The Florida Senate
BILL ANALYSIS AND FISCAL IMPACT STATEMENT
(This document is based on the provisions contained in the legislation as of the latest date listed below.)
Prepared By: The Professional Staff of the Committee on Governmental Oversight and Accountability
BILL: CS/SB 1708
INTRODUCER: Governmental Oversight and Accountability Committee and Senator DiCeglie
SUBJECT: Cybersecurity
DATE: March 30, 2023 REVISED:
     ANALYST     STAFF DIRECTOR     REFERENCE     ACTION
1.   Harmsen     McVaney            GO            Fav/CS
2.                                  AEG
3.                                  AP
4.                                  RC
Please see Section IX. for Additional Information:
COMMITTEE SUBSTITUTE - Substantial Changes
I. Summary:
CS/SB 1708, which may be called the “Florida Cyber Protection Act,” makes several changes to
laws regarding state information technology and cybersecurity governance. The bill:
• Requires the Department of Management Services (DMS), through the Florida Digital
  Service (FLDS), to ensure independent oversight of state agency IT procurements;
• Establishes an operations committee that will develop collaborative efforts between agencies
  and other governmental entities relating to cybersecurity issues;
• Creates the position of state chief technology officer, who will explore technology solutions,
  and support cybersecurity and interoperability initiatives, among other duties;
• Expands oversight and management duties of the state data center, and grants the FLDS full
  access to its infrastructure;
• Provides that the state data center, or its successor entity, must fully integrate with the
  Cybersecurity Operations Center;
• Requires agencies and local governments to notify the FLDS of any cybersecurity or
  ransomware incident;
• Grants the FLDS the ability to respond to any state agency cybersecurity incident; and
• Allows the FLDS to brief members of a legislative committee or subcommittee that is
  responsible for cybersecurity issues.
The state chief information officer (CIO), who serves as head of the FLDS, will now be
appointed by the Governor and subject to Senate confirmation.
The bill provides that local governments and private businesses cannot be liable for torts related
to cybersecurity breaches if they adhere to specific cybersecurity protocol, and update their
protocol according to provisions adopted in the bill.
The bill does not have a fiscal impact on state or local government revenues or local government
expenditures. The bill may increase state expenditures.
The bill takes effect on July 1, 2023.
II. Present Situation:
State Information Technology Management
The Department of Management Services (DMS) oversees information technology (IT)
governance and security for the executive branch of the state government.[1] The Florida Digital
Service (FLDS) within the DMS was established by the Legislature in 2020[2] to replace the
Division of State Technology. The FLDS operates under the DMS to implement policies
for IT and agency cybersecurity, and to fully support Florida’s cloud-first policy.[3]
The FLDS was created to modernize state government technology and information services.[4]
Accordingly, the DMS, through the FLDS, has the following powers, duties, and functions:
• Develop IT policy for the management of the state’s IT resources;
• Develop an enterprise architecture that facilitates interoperability between agencies and
  supports the cloud-first policy;
• Establish IT project management and oversight standards for state agencies;
• Oversee state agency IT projects that cost $10 million or more and that are funded in the
  General Appropriations Act or any other law;[5] and
• Standardize and consolidate IT services that support interoperability, Florida’s cloud-first
  policy, and other common business functions and operations.
The head of FLDS is appointed by the Secretary of DMS and serves as the state chief
information officer (CIO).[6] The CIO must have at least 5 years of experience in the development
of IT system strategic planning and IT policy, and preferably have leadership-level experience in
the design, development, and deployment of interoperable software and data solutions.[7]
[1] Section 282.0051, F.S.
[2] Ch. 2020-161, Laws of Fla.
[3] Section 282.0051(1), F.S.
[4] Section 282.0051(1), F.S.
[5] The FLDS provides project oversight on IT projects that have a total cost of $20 million or more for the Department of
    Financial Services, the Department of Legal Affairs, and the Department of Agriculture and Consumer Services. Section
    282.0051(1)(m), F.S.
[6] Section 282.0051(2)(a), F.S.
[7] Id.
State Data Center
Present Situation
In 2022, the State Data Center (SDC) was moved from FLDS to DMS, which now operates and
maintains the SDC.[8] The SDC provides data center services that comply with applicable state
and federal laws, regulations, and policies, including all applicable security, privacy, and
auditing requirements.[9] The standards used by the SDC are created through the Information
Technology Infrastructure Library (ITIL); the International Organization for Standardization
and the International Electrotechnical Commission (ISO/IEC) 27000; and the Project
Management Institute’s (PMI) best practices.
