HOUSE OF REPRESENTATIVES STAFF ANALYSIS
BILL #:     CS/HB 1511 Cybersecurity
SPONSOR(S): Energy, Communications & Cybersecurity Subcommittee, Giallombardo
TIED BILLS:       IDEN./SIM. BILLS: SB 1708
    REFERENCE                                      ACTION               ANALYST       STAFF DIRECTOR or BUDGET/POLICY CHIEF
    1) Energy, Communications & Cybersecurity      18 Y, 0 N, As CS     Mortellaro    Keating
       Subcommittee
    2) State Administration & Technology
       Appropriations Subcommittee
    3) Commerce Committee
    SUMMARY ANALYSIS
Over the last decade, cybersecurity has rapidly become a growing concern. Cyberattacks are growing in
frequency and severity. Currently, the Department of Management Services (DMS) oversees information
technology (IT) governance and security for the executive branch of state government. The Florida Digital
Service (FLDS) is housed within DMS and was established in 2020 to replace the Division of State
Technology. Through FLDS, DMS implements duties and policies for information technology and cybersecurity
for state agencies.
The bill:
    • Provides DMS, acting through FLDS, with additional responsibilities related to ensuring the
      independence of technology project oversight and responding to state agency cybersecurity incidents;
    • Requires DMS, through FLDS, to create an operations committee to foster interagency collaboration;
    • Requires the state chief information officer (CIO) to designate a state chief technology officer and
      outlines the responsibilities of that position;
    • Specifies oversight of the state data center (SDC) and provides FLDS authority to appoint its director;
    • Specifies information that the SDC must report to DMS and FLDS;
    • Requires the state CIO to assume responsibility for the contract between DMS and the Northwest
      Regional Data Center (NWRDC) and requires NWRDC to provide FLDS with access to information
      regarding operations of the SDC;
    • Requires the SDC to fully integrate with the Cybersecurity Operations Center;
    • Requires state agencies and local governments to report all ransomware incidents within 4 hours and
      all cybersecurity incidents within 2 hours and adds FLDS to the list of entities to receive such reports;
    • Provides new requirements for heads of state agencies related to cybersecurity;
    • Creates a career service exemption for particular positions;
    • Requires FLDS to provide cybersecurity briefings to members of specified legislative committees;
    • Provides that specified legislative committees may hold meetings closed by the respective legislative
      body when being briefed on certain information; and
    • Provides that a government or private entity is not liable for events connected to a cybersecurity
      incident if it meets specified standards.
The bill does not have a fiscal impact on state or local government revenues or local government expenditures.
The bill may increase state expenditures. See Fiscal Analysis & Economic Impact Statement.
The bill provides an effective date of July 1, 2023.
This document does not reflect the intent or official position of the bill sponsor or House of Representatives.
STORAGE NAME: h1511a.ECC
DATE: 3/23/2023
    FULL ANALYSIS
    I. SUBSTANTIVE ANALYSIS
    A. EFFECT OF PROPOSED CHANGES:
         Cybersecurity Governance
         Present Situation
         Over the last decade, cybersecurity has rapidly become a growing concern. Cyberattacks are
         growing in frequency and severity. Cybercrime is expected to inflict $8 trillion worth of damage globally
         in 2023.1 The United States is often a target of cyberattacks, including attacks on critical infrastructure,
         and has been a target of more significant cyberattacks2 over the last 14 years than any other country.3
         The Colonial Pipeline is an example of critical infrastructure that was attacked, disrupting what is
         arguably the nation’s most important fuel conduit.4
         Ransomware is a type of cybersecurity incident in which malware5 designed to encrypt files on a
         device renders the files, and the systems that rely on them, unusable. In other words, critical
         information is no longer accessible. During a ransomware attack, malicious actors demand a ransom in
         exchange for regained access through decryption. If the ransom is not paid, the ransomware actors will
         often threaten to sell or leak the data or authentication information. Even if the ransom is paid, there is
         no guarantee that the bad actor will follow through with decryption.
         In recent years, ransomware incidents have become increasingly prevalent among the nation’s state,
         local, tribal, and territorial government entities and critical infrastructure organizations.6 For example,
         Tallahassee Memorial Hospital was hit by a ransomware attack early this February, and the hospital’s
         systems were forced to shut down, impacting many local residents in need of medical care.7
         Information Technology and Cybersecurity Management
         The Department of Management Services (DMS) oversees information technology (IT)8 governance
         and security for the executive branch in Florida.9 The Florida Digital Service (FLDS) is housed within
         DMS and was established in 2020 to replace the Division of State Technology.10 FLDS works under
         DMS to implement policies for information technology and cybersecurity for state agencies.11
1 Cybercrime Magazine, Cybercrime to Cost the World $8 Trillion Annually in 2023, https://cybersecurityventures.com/cybercrime-to-cost-the-world-8-trillion-annually-in-2023/ (last visited March 7, 2023).
