Bill Text: FL S1670 | 2022 | Regular Session | Comm Sub


Bill Title: Cybersecurity

Spectrum: Slight Partisan Bill (? 2-1)

Status: (Introduced - Dead) 2022-03-09 - Laid on Table, refer to CS/HB 7055 [S1670 Detail]

Download: Florida-2022-S1670-Comm_Sub.html
       Florida Senate - 2022                      CS for CS for SB 1670
       
       
        
       By the Committees on Appropriations; and Military and Veterans
       Affairs, Space, and Domestic Security; and Senator Hutson
       
       
       
       
       576-03523-22                                          20221670c2
    1                        A bill to be entitled                      
    2         An act relating to cybersecurity; amending s.
    3         282.0041, F.S.; revising a definition and defining the
    4         term “ransomware incident”; amending s. 282.318, F.S.;
    5         requiring the Department of Management Services,
    6         acting through the Florida Digital Service, to develop
    7         and publish guidelines and processes for reporting
    8         cybersecurity incidents; requiring state agencies to
    9         report ransomware incidents and certain cybersecurity
   10         incidents to certain entities within specified
   11         timeframes; requiring the Cybersecurity Operations
   12         Center to provide certain notifications to the
   13         Legislature within a specified timeframe; requiring
   14         the Cybersecurity Operations Center to quarterly
   15         provide certain reports to the Legislature and the
   16         Florida Cybersecurity Advisory Council; requiring the
   17         department, acting through the Florida Digital
   18         Service, to develop and publish guidelines and
   19         processes by a specified date for submitting after
   20         action reports and annually provide cybersecurity
   21         training to certain persons; requiring state agency
   22         heads to annually provide cybersecurity awareness
   23         training to certain persons; requiring state agencies
   24         to report cybersecurity incidents and ransomware
   25         incidents in compliance with certain procedures and
   26         timeframes; requiring state agency heads to submit
   27         certain after-action reports to the Florida Digital
   28         Service within a specified timeframe; creating s.
   29         282.3185, F.S.; providing a short title; defining the
   30         term “local government”; requiring the Florida Digital
   31         Service to develop certain cybersecurity training
   32         curricula; requiring certain persons to complete
   33         certain cybersecurity training within a specified
   34         timeframe and annually thereafter; authorizing the
   35         Florida Digital Service to provide a certain training
   36         in collaboration with certain entities; requiring
   37         certain local governments to adopt certain
   38         cybersecurity standards by specified dates; requiring
   39         local governments to provide a certain notification to
   40         the Florida Digital Service and certain entities;
   41         providing notification requirements; requiring local
   42         governments to report ransomware incidents and certain
   43         cybersecurity incidents to certain entities within
   44         specified timeframes; requiring the Cybersecurity
   45         Operations Center to provide a certain notification to
   46         the Legislature within a specified timeframe;
   47         authorizing local governments to report certain
   48         cybersecurity incidents to certain entities; requiring
   49         the Cybersecurity Operations Center to quarterly
   50         provide certain reports to the Legislature and the
   51         Florida Cybersecurity Advisory Council; requiring
   52         local governments to submit after-action reports
   53         containing certain information to the Florida Digital
   54         Service within a specified timeframe; requiring the
   55         Florida Digital Service to establish certain
   56         guidelines and processes by a specified date; creating
   57         s. 282.3186, F.S.; prohibiting certain entities from
   58         paying or otherwise complying with a ransom demand;
   59         amending s. 282.319, F.S.; revising the purpose of the
   60         Florida Cybersecurity Advisory Council to include
   61         advising counties and municipalities on cybersecurity;
   62         requiring the council to meet at least quarterly to
   63         review certain information and develop and make
   64         certain recommendations; requiring the council to
   65         annually submit to the Governor and the Legislature a
   66         certain ransomware incident report beginning on a
   67         specified date; providing requirements for the report;
   68         defining the term “state agency”; creating s. 815.062,
   69         F.S.; defining the term “governmental entity”;
   70         prohibiting certain persons from introducing computer
   71         contaminants in order to procure a ransom; prohibiting
   72         certain employees or contractors from aiding or
   73         abetting another to introduce computer contaminants in
   74         order to procure a ransom; providing criminal
   75         penalties; requiring a person convicted of certain
   76         offenses to pay a certain fine; requiring deposit of
   77         certain moneys in the General Revenue Fund; providing
   78         a legislative finding and declaration of an important
   79         state interest; providing an effective date.