Northwest Regional Data Center
The Northwest Regional Data Center (NWRDC) is the leading computing provider for
educational and governmental communities in Florida. In 2022, NWRDC (located at Florida
State University) was declared an official state data center, and the current SDC resources,
contracts, and assets were transferred to NWRDC, through contract.[10] This allows NWRDC
to provide services from the SDC facility. The NWRDC offers services and 24/7 management
support for various IT support solutions, including: public/private cloud services, backup and
recovery, storage, managed services, Tallahassee fiber loop, Florida LambdaRail, MyFloridaNet,
Florida Power and Light Fibernet, CenturyLink Connectivity, security services, multi-site
colocation, and disaster recovery.[11]
State Cybersecurity Act
Agency Cybersecurity Standards
The State Cybersecurity Act[12] requires the DMS and the heads of state agencies to meet certain
requirements to enhance state agencies’ cybersecurity.[13] Specifically, the DMS, acting through
the FLDS, must:[14]
• Assess state agency cybersecurity risks and determine appropriate security measures
  consistent with generally accepted best practices for cybersecurity.
• Adopt rules to mitigate risk, support a security governance framework, and safeguard state
  agency digital assets, data, information, and IT resources[15] to ensure availability,
  confidentiality, and integrity.
• Designate a chief information security officer (CISO) who must develop, operate, and
  oversee state technology systems’ cybersecurity. The CISO must be notified of all confirmed
  or suspected incidents or threats of state agency IT resources and must report such
  information to the CIO and the Governor.
• Develop and annually update a statewide cybersecurity strategic plan that includes security
  goals and objectives for cybersecurity, including the identification and mitigation of risk,
  proactive protections against threats, tactical risk detection, threat reporting, and response
  and recovery protocols for cyber incidents.
• Develop a cybersecurity governance framework and publish it for state agency use.
• Assist state agencies in complying with the State Cybersecurity Act.
• Train state agency information security managers and computer security incident response
  team members, in collaboration with the Florida Department of Law Enforcement (FDLE)
  Cybercrime Office, on issues relating to cybersecurity, including cybersecurity threats,
  trends, and best practices.
• Provide cybersecurity training to all state agency technology professionals that develop,
  assess, and document competencies by role and skill level. The training may be provided in
  collaboration with the Cybercrime Office, a private sector entity, or an institution of the state
  university system.
• Annually review state agencies’ strategic and operational cybersecurity plans.
• Track, in coordination with agency inspectors general, state agencies’ implementation of
  remediation plans.
• Operate and maintain a Cybersecurity Operations Center led by the CISO to serve as a
  clearinghouse for threat information and to coordinate with the FDLE to support state agency
  response to cybersecurity incidents.
• Lead an Emergency Support Function under the state comprehensive emergency
  management plan.
[8] Ch. 2022-153, Laws of Fla.
[9] Section 282.201(1), F.S.
[10] Section 282.201(5), F.S.
[11] NWRDC: Florida’s Cloud Broker, About Northwest Regional Data Center, https://www.nwrdc.fsu.edu/about (last visited
     Mar. 29, 2023).
[12] Section 282.318, F.S.
[13] “Cybersecurity” means the protection afforded to an automated information system in order to attain the applicable
     objectives of preserving the confidentiality, integrity, and availability of data, information, and information technology
     resources. Section 282.0041(8), F.S.
[14] Section 282.318(3), F.S.
[15] “Information technology resources” means data processing hardware and software and services, communications, supplies,
     personnel, facility resources, maintenance, and training. Section 282.0041(22), F.S.
The State Cybersecurity Act requires the head of each state agency to designate an information
security manager to administer the cybersecurity program of the state agency.[16] In addition,
agency heads must:
• Establish an agency cybersecurity incident response team, which must report any confirmed
  or suspected cybersecurity incidents to the CISO.
• Submit an annual strategic and operational cybersecurity plan to the DMS.
• Conduct a triennial comprehensive risk assessment to determine the security threats to the
  data, information, and IT resources of the state agency.
• Develop and update internal policies and procedures, including procedures for reporting
  cybersecurity incidents and breaches to the FLDS and the Cybercrime Office.
• Implement managerial, operational, and technical safeguards and risk assessment
  remediation plans recommended by the DMS to address identified risks to the data,
  information, and IT resources of the agency.
• Ensure periodic internal audits and evaluations of the agency’s cybersecurity program.
