  381  assessment must comply with the risk assessment methodology
  382  developed by the department and is confidential and exempt from
  383  s. 119.07(1), except that such information shall be available to
  384  the Auditor General, the Florida Digital Service within the
  385  department, the Cybercrime Office of the Department of Law
  386  Enforcement, and, for state agencies under the jurisdiction of
  387  the Governor, the Chief Inspector General. If a private sector
  388  vendor is used to complete this requirement, it must attest to
  389  the validity of the risk assessment findings.
  390         (e) Develop, and periodically update, written internal
  391  policies and procedures, which include procedures for reporting
  392  cybersecurity information technology security incidents and
  393  breaches to the Cybercrime Office of the Department of Law
  394  Enforcement and the Florida Digital Service within the
  395  department. Such policies and procedures must be consistent with
  396  the rules, guidelines, and processes established by the
  397  department to ensure the security of the data, information, and
  398  information technology resources of the agency. The internal
  399  policies and procedures that, if disclosed, could facilitate the
  400  unauthorized modification, disclosure, or destruction of data or
  401  information technology resources are confidential information
  402  and exempt from s. 119.07(1), except that such information shall
  403  be available to the Auditor General, the Cybercrime Office of
  404  the Department of Law Enforcement, the Florida Digital Service
  405  within the department, and, for state agencies under the
  406  jurisdiction of the Governor, the Chief Inspector General.
  407         (f) Implement managerial, operational, and technical
  408  safeguards and risk assessment remediation plans recommended by
  409  the department to address identified risks to the data,
  410  information, and information technology resources of the agency.
  411  The department, through the Florida Digital Service, shall track
  412  implementation by state agencies upon development of such
  413  remediation plans in coordination with agency inspectors
  414  general.
  415         (g) Ensure that periodic internal audits and evaluations of
  416  the agency’s cybersecurity information technology security
  417  program for the data, information, and information technology
  418  resources of the agency are conducted. The results of such
  419  audits and evaluations are confidential information and exempt
  420  from s. 119.07(1), except that such information shall be
  421  available to the Auditor General, the Cybercrime Office of the
  422  Department of Law Enforcement, the Florida Digital Service
  423  within the department, and, for agencies under the jurisdiction
  424  of the Governor, the Chief Inspector General.
  425         (h) Ensure that the information technology security and
  426  cybersecurity requirements in both the written specifications
  427  for the solicitation, contracts, and service-level agreement of
  428  information technology and information technology resources and
  429  services meet or exceed the applicable state and federal laws,
  430  regulations, and standards for information technology security
  431  and cybersecurity. Service-level agreements must identify
  432  service provider and state agency responsibilities for privacy
  433  and security, protection of government data, personnel
  434  background screening, and security deliverables with associated
  435  frequencies.
  436         (i) Provide information technology security and
  437  cybersecurity awareness training, as approved by the Florida
  438  Digital Service, to all state agency employees in the first 30
  439  days after commencing employment concerning cybersecurity
  440  information technology security risks and the responsibility of
  441  employees to comply with policies, standards, guidelines, and
  442  operating procedures adopted by the state agency to reduce those
  443  risks. The training may be provided in collaboration with the
  444  Cybercrime Office of the Department of Law Enforcement, a
  445  private sector entity, or a state university.
  446         (j) Develop a process for detecting, reporting, and
  447  responding to threats, breaches, or cybersecurity information
  448  technology security incidents which is consistent with the
  449  security rules, guidelines, and processes established by the
  450  department.
  451         1. All cybersecurity information technology security
  452  incidents and breaches must be reported to the Florida Digital
  453  Service within the department and the Cybercrime Office of the
  454  Department of Law Enforcement and must comply with the
  455  notification procedures and reporting timeframes established
  456  pursuant to paragraph (3)(c).
  457         2. For cybersecurity information technology security
  458  breaches, state agencies shall provide notice in accordance with
  459  s. 501.171.
