HOUSE OF REPRESENTATIVES STAFF ANALYSIS
BILL #: CS/HB 7055 PCB SAT 22-02 Cybersecurity
SPONSOR(S): State Affairs Committee, State Administration & Technology Appropriations Subcommittee,
Giallombardo, Fischer and others
TIED BILLS: CS/HB 7057 IDEN./SIM. BILLS: CS/SB 1670
REFERENCE | ACTION | ANALYST | STAFF DIRECTOR or BUDGET/POLICY CHIEF
Orig. Comm.: State Administration & Technology Appropriations Subcommittee | 14 Y, 0 N | Mullins | Topp
1) State Affairs Committee | 23 Y, 0 N, As CS | Villa | Williamson
SUMMARY ANALYSIS
The State Cybersecurity Act requires the Florida Digital Service (FLDS) and the heads of state agencies to meet
certain requirements to enhance the cybersecurity of state agencies. Currently, state agencies must provide
cybersecurity training to their employees, report cybersecurity incidents, and adopt cybersecurity standards.
However, there are no such requirements for counties and municipalities (local governments).
Current law regarding state or local government cybersecurity does not specifically address ransomware, which is a
form of malware designed to encrypt files on a device, rendering any files unusable. Malicious actors then demand
ransom in exchange for decryption.
The bill prohibits state agencies and local governments from paying or otherwise complying with a ransomware
incident.
The bill defines the severity level of a cybersecurity incident in accordance with the National Cyber Incident
Response Plan. State agencies and local governments must report all ransomware incidents and high severity level
cybersecurity incidents to the Cybersecurity Operations Center (CSOC) and the Cybercrime Office within the Florida
Department of Law Enforcement as soon as possible but no later than a time certain. Local governments must also
report to the sheriff. The bill requires state agencies to report low level cybersecurity incidents and provides that
local governments may report such incidents. The bill also requires state agencies and local governments to submit
after-action reports to FLDS following a cybersecurity or ransomware incident.
The bill requires the CSOC to notify the Legislature of high severity level cybersecurity incidents. The notice must
contain a high-level overview of the incident and its likely effects. In addition, the CSOC must provide the Legislature
and the Cybersecurity Advisory Council (CAC) with a consolidated incident report on a quarterly basis.
The bill requires state agency and local government employees to undergo certain cybersecurity training within 30
days of employment and annually thereafter.
The bill requires local governments to adopt cybersecurity standards that safeguard the local government’s data,
information technology (IT), and IT resources.
The bill expands the purpose of the CAC to include advising local governments on cybersecurity and requires the
CAC to examine reported cybersecurity and ransomware incidents to develop best practice recommendations. The
CAC must submit an annual comprehensive report regarding ransomware to the Governor and Legislature.
The bill establishes penalties and fines for certain ransomware offenses against a government entity.
The bill will likely have a negative fiscal impact on state and local government expenditures; however, the bill may
also have a positive fiscal impact on the state due to the punitive fine established in the bill. See Fiscal Analysis &
Economic Impact Statement.
This document does not reflect the intent or official position of the bill sponsor or House of Representatives.
STORAGE NAME: h7055.SAC
DATE: 2/23/2022
FULL ANALYSIS
I. SUBSTANTIVE ANALYSIS
A. EFFECT OF PROPOSED CHANGES:
Background
Ransomware
Ransomware is a form of malware1 designed to encrypt files on a device, rendering any files and the
systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.
Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication
information if the ransom is not paid. In recent years, ransomware incidents have become increasingly
prevalent among the nation’s state, local, tribal, and territorial government entities and critical
infrastructure organizations.2 In 2021, state chief information officers overwhelmingly named
ransomware as their top cybersecurity concern.3
While most ransomware attacks are not reported in the news, in 2021 at least 2,323 state and local
governments, schools, and healthcare providers experienced ransomware attacks.4 Ransomware
attacks on such entities have resulted in medical records being inaccessible or permanently lost;
surgical procedures being canceled, tests postponed, and admissions halted; schools closing; students’
grades being lost; 911 services interrupted; police being locked out of background check systems;
surveillance systems going offline; badge scanners and building access systems ceasing to work;
property transactions being halted; websites going offline; online payment portals being inaccessible;
email and phone systems ceasing to work; driver licenses not being issued or renewed; and payments
to vendors being delayed.
