Bill > S0480

Introduced Session

An act relating to information technology; providing for a type two transfer of the duties and functions of the Florida Digital Service from the Department of Management Services to the Division of Integrated Government Innovation and Technology; creating s. 14.205, F.S.; creating the Division of Integrated Government Innovation and Technology (DIGIT) within the Executive Office of the Governor; providing that the division is a separate budget entity and must prepare and submit a budget in accordance with specified provisions; requiring the division to be responsible for all professional, technical, and administrative support to carry out its assigned duties; providing for a director of the division; providing that the director also serves as the state chief information officer; providing for the appointment of the director; prohibiting the state chief information officer from having certain conflicts of interest; providing the qualifications for the state chief information officer; providing that the deputy director also serves as the deputy chief information officer; providing that the director will select a state chief information security officer, state chief data officer, state chief technology officer, and state chief technology procurement officer; transferring the state chief information officer of the Department of Management Services to DIGIT until the Governor appoints a permanent officer; requiring that such appointment occur by a specified date; amending s. 20.055, F.S.; requiring agency inspectors general to review and report whether certain agency practices are consistent with specified reporting requirements and standards; requiring such inspectors general to prepare and submit a certain compliance report to certain persons by a specified date annually; requiring the chief inspector general to review certain reports and prepare a consolidated report; requiring that such report be submitted to the Executive Office of the Governor and the Legislature annually by a specified date; requiring certain agency heads to submit certain reports to the Executive Office of the Governor and the Legislature annually by a specified date; amending s. 97.0525, F.S.; requiring that the Division of Elections comprehensive risk assessment comply with the risk assessment methodology developed by DIGIT; amending s. 112.22, F.S.; defining the term “DIGIT”; deleting the term “department”; revising the definition of the term “prohibited application”; authorizing public employers to request a certain waiver from DIGIT; requiring DIGIT to take specified actions; deleting obsolete language; requiring DIGIT to adopt rules; amending s. 119.0725, F.S.; requiring that certain confidential and exempt information be made available to DIGIT; amending s. 216.023, F.S.; deleting a provision requiring state agencies and the judicial branch to include a cumulative inventory and a certain status report of specified projects as part of a budget request; deleting provisions relating to ongoing technology-related projects; conforming a cross-reference; amending s. 282.0041, F.S.; deleting and revising definitions; defining the terms “DIGIT” and “technical debt”; amending s. 282.00515, F.S.; authorizing the Department of Legal Affairs, the Department of Financial Services, and the Department of Agriculture and Consumer Services to adopt alternative standards that must be based on specified industry-recognized best practices and standards; requiring the departments to evaluate the adoption of such standards on a case-by-case basis; requiring the departments to follow specified standards under certain circumstances; requiring the departments to conduct a certain full baseline needs assessment; authorizing the departments to contract with DIGIT to assist or complete such assessment; requiring the departments to each produce certain phased roadmaps that must be submitted annually with specified budget requests; authorizing the departments to contract with DIGIT to assist or complete such roadmaps; authorizing the departments to contract with DIGIT for specified services; requiring the departments to use certain information technology reports and follow a specified reporting process; requiring the departments to submit a certain report annually by a specified date to the Governor and the Legislature; revising applicability; authorizing DIGIT to perform project oversight on information technology projects of the departments which have a specified project cost; requiring that such projects comply with certain standards; requiring DIGIT to report periodically to the Legislature high risk information technology projects; specifying report requirements; requiring state agencies to consult with DIGIT and work cooperatively with certain departments under specified circumstances; revising cross-references; creating s. 282.006, F.S.; requiring DIGIT to operate as the state enterprise organization for information technology governance and as the lead entity responsible for understanding needs and environments, creating standards and strategy, supporting state agency technology efforts, and reporting on the state of information technology in this state; providing legislative intent; requiring DIGIT to establish the strategic direction of information technology in the state; requiring DIGIT to develop and publish an information technology policy for a specified purpose; requiring that such policy be updated as necessary to meet certain requirements and reflect advancements in technology; requiring DIGIT, in coordination with certain subject matter experts, to develop, publish, and maintain specified enterprise architecture; requiring DIGIT to take specified actions related to oversight of the state’s technology enterprise; requiring DIGIT to develop open data standards and technologies for use by state agencies; requiring DIGIT to develop certain testing, best practices, and standards; specifying such best practices and standards; requiring DIGIT to produce specified reports and provide such reports to the Governor and the Legislature by specified dates and at specified intervals; specifying requirements for such reports; requiring DIGIT to conduct a market analysis at a certain interval beginning on a specified date; specifying requirements for the market analysis; requiring that each market analysis be used to prepare a strategic plan for specified purposes; requiring that the market analysis and strategic plan be submitted by a specified date; requiring DIGIT to develop, implement, and maintain a certain library; specifying requirements for the library; requiring DIGIT to establish procedures that ensure the