  460         (5) Portions of records held by a state agency which
  461  contain network schematics, hardware and software
  462  configurations, or encryption, or which identify detection,
  463  investigation, or response practices for suspected or confirmed
  464  cybersecurity information technology security incidents,
  465  including suspected or confirmed breaches, are confidential and
  466  exempt from s. 119.07(1) and s. 24(a), Art. I of the State
  467  Constitution, if the disclosure of such records would facilitate
  468  unauthorized access to or the unauthorized modification,
  469  disclosure, or destruction of:
  470         (a) Data or information, whether physical or virtual; or
  471         (b) Information technology resources, which includes:
  472         1. Information relating to the security of the agency’s
  473  technologies, processes, and practices designed to protect
  474  networks, computers, data processing software, and data from
  475  attack, damage, or unauthorized access; or
  476         2. Security information, whether physical or virtual, which
  477  relates to the agency’s existing or proposed information
  478  technology systems.
  479         (6) The portions of risk assessments, evaluations, external
  480  audits, and other reports of a state agency’s cybersecurity
  481  information technology security program for the data,
  482  information, and information technology resources of the state
  483  agency which are held by a state agency are confidential and
  484  exempt from s. 119.07(1) and s. 24(a), Art. I of the State
  485  Constitution if the disclosure of such portions of records would
  486  facilitate unauthorized access to or the unauthorized
  487  modification, disclosure, or destruction of:
  488         (a) Data or information, whether physical or virtual; or
  489         (b) Information technology resources, which include:
  490         1. Information relating to the security of the agency’s
  491  technologies, processes, and practices designed to protect
  492  networks, computers, data processing software, and data from
  493  attack, damage, or unauthorized access; or
  494         2. Security information, whether physical or virtual, which
  495  relates to the agency’s existing or proposed information
  496  technology systems.
  497  
  498  For purposes of this subsection, “external audit” means an audit
  499  that is conducted by an entity other than the state agency that
  500  is the subject of the audit.
  501         (7) Those portions of a public meeting as specified in s.
  502  286.011 which would reveal records which are confidential and
  503  exempt under subsection (5) or subsection (6) are exempt from s.
  504  286.011 and s. 24(b), Art. I of the State Constitution. No
  505  exempt portion of an exempt meeting may be off the record. All
  506  exempt portions of such meeting shall be recorded and
  507  transcribed. Such recordings and transcripts are confidential
  508  and exempt from disclosure under s. 119.07(1) and s. 24(a), Art.
  509  I of the State Constitution unless a court of competent
  510  jurisdiction, after an in camera review, determines that the
  511  meeting was not restricted to the discussion of data and
  512  information made confidential and exempt by this section. In the
  513  event of such a judicial determination, only that portion of the
  514  recording and transcript which reveals nonexempt data and
  515  information may be disclosed to a third party.
  516         (8) The portions of records made confidential and exempt in
  517  subsections (5), (6), and (7) shall be available to the Auditor
  518  General, the Cybercrime Office of the Department of Law
  519  Enforcement, the Florida Digital Service within the department,
  520  and, for agencies under the jurisdiction of the Governor, the
  521  Chief Inspector General. Such portions of records may be made
  522  available to a local government, another state agency, or a
  523  federal agency for cybersecurity information technology security
  524  purposes or in furtherance of the state agency’s official
  525  duties.
  526         (9) The exemptions contained in subsections (5), (6), and
  527  (7) apply to records held by a state agency before, on, or after
  528  the effective date of this exemption.
  529         (10) Subsections (5), (6), and (7) are subject to the Open
  530  Government Sunset Review Act in accordance with s. 119.15 and
  531  shall stand repealed on October 2, 2025, unless reviewed and
  532  saved from repeal through reenactment by the Legislature.
  533         (11) The department shall adopt rules relating to
  534  cybersecurity information technology security and to administer
  535  this section.
  536         Section 7. Section 282.319, Florida Statutes, is created to
  537  read:
  538         282.319Florida Cybersecurity Advisory Council.—
  539         (1)The Florida Cybersecurity Advisory Council, an advisory
  540  council as defined in s. 20.03(7), is created within the
  541  department. Except as otherwise provided in this section, the
  542  advisory council shall operate in a manner consistent with s.