National Institute of Standards and Technology Cybersecurity Framework
The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency housed
within the United States Department of Commerce. NIST is charged with providing a prioritized, flexible,
repeatable, performance-based, and cost-effective framework that helps owners and operators of
critical infrastructure identify, assess, and manage cyber risk. While the framework was developed with
critical infrastructure in mind, it can be used by organizations in any sector of the economy or society.5
The framework is designed to complement, and not replace, an organization’s own unique approach to
cybersecurity risk management. As such, there are a variety of ways to use the framework and the
decision about how to apply it is left to the implementing organization. For example, an organization
may use its current processes and consider the framework to identify opportunities to strengthen its
cybersecurity risk management. Overall, the framework provides an outline of best practices that helps
organizations decide where to focus resources for cybersecurity protection.6
1 “Malware” means hardware, firmware, or software that is intentionally included or inserted in a system for a harmful purpose.
https://csrc.nist.gov/glossary/term/malware (last visited January 30, 2022).
2 Cybersecurity and Infrastructure Security Agency, Ransomware 101, https://www.cisa.gov/stopransomware/ransomware-101 (last visited
January 30, 2022).
3 National Association of State Chief Information Officers, Driving digital acceleration The 2021 State CIO Survey (October 2021),
available at https://www.nascio.org/wp-content/uploads/2021/10/2021-State-CIO-Survey.pdf (last visited January 30, 2022).
4 Emsisoft Malware Lab, The State of Ransomware in the US: Report and Statistics 2021 (January 18, 2022), available at
https://blog.emsisoft.com/en/40813/the-state-of-ransomware-in-the-us-report-and-statistics-2021/ (last visited January 30, 2022).
These numbers do not include ransomware attacks that were reported in the press as cyberattacks or attacks on third party service and
solution providers.
5 National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, available at
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf (last visited January 30, 2022).
6 Id.
National Cyber Incident Response Plan
The National Cyber Incident Response Plan (NCIRP) was developed by the U.S. Department of Homeland Security
at the direction of Presidential Policy Directive (PPD)-41.7 The NCIRP is
part of the broader National Preparedness System and establishes the strategic framework for a whole-
of-Nation approach to mitigating, responding to, and recovering from cybersecurity incidents posing risk
to critical infrastructure.8 The NCIRP is not a tactical or operational plan; rather, it serves as the primary
strategic framework for stakeholders to understand how federal departments and agencies and other
national-level partners provide resources to support response operations. The NCIRP was developed in
coordination with federal, state, local, and private sector entities and is designed to interface with
industry best practice standards for cybersecurity, including the NIST Cybersecurity Framework.
The NCIRP adopted a common schema for describing the severity of cybersecurity incidents affecting
the U.S. The schema establishes a common framework to evaluate and assess cybersecurity incidents
to ensure that all departments and agencies have a common view of the severity of a given incident;
urgency required for responding to a given incident; seniority level necessary for coordinating response
efforts; and level of investment required for response efforts.9
Figure 1: Cybersecurity Incident Severity Schema
7 Annex for PPD-41: U.S. Cyber Incident Coordination, available at: https://obamawhitehouse.archives.gov/the-press-
office/2016/07/26/annex-presidential-policy-directive-united-states-cyber-incident (last visited February 18, 2022).
8 U.S. Department of Homeland Security, National Cyber Incident Response Plan (December 2016) available at:
file:///C:/Users/Villa.Chris/Downloads/798128%20(7).pdf (last visited February 20, 2022).
9 Id.
Information Technology Management
The Department of Management Services (DMS)10 oversees information technology (IT)11 governance
and security for the executive branch of state government. The Florida Digital Service (FLDS) within
DMS was established by the Legislature in 2020 to replace the Division of State Technology.12 The
head of FLDS is appointed by the Secretary of Management Services13 and serves as the state chief
information officer (CIO).14
FLDS was created to propose innovative solutions that securely modernize state government, including
technology and information services, to achieve value through digital transformation and
interoperability, and to fully support Florida’s cloud first policy.15 Accordingly, DMS through FLDS has
the following powers, duties, and functions:
• Develop IT policy for the management of the state’s IT resources.
• Develop an enterprise architecture.
• Establish project management and oversight standards with which state agencies16 must
comply when implementing IT projects.
• Perform project oversight on state agency IT projects that have a total cost of $10 million or
more and that are funded in the General Appropriations Act or any other law.17
• Identify opportunities for standardization and consolidation of IT services that support
interoperability, Florida’s cloud first policy, and business functions and operations that are
common across state agencies.18
State Cybersecurity Act
The State Cybersecurity Act19 requires DMS and the heads of state agencies20 to meet certain
requirements to enhance the cybersecurity21 of state agencies. Specifically, DMS, acting through FLDS,
must:
• Establish standards and processes for assessing state agency cybersecurity risks and
determining appropriate security measures consistent with generally accepted best practices for
cybersecurity, including the NIST cybersecurity framework.
