HOUSE OF REPRESENTATIVES STAFF ANALYSIS
BILL #: CS/CS/CS/HB 1555 Cybersecurity
SPONSOR(S): Commerce Committee, State Administration & Technology Appropriations Subcommittee,
Energy, Communications & Cybersecurity Subcommittee, Giallombardo
TIED BILLS: IDEN./SIM. BILLS: CS/SB 1662
REFERENCE                                                         ACTION            ANALYST    STAFF DIRECTOR or BUDGET/POLICY CHIEF
1) Energy, Communications & Cybersecurity Subcommittee            15 Y, 0 N, As CS  Bauldree   Keating
2) State Administration & Technology Appropriations Subcommittee  13 Y, 0 N, As CS  Mullins    Topp
3) Commerce Committee                                             15 Y, 1 N, As CS  Bauldree   Hamon
SUMMARY ANALYSIS
Over the last decade, cybersecurity has rapidly become a growing concern. Cyberattacks are growing in
frequency and severity. Currently, the Department of Management Services (DMS) oversees information
technology (IT) governance and security for the executive branch of state government. The Florida Digital
Service (FLDS) is housed within DMS and was established in 2020 to replace the Division of State
Technology. Through FLDS, DMS implements duties and policies for IT and cybersecurity for state agencies.
The bill:
Revises the duties of FLDS;
Provides definitions;
Provides that the state chief information officer (CIO), in consultation with the Secretary of DMS, must designate a state chief technology officer and specifies the position’s responsibilities;
Requires state agencies to report all ransomware incidents, regardless of severity level, to the FLDS Cybersecurity Operations Center (CSOC) as soon as possible, but no later than 12 hours after a cybersecurity incident and no later than 6 hours after the discovery of a ransomware incident;
Authorizes the Speaker of the House of Representatives or the President of the Senate to designate certain committee or subcommittee chairs to attend closed portions of meetings of the Cybersecurity Advisory Council (CAC);
Modifies the membership of the CAC;
Requires local governments to report any cybersecurity incident determined to be level 3, 4, or 5 to the CSOC rather than to the Cybercrime Office and the sheriff who has jurisdiction over the local government;
Requires the CSOC to immediately notify the Cybercrime Office of the Florida Department of Law Enforcement of a reported incident;
Requires the CSOC to immediately notify the state chief information security officer of a reported incident; and
Revises the mission, goals, and responsibilities of the Florida Center for Cybersecurity.
The bill has an indeterminate fiscal impact on state expenditures. See Fiscal Comments.
The bill provides an effective date of July 1, 2024.
This document does not reflect the intent or official position of the bill sponsor or House of Representatives.
STORAGE NAME: h1555e.COM
DATE: 2/24/2024
FULL ANALYSIS
I. SUBSTANTIVE ANALYSIS
A. EFFECT OF PROPOSED CHANGES:
Current Situation
Over the last decade, cybersecurity has rapidly become a growing concern. Cyberattacks are growing in frequency and severity. Cybercrime was expected to inflict $8 trillion worth of damage globally in 2023.1 The United States is often a target of cyberattacks, including attacks on critical infrastructure, and has been a target of more significant cyberattacks2 over the last 14 years than any other country.3 The Colonial Pipeline is an example of critical infrastructure that was attacked, disrupting what is arguably the nation’s most important fuel conduit.4
Ransomware is a type of cybersecurity incident where malware5 that is designed to encrypt files on a device renders the files and the systems that rely on them unusable. In other words, critical information is no longer accessible. During a ransomware attack, malicious actors demand a ransom in exchange for regained access through decryption. If the ransom is not paid, the ransomware actors will often threaten to sell or leak the data or authentication information. Even if the ransom is paid, there is no guarantee that the bad actor will follow through with decryption.
In recent years, ransomware incidents have become increasingly prevalent among the nation’s state, local, tribal, and territorial government entities and critical infrastructure organizations.6 For example, Tallahassee Memorial Hospital was hit by a ransomware attack early in 2023, and the hospital’s systems were forced to shut down, impacting many local residents in need of medical care.7 Likewise, Tampa General Hospital detected a data breach in May of 2023, which may have compromised the data of up to 1.2 million patients.8
IT and Cybersecurity Management
The Department of Management Services (DMS) oversees information technology (IT)9 governance and security for the executive branch in Florida.10 The Florida Digital Service (FLDS) is housed within
1 Cybercrime Magazine, Cybercrime to Cost the World $8 Trillion Annually in 2023, https://cybersecurityventures.com/cybercrime-to-cost-the-world-8-trillion-annually-in-2023/ (last visited Jan. 23, 2024).
