The Florida Senate
BILL ANALYSIS AND FISCAL IMPACT STATEMENT
(This document is based on the provisions contained in the legislation as of the latest date listed below.)
Prepared By: The Professional Staff of the Committee on Appropriations
BILL: CS/CS/CS/SB 1662
INTRODUCER: Appropriation Committee; Appropriations Committee on Agriculture, Environment, and
General Government; Governmental Oversight and Accountability Committee; and
Senator Collins
SUBJECT: Cybersecurity
DATE: February 28, 2024 REVISED:
ANALYST STAFF DIRECTOR REFERENCE ACTION
1. Harmsen McVaney GO Fav/CS
2. Hunter Betta AEG Fav/CS
3. Hunter Sadberry AP Fav/CS
Please see Section IX. for Additional Information:
COMMITTEE SUBSTITUTE - Substantial Changes
I. Summary:
CS/CS/CS/SB 1662 prohibits the award of a contract to technology services vendors that have
shared information with non-United States Trade Agreements Act compliant nations without
prior written consent within the past 7 years, revises the mission, goals, and responsibilities of
the Florida Center for Cybersecurity and adds program oversight for the Enterprise
Cybersecurity Resiliency program within the Department of Management Services.
The bill has no fiscal impact on state revenues or expenditures. See Section V., Fiscal Impact
Statement.
The bill provides an effective date of July 1, 2024.
BILL: CS/CS/CS/SB 1662 Page 2
II. Present Situation:
Trade Agreements Act
Congress passed the Trade Agreements Act (TAA) of 1979 to modify provisions in the Buy
American Act and to promote fair and open international trade.1 Non-TAA compliant countries
are those without trade agreements with the United States in the following categories:
• World Trade Organization Government Procurement Agreement Countries
• Free Trade Agreement Countries
• Least Developed Countries
• Caribbean Basin Countries
Non-TAA compliant countries include, but are not limited to: China, India, Indonesia, Iran, Iraq,
Malaysia, North Korea, Pakistan, Russia, and Sri Lanka.2
Cybersecurity and Ransomware
Over the last decade, cybersecurity has rapidly become a growing concern. Cyberattacks are
growing in frequency and severity. Cybercrime is expected to inflict $8 trillion worth of damage
globally in 2023.3 The United States is often a target of cyberattacks,4 including attacks on
critical infrastructure, and has been a target of more significant cyberattacks5 over the last 14
years than any other country.6 The Colonial Pipeline is an example of critical infrastructure that
was attacked, disrupting what is arguably the nation’s most important fuel conduit.7
Ransomware is a type of cybersecurity incident involving malware8 that is designed to encrypt files
on a device, rendering the files and the systems that rely on them unusable. In other words,
critical information is no longer accessible. During a ransomware attack, malicious actors
demand a ransom in exchange for regained access through decryption. If the ransom is not paid,
the ransomware actors will often threaten to sell or leak the data or authentication information.
1 The Department of Commerce, The Big “A” Acquisition Conference (May 4, 2011), The Buy American Act / Trade Agreements Act (last visited February 26, 2024).
2 GSA Federal Schedules, TAA Designated Countries (Nov. 16, 2023), https://gsa.federalschedules.com/resources/taa-designated-countries/ (last visited Feb. 26, 2024).
3 Steve Morgan, CYBERCRIME MAGAZINE, Cybercrime to Cost the World $8 Trillion Annually in 2023 (Oct. 17, 2022), Cybercrime To Cost The World 8 Trillion Annually In 2023 (cybersecurityventures.com) (last visited Jan. 31, 2024).
4 Chris Jaikaran, CONGRESSIONAL RESEARCH SERVICE, Cybersecurity: Selected Cyberattacks, 2012-2022 (Aug. 9, 2023), https://crsreports.congress.gov/product/pdf/R/R46974 (last visited Jan. 25, 2024).
5 “Significant cyber-attacks” are defined as cyber-attacks on a country’s government agencies, defense and high-tech companies, or economic crimes with losses equating to more than a million dollars. Kyle Brasseur, FRA CONFERENCES, Study: U.S. Largest Target for Significant Cyber-Attacks (Jul. 13, 2020), https://www.fraconferences.com/insights-articles/compliance/study-us-largest-target-for-significant-cyber-attacks/#:~:text=The%20United%20States%20has%20been%20on%20the%20receiving,article%20is%20from%20FRA%27s%20sister%20company%2C%20Compliance%20Week (last visited Jan. 31, 2024).
6 Id.
7 S&P Global, Pipeline operators must start reporting cyberattacks to government: TSA orders, https://www.spglobal.com/commodityinsights/en/market-insights/latest-news/electric-power/052721-pipeline-operators-must-start-reporting-cyberattacks-to-government-tsa-orders?utm_campaign=corporatepro&utm_medium=contentdigest&utm_source=esgmay2021 (last visited Jan. 31, 2024).