   80          
   81  Be It Enacted by the Legislature of the State of Florida:
   82  
   83         Section 1. Present subsections (28) through (37) of section
   84  282.0041, Florida Statutes, are redesignated as subsections (29)
   85  through (38), respectively, a new subsection (28) is added to
   86  that section, and subsection (19) of that section is amended, to
   87  read:
   88         282.0041 Definitions.—As used in this chapter, the term:
   89         (19) “Incident” means a violation or imminent threat of
   90  violation, whether such violation is accidental or deliberate,
   91  of information technology resources, security, policies, or
   92  practices. An imminent threat of violation refers to a situation
   93  in which a the state agency, county, or municipality has a
   94  factual basis for believing that a specific incident is about to
   95  occur.
   96         (28)“Ransomware incident” means a malicious cybersecurity
   97  incident in which a person or entity introduces software that
   98  gains unauthorized access to or encrypts, modifies, or otherwise
   99  renders unavailable a state agency’s, county’s, or
  100  municipality’s data and thereafter the person or entity demands
  101  a ransom to prevent the publication of the data, restore access
  102  to the data, or otherwise remediate the impact of the software.
  103         Section 2. Paragraphs (c) and (g) of subsection (3) and
  104  paragraphs (i) and (j) of subsection (4) of section 282.318,
  105  Florida Statutes, are amended, and paragraph (k) is added to
  106  subsection (4) of that section, to read:
  107         282.318 Cybersecurity.—
  108         (3) The department, acting through the Florida Digital
  109  Service, is the lead entity responsible for establishing
  110  standards and processes for assessing state agency cybersecurity
  111  risks and determining appropriate security measures. Such
  112  standards and processes must be consistent with generally
  113  accepted technology best practices, including the National
  114  Institute for Standards and Technology Cybersecurity Framework,
  115  for cybersecurity. The department, acting through the Florida
  116  Digital Service, shall adopt rules that mitigate risks;
  117  safeguard state agency digital assets, data, information, and
  118  information technology resources to ensure availability,
  119  confidentiality, and integrity; and support a security
  120  governance framework. The department, acting through the Florida
  121  Digital Service, shall also:
  122         (c) Develop and publish for use by state agencies a
  123  cybersecurity governance framework that, at a minimum, includes
  124  guidelines and processes for:
  125         1. Establishing asset management procedures to ensure that
  126  an agency’s information technology resources are identified and
  127  managed consistent with their relative importance to the
  128  agency’s business objectives.
  129         2. Using a standard risk assessment methodology that
  130  includes the identification of an agency’s priorities,
  131  constraints, risk tolerances, and assumptions necessary to
  132  support operational risk decisions.
  133         3. Completing comprehensive risk assessments and
  134  cybersecurity audits, which may be completed by a private sector
  135  vendor, and submitting completed assessments and audits to the
  136  department.
  137         4. Identifying protection procedures to manage the
  138  protection of an agency’s information, data, and information
  139  technology resources.
  140         5. Establishing procedures for accessing information and
  141  data to ensure the confidentiality, integrity, and availability
  142  of such information and data.
  143         6. Detecting threats through proactive monitoring of
  144  events, continuous security monitoring, and defined detection
  145  processes.
  146         7. Establishing agency cybersecurity incident response
  147  teams and describing their responsibilities for responding to
  148  cybersecurity incidents, including breaches of personal
  149  information containing confidential or exempt data.
  150         8. Recovering information and data in response to a
  151  cybersecurity incident. The recovery may include recommended
  152  improvements to the agency processes, policies, or guidelines.
  153         9. Establishing a cybersecurity incident reporting process
  154  that includes procedures and tiered reporting timeframes for
  155  notifying the department and the Department of Law Enforcement
  156  of cybersecurity incidents. The tiered reporting timeframes
  157  shall be based upon the level of severity of the cybersecurity
  158  incidents being reported.