2 “Significant cyber-attacks” are defined as cyber-attacks on a country’s government agencies, defense, and high-tech companies, or economic crimes with losses equating to more than a million dollars. FRA Conferences, Study: U.S. Largest Target for Significant Cyber-Attacks, https://www.fraconferences.com/insights-articles/compliance/study-us-largest-target-for-significant-cyber-attacks/#:~:text=The%20United%20States%20has%20been%20on%20the%20receiving,article%20is%20from%20FRA%27s%20sister%20company%2C%20Compliance%20Week (last visited Jan. 23, 2024).
3 Id.
4 S&P Global, Pipeline operators must start reporting cyberattacks to government: TSA orders, https://www.spglobal.com/commodityinsights/en/market-insights/latest-news/electric-power/052721-pipeline-operators-must-start-reporting-cyberattacks-to-government-tsa-orders?utm_campaign=corporatepro&utm_medium=contentdigest&utm_source=esgmay2021 (last visited Jan. 23, 2024).
5 “Malware” means hardware, firmware, or software that is intentionally included or inserted in a system for a harmful purpose. https://csrc.nist.gov/glossary/term/malware (last visited Jan. 23, 2024).
6 Cybersecurity and Infrastructure Agency, Ransomware 101, https://www.cisa.gov/stopransomware/ransomware-101 (last visited Jan. 23, 2024).
7 Tallahassee Democrat, TMH says it has taken ‘major step’ toward restoration after cybersecurity incident (Feb. 15, 2023) https://www.tallahassee.com/story/news/local/2023/02/14/tmh-update-hospital-has-taken-major-step-toward-restoration/69904510007/ (last visited Jan. 23, 2023).
8 Alessandro Mascellino, Infosecurity Magazine, Tampa General Hospital Data Breach Impacts 1.2 Million Patients (Jul. 24, 2023), https://www.infosecurity-magazine.com/news/tampa-hospital-data-breach/ (last visited Jan. 24, 2023).
9 The term “information technology” means equipment, hardware, software, firmware, programs, systems, networks, infrastructure, media, and related material used to automatically, electronically, and wirelessly collect, receive, access, transmit, display, store, record, retrieve, analyze, evaluate, process, classify, manipulate, manage, assimilate, control, communicate, exchange, convert, converge, interface, switch, or disseminate information of any kind or form. S. 282.0041(19), F.S.
10 See s. 20.22, F.S.
DMS and was established in 2020 to replace the Division of State Technology.11 FLDS works under DMS to implement policies for IT and cybersecurity for state agencies.12
The head of FLDS is appointed by the Secretary of Management Services13 and serves as the state chief information officer (CIO).14 The CIO must have at least five years of experience in the development of IT system strategic planning and IT policy and, preferably, have leadership-level experience in the design, development, and deployment of interoperable software and data solutions.15
FLDS must propose innovative solutions that securely modernize state government, including
technology and information services, to achieve value through digital transformation and
interoperability, and to fully support Florida’s cloud first policy.16
DMS, through FLDS, has the following powers, duties, and functions:
Develop IT policy for the management of the state’s IT resources;
Develop an enterprise architecture;
Establish project management and oversight standards with which state agencies must comply when implementing IT projects;
Perform project oversight on all state agency IT projects that have a total cost of $10 million or more and that are funded in the General Appropriations Act or any other law; and
Identify opportunities for standardization and consolidation of IT services that support interoperability, Florida’s cloud first policy, and business functions and operations that are common across state agencies.17
State Cybersecurity Act
In 2021, the Legislature passed the State Cybersecurity Act,18 which requires DMS and the heads of the state agencies19 to meet certain requirements to enhance the cybersecurity20 of the state agencies. DMS is tasked with completing the following, through FLDS:
Establishing standards for assessing agency cybersecurity risks;
Adopting rules to mitigate risk, support a security governance framework, and safeguard agency digital assets, data,21 information, and IT resources;22
Designating a chief information security officer (CISO);
Developing and annually updating a statewide cybersecurity strategic plan to address matters such as identification and mitigation of risk, protections against threats, and tactical risk detection for cyber incidents;23
Developing and publishing for use by state agencies a cybersecurity governance framework;
Assisting the state agencies in complying with the State Cybersecurity Act;
Annually providing training on cybersecurity for managers and team members;
Annually reviewing the strategic and operational cybersecurity plans of state agencies;
Tracking the state agencies’ implementation of remediation plans;
11 Ch. 2020-161, L.O.F.
12 See s. 20.22(2)(b), F.S.
13 The Secretary of Management Services serves as the head of DMS and is appointed by the Governor, subject to confirmation by the Senate. S. 20.22(1), F.S.
14 S. 282.0051(2)(a), F.S.
15 Id.
16 S. 282.0051(1), F.S.
17 Id.
18 Ch. 2012-234, L.O.F.
19 For purposes of the State Cybersecurity Act, the term “state agency” includes the Department of Legal Affairs, the Department of Agriculture and Consumer Services, and the Department of Financial Services. S. 282.318(2), F.S.