integrity, security, and availability of the library; requiring DIGIT to regularly update documents and materials in the library to reflect current state and federal requirements, industry best practices, and emerging technologies; requiring DIGIT to create mechanisms for state agencies to submit feedback, request clarification, and recommend updates; requiring state agencies to actively participate and collaborate with DIGIT to achieve certain objectives and to reference and adhere to the policies, standards, and guidelines of the library in specified tasks; authorizing state agencies to request exemptions to specific policies, standards, or guidelines under specified circumstances; providing the mechanism for a state agency to request such exemptions; requiring DIGIT to review the request and make a recommendation to the state chief information officer; requiring the state chief information officer to present the exemption to the chief information officer workgroup; requiring that approval of the exemption be by majority vote; requiring that state agencies granted an exemption be reviewed periodically to determine whether such exemption is necessary or whether compliance can be achieved; authorizing DIGIT to adopt rules; creating s. 282.0061, F.S.; providing legislative intent; requiring DIGIT to complete a certain full baseline needs assessment of state agencies, develop a specified plan to conduct such assessments, and submit such plan to the Governor and the Legislature within a specified timeframe; requiring DIGIT to support state agency strategic planning efforts and assist agencies with production of a certain phased roadmap; specifying requirements for such roadmaps; requiring DIGIT to make recommendations for standardizing data across state agencies for a specified purpose, identify any opportunities for standardization and consolidation of information technology services across state agencies, support specified functions, review all state agency legislative budget requests for compliance, and provide a certain review to the Office of Policy and Budget in the Executive Office of the Governor; requiring DIGIT to develop standards for use by state agencies which support specified best practices for data management at the state agency level; requiring DIGIT to provide a certain report to the Governor and the Legislature by a specified date; specifying requirements for the report; providing the duties and responsibilities of DIGIT related to state agency technology projects; requiring DIGIT, in consultation with state agencies, to create a methodology, approach, and applicable templates and formats for identifying and collecting information technology expenditure data at the state agency level; requiring DIGIT to continuously obtain, review, and maintain records of the appropriations, expenditures, and revenues for information technology for each state agency; requiring DIGIT to prescribe the format for state agencies to provide financial information to DIGIT for inclusion in a certain annual report; requiring state agencies to submit such information by a specified date annually; requiring DIGIT to work with state agencies to provide alternative standards, policies, or requirements under specified circumstances; creating s. 282.0062, F.S.; establishing workgroups within DIGIT to facilitate coordination with state agencies; providing for the membership and duties of such workgroups; requiring the appropriate staff of the Department of Legal Affairs, the Department of Financial Services, and the Department of Agriculture and Consumer Services to participate in specified workgroups; authorizing such staff to participate in specified workgroups and any other workgroups as authorized by their respective elected official; creating s. 282.0063, F.S.; requiring DIGIT to perform specified actions to develop and manage career paths, progressions, and training programs for the benefit of state agency personnel; requiring DIGIT to consult with specified entities to implement specified provisions; creating s. 282.0064, F.S.; requiring DIGIT, in coordination with the Department of Management Services, to establish a policy for all information technology related solicitations, contracts, and procurements; specifying requirements for the policy related to state term contracts, all contracts, and information technology projects that require oversight; prohibiting entities providing independent verification and validation from having certain interests, responsibilities, or other participation in the project; providing the primary objective of independent verification and validation; requiring the entity performing such verification and validation to provide specified regular reports and assessments; requiring the Division of State Purchasing within the Department of Management Services to coordinate with DIGIT on state term contract solicitations and invitations to negotiate; specifying the scope of the coordination; requiring DIGIT to evaluate vendor responses and assist with answers to vendor questions on such solicitations and invitations; authorizing the Department of Legal Affairs, the Department of Financial Services, and the Department of Agriculture and Consumer Services to adopt alternative information technology policy; providing requirements for adopting such alternative policy; amending s. 282.318, F.S.; providing that DIGIT is the lead entity responsible for establishing enterprise technology and cybersecurity standards and processes and security measures that comply with specified standards; requiring DIGIT to adopt specified rules; requiring DIGIT to take specified actions; revising the responsibilities of the state chief information security officer; revising the guidelines and processes for state agency cybersecurity governance frameworks; requiring state agencies to report all ransomware incidents to the state chief information security officer instead of the Cybersecurity Operations Center; requiring state agencies to also notify the Northwest Regional Data Center of such incidents under specified conditions; requiring the state chief information security officer, instead of the Cybersecurity Operations Center, to notify the Legislature of certain incidents; requiring state agencies to notify the state chief information security officer within specified timeframes after the discovery of a specified cybersecurity incident or ransomware incident; requiring state agencies to also notify the Northwest Regional Data Center of such incidents under specified conditions; requiring the state chief information security officer, instead of the Cybersecurity Operations Center, to provide a certain report