Bill Summary – FastDemocracy

       ENROLLED
       2022 Legislature                          SB 2518, 2nd Engrossed
       
       
       
       
       
       
                                                             20222518er

       An act relating to information technology; providing
       that all functions, records, personnel, contracts,
       interagency agreements, and assets of the Department
       of Management Services State Data Center are
       transferred to the Northwest Regional Data Center;
       amending s. 282.0041, F.S.; revising the definition of
       the term âservice-level agreementâ; amending s.
       282.0051, F.S.; deleting the operational management
       and oversight of the state data center from the
       powers, duties, and functions of the department,
       acting through Florida Digital Service; requiring the
       department, acting through the Florida Digital
       Service, to create a certain indexed data catalog and
       develop and publish a certain data dictionary by a
       specified date; amending s. 282.201, F.S.; requiring
       the department to assist customer entities
       transitioning from other cloud-computing services to
       the Northwest Regional Data Center or a cloud
       computing service procured by the state data center;
       providing responsibilities to the department relating
       to the operational management and oversight of the
       state data center; requiring the department to adopt
       specified rules; requiring the secretary of the
       department to contract with the Northwest Regional
       Data Center to carry out the departmentâs duties and
       responsibilities by a specified date; providing
       contract requirements; requiring the department to
       provide contract oversight for the data center;
       requiring the department to approve or deny certain
       requests within a specified timeframe; providing that
       no action on an invoice is an approval by default;
       requiring the data center to submit approved invoices
       directly to state agency customers; amending s.
       1004.649, F.S.; designating the Northwest Regional
       Data Center as the state data center; specifying
       additional requirements for service-level agreements
       with state agency customers; specifying required
       duties of the Northwest Regional Data Center;
       prohibiting state agencies from engaging in certain
       activities, unless otherwise authorized; modifying
       provisions governing the transition of state agency
       customers to a cloud-based data center; amending s.
       282.00515, F.S.; conforming a cross-reference;
       providing an effective date.
        
Be It Enacted by the Legislature of the State of Florida:

