Customer Access to State Long Distance Communications System, Modifications, Additions, Reductions or Terminations to Existing SUNCOM Service Initiated by a Customer, Additions or Modifications, Reductions or Terminations to Existing SUNCOM Service ...  


    DEPARTMENT OF MANAGEMENT SERVICES
    Communications and Information Technology Services

    RULE NO: RULE TITLE
    60FF-3.001: Customer Access to State Long Distance Communications System
    60FF-3.002: Modifications, Additions, Reductions or Terminations to Existing SUNCOM Service Initiated by a Customer
    60FF-3.003: Additions or Modifications, Reductions or Terminations to Existing SUNCOM Service Initiated by the Department
    60FF-3.004: Network Protection Standards for State Network
    60FF-3.005: Security Breach Protection Provisions Required for Department Approved Use of Third Party Equipment, Services and Software
    60FF-3.006: Department Response to System Failures and Security Breaches
    60FF-3.007: SUNCOM Cost Recovery for System Failures and Security Breaches Caused by Third Parties
    60FF-3.008: Management and Distribution of State Numbers and Addresses
    60FF-3.009: Delegation to the Department of Education
    60FF-3.010: Florida State Government Listings

    NOTICE OF CHANGE

    Notice is hereby given that the following changes have been made to the proposed rule in accordance with subparagraph 120.54(3)(d)1., F.S., published in Vol. 33, No. 52, December 28, 2007 issue of the Florida Administrative Weekly.

    These changes respond to comments by the Joint Administrative Procedures Committee and to suggestions filed through written comments and/or made during public hearings held January 28, February 7 and February 20, 2008.

    60FF-3.001 Customer Access to State Long Distance Communications System.

    No change.

    Specific Authority 282.102(9) FS. Law Implemented 282.102(2), (8), (12), 282.103, 282.104, 282.105, 282.106, 282.107 FS. History– New__________.

     

    60FF-3.002 Modifications, Additions, Reductions or Terminations to Existing SUNCOM Service Initiated by a Customer.

    The Customer of a SUNCOM Service is required to adhere to the appropriate technical specifications and procedures associated with the applicable service, as outlined in the Portfolio of Services.  To obtain approval for any modifications, additions, reductions, or terminations of SUNCOM Services, the Customer shall follow the Customer Service Authorization (CSA) process, as described in Chapter 60FF-2, F.A.C., at least 45 days in advance of the requested effective date.  Failure to provide notification for the termination or modification of a service in the Communications Service Authorization and Billing System (CSAB System) within the required time frame shall result in continued charges for the existing service.

    Specific Authority 282.102(9) FS. Law Implemented 282.102(2), (8), (12), 282.103, 282.104, 282.105, 282.106, 282.107 FS. History– New________.

     

    60FF-3.003 Additions or Modifications, Reductions or Terminations to Existing SUNCOM Service Initiated by the Department.

    (1) The Department shall initiate changes or suspend terminate a Customer’s SUNCOM service based on any of the following reasons:

    (a) through (d)  No change.

    (e) A change to the service is required because the service offering has changed.

    (f) No change.

    (g) Violation of a security standard, as specified in Rules 60FF-3.004-.006, F.A.C.

    (h) The Customer is no longer eligible for SUNCOM Services in accordance with Sections 282.103-.107, F.S.

    (i) The Customer fails to pay for SUNCOM Services as described in subsection 60FF-2.005(3) 60FF-2.003(4), F.A.C.

    (2) When a change to a Customer’s service is required, the Department shall notify the Customer of required changes to the Customer’s service.  If It the Customer disputes the basis for the change or wishes to request an extension, the Customer shall respond within 30 days from such notice, with a written request to justify why the Department should not make the proposed change to the Customer’s service.

    (a) No change.

    (b) No change.

    (3) The terms of the applicable contract for the SUNCOM service shall be the basis for the Department’s notice obligation to vendors when requesting a change to a service.  If the applicable contract fails to address these notice obligations:

    (a) Discontinuance of services shall be implemented within one day from the date a request from the Department is issued.

    (b) Modifications requiring no physical actions other than electronic changes implemented through remote devices or databases shall be implemented within one day from the date a request from the Department is issued.

    (c) Modifications requiring physical actions shall be implemented within a period that is customary for the vendor in serving large business customers.

    Specific Authority 282.102(9) FS. Law Implemented 282.102(2), (8), (12), 282.103, 282.104, 282.105, 282.106, 282.107 FS. History– New________.

     

    60FF-3.004 Network Protection Standards for State Network.

    To protect the integrity, predictability and availability of state communications services, Customers shall adhere to the following security specifications and directives:

    (1) No change.