on a quarterly basis to the Legislature; revising the actions that state agency heads are required to perform relating to cybersecurity; revising the timeframe that the state agency strategic cybersecurity plan must cover; requiring that a specified comprehensive risk assessment be completed biennially; authorizing such assessment to be completed by an independent third party; requiring the third party to attest to the validity of the findings; specifying requirements for the comprehensive risk assessment; providing that confidential and exempt records be made available to the state chief information security officer and Legislature; conforming provisions to changes made by the act; amending s. 282.3185, F.S.; requiring the state chief information security officer to perform specified actions relating to cybersecurity training for state employees; deleting obsolete language; requiring local governments to notify the state chief information security officer of compliance with specified provisions as soon as possible; requiring local governments to notify the state chief information security officer, instead of the Cybersecurity Operations Center, of cybersecurity or ransomware incidents; revising the timeframes in which such notifications must be made; requiring the state chief information security officer to notify the Governor and the Legislature of certain incidents within a specified timeframe; authorizing local governments to report certain cybersecurity incidents to the state chief information security officer instead of the Cybersecurity Operations Center; requiring the state chief information security officer to provide a certain consolidated incident report within a specified timeframe to the Legislature; requiring the state chief information security officer to establish certain guidelines and processes by a specified date; conforming provisions to changes made by the act; repealing s. 282.319, F.S., relating to the Florida Cybersecurity Advisory Council; amending s. 282.201, F.S.; establishing the state data center within the Northwest Regional Data Center; requiring the Northwest Regional Data Center to meet or exceed specified information technology standards; revising requirements of the state data center; abrogating the scheduled repeal of the Division of Emergency Management’s exemption from using the state data center; deleting the Department of Management Services’ responsibilities related to the state data center; deleting provisions relating to contracting with the Northwest Regional Data Center; creating s. 282.2011, F.S.; designating the Northwest Regional Data Center as the state data center for all state agencies; requiring the data center to engage in specified actions; requiring the Department of Law Enforcement to serve as the arbiter of certain disputes in accordance with the federal criminal justice information guidelines; prohibiting state agencies from terminating services with the data center without giving written notice within a specified timeframe, procuring third-party cloud computing services without evaluating the data center’s cloud-computing services, and exceeding a specified timeframe to remit payments for services provided by the data center; specifying circumstances under which the data center’s authorization to provide services may be terminated; providing that the data center has a specified timeframe to provide for the transition of state agency customers to a qualified alternative cloud-based data center that meets specified standards; providing that the data center is the lead entity responsible for creating, operating, and managing the Florida Behavioral Health Care Data Repository; providing the purpose of the repository; requiring the data center, in collaboration with the Data Analysis Committee of the Commission on Mental Health and Substance Use Disorder, to develop a specified plan; requiring, beginning on a specified date, the data center to submit a certain report annually to the Governor and the Legislature; providing for a transition to an alternative cloud based data center under specified circumstances; revising the information the plan identifies and documents; amending s. 282.206, F.S.; requiring state agencies to submit a certain strategic plan to DIGIT and the Northwest Regional Data Center annually by a specified date; amending s. 1004.649, F.S.; creating the Northwest Regional Data Center at Florida State University; conforming provisions to changes made by the act; creating s. 287.0583, F.S.; requiring that contracts for information technology commodities and services ensure extraction of data, certain documentation, assistance and support, and anticipated fees; amending s. 287.0591, F.S.; requiring the Department of Management Services to coordinate with DIGIT in specified solicitations; specifying the scope of the coordination; requiring agencies to maintain copies of certain documents when issuing a request for quote for state term contracts within specified threshold amounts; providing that agencies that issue requests for quotes in excess of certain thresholds are subject to specified public records requirements; requiring such agencies to publish specified information; requiring such agencies to maintain copies of certain documentation for a specified timeframe; providing that use of a request for quote is not subject to certain protest provisions; authorizing agencies to request certain services from DIGIT; requiring the department to prequalify firms and individuals who provide information technology commodities; authorizing such firms and individuals to submit responses to requests for quotes; amending s. 20.22, F.S.; conforming provisions to changes made by the act; amending s. 282.802, F.S.; providing that the Government Technology Modernization Council is located within DIGIT; providing that the state chief information officer, rather than the Secretary of Management Services, is the ex officio head of the council; conforming a cross-reference; amending s. 282.604, F.S.; conforming provisions to changes made by the act; amending s. 443.1113, F.S.; conforming provisions to changes made by the act; amending s. 943.0415, F.S.; requiring the state chief information security officer, rather than the Florida Digital Service, to consult with the Department of Law Enforcement’s Cybercrime Office in the adoption of certain rules; amending s. 1004.444, F.S.; revising the list of who may request certain assistance from the Florida Center for Cybersecurity; providing an effective date.

AI Summary

Committee Categories

Gayle Harrell (R)*, 

Other Sponsors (2)

CS/CS by Appropriations read 1st time (on 02/18/2026)

Official Document