282.201 State data center.—The state data center is established within the Agency for State Technology and shall provide data center services that are hosted on premises or externally through a third-party provider as an enterprise information technology service. The provision of services must comply with applicable state and federal laws, regulations, and policies, including all applicable security, privacy, and auditing requirements.
(1) INTENT.—The Legislature finds that the most efficient and effective means of providing quality utility data processing services to state agencies requires that computing resources be concentrated in quality facilities that provide the proper security, disaster recovery, infrastructure, and staff resources to ensure that the state’s data is maintained reliably and safely, and is recoverable in the event of a disaster. Unless otherwise exempt by law, it is the intent of the Legislature that all agency data centers and computing facilities shall be consolidated into the state data center.
(2) STATE DATA CENTER DUTIES.—The state data center shall:
(a) Offer, develop, and support the services and applications defined in service-level agreements executed with its customer entities.
(b) Maintain performance of the state data center by ensuring proper data backup, data backup recovery, disaster recovery, and appropriate security, power, cooling, fire suppression, and capacity.
(c) Develop and implement a business continuity plan and a disaster recovery plan, and beginning July 1, 2015, and annually thereafter, conduct a live exercise of each plan.
(d) Enter into a service-level agreement with each customer entity to provide the required type and level of service or services. If a customer entity fails to execute an agreement within 60 days after commencement of a service, the state data center may cease service. A service-level agreement may not have a term exceeding 3 years and at a minimum must:
1. Identify the parties and their roles, duties, and responsibilities under the agreement.
2. State the duration of the contract term and specify the conditions for renewal.
3. Identify the scope of work.
4. Identify the products or services to be delivered with sufficient specificity to permit an external financial or performance audit.
5. Establish the services to be provided, the business standards that must be met for each service, the cost of each service, and the metrics and processes by which the business standards for each service are to be objectively measured and reported.
6. Provide a timely billing methodology to recover the cost of services provided to the customer entity pursuant to s. 215.422.
7. Provide a procedure for modifying the service-level agreement based on changes in the type, level, and cost of a service.
8. Include a right-to-audit clause to ensure that the parties to the agreement have access to records for audit purposes during the term of the service-level agreement.
9. Provide that a service-level agreement may be terminated by either party for cause only after giving the other party and the Agency for State Technology notice in writing of the cause for termination and an opportunity for the other party to resolve the identified cause within a reasonable period.
10. Provide for mediation of disputes by the Division of Administrative Hearings pursuant to s. 120.573.
(e) For purposes of chapter 273, be the custodian of resources and equipment located in and operated, supported, and managed by the state data center.
(f) Assume administrative access rights to resources and equipment, including servers, network components, and other devices, consolidated into the state data center.
1. Upon the date of each consolidation specified in this section, the General Appropriations Act, or any other law, a state agency shall relinquish administrative rights to consolidated resources and equipment. State agencies required to comply with federal and state criminal justice information security rules and policies shall retain administrative access rights sufficient to comply with the management control provisions of those rules and policies; however, the state data center shall have the appropriate type or level of rights to allow the center to comply with its duties pursuant to this section. The Department of Law Enforcement shall serve as the arbiter of disputes pertaining to the appropriate type and level of administrative access rights pertaining to the provision of management control in accordance with the federal criminal justice information guidelines.
2. The state data center shall provide customer entities with access to applications, servers, network components, and other devices necessary for entities to perform business activities and functions, and as defined and documented in a service-level agreement.
(3) STATE AGENCY DUTIES.—
(a) Each state agency shall provide to the Agency for State Technology all requested information relating to its data centers and computing facilities and any other information relevant to the effective transition of an agency data center or computing facility into the state data center.
(b) Each state agency customer of the state data center shall notify the state data center, by May 31 and November 30 of each year, of any significant changes in anticipated utilization of state data center services pursuant to requirements established by the state data center.
(4) SCHEDULE FOR CONSOLIDATIONS OF AGENCY DATA CENTERS.—
(a) Consolidations of agency data centers and computing facilities into the state data center shall be made by the dates specified in this section and in accordance with budget adjustments contained in the General Appropriations Act.
