Lawmakers Discuss State’s IT Governance and Organizational Structure

Earlier this week, the Florida House of Representatives IT Budget and Policy Subcommittee met to review House Bill 1183 and discuss the state’s approach to IT governance.

Regarding the latter, the subcommittee focused on the following points:

• Divided authority within the state’s IT structure 
• Unclear leadership 
• Fragmented decision-making 
• Independent agency strategies 
• A lack of centralized accountability 

“Who is truly in charge of overseeing state technology in Florida?“ asked Rep. John Snyder, R-86. “President Eisenhower was famous for the saying on his desk 'the buck stops here,' and that is one of the questions that we have often been unable to answer when we look at the enterprise: Where does the buck stop when it comes to our state IT policy?”

As a result, Snyder said, accountability has become fragmented, and decision-making has devolved into shifting responsibility, resulting in the absence of a unified enterprisewide strategy exacerbated by state agencies following their own IT strategies.

Because of this, issues such as “lengthy and involved procurement procedures, which slow the selection and onboarding of vendors, delays in project timelines, misaligned expectations and increased costs as agencies struggle to adapt to shifting needs” and workforce challenges have become more prevalent, Snyder added.

Other lawmakers echoed similar concerns.

“We run everything independently, as if there are individual companies and with their own individual budget, and there’s no senior leadership controlling a downstream effect,” said Rep. Kevin Steele, R-55. “From an organization perspective, we have 35 agencies, all with their own C suite, which is in statute. We’d have to change the law to fix the problem, but the only way we’re going to ever have anything successful is having a senior leadership team that has the authority to make decisions for every agency down below it.”

“I think one of my biggest takeaways is the way that government is funded is diametrically opposed to successful IT projects — that as much as can be left into the free market in capitalism to go build those things to specs and maintain them on an ongoing basis, and a more fixed cost method, the more successful we’re going to be as a state, and the more direct oversight of experts to do that, the better off we’re going to be as well,” said Rep. Monique Miller, R-33.

Rep. Mike Giallombardo, R-79, bemoaned the siloing of state agencies.

“There’s no real oversight or accountability. The efficiency is gone,“ he said. “So I think that it’s going to be a matter of time before the state’s going to have to make a decision to put our big boy pants on and take the next step and really make sure that for state IT, there is somebody where the buck stops with that we can go to, and they’re going to be accountable.”

Lawmakers briefly discussed the Florida Agency for Persons with Disabilities' iConnect System.

“I will continue to say while a number of the presentations were very heavy, the day when we heard from the Agency for Persons with Disabilities was the most heartbreaking to know that people that already have barriers, and we as [the] state of Florida are creating yet another barrier in terms of access. It was concerning,” Rep. LaVon Bracy Davis, D-40, said.

Snyder agreed, but said “there’s a lot of good people doing the best that they can on that,“ and that the project will take multiple years.

“My goal is that before we gavel out of session, we’ll have some type of immediate reprieve for the users of that system, either to find workarounds or other means to where they are not trapped in that frustrating process of dual entry,” he added.

Other general solutions from lawmakers regarding the state’s IT governance process included the following:

• Implement a centralized CIO that reports to the state’s leadership 
• Adopt enterprise-wide technology management 
• Implement a unified approval process for technology procurement 
• Establish clear accountability lines 
• Create and implement a streamlined leadership structure 

Giallombardo presented House Bill 1183 to the committee, saying it would provide cybersecurity incident liability by protecting local governments and private entities from lawsuits related to cybersecurity incidents.

A few ways the bill seeks to achieve this are by enforcing certain compliance requirements, including implementing multifactor authentication, having disaster recovery plans and establishing comprehensive cybersecurity policies and procedures.

The lawmakers raised several questions regarding the bill, including:

• How is this bill different from last year’s vetoed version? 
• What recourse do consumers have if their sensitive data is breached? 
• Are they providing liability protection simply for complying with the law? 
• How will substantial compliance be determined? 
• Is this self-attestation, or will there be external verification? 

Giallombardo addressed these concerns by explaining how HB 1183 seeks to consolidate common cybersecurity standards, clarify how consumers can file suits so long as they prove negligence and that courts could potentially be tasked with determining substantial compliance after reviewing subsequent documentation.

After listening to all questions and responses, 14 lawmakers voted yes to advance the bill, while two voted no, moving the bill forward to the Civil Justice and Claims Subcommittee.

A full recording of this week’s IT Budget and Policy Subcommittee meeting can be found online.