  543  20.052.
  544         (2)The purpose of the council is to assist the state in
  545  protecting the state’s information technology resources from
  546  cyber threats and incidents.
  547         (3)The council shall assist the Florida Digital Service in
  548  implementing best cybersecurity practices, taking into
  549  consideration the final recommendations of the Florida
  550  Cybersecurity Task Force.
  551         (4)The council shall be comprised of the following
  552  members:
  553         (a)The Lieutenant Governor or his or her designee.
  554         (b)The state chief information officer.
  555         (c)The state chief information security officer.
  556         (d)The director of the Division of Emergency Management or
  557  his or her designee.
  558         (e)A representative of the computer crime center of the
  559  Department of Law Enforcement, appointed by the executive
  560  director of the department.
  561         (f)A representative of the Florida Fusion Center of the
  562  Department of Law Enforcement, appointed by the executive
  563  director of the department.
  564         (g)The Chief Inspector General.
  565         (h)Six members of the private sector with experience in
  566  cybersecurity mitigation or response, with two appointed by the
  567  Governor, two appointed by the President of the Senate, and two
  568  appointed by the Speaker of the House of Representatives.
  569         (5)Members shall serve for a term of 4 years; however, for
  570  the purpose of providing staggered terms, the initial
  571  appointments made by the President of the Senate and the Speaker
  572  of the House of Representatives shall be for a term of 2 years.
  573  A vacancy shall be filled for the remainder of the unexpired
  574  term in the same manner as the initial appointment. All members
  575  of the council are eligible for reappointment.
  576         (6)The Secretary of Management Services, or his or her
  577  designee, shall serve as the ex officio, nonvoting executive
  578  director of the council.
  579         (7)Members of the council shall serve without compensation
  580  but are entitled to receive reimbursement for per diem and
  581  travel expenses pursuant to s. 112.061.
  582         (8)The council shall meet at least quarterly to:
  583         (a)Review existing state agency cybersecurity policies.
  584         (b)Assess ongoing risks to state agency information
  585  technology.
  586         (c)Recommend a method to notify state agencies of new
  587  risks.
  588         (d)Recommend data breach simulation exercises.
  589         (e)Assist the Florida Digital Service in developing
  590  cybersecurity best practice recommendations for state agencies
  591  which include recommendations regarding:
  592         1.Continuous risk monitoring.
  593         2.Password management.
  594         3.Protecting data in legacy and new systems.
  595         (f)Examine inconsistencies between state and federal law
  596  regarding cybersecurity.
  597         (9)Beginning June 30, 2022, and each June 30 thereafter,
  598  the council shall submit a report to the Governor, the President
  599  of the Senate, and the Speaker of the House of Representatives
  600  outlining any recommendations considered necessary by the
  601  council to address cybersecurity.
  602         Section 8. Section 943.0415, Florida Statutes, is amended
  603  to read:
  604         943.0415 Cybercrime Office.—There is created within the
  605  Department of Law Enforcement the Cybercrime Office. The office
  606  may:
  607         (1) Investigate violations of state law pertaining to the
  608  sexual exploitation of children which are facilitated by or
  609  connected to the use of any device capable of storing electronic
  610  data.
  611         (2) Monitor state information technology resources and
  612  provide analysis on cybersecurity information technology
  613  security incidents, threats, and breaches as defined in s.
  614  282.0041.
  615         (3) Investigate violations of state law pertaining to
  616  cybersecurity information technology security incidents pursuant
  617  to s. 282.0041 and assist in incident response and recovery.
  618         (4) Provide security awareness training and information to
  619  state agency employees concerning cybersecurity, online sexual
  620  exploitation of children, and security risks, and the
  621  responsibility of employees to comply with policies, standards,
  622  guidelines, and operating procedures adopted by the department.
  623         (5) Consult with the Florida Digital Service within the
  624  Department of Management Services in the adoption of rules
  625  relating to the cybersecurity information technology security
  626  provisions in s. 282.318.
  627         Section 9. This act shall take effect July 1, 2021.

feedback