F.S. 282.201282.201 State data center.—The state data center is established within the department. The provision of data center services must comply with applicable state and federal laws, regulations, and policies, including all applicable security, privacy, and auditing requirements. The department shall appoint a director of the state data center who has experience in leading data center facilities and has expertise in cloud-computing management.(1) STATE DATA CENTER DUTIES.—The state data center shall:(a) Offer, develop, and support the services and applications defined in service-level agreements executed with its customer entities. (b) Maintain performance of the state data center by ensuring proper data backup; data backup recovery; disaster recovery; and appropriate security, power, cooling, fire suppression, and capacity. (c) Develop and implement business continuity and disaster recovery plans, and annually conduct a live exercise of each plan. (d) Enter into a service-level agreement with each customer entity to provide the required type and level of service or services. If a customer entity fails to execute an agreement within 60 days after commencement of a service, the state data center may cease service. A service-level agreement may not have a term exceeding 3 years and at a minimum must:1. Identify the parties and their roles, duties, and responsibilities under the agreement. 2. State the duration of the contract term and specify the conditions for renewal. 3. Identify the scope of work. 4. Identify the products or services to be delivered with sufficient specificity to permit an external financial or performance audit. 5. Establish the services to be provided, the business standards that must be met for each service, the cost of each service by agency application, and the metrics and processes by which the business standards for each service are to be objectively measured and reported. 6. Provide a timely billing methodology to recover the costs of services provided to the customer entity pursuant to s. 215.422. 7. Provide a procedure for modifying the service-level agreement based on changes in the type, level, and cost of a service. 8. Include a right-to-audit clause to ensure that the parties to the agreement have access to records for audit purposes during the term of the service-level agreement. 9. Provide that a service-level agreement may be terminated by either party for cause only after giving the other party and the department notice in writing of the cause for termination and an opportunity for the other party to resolve the identified cause within a reasonable period. 10. Provide for mediation of disputes by the Division of Administrative Hearings pursuant to s. 120.573. (e) For purposes of chapter 273, be the custodian of resources and equipment located in and operated, supported, and managed by the state data center. (f) Assume administrative access rights to resources and equipment, including servers, network components, and other devices, consolidated into the state data center.1. Upon consolidation, a state agency shall relinquish administrative rights to consolidated resources and equipment. State agencies required to comply with federal and state criminal justice information security rules and policies shall retain administrative access rights sufficient to comply with the management control provisions of those rules and policies; however, the state data center shall have the appropriate type or level of rights to allow the center to comply with its duties pursuant to this section. The Department of Law Enforcement shall serve as the arbiter of disputes pertaining to the appropriate type and level of administrative access rights pertaining to the provision of management control in accordance with the federal criminal justice information guidelines. 2. The state data center shall provide customer entities with access to applications, servers, network components, and other devices necessary for entities to perform business activities and functions, and as defined and documented in a service-level agreement. (g) In its procurement process, show preference for cloud-computing solutions that minimize or do not require the purchasing, financing, or leasing of state data center infrastructure, and that meet the needs of customer agencies, that reduce costs, and that meet or exceed the applicable state and federal laws, regulations, and standards for cybersecurity. (h) Assist customer entities in transitioning from state data center services to the Northwest Regional Data Center or other third-party cloud-computing services procured by a customer entity or by the Northwest Regional Data Center on behalf of a customer entity. 1(2) USE OF THE STATE DATA CENTER.—(a) The following are exempt from the use of the state data center: the Department of Law Enforcement, the Department of the Lottery’s Gaming System, Systems Design and Development in the Office of Policy and Budget, the regional traffic management centers as described in s. 335.14(2) and the Office of Toll Operations of the Department of Transportation, the State Board of Administration, state attorneys, public defenders, criminal conflict and civil regional counsel, capital collateral regional counsel, and the Florida Housing Finance Corporation. (b) The Division of Emergency Management is exempt from the use of the state data center. This paragraph expires July 1, 2025. (3) AGENCY LIMITATIONS.