    (2) Absent approval from the Department, the following are prohibited: The Department prohibits configurations which directly or indirectly circumvent the State firewall creating

    (a) Any Backdoor cConnections without SUNCOM managed or sanctioned filtering;.

    (b)(3) Any The Department prohibits configurations creating non-SUNCOM managed Virtual Connections to or from the State Intranet;, tunnels (encrypted and

    (c) Any configuration creating non-SUNCOM managed tunnels to or from the State Intranet;

    (d) Any configuration creating non-SUNCOM managed non-encrypted) or remote access Connections to or from the State Intranet directly or indirectly circumventing the State firewall.

    (4) Any inbound or outbound connectivity to the State Intranet via Virtual Connections, tunnels (encrypted and non-encrypted) or remote access shall be registered by the Customer with the Department.  To register, Customers shall adhere to Rule 60FF-1.004 or 60FF-1.0011, F.A.C., (depending upon its required usage status) by submitting an Exemption Request (for Required Users) or Clearance Request (for other Intranet users).  A 12 month utilization log shall be maintained by the Customer and made available to the Department upon request.

    (3) To obtain approval for any of the conditions described in subsection 60FF-3.004(2), F.A.C.  Customers shall submit a Notice of Security Concern Regarding a Network Solution in accordance with Rule 60FF-1.005, F.A.C.  Additionally, if the Department does not keep a log for the Customer, the Customer shall maintain current 15-day log(s) for all of the Customer firewalls that connect any Customer Sub-network to any SUNCOM services outside of the Sub-network. The logs shall contain records for every transaction processed by the firewall with each record containing the following at a minimum:

    (a) Source and destination ports contained in the transaction;

    (b) Source and destination addresses contained in the transaction;

    (c) The date and time for the transaction.

    (4) The Department shall take several findings into consideration in determining whether or not to approve any of the conditions described in subsection 60FF-3.004(2), F.A.C. Those findings shall determine whether or not the Customer has in place:

    (a) The appropriate and generally accepted processes for protecting the State Intranet and;

    (b) A modern firewall using contemporary tools and functionality for protecting the State Intranet and;

    (c) Trained staff available to inform and work with the Department and;

    (d) Monitoring activities and modern tools that are adequate for protecting the State Intranet and;

    (e) Ongoing transparent access available to the Department to the information necessary to verify these things and perform associated diagnostics.

    (5) No scanning tools, Traffic generating stress testing of applications or communications, or network topology discovery tools that automatically generate repeated contact with other nodes outside the Customer’s Sub-network are allowed to be used on or across the SUNCOM network, are allowed to be used without written authorization from the Department.  Authorizations can be obtained via an electronic mail request and reply with the SUNCOM Network Operations Center. Said authorization may include provisions for repetitive activities if the request for authorization comprehensively defines the repetitive activity.  Authorizations shall be granted based upon the Department verifying that:

    (a) through (c) No change.

    (6) The Information Security Manager, as established by Section 282.318(2)(a), (1)., F.S., or the highest level information security official for the Customer, shall work with the Department to ensure that the Customer adheres to the Department’s security rules and any SUNCOM service requirement based on the appropriate technical specifications and procedures associated with the applicable service, as outlined in the Portfolio of Services. The Customer’s security designees and network administrator are responsible for keeping any Unauthorized Traffic or Connection from traversing the SUNCOM network.

    (7) Additional Network Solutions obtained Services outside the official SUNCOM offering are subject to the Security Breach Protection provisions stated in Rules 60FF-3.004 60FF-3.005 through 60FF-3.007 60FF-3.006, F.A.C., and shall be documented by the Customer, as required in subsection 60FF-1.008(6) Rule 60FF-1.009, F.A.C., for Required Users or in Rule 60FF-1.013 subsection 60FF-1.011(4), F.A.C., for Non-Required Users. This documentation shall be made available to the Department for review upon request.

    (8) SUNCOM communication Traffic shall be monitored by the Department for Unauthorized Activity. Violations shall be reported to the Customer having appeared to have facilitated the Unauthorized Activity and/or the appropriate authority with jurisdiction over associated prevention and enforcement. After the Department has notified the Customer, access to the SUNCOM network may be terminated by the Department until any Unauthorized Traffic has been eliminated if the Department believes it could threaten the State Network or its Customers., which shall include that Agency for Enterprise Information Technology, and be remedied through the provisions of Rule 60FF-3.006, F.A.C.

    (9) The Customer shall provide documentation of network topology and configuration information to the Department during any related Network Security audits or during resolution or investigation of security incidents.

