ENROLLED
2022 Legislature SB 2518, 2nd Engrossed

20222518er
1
2 An act relating to information technology; providing
3 that all functions, records, personnel, contracts,
4 interagency agreements, and assets of the Department
5 of Management Services State Data Center are
6 transferred to the Northwest Regional Data Center;
7 amending s. 282.0041, F.S.; revising the definition of
8 the term “service-level agreement”; amending s.
9 282.0051, F.S.; deleting the operational management
10 and oversight of the state data center from the
11 powers, duties, and functions of the department,
12 acting through Florida Digital Service; requiring the
13 department, acting through the Florida Digital
14 Service, to create a certain indexed data catalog and
15 develop and publish a certain data dictionary by a
16 specified date; amending s. 282.201, F.S.; requiring
17 the department to assist customer entities
18 transitioning from other cloud-computing services to
19 the Northwest Regional Data Center or a cloud
20 computing service procured by the state data center;
21 providing responsibilities to the department relating
22 to the operational management and oversight of the
23 state data center; requiring the department to adopt
24 specified rules; requiring the secretary of the
25 department to contract with the Northwest Regional
26 Data Center to carry out the department’s duties and
27 responsibilities by a specified date; providing
28 contract requirements; requiring the department to
29 provide contract oversight for the data center;
30 requiring the department to approve or deny certain
31 requests within a specified timeframe; providing that
32 no action on an invoice is an approval by default;
33 requiring the data center to submit approved invoices
34 directly to state agency customers; amending s.
35 1004.649, F.S.; designating the Northwest Regional
36 Data Center as the state data center; specifying
37 additional requirements for service-level agreements
38 with state agency customers; specifying required
39 duties of the Northwest Regional Data Center;
40 prohibiting state agencies from engaging in certain
41 activities, unless otherwise authorized; modifying
42 provisions governing the transition of state agency
43 customers to a cloud-based data center; amending s.
44 282.00515, F.S.; conforming a cross-reference;
45 providing an effective date.
46
47 Be It Enacted by the Legislature of the State of Florida:
48
49 Section 1. All functions, records, personnel, contracts,
50 interagency agreements, and assets of the current Department of
51 Management Services State Data Center are transferred to the
52 Northwest Regional Data Center.
53 Section 2. Subsection (30) of section 282.0041, Florida
54 Statutes, is amended to read:
55 282.0041 Definitions.—As used in this chapter, the term:
56 (30) “Service-level agreement” means a written contract
57 between the Department of Management Services or a provider of
58 data center services and a customer entity which specifies the
59 scope of services provided, service level, the duration of the
60 agreement, the responsible parties, and service costs. A
61 service-level agreement is not a rule pursuant to chapter 120.
62 Section 3. Paragraphs (j) and (q) of subsection (1) and
63 paragraphs (a) and (b) of subsection (3) of section 282.0051,
64 Florida Statutes, are amended to read:
65 282.0051 Department of Management Services; Florida Digital
66 Service; powers, duties, and functions.—
67 (1) The Florida Digital Service has been created within the
68 department to propose innovative solutions that securely
69 modernize state government, including technology and information
70 services, to achieve value through digital transformation and
71 interoperability, and to fully support the cloud-first policy as
72 specified in s. 282.206. The department, through the Florida
73 Digital Service, shall have the following powers, duties, and
74 functions:
75 (j) Provide operational management and oversight of the
76 state data center established pursuant to s. 282.201, which
77 includes:
78 1. Implementing industry standards and best practices for
79 the state data center’s facilities, operations, maintenance,
80 planning, and management processes.
81 2. Developing and implementing cost-recovery mechanisms
82 that recover the full direct and indirect cost of services
83 through charges to applicable customer entities. Such cost
84 recovery mechanisms must comply with applicable state and
85 federal regulations concerning distribution and use of funds and
86 must ensure that, for any fiscal year, no service or customer
87 entity subsidizes another service or customer entity. The
88 Florida Digital Service may recommend other payment mechanisms
89 to the Executive Office of the Governor, the President of the
90 Senate, and the Speaker of the House of Representatives. Such
91 mechanism may be implemented only if specifically authorized by
92 the Legislature.