       Section 1.âAll functions, records, personnel, contracts,
interagency agreements, and assets of the current Department of
Management Services State Data Center are transferred to the
Northwest Regional Data Center.
       Section 2.âSubsection (30) of section 282.0041, Florida
Statutes, is amended to read:
       282.0041âDefinitions.âAs used in this chapter, the term:
       (30)ââService-level agreementâ means a written contract
between the Department of Management Services or a provider of
data center services and a customer entity which specifies the
scope of services provided, service level, the duration of the
agreement, the responsible parties, and service costs. A
service-level agreement is not a rule pursuant to chapter 120.
       Section 3.âParagraphs (j) and (q) of subsection (1) and
paragraphs (a) and (b) of subsection (3) of section 282.0051,
Florida Statutes, are amended to read:
       282.0051âDepartment of Management Services; Florida Digital
Service; powers, duties, and functions.â
       (1)âThe Florida Digital Service has been created within the
department to propose innovative solutions that securely
modernize state government, including technology and information
services, to achieve value through digital transformation and
interoperability, and to fully support the cloud-first policy as
specified in s. 282.206. The department, through the Florida
Digital Service, shall have the following powers, duties, and
functions:
       (j)âProvide operational management and oversight of the
state data center established pursuant to s. 282.201, which
includes:
       1.âImplementing industry standards and best practices for
the state data centerâs facilities, operations, maintenance,
planning, and management processes.
       2.âDeveloping and implementing cost-recovery mechanisms
that recover the full direct and indirect cost of services
through charges to applicable customer entities. Such cost
recovery mechanisms must comply with applicable state and
federal regulations concerning distribution and use of funds and
must ensure that, for any fiscal year, no service or customer
entity subsidizes another service or customer entity. The
Florida Digital Service may recommend other payment mechanisms
to the Executive Office of the Governor, the President of the
Senate, and the Speaker of the House of Representatives. Such
mechanism may be implemented only if specifically authorized by
the Legislature.
       3.âDeveloping and implementing appropriate operating
guidelines and procedures necessary for the state data center to
perform its duties pursuant to s. 282.201. The guidelines and
procedures must comply with applicable state and federal laws,
regulations, and policies and conform to generally accepted
governmental accounting and auditing standards. The guidelines
and procedures must include, but need not be limited to:
       a.âImplementing a consolidated administrative support
structure responsible for providing financial management,
procurement, transactions involving real or personal property,
human resources, and operational support.
       b.âImplementing an annual reconciliation process to ensure
that each customer entity is paying for the full direct and
indirect cost of each service as determined by the customer
entityâs use of each service.
       c.âProviding rebates that may be credited against future
billings to customer entities when revenues exceed costs.
       d.âRequiring customer entities to validate that sufficient
funds exist in the appropriate data processing appropriation
category or will be transferred into the appropriate data
processing appropriation category before implementation of a
customer entityâs request for a change in the type or level of
service provided, if such change results in a net increase to
the customer entityâs cost for that fiscal year.
       e.âBy November 15 of each year, providing to the Office of
Policy and Budget in the Executive Office of the Governor and to
the chairs of the legislative appropriations committees the
projected costs of providing data center services for the
following fiscal year.
       f.âProviding a plan for consideration by the Legislative
Budget Commission if the cost of a service is increased for a
reason other than a customer entityâs request made pursuant to
sub-subparagraph d. Such a plan is required only if the service
cost increase results in a net increase to a customer entity for
that fiscal year.
       g.âStandardizing and consolidating procurement and
contracting practices.
       4.âIn collaboration with the Department of Law Enforcement,
developing and implementing a process for detecting, reporting,
and responding to cybersecurity incidents, breaches, and
threats.
       5.âAdopting rules relating to the operation of the state
data center, including, but not limited to, budgeting and
accounting procedures, cost-recovery methodologies, and
operating procedures.
       (p)1.(q)1.âEstablish an information technology policy for
all information technology-related state contracts, including
state term contracts for information technology commodities,
consultant services, and staff augmentation services. The
information technology policy must include:
       a.âIdentification of the information technology product and
service categories to be included in state term contracts.
       b.âRequirements to be included in solicitations for state
term contracts.
       c.âEvaluation criteria for the award of information
technology-related state term contracts.
       d.âThe term of each information technology-related state
term contract.
       e.âThe maximum number of vendors authorized on each state
term contract.
       f.âAt a minimum, a requirement that any contract for
information technology commodities or services meet the National
Institute of Standards and Technology Cybersecurity Framework.
       g.âFor an information technology project wherein project
oversight is required pursuant to paragraph (d) or paragraph (m)
(n), a requirement that independent verification and validation
be employed throughout the project life cycle with the primary
objective of independent verification and validation being to
provide an objective assessment of products and processes
throughout the project life cycle. An entity providing
independent verification and validation may not have technical,
managerial, or financial interest in the project and may not
have responsibility for, or participate in, any other aspect of
the project.
       2.âEvaluate vendor responses for information technology