2 “Significant cyber-attacks” are defined as cyber-attacks on a country’s government agencies, defense and high-tech companies, or economic crimes with losses equating to more than a million dollars. FRA Conferences, Study: U.S. Largest Target for Significant Cyber-Attacks, https://www.fraconferences.com/insights-articles/compliance/study-us-largest-target-for-significant-cyber-attacks/#:~:text=The%20United%20States%20has%20been%20on%20the%20receiving,article%20is%20from%20FRA%27s%20sister%20company%2C%20Compliance%20Week (last visited Mar. 20, 2023).
3 Id.
4 S&P Global, Pipeline operators must start reporting cyberattacks to government: TSA orders, https://www.spglobal.com/commodityinsights/en/market-insights/latest-news/electric-power/052721-pipeline-operators-must-start-reporting-cyberattacks-to-government-tsa-orders?utm_campaign=corporatepro&utm_medium=contentdigest&utm_source=esgmay2021 (last visited Mar. 8, 2023).
5 “Malware” means hardware, firmware, or software that is intentionally included or inserted in a system for a harmful purpose. https://csrc.nist.gov/glossary/term/malware (last visited Mar. 16, 2023).
6 Cybersecurity and Infrastructure Security Agency, Ransomware 101, https://www.cisa.gov/stopransomware/ransomware-101 (last visited January 30, 2022).
7 Tallahassee Democrat, TMH says it has taken ‘major step’ toward restoration after cybersecurity incident (Feb. 15, 2023), https://www.tallahassee.com/story/news/local/2023/02/14/tmh-update-hospital-has-taken-major-step-toward-restoration/69904510007/ (last visited Mar. 7, 2023).
8 The term “information technology” means equipment, hardware, software, firmware, programs, systems, networks, infrastructure, media, and related material used to automatically, electronically, and wirelessly collect, receive, access, transmit, display, store, record, retrieve, analyze, evaluate, process, classify, manipulate, manage, assimilate, control, communicate, exchange, convert, converge, interface, switch, or disseminate information of any kind or form. S. 282.0041(19), F.S.
9 See s. 20.22, F.S.
10 Ch. 2020-161, L.O.F.
11 See s. 20.22(2)(b), F.S.
         The head of FLDS is appointed by the Secretary of Management Services12 and serves as the state
         chief information officer (CIO).13 The CIO must have at least five years of experience in the
         development of IT system strategic planning and IT policy and, preferably, have leadership-level
         experience in the design, development, and deployment of interoperable software and data solutions.14
         FLDS must propose innovative solutions that securely modernize state government, including
         technology and information services, to achieve value through digital transformation and
         interoperability, and to fully support Florida’s cloud first policy.15
         DMS, through FLDS, has the following powers, duties, and functions:
            • Develop IT policy for the management of the state’s IT resources;
            • Develop an enterprise architecture;
            • Establish project management and oversight standards with which state agencies must comply
              when implementing IT projects;
            • Perform project oversight on all state agency IT projects that have a total cost of $10 million or
              more and that are funded in the General Appropriations Act or any other law; and
            • Identify opportunities for standardization and consolidation of IT services that support
              interoperability, Florida’s cloud first policy, and business functions and operations that are
              common across state agencies.16
         Information Technology Security Act
         In 2021, the Legislature passed the IT Security Act,17 which requires DMS and the state agency18
         heads to meet certain requirements in order to enhance the IT security of the state agencies.
         Specifically, the IT Security Act provides that DMS is responsible for establishing standards and
         processes consistent with accepted best practices for IT security,19 including cybersecurity, and
         adopting rules that safeguard an agency’s data, information, and IT resources to ensure availability,
         confidentiality, integrity, and to mitigate risks.20 In addition, DMS must:
            • Designate a state chief information security officer (CISO) to oversee state IT security;
            • Develop, and annually update, a statewide IT security strategic plan;
            • Develop and publish an IT security framework for use by state agencies;
            • Collaborate with the Cybercrime Office within the Florida Department of Law Enforcement
              (FDLE) to provide training; and
            • Annually review the strategic and operational IT security plans of executive branch agencies.21
         State Cybersecurity Act
         In 2022, the Legislature passed the State Cybersecurity Act,22 which requires DMS and the heads of
         the state agencies23 to meet certain requirements to enhance the cybersecurity24 of the state agencies.
12 The Secretary of Management Services serves as the head of DMS and is appointed by the Governor, subject to confirmation by the Senate. S. 20.22(1), F.S.
13 S. 282.0051(2)(a), F.S.
14 Id.
15 S. 282.0051(1), F.S.
16 Id.
17 S. 282.318, F.S.
18 The term “state agency” means any official, officer, commission, board, authority, council, committee, or department of the executive branch of state government; the Justice Administrative Commission; and the Public Service Commission. The term does not include university boards of trustees or state universities. S. 282.0041(33), F.S. For purposes of the IT Security Act, the term includes the Department of Legal Affairs, the Department of Agriculture and Consumer Services, and the Department of Financial Services. S. 282.318(2), F.S.