93 3. Developing and implementing appropriate operating
94 guidelines and procedures necessary for the state data center to
95 perform its duties pursuant to s. 282.201. The guidelines and
96 procedures must comply with applicable state and federal laws,
97 regulations, and policies and conform to generally accepted
98 governmental accounting and auditing standards. The guidelines
99 and procedures must include, but need not be limited to:
100 a. Implementing a consolidated administrative support
101 structure responsible for providing financial management,
102 procurement, transactions involving real or personal property,
103 human resources, and operational support.
104 b. Implementing an annual reconciliation process to ensure
105 that each customer entity is paying for the full direct and
106 indirect cost of each service as determined by the customer
107 entity’s use of each service.
108 c. Providing rebates that may be credited against future
109 billings to customer entities when revenues exceed costs.
110 d. Requiring customer entities to validate that sufficient
111 funds exist in the appropriate data processing appropriation
112 category or will be transferred into the appropriate data
113 processing appropriation category before implementation of a
114 customer entity’s request for a change in the type or level of
115 service provided, if such change results in a net increase to
116 the customer entity’s cost for that fiscal year.
117 e. By November 15 of each year, providing to the Office of
118 Policy and Budget in the Executive Office of the Governor and to
119 the chairs of the legislative appropriations committees the
120 projected costs of providing data center services for the
121 following fiscal year.
122 f. Providing a plan for consideration by the Legislative
123 Budget Commission if the cost of a service is increased for a
124 reason other than a customer entity’s request made pursuant to
125 sub-subparagraph d. Such a plan is required only if the service
126 cost increase results in a net increase to a customer entity for
127 that fiscal year.
128 g. Standardizing and consolidating procurement and
129 contracting practices.
130 4. In collaboration with the Department of Law Enforcement,
131 developing and implementing a process for detecting, reporting,
132 and responding to cybersecurity incidents, breaches, and
133 threats.
134 5. Adopting rules relating to the operation of the state
135 data center, including, but not limited to, budgeting and
136 accounting procedures, cost-recovery methodologies, and
137 operating procedures.
138 (p)1.(q)1. Establish an information technology policy for
139 all information technology-related state contracts, including
140 state term contracts for information technology commodities,
141 consultant services, and staff augmentation services. The
142 information technology policy must include:
143 a. Identification of the information technology product and
144 service categories to be included in state term contracts.
145 b. Requirements to be included in solicitations for state
146 term contracts.
147 c. Evaluation criteria for the award of information
148 technology-related state term contracts.
149 d. The term of each information technology-related state
150 term contract.
151 e. The maximum number of vendors authorized on each state
152 term contract.
153 f. At a minimum, a requirement that any contract for
154 information technology commodities or services meet the National
155 Institute of Standards and Technology Cybersecurity Framework.
156 g. For an information technology project wherein project
157 oversight is required pursuant to paragraph (d) or paragraph (m)
158 (n), a requirement that independent verification and validation
159 be employed throughout the project life cycle with the primary
160 objective of independent verification and validation being to
161 provide an objective assessment of products and processes
162 throughout the project life cycle. An entity providing
163 independent verification and validation may not have technical,
164 managerial, or financial interest in the project and may not
165 have responsibility for, or participate in, any other aspect of
166 the project.
167 2. Evaluate vendor responses for information technology
168 related state term contract solicitations and invitations to
169 negotiate.
170 3. Answer vendor questions on information technology
171 related state term contract solicitations.
172 4. Ensure that the information technology policy
173 established pursuant to subparagraph 1. is included in all
174 solicitations and contracts that are administratively executed
175 by the department.
176 (3) The department, acting through the Florida Digital
177 Service and from funds appropriated to the Florida Digital
178 Service, shall:
179 (a) Create, not later than December 1, 2022 October 1,
180 2021, and maintain a comprehensive indexed data catalog in
181 collaboration with the enterprise that lists the data elements
182 housed within the enterprise and the legacy system or
183 application in which these data elements are located. The data
184 catalog must, at a minimum, specifically identify all data that
185 is restricted from public disclosure based on federal or state
186 laws and regulations and require that all such information be
187 protected in accordance with s. 282.318.
188 (b) Develop and publish, not later than December 1, 2022
189 October 1, 2021, in collaboration with the enterprise, a data
190 dictionary for each agency that reflects the nomenclature in the
191 comprehensive indexed data catalog.
