60GG-4.001. Purpose and Applicability; Definitions  


Effective on Thursday, January 9, 2020
  • (1) These rules apply to state agencies as defined in Section 282.0041, F.S.

    (2) These rules are designed to further state agency implementation of the cloud-first policy as provided in Section 282.206, F.S., that requires state agencies to show a preference for cloud computing services that minimize or do not require the purchasing, financing, or leasing of state data center infrastructure when cloud-computing solutions meet the needs of the agency, reduce costs, and meet or exceed the applicable state and federal laws, regulations, and standards for information technology security.

    (3) These rules establish the requirements for state agencies to create formal processes to provide a preference for and to properly evaluate cloud computing services during procurement while ensuring that state agencies have adequately addressed and demonstrated protections to ensure that systems provisioned in the cloud are appropriately secure and performant, appropriate to the workload and data hosted, and ultimately ensure the availability, integrity and confidentiality of state data and resources.

    (4) Definitions:

    (a) Breach ‒ Has the same meaning as provided in Section 501.171, F.S.

    (b) Cloud Computing – A service, solution or option as defined in Special Publication 800-145 issued by the National Institute for Standards and Technology (NIST).

    (c) Cloud Service Provider – Person, organization, or entity responsible for making a cloud computing service, solution or option available to a consumer.

    (d) Data – Has the same meaning as defined in Section 282.0041, Florida Statutes.

    (e) Data Classification – The act of categorizing information systems and the information processed, stored, and transmitted by those systems based on the security impact analysis found under the risk assessment process outlined in Rule 60GG-2.002, F.A.C., Information Security Categorization.

    (f) Department of Management Services (DMS) – State agency created pursuant to Section 20.22, F.S., which includes the Florida Digital Service (FDS), responsible for operating the state data center and developing statewide information technology policy, among other functions.

    (g) Information Technology – Has the same meaning as defined in Section 282.0041, Florida Statutes.

    (h) Interoperability ‒ The ability for two disparate information technology systems to exchange data in a coordinated manner and make use of the data exchanged.

    (i) Managed Services – The delivery of information technology services, such as network, application, infrastructure and security, via continuous, regular management and support, to include active administration on the customer’s premises, in the service provider’s data center, or in a third-party data center.

    (j) Open data – Has the same meaning as defined in Section 282.0041, F.S.

    (k) Portability – The ease by which data or an information technology system can be extracted, transformed, and loaded from one computing environment to another.

    (l) Service Level Agreement (SLA) – A component of an agreement between a cloud service provider and a customer. The SLA describes the IT service, documents service level requirements, and specifies the responsibilities of the cloud service provider and the customer.

    Rulemaking Authority 282.0051(6) FS. Law Implemented 282.0051 FS. History‒New 1-9-20.