—Unless exempt from the use of the state data center pursuant to this section or authorized by the Legislature, a state agency may not:(a) Create a new agency computing facility or data center, or expand the capability to support additional computer equipment in an existing agency computing facility or data center; or (b) Terminate services with the state data center without giving written notice of intent to terminate services 180 days before such termination. (4) DEPARTMENT RESPONSIBILITIES.—The department shall provide operational management and oversight of the state data center, which includes:(a) Implementing industry standards and best practices for the state data center’s facilities, operations, maintenance, planning, and management processes. (b) Developing and implementing cost-recovery mechanisms that recover the full direct and indirect cost of services through charges to applicable customer entities. Such cost-recovery mechanisms must comply with applicable state and federal regulations concerning distribution and use of funds and must ensure that, for any fiscal year, no service or customer entity subsidizes another service or customer entity. The department may recommend other payment mechanisms to the Executive Office of the Governor, the President of the Senate, and the Speaker of the House of Representatives. Such mechanisms may be implemented only if specifically authorized by the Legislature. (c) Developing and implementing appropriate operating guidelines and procedures necessary for the state data center to perform its duties pursuant to subsection (1). The guidelines and procedures must comply with applicable state and federal laws, regulations, and policies and conform to generally accepted governmental accounting and auditing standards. The guidelines and procedures must include, but need not be limited to:1. Implementing a consolidated administrative support structure responsible for providing financial management, procurement, transactions involving real or personal property, human resources, and operational support. 2. Implementing an annual reconciliation process to ensure that each customer entity is paying for the full direct and indirect cost of each service as determined by the customer entity’s use of each service. 3. Providing rebates that may be credited against future billings to customer entities when revenues exceed costs. 4. Requiring customer entities to validate that sufficient funds exist before implementation of a customer entity’s request for a change in the type or level of service provided, if such change results in a net increase to the customer entity’s cost for that fiscal year. 5. By November 15 of each year, providing to the Office of Policy and Budget in the Executive Office of the Governor and to the chairs of the legislative appropriations committees the projected costs of providing data center services for the following fiscal year. 6. Providing a plan for consideration by the Legislative Budget Commission if the cost of a service is increased for a reason other than a customer entity’s request made pursuant to subparagraph 4. Such a plan is required only if the service cost increase results in a net increase to a customer entity for that fiscal year. 7. Standardizing and consolidating procurement and contracting practices. (d) In collaboration with the Department of Law Enforcement and the Florida Digital Service, developing and implementing a process for detecting, reporting, and responding to cybersecurity incidents, breaches, and threats. (e) Adopting rules relating to the operation of the state data center, including, but not limited to, budgeting and accounting procedures, cost-recovery methodologies, and operating procedures. (5) NORTHWEST REGIONAL DATA CENTER CONTRACT.—In order for the department to carry out its duties and responsibilities relating to the state data center, the secretary of the department shall contract by July 1, 2022, with the Northwest Regional Data Center pursuant to s. 287.057(11). The contract shall provide that the Northwest Regional Data Center will manage the operations of the state data center and provide data center services to state agencies.(a) The department shall provide contract oversight, including, but not limited to, reviewing invoices provided by the Northwest Regional Data Center for services provided to state agency customers. (b) The department shall approve or request updates to invoices within 10 business days after receipt. If the department does not respond to the Northwest Regional Data Center, the invoice will be approved by default. The Northwest Regional Data Center must submit approved invoices directly to state agency customers. History.—s. 8, ch. 2008-116; s. 24, ch. 2009-21; s. 8, ch. 2009-80; s. 44, ch. 2010-5; s. 2, ch. 2010-148; s. 5, ch. 2011-50; s. 33, ch. 2012-96; s. 2, ch. 2012-134; s. 1, ch. 2012-142; s. 37, ch. 2013-15; ss. 47, 48, ch. 2013-41; s. 50, ch. 2014-19; ss. 13, 14, ch. 2014-221; ss. 60, 61, ch. 2018-10; ss. 80, 81, 82, 115, ch. 2019-116; s. 10, ch. 2019-118; s. 47, ch. 2020-2; s. 4, ch. 2021-234; s. 4, ch. 2022-153; s. 85, ch. 2024-228. 1Note.—Section 85, ch. 2024-228, amended subsection (2) “in order to implement Specific Appropriation 2693A of the 2024-2025 General Appropriations [A]ct.”
|