8 “Malware” means hardware, firmware, or software that is intentionally included or inserted in a system for a harmful purpose. malware - Glossary | CSRC (nist.gov) (last visited Jan. 31, 2024).
Even if the ransom is paid, there is no guarantee that the bad actor will follow through with
decryption.
In recent years, ransomware incidents have become increasingly prevalent among the nation’s
state, local, tribal, and territorial government entities and critical infrastructure organizations.9
For example, Tallahassee Memorial Hospital was hit by a ransomware attack in February 2023, and
the hospital’s systems were forced to shut down, impacting many local residents in need of
medical care.10
Information Technology and Cybersecurity Management
The Department of Management Services (DMS) oversees information technology (IT)11
governance and security for the executive branch in Florida.12 The Florida Digital Service
(FLDS) is housed within the DMS and was established in 2020 to replace the Division of State
Technology.13 The FLDS works under the DMS to implement policies for IT and cybersecurity
for state agencies.14
The head of the FLDS is appointed by the Secretary of Management Services15 and serves as the
state chief information officer (CIO).16 The CIO must have at least five years of experience in
the development of IT system strategic planning and IT policy and, preferably, have leadership-
level experience in the design, development, and deployment of interoperable software and data
solutions.17 The FLDS must propose innovative solutions that securely modernize state
government, including technology and information services, to achieve value through digital
transformation and interoperability, and to fully support Florida’s cloud first policy.18
The DMS, through the FLDS, has the following powers, duties, and functions:19
• Develop IT policy for the management of the state’s IT resources;
• Develop an enterprise architecture;
• Establish IT project management and oversight standards for state agencies;
9 Cybersecurity and Infrastructure Agency, Ransomware 101, https://www.cisa.gov/stopransomware/ransomware-101 (last visited Jan. 31, 2024).
10 Caitlyn Stroh-Page, TALLAHASSEE DEMOCRAT, Social Security Numbers, Some Patient Treatment Info Involved in TMH Cybersecurity Incident (Apr. 1, 2023), https://www.tallahassee.com/story/news/local/2023/03/31/tmh-updates-what-information-was-affected-during-cybersecurity-incident/70069655007/ (last visited Jan. 25, 2024).
11 The term “information technology” means equipment, hardware, software, firmware, programs, systems, networks, infrastructure, media, and related material used to automatically, electronically, and wirelessly collect, receive, access, transmit, display, store, record, retrieve, analyze, evaluate, process, classify, manipulate, manage, assimilate, control, communicate, exchange, convert, converge, interface, switch, or disseminate information of any kind or form. Section 282.0041(19), F.S.
12 See s. 20.22, F.S.
13 Chapter 2020-161, Laws of Fla.
14 See s. 20.22(2)(b), F.S.
15 The Secretary of Management Services serves as the head of the DMS and is appointed by the Governor, subject to confirmation by the Senate. Section 20.22(1), F.S.
16 Section 282.0051(2)(a), F.S.
17 Id.
18 Section 282.0051(1), F.S.
19 Id.
• Provide oversight for all state agency IT projects that have a total cost of $10 million or more
and that are funded in the General Appropriations Act or any other law;20 and
• Standardize and consolidate IT services that support interoperability, Florida’s cloud first
policy, and business functions and operations that are common across state agencies.
State Cybersecurity Act
While it has existed in some form for more than 10 years, in 2022, the Legislature passed the
State Cybersecurity Act,21 which requires the DMS and the heads of the state agencies22 to meet
certain requirements to enhance the cybersecurity23 of the state agencies.
The DMS through FLDS is tasked with completing the following:24
• Establish standards for assessing agency cybersecurity risks;
• Adopt rules to mitigate risk, support a security governance framework, and safeguard agency
digital assets, data,25 information, and IT resources;26
• Designate a chief information security officer (CISO);
• Develop and annually update a statewide cybersecurity strategic plan that includes the identification
and mitigation of risk, protections against threats, and tactical risk detection for cyber
incidents;27
• Develop and publish for use by state agencies a cybersecurity governance framework;
• Assist the state agencies in complying with the State Cybersecurity Act;
• Provide annual training on cybersecurity for information security managers and computer
security incident response team members;
• Annually review the strategic and operational cybersecurity plans of state agencies;
• Track the state agencies’ implementation of remediation plans;
• Provide cybersecurity training to all state agency technology professionals that develops,
assesses, and documents competencies by role and skill level;
• Maintain a Cybersecurity Operations Center (CSOC) led by the CISO to serve as a
clearinghouse for threat information and coordinate with the FDLE to support responses to
incidents; and
• Lead an Emergency Support Function under the state emergency management plan.
20 The FLDS provides project oversight on IT projects that have a total cost of $20 million or more for the Department of Financial Services, the Department of Legal Affairs, and the Department of Agriculture and Consumer Services. Section 282.0051(1)(m), F.S.
