Effective on Thursday, January 9, 2020
  • (1) These rules apply to state agencies as defined in Section 282.0041, Florida Statutes.

    (2) These rules are designed to further state agency implementation of the cloud-first policy as provided in Section 282.206, Florida Statutes, that requires state agencies to show a preference for cloud computing services that minimize or do not require the purchasing, financing, or leasing of state data center infrastructure when cloud-computing solutions meet the needs of the agency, reduce costs, and meet or exceed the applicable state and federal laws, regulations, and standards for information technology security.

    (3) These rules establish the requirements for state agencies to create formal processes to provide a preference for and to properly evaluate cloud computing services during procurement while ensuring that state agencies have adequately addressed and demonstrated protections to ensure that systems provisioned in the cloud are appropriately secure and performant, appropriate to the workload and data hosted, and ultimately ensure the availability, integrity and confidentiality of state data and resources.

    (4) Definitions:

    (a) Breach ‒ Has the same meaning as provided in Section 501.171, Florida Statutes.

    (b) Cloud Computing – A service, solution or option as defined in Special Publication 800-145 issued by the National Institute for Standards and Technology (NIST).

    (c) Cloud Service Provider – Person, organization, or entity responsible for making a cloud computing service, solution or option available to a consumer.

    (d) Data – Has the same meaning as defined in Section 282.0041, Florida Statutes.

    (e) Data Classification – The act of categorizing information systems and the information processed, stored, and transmitted by those systems based on the security impact analysis found under the risk assessment process outlined in Rule 60GG-2.002, Florida Administrative Code, Information Security Categorization.

    (f) Department of Management Services (DMS) – State agency created pursuant to Section 20.22, F.S., which includes the Division of State Technology (DST), responsible for operating the state data center and developing statewide information technology policy, among other functions.

    (g) Information Technology – Has the same meaning as defined in Section 282.0041, Florida Statutes.

    (h) Interoperability ‒ The ability for two disparate information technology systems to exchange data in a coordinated manner and make use of the data exchanged.

    (i) Managed Services – The delivery of information technology services, such as network, application, infrastructure and security, via continuous, regular management and support, to include active administration on the customer’s premises, in the service provider’s data center, or in a third-party data center.

    (j) Open data – Has the same meaning as defined in Section 282.0041, Florida Statutes.

    (k) Portability – The ease by which data or an information technology system can be extracted, transformed, and loaded from one computing environment to another.

    (l) Service Level Agreement (SLA) – A component of an agreement between a cloud service provider and a customer. The SLA describes the IT service, documents service level requirements, and specifies the responsibilities of the cloud service provider and the customer.

    Rulemaking Authority 282.0051(19) FS. Law Implemented 282.0051(6) FS. History‒New 1-9-20.