(b) During the 2013-2014 fiscal year, the following state agencies shall be consolidated by the specified date:
1. By October 31, 2013, the Department of Economic Opportunity.
2. By December 31, 2013, the Executive Office of the Governor, to include the Division of Emergency Management except for the Emergency Operation Center’s management system in Tallahassee and the Camp Blanding Emergency Operations Center in Starke.
3. By March 31, 2014, the Department of Elderly Affairs.
4. By October 30, 2013, the Fish and Wildlife Conservation Commission, except for the commission’s Fish and Wildlife Research Institute in St. Petersburg.
(c) The following are exempt from state data center consolidation under this section: the Department of Law Enforcement, the Department of the Lottery’s Gaming System, Systems Design and Development in the Office of Policy and Budget, the regional traffic management centers as described in s. 335.14(2) and the Office of Toll Operations of the Department of Transportation, the State Board of Administration, state attorneys, public defenders, criminal conflict and civil regional counsel, capital collateral regional counsel, and the Florida Housing Finance Corporation.
(d) A state agency that is consolidating its agency data center or computing facility into the state data center must execute a new or update an existing service-level agreement within 60 days after the commencement of the service. If a state agency and the state data center are unable to execute a service-level agreement by that date, the agency shall submit a report to the Executive Office of the Governor within 5 working days after that date which explains the specific issues preventing execution and describing the plan and schedule for resolving those issues.
(e) Each state agency scheduled for consolidation into the state data center shall submit a transition plan to the Agency for State Technology by July 1 of the fiscal year before the fiscal year in which the scheduled consolidation will occur. Transition plans shall be developed in consultation with the state data center and must include:
1. An inventory of the agency data center’s resources being consolidated, including all hardware and its associated life cycle replacement schedule, software, staff, contracted services, and facility resources performing data center management and operations, security, backup and recovery, disaster recovery, system administration, database administration, system programming, job control, production control, print, storage, technical support, help desk, and managed services, but excluding application development, and the agency’s costs supporting these resources.
2. A list of contracts in effect, including, but not limited to, contracts for hardware, software, and maintenance, which identifies the expiration date, the contract parties, and the cost of each contract.
3. A detailed description of the level of services needed to meet the technical and operational requirements of the platforms being consolidated.
4. A timetable with significant milestones for the completion of the consolidation.
(f) Each state agency scheduled for consolidation into the state data center shall submit with its respective legislative budget request the specific recurring and nonrecurring budget adjustments of resources by appropriation category into the appropriate data processing category pursuant to the legislative budget request instructions in s. 216.023.
(5) AGENCY LIMITATIONS.—
(a) Unless exempt from data center consolidation pursuant to this section or authorized by the Legislature or as provided in paragraph (b), a state agency may not:
1. Create a new agency computing facility or data center, or expand the capability to support additional computer equipment in an existing agency computing facility or data center;
2. Spend funds before the state agency’s scheduled consolidation into the state data center to purchase or modify hardware or operations software that does not comply with standards established by the Agency for State Technology pursuant to s. 282.0051;
3. Transfer existing computer services to any data center other than the state data center;
4. Terminate services with the state data center without giving written notice of intent to terminate services 180 days before such termination; or
5. Initiate a new computer service except with the state data center.
(b) Exceptions to the limitations in subparagraphs (a)1., 2., 3., and 5. may be granted by the Agency for State Technology if there is insufficient capacity in the state data center to absorb the workload associated with agency computing services, if expenditures are compatible with the standards established pursuant to s. 282.0051, or if the equipment or resources are needed to meet a critical agency business need that cannot be satisfied by the state data center. The Agency for State Technology shall establish requirements that a state agency must follow when submitting and documenting a request for an exception. The Agency for State Technology shall also publish guidelines for its consideration of exception requests. However, the decision of the Agency for State Technology regarding an exception request is not subject to chapter 120.
History.—s. 8, ch. 2008-116; s. 24, ch. 2009-21; s. 8, ch. 2009-80; s. 44, ch. 2010-5; s. 2, ch. 2010-148; s. 5, ch. 2011-50; s. 33, ch. 2012-96; s. 2, ch. 2012-134; s. 1, ch. 2012-142; s. 37, ch. 2013-15; ss. 47, 48, ch. 2013-41; s. 50, ch. 2014-19; ss. 13, 14, ch. 2014-221.