According to Senate Bill 1662, FLDS will be “established within the department to lead enterprise cybersecurity efforts, to safeguard enterprise digital data, to propose, test, develop and deploy innovative solutions that securely modernize state government, including technology and information services, to achieve value through digital transformation and interoperability, and to fully support the [state’s] cloud-first policy.”
The revised definition comes with updated responsibilities, including:
- Developing and publishing IT policy for the management of the state’s IT resources.
- Developing an enterprise architecture that acknowledges the unique needs of entities within the enterprise to facilitate digital interoperability.
- Addressing how IT infrastructure may be modernized to achieve cloud-first objectives.
- Establishing project management and oversight standards for state agencies to comply with when implementing IT projects. Examples include implementing performance measurements for IT projects and having methodologies in place for calculating variances in projected versus actual scope, schedule or cost of IT projects.
- Ensuring that independent project oversight on all agency IT projects that have total project costs of $25 million or more and that are funded by the General Appropriations Act or any other law is performed in compliance with applicable state and federal law.
- Establishing best practices for the procurement of IT products and cloud-computing services to reduce costs, increase the quality of data center services, or improve government services.
As for local government requirements, the bill states: “A local government shall report all ransomware incidents and any cybersecurity incident determined by the local government to be of severity level 3, 4, or 5 as provided in s. 282.318(3)(c) to the Cybersecurity Operations Center, the Cybercrime Office of the Department of Law Enforcement, and the sheriff who has jurisdiction over the local government as soon as possible but no later than 12 hours after discovery of the cybersecurity incident and no later than 6 hours after discovery of the ransomware incident.”
According to the bill, a Level 3 security incident is a high-level incident that is likely to impact an affected jurisdiction’s “public health or safety, national, state, or local security, economic security, civil liberties, or public confidence.” A Level 4 security incident differs from that only in that the outcome is deemed “severe” rather than “high level.”
Meanwhile, a Level 5 security incident is an emergency-level incident within a specific jurisdiction that threatens wide-scale critical infrastructure services; national, state or local government security; or residents.
More information about SB 1662 can be found online.