21 Section 282.318, F.S.
22 For purposes of the State Cybersecurity Act, the term “state agency” includes the Department of Legal Affairs, the Department of Agriculture and Consumer Services, and the Department of Financial Services. Section 282.318(2), F.S.
23 “Cybersecurity” means the protection afforded to an automated information system in order to attain the applicable objectives of preserving the confidentiality, integrity, and availability of data, information, and information technology resources. Section 282.0041(8), F.S.
24 Section 282.318(3), F.S.
25 “Data” means a subset of structured information in a format that allows such information to be electronically retrieved and transmitted. Section 282.0041(9), F.S.
26 “Information technology resources” means data processing hardware and software and services, communications, supplies, personnel, facility resources, maintenance, and training. Section 282.0041(22), F.S.
27 “Incident” means a violation or imminent threat of violation, whether such violation is accidental or deliberate, of information technology resources, security, policies, or practices. An imminent threat of violation refers to a situation in which the state agency has a factual basis for believing that a specific incident is about to occur. Section 282.0041(19), F.S.
The State Cybersecurity Act requires the head of each state agency to designate an information
security manager to administer the state agency’s cybersecurity program.28 The head of the
agency has additional tasks in protecting against cybersecurity threats as follows:29
• Establish a cybersecurity incident response team with the FLDS and the Cybercrime Office,
which must immediately report all confirmed or suspected incidents to the CISO;
• Annually submit to the DMS the state agency’s strategic and operational cybersecurity plans;
• Conduct and update a comprehensive risk assessment to determine the security threats once
every three years;
• Develop and update written internal policies and procedures for reporting cyber incidents;
• Implement safeguards and risk assessment remediation plans to address identified risks;
• Ensure internal audits and evaluations of the agency’s cybersecurity program are conducted;
• Ensure that the cybersecurity requirements for the solicitation, contracts, and service-level
agreement of IT and IT resources meet or exceed applicable state and federal laws,
regulations, and standards for cybersecurity, including the National Institute of Standards and
Technology (NIST)30 cybersecurity framework;
• Provide cybersecurity training to all agency employees within 30 days of employment;
• Develop a process that is consistent with the rules and guidelines established by the FLDS
for detecting, reporting, and responding to threats, breaches, or cybersecurity incidents; and
• Submit an after-action report to the FLDS within one week after remediation of a
cybersecurity incident or ransomware incident.
Florida Cybersecurity Advisory Council
The Florida Cybersecurity Advisory Council31 (CAC) within the DMS32 assists state agencies in
protecting IT resources from cyber threats and incidents.33 The CAC must assist the FLDS in
implementing best cybersecurity practices, taking into consideration the final recommendations
of the Florida Cybersecurity Task Force – a task force created to review and assess the state’s
cybersecurity infrastructure, governance, and operations.34 The CAC meets at least quarterly to:35
• Review existing state agency cybersecurity policies;
• Assess ongoing risks to state agency IT;
• Recommend a reporting and information sharing system to notify state agencies of new risks;
• Recommend data breach simulation exercises;
28 Section 282.318(4)(a), F.S.
29 Section 282.318(4), F.S.
30 NIST, otherwise known as the National Institute of Standards and Technology, “is a non-regulatory government agency that develops technology, metrics, and standards to drive innovation and economic competitiveness at U.S.-based organizations in the science and technology industry.” Nate Lord, What is NIST Compliance, DataInsider (May 6, 2023), https://www.digitalguardian.com/blog/what-nist-compliance (last visited Jan. 31, 2024).
31 Under Florida law, an “advisory council” means an advisory body created by specific statutory enactment and appointed to function on a continuing basis. Generally, an advisory council is enacted to study the problems arising in a specified functional or program area of state government and to provide recommendations and policy alternatives. Section 20.03(7), F.S.; see also s. 20.052, F.S.
32 Section 282.319(1), F.S.
33 Section 282.319(2), F.S.
34 Section 282.319(2)-(3), F.S.
35 Section 282.319(9), F.S.
• Assist the FLDS in developing cybersecurity best practice recommendations; and
• Examine inconsistencies between state and federal law regarding cybersecurity.
The CAC must work with NIST and other federal agencies, private sector businesses, and private
security experts to identify which local infrastructure sectors, not covered by federal law, are at
the greatest risk of cyber-attacks and to identify categories of critical infrastructure as critical
cyber infrastructure if cyber damage to the infrastructure could result in catastrophic
consequences.36
The CAC must also prepare and submit a comprehensive report to the Governor, the President of
the Senate, and the Speaker of the House of Representatives that includes data, trends, analysis,
findings, and recommendations for state and local action regarding ransomware incidents as
stated below:37
• Descriptive statistics, including the amount of ransom requested, durat