20 “Cybersecurity” means the protection afforded to an automated information system in order to attain the applicable objectives of preserving the confidentiality, integrity, and availability of data, information, and IT resources. S. 282.0041(8), F.S.
21 “Data” means a subset of structured information in a format that allows such information to be electronically retrieved and transmitted. S. 282.0041(9), F.S.
22 “Information technology resources” means data processing hardware and software and services, communications, supplies, personnel, facility resources, maintenance, and training. S. 282.0041(22), F.S.
23 “Incident” means a violation or imminent threat of violation, whether such violation is accidental or deliberate, of IT resources, security, policies, or practices. An imminent threat of violation refers to a situation in which the state agency has a factual basis for believing that a specific incident is about to occur. S. 282.0041(19), F.S.
Providing cybersecurity training to all state agency technology professionals that develops, assesses, and documents competencies by role and skill level;
Maintaining a Cybersecurity Operations Center (CSOC) led by the CISO to serve as a clearinghouse for threat information and coordinate with FDLE to support responses to incidents; and
Leading an Emergency Support Function under the state emergency management plan.24
The State Cybersecurity Act requires the head of each state agency to designate an information security manager to administer the state agency’s cybersecurity program.25 The head of the agency has additional tasks in protecting against cybersecurity threats as follows:
Establish a cybersecurity incident response team with FLDS and the Cybercrime Office in FDLE, which must immediately report all confirmed or suspected incidents to the CISO;
Annually submit to DMS the state agency’s strategic and operational cybersecurity plans;
Conduct and update a comprehensive risk assessment to determine the security threats;
Develop and update written internal policies and procedures for reporting cyber incidents;
Implement safeguards and risk assessment remediation plans to address identified risks;
Ensure internal audits and evaluations of the agency’s cybersecurity program are conducted;
Ensure that the cybersecurity requirements for the solicitation, contracts, and service-level agreement of IT and IT resources meet or exceed applicable state and federal laws, regulations, and standards for cybersecurity, including the National Institute of Standards and Technology (NIST)26 cybersecurity framework;
Provide cybersecurity training to all agency employees within 30 days of employment; and
Develop a process that is consistent with the rules and guidelines established by FLDS for detecting, reporting, and responding to threats, breaches, or cybersecurity incidents.27
Florida Cybersecurity Advisory Council
The Florida Cybersecurity Advisory Council28 (CAC) within DMS29 assists state agencies in protecting
IT resources from cyber threats and incidents.30 The CAC must assist FLDS in implementing best
cybersecurity practices, taking into consideration the final recommendations of the Florida
Cybersecurity Task Force – a task force created to review and assess the state’s cybersecurity
infrastructure, governance, and operations.31 The CAC meets at least quarterly to:
Review existing state agency cybersecurity policies;
Assess ongoing risks to state agency IT;
Recommend a reporting and information sharing system to notify state agencies of new risks;
Recommend data breach simulation exercises;
Assist FLDS in developing cybersecurity best practice recommendations; and
Examine inconsistencies between state and federal law regarding cybersecurity.32
24 Ch. 2021-234, L.O.F.
25 S. 282.318(4)(a), F.S.
26 NIST, otherwise known as the National Institute of Standards and Technology, “is a non-regulatory government agency that develops technology, metrics, and standards to drive innovation and economic competitiveness at U.S.-based organizations in the science and technology industry.” Nate Lord, What is NIST Compliance, DataInsider (Dec. 1, 2020), https://www.digitalguardian.com/blog/what-nist-compliance (last visited Jan. 23, 2024).
27 S. 282.318(4), F.S.
28 The CAC is comprised of: the Lieutenant Governor or his or her designee; the state CIO; the state chief information security officer; the director of the Division of Emergency Management or his or her designee; a representative of the computer crime center of the Department of Law Enforcement, appointed by the executive director of the Department of Law Enforcement; a representative of the Florida Fusion Center of the Department of Law Enforcement, appointed by the executive director of the Department of Law Enforcement; the Chief Inspector General; up to two representatives from institutions of higher education located in this state, appointed by the Governor; three representatives from critical infrastructure sectors, one of whom must be from a water treatment facility, appointed by the Governor; four representatives of the private sector with senior level experience in cybersecurity or software engineering from within the finance, energy, health care, and transportation sectors, appointed by the Governor; and two representatives with expertise on emerging technology, with one appointed by the President of the Senate and one appointed by the Speaker of the House of Representatives. S. 282.319(3), F.S.
29 S. 282.319(1), F.S.
30 S. 282.319(2), F.S.
31 S. 282.319(3), F.S.
32 S. 282.319(9), F.S.
The CAC must work with NIST and other federal agencies, private sector businesses, and private
security experts to identify which local infrastructure sectors, not covered by federal law, are at the
greatest risk of cyber-attacks and to identify categories of critical infrastructure as critical cyber
infrastructure if cyber damage to the infras