  159         a.The level of severity of the cybersecurity incident is
  160  defined by the National Cyber Incident Response Plan of the
  161  United States Department of Homeland Security as follows:
  162         (I)Level 5 is an emergency-level incident within the
  163  specified jurisdiction that poses an imminent threat to the
  164  provision of wide-scale critical infrastructure services;
  165  national, state, or local government security; or the lives of
  166  the country’s, state’s, or local government’s residents.
  167         (II)Level 4 is a severe-level incident that is likely to
  168  result in a significant impact in the affected jurisdiction to
  169  public health or safety; national, state, or local security;
  170  economic security; or civil liberties.
  171         (III)Level 3 is a high-level incident that is likely to
  172  result in a demonstrable impact in the affected jurisdiction to
  173  public health or safety; national, state, or local security;
  174  economic security; civil liberties; or public confidence.
  175         (IV)Level 2 is a medium-level incident that may impact
  176  public health or safety; national, state, or local security;
  177  economic security; civil liberties; or public confidence.
  178         (V)Level 1 is a low-level incident that is unlikely to
  179  impact public health or safety; national, state, or local
  180  security; economic security; civil liberties; or public
  181  confidence.
  182         b.The cybersecurity incident reporting process must
  183  specify the information that must be reported by a state agency
  184  following a cybersecurity incident or ransomware incident,
  185  which, at a minimum, must include the following:
  186         (I)A summary of the facts surrounding the cybersecurity
  187  incident or ransomware incident.
  188         (II)The date on which the state agency most recently
  189  backed up its data, the physical location of the backup, if the
  190  backup was affected, and if the backup was created using cloud
  191  computing.
  192         (III)The types of data compromised by the cybersecurity
  193  incident or ransomware incident.
  194         (IV)The estimated fiscal impact of the cybersecurity
  195  incident or ransomware incident.
  196         (V)In the case of a ransomware incident, the details of
  197  the ransom demanded.
  198         c.(I)A state agency shall report all ransomware incidents
  199  and any cybersecurity incident determined by the state agency to
  200  be of severity level 3, 4, or 5 to the Cybersecurity Operations
  201  Center and the Cybercrime Office of the Department of Law
  202  Enforcement as soon as possible but no later than 48 hours after
  203  discovery of the cybersecurity incident and no later than 12
  204  hours after discovery of the ransomware incident. The report
  205  must contain the information required in sub-subparagraph b.
  206         (II)The Cybersecurity Operations Center shall notify the
  207  President of the Senate and the Speaker of the House of
  208  Representatives of any severity level 3, 4, or 5 incident as
  209  soon as possible but no later than 12 hours after receiving a
  210  state agency’s incident report. The notification must include a
  211  high-level description of the incident and the likely effects.
  212         d.A state agency shall report a cybersecurity incident
  213  determined by the state agency to be of severity level 1 or 2 to
  214  the Cybersecurity Operations Center and the Cybercrime Office of
  215  the Department of Law Enforcement as soon as possible. The
  216  report must contain the information required in sub-subparagraph
  217  b.
  218         e.The Cybersecurity Operations Center shall provide a
  219  consolidated incident report on a quarterly basis to the
  220  President of the Senate, the Speaker of the House of
  221  Representatives, and the Florida Cybersecurity Advisory Council.
  222  The report provided to the Florida Cybersecurity Advisory
  223  Council may not contain the name of any agency, network
  224  information, or system identifying information but must contain
  225  sufficient relevant information to allow the Florida
  226  Cybersecurity Advisory Council to fulfill its responsibilities
  227  as required in s. 282.319(9).
  228         10. Incorporating information obtained through detection
  229  and response activities into the agency’s cybersecurity incident
  230  response plans.
  231         11. Developing agency strategic and operational
  232  cybersecurity plans required pursuant to this section.
  233         12. Establishing the managerial, operational, and technical
  234  safeguards for protecting state government data and information
  235  technology resources that align with the state agency risk
  236  management strategy and that protect the confidentiality,
  237  integrity, and availability of information and data.