19 The term “information technology security” means the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of data, information, and information technology resources. S. 282.0041(22), F.S.
20 S. 292.318(3), F.S.
21 Id.
22 S. 282.318, F.S.
23 For purposes of the State Cybersecurity Act, the term “state agency” includes the Department of Legal Affairs, the Department of Agriculture and Consumer Services, and the Department of Financial Services. S. 282.318(2), F.S.
24 “Cybersecurity” means the protection afforded to an automated information system in order to attain the applicable objectives of preserving the confidentiality, integrity, and availability of data, information, and information technology resources. S. 282.0041(8), F.S.
         DMS is tasked with completing the following, through FLDS:
            • Establishing standards for assessing agency cybersecurity risks;
            • Adopting rules to mitigate risk, support a security governance framework, and safeguard agency
              digital assets, data,25 information, and IT resources;26
            • Designating a chief information security officer (CISO);
            • Developing and annually updating a statewide cybersecurity strategic plan that addresses the
              identification and mitigation of risk, protections against threats, and tactical risk detection for cyber
              incidents;27
            • Developing and publishing for use by state agencies a cybersecurity governance framework;
            • Assisting the state agencies in complying with the State Cybersecurity Act;
            • Annually providing training on cybersecurity for managers and team members;
            • Annually reviewing the strategic and operational cybersecurity plans of state agencies;
            • Tracking the state agencies’ implementation of remediation plans;
            • Providing cybersecurity training to all state agency technology professionals that develops,
              assesses, and documents competencies by role and skill level;
            • Maintaining a Cybersecurity Operations Center (CSOC) led by the CISO to serve as a
              clearinghouse for threat information and coordinate with FDLE to support responses to
              incidents; and
            • Leading an Emergency Support Function under the state emergency management plan.28
         The State Cybersecurity Act requires the head of each state agency to designate an information
         security manager to administer the state agency’s cybersecurity program.29 The head of the agency
         has additional tasks in protecting against cybersecurity threats as follows:
            • Establish a cybersecurity incident response team with FLDS and the Cybercrime Office, which
              must immediately report all confirmed or suspected incidents to the CISO;
            • Annually submit to DMS the state agency’s strategic and operational cybersecurity plans;
            • Conduct and update a comprehensive risk assessment to determine the security threats;
            • Develop and update written internal policies and procedures for reporting cyber incidents;
            • Implement safeguards and risk assessment remediation plans to address identified risks;
            • Ensure internal audits and evaluations of the agency’s cybersecurity program are conducted;
            • Ensure that the cybersecurity requirements for the solicitation, contracts, and service-level
              agreement of IT and IT resources meet or exceed applicable state and federal laws, regulations,
              and standards for cybersecurity, including the National Institute of Standards and Technology
              (NIST)30 cybersecurity framework;
            • Provide cybersecurity training to all agency employees within 30 days of employment; and
            • Develop a process that is consistent with the rules and guidelines established by FLDS for
              detecting, reporting, and responding to threats, breaches, or cybersecurity incidents.31
         Florida Cybersecurity Advisory Council
25 “Data” means a subset of structured information in a format that allows such information to be electronically retrieved and transmitted. S. 282.0041(9), F.S.
26 “Information technology resources” means data processing hardware and software and services, communications, supplies, personnel, facility resources, maintenance, and training. S. 282.0041(22), F.S.
27 “Incident” means a violation or imminent threat of violation, whether such violation is accidental or deliberate, of information technology resources, security, policies, or practices. An imminent threat of violation refers to a situation in which the state agency has a factual basis for believing that a specific incident is about to occur. S. 282.0041(19), F.S.
28 S. 282.318(3), F.S.
29 S. 282.318(4)(a), F.S.
30 NIST, otherwise known as the National Institute of Standards and Technology, “is a non-regulatory government agency that develops technology, metrics, and standards to drive innovation and economic competitiveness at U.S.-based organizations in the science and technology industry.” Nate Lord, What is NIST Compliance, DataInsider (Dec. 1, 2020), https://www.digitalguardian.com/blog/what-nist-compliance (last visited Mar. 17, 2023).
31 S. 282.318(4), F.S.
         The Florida Cybersecurity Advisory Council32 (CAC) within DMS33 assists state agencies in protecting
         IT resources from cyber threats and incidents.34 The CAC must assist FLDS in implementing best
         cybersecurity practices, taking into consideration the final recommendations of the Florida
         Cybersecurity Task Force – a task force created to review and assess the state’s cybersecurity
         infrastructure, governance, and operations.35 The CAC meets at least quarterly to:
            • Review existing state agency cybersecurity policies;
            • Assess ongoing risks to state agency IT;
            • Recommend a reporting and information