• Ensure that cybersecurity contract requirements of IT and IT resources and services meet or
  exceed applicable state and federal laws, regulations, and standards for cybersecurity,
  including the NIST cybersecurity framework.
• Provide cybersecurity awareness training to all state agency employees concerning
  cybersecurity risks and the responsibility of employees to comply with policies, standards,
  guidelines, and operating procedures adopted by the state agency to reduce those risks. The
  training may be provided in collaboration with the Cybercrime Office, a private sector entity,
  or an institution of the state university system.
• Develop a process, consistent with FLDS rules and guidelines, to detect, report, and respond
  to threats, breaches, or cybersecurity incidents.
[16] Section 282.318(4)(a), F.S.
Specifically, state agencies and local governments in Florida must report all ransomware
incidents and any cybersecurity incidents at severity levels three, four, and five as soon
as possible, but no later than 48 hours after discovery of a cybersecurity incident and no later
than 12 hours after discovery of a ransomware incident, to the Cybersecurity Operations
Center.[17] The Cybersecurity Operations Center shall notify the President of the Senate and the
Speaker of the House of Representatives of any severity level three, four, or five incident as soon as
possible, but no later than 12 hours after receiving the incident report from the state agency or
local government.[18] State agencies and local governments must report incidents at severity
levels one and two to the Cybersecurity Operations Center and the Cybercrime Office at
FDLE as soon as possible.[19]
In addition, the Cybersecurity Operations Center must provide consolidated incident reports to
the President of the Senate, Speaker of the House of Representatives, and the Advisory Council
on a quarterly basis.[20]
State agencies and local governments must also submit an after-action report to FLDS within 1
week of the remediation of a cybersecurity or ransomware incident.[21] The report must summarize
the incident, state the resolution, and provide any insights from the incident.
Public Record and Public Meetings Exemption for Specific Cybersecurity Records Held by
Agencies
The State Cybersecurity Act makes confidential and exempt from public records copying and
inspection requirements the portions of risk assessments, evaluations, external audits, and other
agency cybersecurity program reports that are held by an agency, if the disclosure would
facilitate unauthorized access to, modification, disclosure, or destruction of data or IT
resources.[22] However, this information must be shared with the Auditor General, FDLE
Cybercrime Office, FLDS, and the Chief Inspector General. An agency may share its
confidential and exempt documents with a local government, another agency, or a federal agency
if given for a cybersecurity purpose, or in furtherance of the agency’s official duties.[23]
The State Cybersecurity Act also exempts portions of any public meeting that would reveal
records that it makes confidential and exempt.[24]
[17] Sections 282.318(3)(c)9.c, and 282.3185(5)(b)1., F.S.
[18] Sections 282.318(3)(c)9.c.(II), and 282.3185(5)(b)2. F.S.
[19] Sections 282.318(3)(c)9.d., 282.3185(5)(c), F.S.
[20] Sections 282.318(3)(c)9.e, and 282.3185(5)(d), F.S.
[21] Sections 282.318(4)(k), and 282.3185(6), F.S. See also, ch. 2022-220, Laws of Fla.
[22] Section 282.318(5), F.S.
[23] Section 282.318(7), F.S.
[24] Section 282.318(6), F.S.
Florida Cybersecurity Advisory Council
The Florida Cybersecurity Advisory Council (Advisory Council) within the DMS[25] protects IT
resources from cyber threats and incidents.[26]
The Advisory Council’s membership must consist of:
• The Lieutenant Governor or his or her designee.
• The state chief information officer.
• The state chief information security officer.
• The director of the Division of Emergency Management or his or her designee.
• A representative of the computer crime center of the Department of Law Enforcement,
  appointed by the executive director of the Department of Law Enforcement.
• A representative of the Florida Fusion Center of the Department of Law Enforcement,
  appointed by the executive director of the Department of Law Enforcement.
• The Chief Inspector General.
• A representative from the Public Service Commission.
• Up to two representatives from institutions of higher education located in this state,
  appointed by the Governor.
• Three representatives from critical infrastructure sectors, one of whom must be from a water
  treatment facility, appointed by the Governor.
• Four representatives of the private sector with senior level experience in cybersecurity or
  software engineering from within the finance, energy, health care, and transportation sectors,
  appointed by the Governor.
• Two representatives with expertise on emerging technology, with one appointed by the
  President of the Senate and one appointed by the Speaker of the House of Representatives.
The Advisory Council must assist the FLDS with the implementation of best cybersecurity
practices, taking into consideration the final recommen