  238         13. Establishing procedures for procuring information
  239  technology commodities and services that require the commodity
  240  or service to meet the National Institute of Standards and
  241  Technology Cybersecurity Framework.
  242         14.Submitting after-action reports following a
  243  cybersecurity incident or ransomware incident. Such guidelines
  244  and processes for submitting after-action reports must be
  245  developed and published by December 1, 2022.
  246         (g) Annually provide cybersecurity training to all state
  247  agency technology professionals and employees with access to
  248  highly sensitive information which that develops, assesses, and
  249  documents competencies by role and skill level. The
  250  cybersecurity training curriculum must include training on the
  251  identification of each cybersecurity incident severity level
  252  referenced in sub-subparagraph (c)9.a. The training may be
  253  provided in collaboration with the Cybercrime Office of the
  254  Department of Law Enforcement, a private sector entity, or an
  255  institution of the State University System.
  256         (4) Each state agency head shall, at a minimum:
  257         (i) Provide cybersecurity awareness training to all state
  258  agency employees within in the first 30 days after commencing
  259  employment, and annually thereafter, concerning cybersecurity
  260  risks and the responsibility of employees to comply with
  261  policies, standards, guidelines, and operating procedures
  262  adopted by the state agency to reduce those risks. The training
  263  may be provided in collaboration with the Cybercrime Office of
  264  the Department of Law Enforcement, a private sector entity, or
  265  an institution of the State University System.
  266         (j) Develop a process for detecting, reporting, and
  267  responding to threats, breaches, or cybersecurity incidents
  268  which is consistent with the security rules, guidelines, and
  269  processes established by the department through the Florida
  270  Digital Service.
  271         1. All cybersecurity incidents and ransomware incidents
  272  breaches must be reported by state agencies. Such reports to the
  273  Florida Digital Service within the department and the Cybercrime
  274  Office of the Department of Law Enforcement and must comply with
  275  the notification procedures and reporting timeframes established
  276  pursuant to paragraph (3)(c).
  277         2. For cybersecurity breaches, state agencies shall provide
  278  notice in accordance with s. 501.171.
  279         (k)Submit to the Florida Digital Service, within 1 week
  280  after the remediation of a cybersecurity incident or ransomware
  281  incident, an after-action report that summarizes the incident,
  282  the incident’s resolution, and any insights gained as a result
  283  of the incident.
  284         Section 3. Section 282.3185, Florida Statutes, is created
  285  to read:
  286         282.3185Local government cybersecurity.—
  287         (1)SHORT TITLE.—This section may be cited as the “Local
  288  Government Cybersecurity Act.”
  289         (2)DEFINITION.—As used in this section, the term “local
  290  government” means any county or municipality.
  291         (3)CYBERSECURITY TRAINING.—
  292         (a)The Florida Digital Service shall:
  293         1.Develop a basic cybersecurity training curriculum for
  294  local government employees. All local government employees with
  295  access to the local government’s network must complete the basic
  296  cybersecurity training within 30 days after commencing
  297  employment and annually thereafter.
  298         2.Develop an advanced cybersecurity training curriculum
  299  for local governments which is consistent with the cybersecurity
  300  training required under s. 282.318(3)(g). All local government
  301  technology professionals and employees with access to highly
  302  sensitive information must complete the advanced cybersecurity
  303  training within 30 days after commencing employment and annually
  304  thereafter.
  305         (b)The Florida Digital Service may provide the
  306  cybersecurity training required by this subsection in
  307  collaboration with the Cybercrime Office of the Department of
  308  Law Enforcement, a private sector entity, or an institution of
  309  the State University System.
  310         (4)CYBERSECURITY STANDARDS.—
  311         (a)Each local government shall adopt cybersecurity
  312  standards that safeguard its data, information technology, and
  313  information technology resources to ensure availability,
  314  confidentiality, and integrity. The cybersecurity standards must
  315  be consistent with generally accepted best practices for
  316  cybersecurity, including the National Institute of Standards and
  317  Technology Cybersecurity Framework.
  318         (b)Each county with a population of 75,000 or more must
  319  adopt the cybersecurity standards required by this subsection by
  320  January 1, 2024. Each county with a population of less than
  321  75,000 must adopt the cybersecurity standards required by this
  322  subsection by January 1, 2025.