• Adopt rules to mitigate risk, support a security governance framework, and safeguard state
agency digital assets, data,22 information, and IT resources23 to ensure availability,
confidentiality, and integrity.
10 See s. 20.22, F.S.
11 The term “information technology” means equipment, hardware, software, firmware, programs, systems, networks, infrastructure,
media, and related material used to automatically, electronically, and wirelessly collect, receive, access, transmit, display, store,
record, retrieve, analyze, evaluate, process, classify, manipulate, manage, assimilate, control, communicate, exchange, convert,
converge, interface, switch, or disseminate information of any kind or form. Section 282.0041(20), F.S.
12 Ch. 2020-161, L.O.F.
13 The Secretary of Management Services serves as the head of DMS and is appointed by the Governor, subject to confirmation by the
Senate. Section 20.22(1), F.S.
14 Section 282.0051(2)(a), F.S.
15 Section 282.0051(1), F.S.
16 “State agency” means any official, officer, commission, board, authority, council, committee, or department of the executive branch
of state government; the Justice Administrative Commission; and the Public Service Commission. The term does not include
university boards of trustees, state universities, the Department of Legal Affairs, the Department of Agriculture and Consumer
Services, or the Department of Financial Services. Section 282.0041(33), F.S.
17 For the Department of Financial Services, the Department of Legal Affairs, and the Department of Agriculture and Consumer
Services, FLDS provides project oversight on IT projects that have a total cost of $20 million or more. Section 282.0051(1)(n), F.S.
18 Section 282.0051(1), F.S.
19 Section 282.318, F.S.
20 For purposes of the State Cybersecurity Act, the term “state agency” includes the Department of Legal Affairs, the Department of
Agriculture and Consumer Services, and the Department of Financial Services. Section 282.318(2), F.S.
21 “Cybersecurity” means the protection afforded to an automated information system in order to attain the applicable objectives of
preserving the confidentiality, integrity, and availability of data, information, and information technology resources. Section
282.0041(8), F.S.
22 “Data” means a subset of structured information in a format that allows such information to be electronically retrieved and
transmitted. Section 282.0041(9), F.S.
23 “Information technology resources” means data processing hardware and software and services, communications, supplies,
personnel, facility resources, maintenance, and training. Section 282.0041(22), F.S.
• Designate a chief information security officer (CISO) responsible for the development,
operation, and oversight of cybersecurity for state technology systems. The CISO must be
notified of all confirmed or suspected incidents or threats of state agency IT resources and must
report such information to the CIO and the Governor.
• Develop and annually update a statewide cybersecurity strategic plan that includes security
goals and objectives for cybersecurity, including the identification and mitigation of risk,
proactive protections against threats, tactical risk detection, threat reporting, and response and
recovery protocols for cyber incidents.24
• Develop and publish for use by state agencies a cybersecurity governance framework.
• Assist state agencies in complying with the State Cybersecurity Act.
• In collaboration with the Cybercrime Office within the Florida Department of Law Enforcement
(FDLE), annually provide training for state agency information security managers and computer
security incident response team members that contains training on cybersecurity, including
cybersecurity threats, trends, and best practices.
• Annually review the strategic and operational cybersecurity plans of state agencies.
• Track, in coordination with agency inspectors general, state agencies’ implementation of
remediation plans.
• Provide cybersecurity training to all state agency technology professionals that develops,
assesses, and documents competencies by role and skill level. The training may be provided in
collaboration with the Cybercrime Office, a private sector entity, or an institution of the state
university system.
• Operate and maintain a Cybersecurity Operations Center led by the CISO to serve as a
clearinghouse for threat information and to coordinate with FDLE to support state agency
response to cybersecurity incidents.
• Lead an Emergency Support Function under the state comprehensive emergency management
plan.25
The State Cybersecurity Act requires the head of each state agency to designate an information
security manager to administer the cybersecurity program of the state agency.26 In addition, the head of
each state agency must:
• Establish an agency cybersecurity incident response team in consultation with FLDS and the
Cybercrime Office. The agency cybersecurity incident response team must convene upon
notification of a cybersecurity incident and must immediately report all confirmed or suspected
incidents to the CISO.
• Annually submit to DMS the state agency’s strategic an