Bill > S7026

Introduced Session

An act relating to information technology; creating s. 20.70, F.S.; creating the Agency for State Systems and Enterprise Technology (ASSET); providing that the Governor and Cabinet are the head of the agency; establishing divisions and offices of the agency; providing for an executive director of the agency; providing that the executive director also serves as the state chief information officer; providing for the appointment and removal of such executive director; prohibiting the state chief information officer from having financial, personal, or business conflicts of interest related to certain vendors, contractors, and service providers of the state; requiring that the state chief information officer selection committee within ASSET be appointed and provide a specified number of nominees upon a vacancy of such officer; providing the composition of such committee; requiring that a member of the committee designate an alternate state agency chief information officer to serve on the committee under a specified circumstance; providing the qualifications for the state chief information officer; providing that persons who currently serve, or have served, as state agency heads are ineligible to serve as the state chief information officer; transferring the state chief information officer of the Department of Management Services to ASSET until the Governor and the Cabinet appoint a permanent officer; requiring that such appointment occur by a specified date; amending s. 97.0525, F.S.; requiring that the Division of Elections comprehensive risk assessment comply with the risk assessment methodology developed by ASSET; amending s. 112.22, F.S.; defining the term “ASSET”; deleting the term “department”; revising the definition of the term “prohibited application”; authorizing public employers to request a certain waiver from ASSET; requiring ASSET to take specified actions; deleting obsolete language; requiring ASSET to adopt rules; amending s. 119.0725, F.S.; providing that confidential and exempt information must be made available to ASSET; amending s. 216.023, F.S.; requiring agencies and the judicial branch to include a cumulative inventory and a certain status report of specified projects with their legislative budget requests; defining the term “technology-related project”; deleting a provision requiring state agencies and the judicial branch to include a cumulative inventory and a certain status report of specified projects as part of a budget request; conforming a cross-reference; amending s. 282.0041, F.S.; deleting and revising definitions; defining the terms “ASSET” and “technical debt”; amending s. 282.0051, F.S.; deleting obsolete language; revising the powers, duties, and functions of the Department of Management Services, through the Florida Digital Service; deleting a requirement that the state chief information officer, in consultation with the Secretary of Management Services, designate a state chief data officer; deleting requirements of the department, acting through the Florida Digital Service, relating to the use of appropriated funds for certain actions; deleting provisions related to information technology projects that have a total project cost in excess of $10 million; providing for the future repeal of the section; deleting a requirement to adopt rules; repealing s. 282.00515, F.S., relating to duties of Cabinet agencies; creating s. 282.006, F.S.; requiring ASSET to operate as the state enterprise organization for information technology governance and as the lead entity responsible for understanding needs and environments, creating standards and strategy, supporting state agency technology efforts, and reporting on the state of information technology in this state; providing legislative intent; requiring ASSET to establish the strategic direction of information technology in the state; requiring ASSET to develop and publish information technology policy for a specified purpose; requiring that such policy be updated as necessary to meet certain requirements and advancements in technology; requiring ASSET to take specified actions related to oversight of the state’s technology enterprise; requiring ASSET to produce specified reports, recommendations, and analyses and provide such reports, recommendations, and analyses to the Governor, the Commissioner of Agriculture, the Chief Executive Officer, the Attorney General, and the Legislature by specified dates and at specified intervals; providing requirements for such reports; requiring ASSET to conduct a market analysis at a certain interval beginning on a specified date; providing requirements for the market analysis; requiring that each market analysis be used to prepare a strategic plan for specified purposes; requiring that copies of the market analysis and strategic plan be submitted by a specified date; authorizing ASSET to adopt rules; creating s. 282.0061, F.S.; providing legislative intent; requiring ASSET to complete a certain full baseline needs assessment of state agencies, develop a specified plan to conduct such assessments, and submit such plan to the Governor, the Commissioner of Agriculture, the Chief Financial Officer, the Attorney General, and the Legislature within a specified timeframe; requiring ASSET to support state agency strategic planning efforts and assist such agencies with a certain phased roadmap; providing requirements for such roadmaps; requiring ASSET to make recommendations for standardizing data across state agencies for a specified purpose and identify any opportunities for standardization and consolidation of information technology services across state agencies and support specified functions; requiring ASSET to develop standards