192 Section 4. Section 282.201, Florida Statutes, is amended to
193 read:
194 282.201 State data center.—The state data center is
195 established within the department. The provision of data center
196 services must comply with applicable state and federal laws,
197 regulations, and policies, including all applicable security,
198 privacy, and auditing requirements. The department shall appoint
199 a director of the state data center, preferably an individual
200 who has experience in leading data center facilities and has
201 expertise in cloud-computing management.
202 (1) STATE DATA CENTER DUTIES.—The state data center shall:
203 (a) Offer, develop, and support the services and
204 applications defined in service-level agreements executed with
205 its customer entities.
206 (b) Maintain performance of the state data center by
207 ensuring proper data backup, data backup recovery, disaster
208 recovery, and appropriate security, power, cooling, fire
209 suppression, and capacity.
210 (c) Develop and implement business continuity and disaster
211 recovery plans, and annually conduct a live exercise of each
212 plan.
213 (d) Enter into a service-level agreement with each customer
214 entity to provide the required type and level of service or
215 services. If a customer entity fails to execute an agreement
216 within 60 days after commencement of a service, the state data
217 center may cease service. A service-level agreement may not have
218 a term exceeding 3 years and at a minimum must:
219 1. Identify the parties and their roles, duties, and
220 responsibilities under the agreement.
221 2. State the duration of the contract term and specify the
222 conditions for renewal.
223 3. Identify the scope of work.
224 4. Identify the products or services to be delivered with
225 sufficient specificity to permit an external financial or
226 performance audit.
227 5. Establish the services to be provided, the business
228 standards that must be met for each service, the cost of each
229 service by agency application, and the metrics and processes by
230 which the business standards for each service are to be
231 objectively measured and reported.
232 6. Provide a timely billing methodology to recover the
233 costs of services provided to the customer entity pursuant to s.
234 215.422.
235 7. Provide a procedure for modifying the service-level
236 agreement based on changes in the type, level, and cost of a
237 service.
238 8. Include a right-to-audit clause to ensure that the
239 parties to the agreement have access to records for audit
240 purposes during the term of the service-level agreement.
241 9. Provide that a service-level agreement may be terminated
242 by either party for cause only after giving the other party and
243 the department notice in writing of the cause for termination
244 and an opportunity for the other party to resolve the identified
245 cause within a reasonable period.
246 10. Provide for mediation of disputes by the Division of
247 Administrative Hearings pursuant to s. 120.573.
248 (e) For purposes of chapter 273, be the custodian of
249 resources and equipment located in and operated, supported, and
250 managed by the state data center.
251 (f) Assume administrative access rights to resources and
252 equipment, including servers, network components, and other
253 devices, consolidated into the state data center.
254 1. Upon consolidation, a state agency shall relinquish
255 administrative rights to consolidated resources and equipment.
256 State agencies required to comply with federal and state
257 criminal justice information security rules and policies shall
258 retain administrative access rights sufficient to comply with
259 the management control provisions of those rules and policies;
260 however, the state data center shall have the appropriate type
261 or level of rights to allow the center to comply with its duties
262 pursuant to this section. The Department of Law Enforcement
263 shall serve as the arbiter of disputes pertaining to the
264 appropriate type and level of administrative access rights
265 pertaining to the provision of management control in accordance
266 with the federal criminal justice information guidelines.
267 2. The state data center shall provide customer entities
268 with access to applications, servers, network components, and
269 other devices necessary for entities to perform business
270 activities and functions, and as defined and documented in a
271 service-level agreement.
272 (g) In its procurement process, show preference for cloud
273 computing solutions that minimize or do not require the
274 purchasing, financing, or leasing of state data center
275 infrastructure, and that meet the needs of customer agencies,
276 that reduce costs, and that meet or exceed the applicable state
277 and federal laws, regulations, and standards for cybersecurity.
278 (h) Assist customer entities in transitioning from state
279 data center services to the Northwest Regional Data Center or
280 other third-party cloud-computing services procured by a
281 customer entity or by the Northwest Regional Data Center on
282 behalf of a customer entity.
283 (2) USE OF THE STATE DATA CENTER.—The following are exempt
284 from the use of the state data center: the Department of Law
285 Enforcement, the Department of the Lottery’s Gaming System,
286 Systems Design and Development in the Office of Policy and
287 Budget, the regional traffic management centers as described in
288 s. 335.14(2) and the Office of Toll Operations of the Department
289 of Transportation, the