  323         (c)Each municipality with a population of 25,000 or more
  324  must adopt the cybersecurity standards required by this
  325  subsection by January 1, 2024. Each municipality with a
  326  population of less than 25,000 must adopt the cybersecurity
  327  standards required by this subsection by January 1, 2025.
  328         (d)Each local government shall notify the Florida Digital
  329  Service of its compliance with this subsection as soon as
  330  possible.
  331         (5)INCIDENT NOTIFICATION.—
  332         (a)A local government shall provide notification of a
  333  cybersecurity incident or ransomware incident to the
  334  Cybersecurity Operations Center, Cybercrime Office of the
  335  Department of Law Enforcement, and sheriff who has jurisdiction
  336  over the local government in accordance with paragraph (b). The
  337  notification must include, at a minimum, the following
  338  information:
  339         1.A summary of the facts surrounding the cybersecurity
  340  incident or ransomware incident.
  341         2.The date on which the local government most recently
  342  backed up its data, the physical location of the backup, if the
  343  backup was affected, and if the backup was created using cloud
  344  computing.
  345         3.The types of data compromised by the cybersecurity
  346  incident or ransomware incident.
  347         4.The estimated fiscal impact of the cybersecurity
  348  incident or ransomware incident.
  349         5.In the case of a ransomware incident, the details of the
  350  ransom demanded.
  351         6.A statement requesting or declining assistance from the
  352  Cybersecurity Operations Center, the Cybercrime Office of the
  353  Department of Law Enforcement, or the sheriff who has
  354  jurisdiction over the local government.
  355         (b)1.A local government shall report all ransomware
  356  incidents and any cybersecurity incident determined by the local
  357  government to be of severity level 3, 4, or 5 as provided in s.
  358  282.318(3)(c) to the Cybersecurity Operations Center, the
  359  Cybercrime Office of the Department of Law Enforcement, and the
  360  sheriff who has jurisdiction over the local government as soon
  361  as possible but no later than 48 hours after discovery of the
  362  cybersecurity incident and no later than 12 hours after
  363  discovery of the ransomware incident. The report must contain
  364  the information required in paragraph (a).
  365         2.The Cybersecurity Operations Center shall notify the
  366  President of the Senate and the Speaker of the House of
  367  Representatives of any severity level 3, 4, or 5 incident as
  368  soon as possible but no later than 12 hours after receiving a
  369  local government’s incident report. The notification must
  370  include a high-level description of the incident and the likely
  371  effects.
  372         (c)A local government may report a cybersecurity incident
  373  determined by the local government to be of severity level 1 or
  374  2 as provided in s. 282.318(3)(c) to the Cybersecurity
  375  Operations Center, the Cybercrime Office of the Department of
  376  Law Enforcement, and the sheriff who has jurisdiction over the
  377  local government. The report shall contain the information
  378  required in paragraph (a).
  379         (d)The Cybersecurity Operations Center shall provide a
  380  consolidated incident report on a quarterly basis to the
  381  President of the Senate, the Speaker of the House of
  382  Representatives, and the Florida Cybersecurity Advisory Council.
  383  The report provided to the Florida Cybersecurity Advisory
  384  Council may not contain the name of any local government,
  385  network information, or system identifying information but must
  386  contain sufficient relevant information to allow the Florida
  387  Cybersecurity Advisory Council to fulfill its responsibilities
  388  as required in s. 282.319(9).
  389         (6)AFTER-ACTION REPORT.—A local government must submit to
  390  the Florida Digital Service, within 1 week after the remediation
  391  of a cybersecurity incident or ransomware incident, an after
  392  action report that summarizes the incident, the incident’s
  393  resolution, and any insights gained as a result of the incident.
  394  By December 1, 2022, the Florida Digital Service shall establish
  395  guidelines and processes for submitting an after-action report.
  396         Section 4. Section 282.3186, Florida Statutes, is created
  397  to read:
  398         282.3186Ransomware incident compliance.—A state agency as
  399  defined in s. 282.318(2), a county, or a municipality
  400  experiencing a ransomware incident may not pay or otherwise
  401  comply with a ransom demand.