for use by state agencies and enforce consistent standards and promote best practices across all state agencies; requiring ASSET to provide a certain report to the Governor, the Commissioner of Agriculture, the Chief Financial Officer, the Attorney General, and the Legislature by a specified date; providing requirements of the report; providing the duties and responsibilities of ASSET related to state agency technology projects; requiring ASSET, in consultation with state agencies, to create a methodology, approach, and applicable templates and formats for identifying and collecting information technology expenditure data at the state agency level; requiring ASSET to obtain, review, and maintain records of the appropriations, expenditures, and revenues for information technology for each state agency; requiring ASSET to prescribe the format for state agencies to provide financial information to ASSET for inclusion in a certain annual report; requiring state agencies to submit such information by a specified date annually; requiring that such information be reported to ASSET to determine all costs and expenditures of information technology assets and resources provided to state agencies; requiring ASSET to work with state agencies to provide alternative standards, policies, or requirements under specified circumstances; creating s. 282.0062, F.S.; establishing workgroups within ASSET to facilitate coordination with state agencies; providing for the membership and duties of such workgroups; creating s. 282.0063, F.S.; requiring ASSET to perform specified actions to develop and manage career paths, progressions, and training programs for the benefit of state agency personnel; creating s. 282.0064, F.S.; requiring ASSET, in coordination with the Department of Management Services, to establish a policy for all information technology-related solicitations, contracts, and procurements; providing requirements for the policy related to state term contracts, all contracts, and information technology projects that require oversight; prohibiting entities providing independent verification and validation from having certain interests, responsibilities, or other participation in the project; providing the primary objective of independent verification and validation; requiring the entity performing such verification and validation to provide specified regular reports and assessments; requiring the Division of State Purchasing within the Department of Management Services to coordinate with ASSET on state term contract solicitations and invitations to negotiate; requiring ASSET to evaluate vendor responses and answer vendor questions on such solicitations and invitations; creating s. 282.0065, F.S.; requiring ASSET to establish, maintain, and manage a certain test laboratory, beginning at a specified time; providing the purpose of the laboratory; requiring ASSET to take specified actions relating to the laboratory; creating s. 282.0066, F.S.; requiring ASSET to develop, implement, and maintain a certain library; providing requirements for the library; requiring ASSET to establish procedures that ensure the integrity, security, and availability of the library; requiring ASSET to regularly update documents and materials in the library to reflect current state and federal requirements, industry best practices, and emerging technologies; requiring state agencies to reference and adhere to the policies, standards, and guidelines of the library in specified tasks; requiring ASSET to create mechanisms for state agencies to submit feedback, request clarifications, and recommend updates; authorizing state agencies to request exemptions to specific policies, standards, or guidelines under specified circumstances; providing the mechanism for a state agency to request such exemption; requiring ASSET to review the request and make a recommendation to the state chief information officer; requiring the state chief information officer to present the exemption to the chief information officer workgroup; requiring that approval of the exemption be by majority vote; requiring that state agencies granted an exemption be reviewed periodically to determine whether such exemption is necessary or if compliance can be achieved; amending s. 282.318, F.S.; revising the duties of the Department of Management Services, acting through the Florida Digital Service, relating to cybersecurity; requiring state agencies to report all ransomware incidents to the state chief information security officer instead of the Cybersecurity Operations Center; requiring the state chief information security officer, instead of the Cybersecurity Operations Center, to notify the Legislature of certain incidents; requiring state agencies to notify the state chief information security officer within specified timeframes after the discovery of a specified cybersecurity incident or ransomware incident; requiring the state chief information security officer, instead of the Cybersecurity Operations Center, to provide a certain report on a quarterly basis to the Legislature; revising the actions that state agency heads are required to perform relating to cybersecurity; reducing the timeframe that the state agency strategic cybersecurity plan must cover; requiring that a specified comprehensive risk assessment be done biennially; providing requirements for such assessment; revising the definition of the term “state agency”; providing that ASSET is the lead entity responsible for establishing enterprise technology and cybersecurity standards and processes and security measures that comply with specified standards; requiring ASSET to adopt specified rules; requiring that ASSET take specified actions; revising the responsibilities of the