Effective on Thursday, January 9, 2020
  • (1) As part of their cloud-first policy, the state agency will develop formal procedures to be used when procuring information technology that establish a preference for cloud computing.

    (2) Where products or services are required for cloud migration and integration with products or services hosted at the State Data Center (SDC), the state agency shall consult with the Division of State Technology (DST) prior to the procurement of cloud services to ensure compatibility and security. The state agency will document such consultation in writing.

    (3) The state agency will maintain and provide to DST by October 15 of each year a comprehensive, documented record of applications, workload, data, and services procured or placed into a cloud service provider environment. The record will include the business system’s common name, purpose, operating requirements, and estimated annual cost of cloud computing.

    (4) The state agency will ensure that security and interoperability with applications that interface outside the cloud service provider’s cloud are well documented and addressed, including data egress charge models.

    (5) The state agency will ensure that technical security controls are commensurate with the data’s classification as defined in Rule Chapter 60GG-2, Information Security, F.A.C.

    (6) The state agency will ensure that contracts reflect the restriction on the geographic location of data to the continental United States unless approved in writing by the agency head or designee. Remote access to data, other than open data, from outside the continental United States is prohibited unless approved in writing by the agency head or designee.

    (7) Prior to execution of the contract and deployment of a cloud computing service, the state agency shall ensure that the cloud service provider delivers audit reports based on the classification of the data, for the agency assessment of the effectiveness and suitability of the cloud service provider. During the contract term, the state agency will ensure that security controls required under subsection (5) above are well documented and addressed.

    (8) The state agency will maintain data ownership and will include contractual provisions for portability for risk management purposes.

    (9) The state agency will include contract provisions, associated with end of contract or breach of contract, that fully document the exit strategy for cloud computing services or applications, including data acquisition, migration strategy, high-level timeline, and costs.

    (10) The state agency will ensure that Service Level Agreement (SLA) requirements for cloud computing availability, performance, and response are included in the contract.

    (11) The contract will provide for performance and service level monitoring and reporting from the cloud service provider to the state agency.

    (12) The state agency will ensure contractual financial consequences are included in the contract in the event of the cloud service provider’s failure to perform as agreed under the terms of the service level agreement, consistent with applicable law.

    (13) The state agency will validate that the cloud service provider’s disaster recovery plan is developed commensurate with data classification and complies with Rule Chapter 60GG-2, F.A.C., Information Technology Security. If the disaster recovery plan is modified during the contract term, the cloud service provider will provide the modified plan to the state agency.

    Rulemaking Authority 282.0051(19) FS. Law Implemented 282.0051(5256) FS. History‒New 1-9-20.