  402         Section 5. Subsection (2) of section 282.319, Florida
  403  Statutes, is amended, paragraphs (g) and (h) are added to
  404  subsection (9) of that section, and subsections (12) and (13)
  405  are added to that section, to read:
  406         282.319 Florida Cybersecurity Advisory Council.—
  407         (2) The purpose of the council is to:
  408         (a) Assist state agencies in protecting their information
  409  technology resources from cybersecurity cyber threats and
  410  incidents.
  411         (b)Advise counties and municipalities on cybersecurity,
  412  including cybersecurity threats, trends, and best practices.
  413         (9) The council shall meet at least quarterly to:
  414         (g)Review information relating to cybersecurity incidents
  415  and ransomware incidents to determine commonalities and develop
  416  best practice recommendations for state agencies, counties, and
  417  municipalities.
  418         (h)Recommend any additional information that a county or
  419  municipality should report to the Florida Digital Service as
  420  part of its cybersecurity incident or ransomware incident
  421  notification pursuant to s. 282.3185.
  422         (12)Beginning December 1, 2022, and each December 1
  423  thereafter, the council shall submit to the Governor, the
  424  President of the Senate, and the Speaker of the House of
  425  Representatives a comprehensive report that includes data,
  426  trends, analysis, findings, and recommendations for state and
  427  local action regarding ransomware incidents. At a minimum, the
  428  report must include:
  429         (a)Descriptive statistics including the amount of ransom
  430  requested, duration of the ransomware incident, and overall
  431  monetary cost to taxpayers of the ransomware incident.
  432         (b)A detailed statistical analysis of the circumstances
  433  that led to the ransomware incident which does not include the
  434  name of the state agency, county, or municipality; network
  435  information; or system identifying information.
  436         (c)A detailed statistical analysis of the level of
  437  cybersecurity employee training and frequency of data backup for
  438  the state agency, county, or municipality that reported the
  439  ransomware incident.
  440         (d)Specific issues identified with current policies,
  441  procedures, rules, or statutes and recommendations to address
  442  such issues.
  443         (e)Any other recommendations to prevent ransomware
  444  incidents.
  445         (13)For purposes of this section, the term “state agency”
  446  has the same meaning as provided in s. 282.318(2).
  447         Section 6. Section 815.062, Florida Statutes, is created to
  448  read:
  449         815.062Offenses against governmental entities.—
  450         (1)As used in this section, the term “governmental entity”
  451  means any official, officer, commission, board, authority,
  452  council, committee, or department of the executive, judicial, or
  453  legislative branch of state government; any state university; or
  454  any county or municipality, special district, water management
  455  district, or other political subdivision of the state.
  456         (2)A person who willfully, knowingly, and without
  457  authorization introduces a computer contaminant that gains
  458  unauthorized access to, encrypts, modifies, or otherwise renders
  459  unavailable data, programs, or supporting documentation residing
  460  or existing within a computer, computer system, computer
  461  network, or electronic device owned or operated by a
  462  governmental entity and demands a ransom to prevent the
  463  publication of or restore access to the data, programs, or
  464  supporting documentation or to otherwise remediate the impact of
  465  the computer contaminant commits a felony of the first degree,
  466  punishable as provided in s. 775.082, s. 775.083, or s. 775.084.
  467         (3)An employee or contractor of a governmental entity with
  468  access to the governmental entity’s network who willfully and
  469  knowingly aids or abets another in the commission of a violation
  470  of subsection (2) commits a felony of the first degree,
  471  punishable as provided in s. 775.082, s. 775.083, or s. 775.084.
  472         (4)In addition to any other penalty imposed, a person
  473  convicted of a violation of this section must pay a fine equal
  474  to twice the amount of the ransom demand. Moneys recovered under
  475  this subsection shall be deposited into the General Revenue
  476  Fund.
  477         Section 7. The Legislature finds and declares that this act
  478  fulfills an important state interest.
  479         Section 8. This act shall take effect July 1, 2022.

feedback