related state term contract solicitations and invitations to
negotiate.
       3.âAnswer vendor questions on information technology
related state term contract solicitations.
       4.âEnsure that the information technology policy
established pursuant to subparagraph 1. is included in all
solicitations and contracts that are administratively executed
by the department.
       (3)âThe department, acting through the Florida Digital
Service and from funds appropriated to the Florida Digital
Service, shall:
       (a)âCreate, not later than December 1, 2022 October 1,
2021, and maintain a comprehensive indexed data catalog in
collaboration with the enterprise that lists the data elements
housed within the enterprise and the legacy system or
application in which these data elements are located. The data
catalog must, at a minimum, specifically identify all data that
is restricted from public disclosure based on federal or state
laws and regulations and require that all such information be
protected in accordance with s. 282.318.
       (b)âDevelop and publish, not later than December 1, 2022
October 1, 2021, in collaboration with the enterprise, a data
dictionary for each agency that reflects the nomenclature in the
comprehensive indexed data catalog.
       Section 4.âSection 282.201, Florida Statutes, is amended to
read:
       282.201âState data center.âThe state data center is
established within the department. The provision of data center
services must comply with applicable state and federal laws,
regulations, and policies, including all applicable security,
privacy, and auditing requirements. The department shall appoint
a director of the state data center, preferably an individual
who has experience in leading data center facilities and has
expertise in cloud-computing management.
       (1)âSTATE DATA CENTER DUTIES.âThe state data center shall:
       (a)âOffer, develop, and support the services and
applications defined in service-level agreements executed with
its customer entities.
       (b)âMaintain performance of the state data center by
ensuring proper data backup, data backup recovery, disaster
recovery, and appropriate security, power, cooling, fire
suppression, and capacity.
       (c)âDevelop and implement business continuity and disaster
recovery plans, and annually conduct a live exercise of each
plan.
       (d)âEnter into a service-level agreement with each customer
entity to provide the required type and level of service or
services. If a customer entity fails to execute an agreement
within 60 days after commencement of a service, the state data
center may cease service. A service-level agreement may not have
a term exceeding 3 years and at a minimum must:
       1.âIdentify the parties and their roles, duties, and
responsibilities under the agreement.
       2.âState the duration of the contract term and specify the
conditions for renewal.
       3.âIdentify the scope of work.
       4.âIdentify the products or services to be delivered with
sufficient specificity to permit an external financial or
performance audit.
       5.âEstablish the services to be provided, the business
standards that must be met for each service, the cost of each
service by agency application, and the metrics and processes by
which the business standards for each service are to be
objectively measured and reported.
       6.âProvide a timely billing methodology to recover the
costs of services provided to the customer entity pursuant to s.
215.422.
       7.âProvide a procedure for modifying the service-level
agreement based on changes in the type, level, and cost of a
service.
       8.âInclude a right-to-audit clause to ensure that the
parties to the agreement have access to records for audit
purposes during the term of the service-level agreement.
       9.âProvide that a service-level agreement may be terminated
by either party for cause only after giving the other party and
the department notice in writing of the cause for termination
and an opportunity for the other party to resolve the identified
cause within a reasonable period.
       10.âProvide for mediation of disputes by the Division of
Administrative Hearings pursuant to s. 120.573.
       (e)âFor purposes of chapter 273, be the custodian of
resources and equipment located in and operated, supported, and
managed by the state data center.
       (f)âAssume administrative access rights to resources and
equipment, including servers, network components, and other
devices, consolidated into the state data center.
       1.âUpon consolidation, a state agency shall relinquish
administrative rights to consolidated resources and equipment.
State agencies required to comply with federal and state
criminal justice information security rules and policies shall
retain administrative access rights sufficient to comply with
the management control provisions of those rules and policies;
however, the state data center shall have the appropriate type
or level of rights to allow the center to comply with its duties
pursuant to this section. The Department of Law Enforcement
shall serve as the arbiter of disputes pertaining to the
appropriate type and level of administrative access rights
pertaining to the provision of management control in accordance
with the federal criminal justice information guidelines.
       2.âThe state data center shall provide customer entities
with access to applications, servers, network components, and
other devices necessary for entities to perform business
activities and functions, and as defined and documented in a
service-level agreement.
       (g)âIn its procurement process, show preference for cloud
computing solutions that minimize or do not require the
purchasing, financing, or leasing of state data center
infrastructure, and that meet the needs of customer agencies,
that reduce costs, and that meet or exceed the applicable state
and federal laws, regulations, and standards for cybersecurity.
       (h)âAssist customer entities in transitioning from state
data center services to the Northwest Regional Data Center or
other third-party cloud-computing services procured by a
customer entity or by the Northwest Regional Data Center on
behalf of a customer entity.
       (2)âUSE OF THE STATE DATA CENTER.âThe following are exempt
from the use of the state data center: the Department of Law
Enforcement, the Department of the Lotteryâs Gaming System,
Systems Design and Development in the Office of Policy and
Budget, the regional traffic management centers as described in
s. 335.14(2) and the Office of Toll Operations of the Department
of Transportation, the