state chief information security officer; requiring that ASSET develop and publish a specified framework that includes certain guidelines and processes for use by state agencies; requiring that ASSET, in consultation with the state chief information technology procurement officer, establish specified procedures for procuring information technology commodities and services; requiring ASSET, thorough the state chief information security officer and the Division of Enterprise Information Technology Workforce Development, to provide a certain annual training to specified persons; conforming provisions to changes made by the act; amending s. 282.3185, F.S.; requiring the state chief information security officer to perform specified actions relating to cybersecurity training for state employees; requiring local governments to notify the state chief information security officer of compliance with specified provisions as soon as possible; requiring local governments to notify the state chief information security officer, instead of the Cybersecurity Operations Center, of cybersecurity or ransomware incidents; revising the timeframes in which such notifications must be made; requiring the state chief information security officer to notify the state chief information officer, the Governor, the Commissioner of Agriculture, the Chief Financial Officer, the Attorney General, and the Legislature of certain incidents within a specified timeframe; authorizing local governments to report certain cybersecurity incidents to the state chief information security officer instead of the Cybersecurity Operations Center; requiring the state chief information security officer to provide a certain consolidated incident report within a specified timeframe to the Governor, the Commissioner of Agriculture, the Chief Financial Officer, the Attorney General, and the Legislature; conforming provisions to changes made by the act; requiring the state chief information security officer to establish certain guidelines and processes by a specified date; conforming cross-references; repealing s. 282.319, F.S., relating to the Florida Cybersecurity Advisory Council; establishing positions within ASSET; establishing the Division of Enterprise Information Technology Services and the Division of Enterprise Information Technology Purchasing and associated bureaus; providing the responsibilities of the bureaus; establishing the chief information officer policy workgroup; providing the membership, purpose, chair, and duties of the workgroup; providing for the expiration of the workgroup upon completion of its duties; amending s. 282.201, F.S.; establishing the state data center within the Northwest Regional Data Center; requiring the Northwest Regional Data Center to meet or exceed specified information technology standards; revising requirements of the state data center; abrogating the scheduled repeal of the Division of Emergency Management’s exemption from using the state data center; deleting Department of Management Services’ responsibilities related to the state data center; deleting provisions relating to contracting with the Northwest Regional Data Center; creating s. 282.0211, F.S.; designating the Northwest Regional Data Center as a state data center for all state agencies; requiring the data center to engage in specified actions; prohibiting state agencies from terminating services with the data center without giving written notice within a specified timeframe, procuring third-party cloud-computing services without evaluating the data center’s cloud-computing services, and exceeding a specified timeframe to remit payments for data center services provided by the data center; specifying circumstances under which the data center’s designation may be terminated; providing that the data center has a specified timeframe to provide for the transition of state agency customers to a qualified alternative cloud-based data center that meets specified standards; amending s. 1004.649, F.S.; creating the Northwest Regional Data Center at Florida State University; conforming provisions to changes made by the act; amending s. 20.22, F.S.; deleting the Florida Digital Service from the list of divisions, programs, and services of the Department of Management Services; amending s. 282.802, F.S.; providing that the Government Technology Modernization Council is located within ASSET; providing that the state chief information officer, or his or her designee, is the ex officio executive director of the council; conforming provisions to changes made by the act; requiring the council annually to submit to the Commissioner of Agriculture, the Chief Financial Officer, and the Attorney General certain legislative recommendations; amending s. 282.604, F.S.; requiring ASSET, with input from stakeholders, to adopt rules; amending s. 287.0591, F.S.; requiring the state chief information officer, instead of the Florida Digital Service, to participate in certain solicitations; amending s. 288.012, F.S.; conforming a cross-reference; amending s. 443.1113, F.S.; requiring the Department of Commerce to seek input on recommended enhancements from ASSET instead of the Florida Digital Service; amending s. 943.0415, F.S.; authorizing the Cybercrime Office to consult with the state chief information security officer of ASSET instead of the Florida Digital Service; amending s. 1004.444, F.S.; authorizing the Florida Center for Cybersecurity to conduct, consult, or assist state agencies upon receiving a request for assistance from such agencies; providing effective dates.

No sponsors listed

Other Sponsors (1)

Died in Messages, companion bill(s) passed, see SB 2500 (Ch. 2025-198), SB 2502 (Ch. 2025-199) (on 06/16/2025)

Official Document