    (10) Customers shall be responsible for resolving all security breaches and exposures problems and vulnerabilities defined in these rules for conditions within the Customer’s purview and shall cooperate with the Department on SUNCOM resolution efforts through the provisions of Rule 60FF-3.006, F.A.C. for conditions jointly within the purview of the Department and the Customer.

    Specific Authority 282.102(9) FS. Law Implemented 282.102(2), (8), (12), 282.103, 282.104, 282.105, 282.106, 282.107 FS. History– New_________.

     

    60FF-3.005 Security Breach Protection Provisions Required for Department Approved Use of Third Party Network Equipment, Services and Software.

    All Required Users and Users of the State Intranet shall adhere to these requirements for any purchase or lease of Network Services, Network Software or Network Equipment through means other than SUNCOM Services.

    (1) Any procurement solicitation, contract, purchase order or agreement for Network Services, Network Software, or Network Equipment through means other than SUNCOM Services must include the following:

    (a) This phrase, “The vendor agrees to use of reasonable efforts to provide equipment, software and services in accordance with and adherence to Chapters 60FF-1 through 60FF-3, Florida Administrative Code.”

    (b) A description of the relative amount of liability for System Failures and Security Breaches that shall be assumed by the purchasing entity, the vendor and the Department when the cause of System Failures or Security Breaches are within the shared control of these parties.

    (b)(c)  This phrase, “The vendor shall assume one hundred percent (100%) liability for System Failures and/or Security Breaches that which result from the violations of subsections 60FF-3.004(1) and (2), F.A.C., that are caused by the vendor provided network solution if the vendor has failed to inform, in accordance with Rule 60FF-1.005, F.A.C., the Florida Department of Management Services, the purchaser and parties who are vendor’s failure to properly implement or coordinate implementation (which includes providing due diligent communications with other parties having roles in implementing or accommodating implementation) of the services, equipment or software described in this contract/purchase order/agreement or result from the inherent flaws or limitations of the services, equipment or software described in this contract/purchase order/agreement.”

    (c) This phrase, “The relative amount of liability for System Failures and Security Breaches shall be apportioned between the purchasing entity, the vendor and the Department when the cause of System Failures or Security Breaches are within the shared control of these parties in accordance with their respective fault.”

    Specific Authority 282.102(9) FS. Law Implemented 282.102(2), (8), (12), 282.103, 282.104, 282.105, 282.106, 282.107 FS. History– New________.

     

    60FF-3.006 Department Response to System Failures, and Security Breaches and Security Exposures.

    (1) If there is a Security Breach, Security Exposure or System Failure resulting from implementation of Network Services, Network Software or Network Equipment purchased or leased from sources other than SUNCOM by Required Users and Users of the State Intranet, the Department in consultation with the Agency for Enterprise Information Technology shall take whatever action the Department deems necessary to protect the integrity, predictability and availability of the State Network and SUNCOM Customers. following the escalation steps defined below:

    (a) Customers shall remedy any Security Breach or Security Exposure while in communications with the Department and the Agency for Enterprise Information Technology.

    (b) In the event that the customer cannot remedy the Security Breach or Security Exposure, the Department shall be granted access to and/or control of any resources the Department declares to be related to the failure, breach or exposure.

    (c) Based on This can include the Department’s determination that steps (a) and (b) above have failed to resolve the Security Breach or Exposure in a manner that will protect the integrity, predictability and availability of the State Network and SUNCOM Customers, the Department shall be granted assumption of exclusive access and control, through the Department’s staff or its vendors, of any and all said Network Services, Network Software, or Network Equipment, or may temporarily suspend (b) And/or this can result in temporary termination of SUNCOM Services to the SUNCOM Customer responsible for said Network Services, Network Software, or Network Equipment.

    1. In making its determination that steps (a) and (b) have failed, the Department shall consider the severity of System Failure, Security Breach or Security Exposure, the extent, timeliness and effectiveness of the Customer’s resolution efforts and the findings described in subsection 60FF-3.004(4), F.A.C.

    (d) The Department shall provide notice to the Customer prior to taking the actions described in paragraph 60FF-3.006(1)(b) and (c), F.A.C.

    (2) Government entities and associated vendors that are responsible for any and all said Network Services, Network Software, or Network Equipment shall grant the Department exclusive access to and control of any resources that the Department declares to be related to the failure or, breach or exposure, remedy thereto and ongoing prevention of recurrence.

    (a) If the Department assumes exclusive control of these Network Resources, the Department shall grant staff authorized by the Customer unlimited opportunity to see information regarding the configuration, conditions and activities on the Network Resource.

    (b) If the Department assumes exclusive control of these Network Resources, the Department shall do so in consultation with the Agency for Enterprise Information Technology.

    (3) If the Customer requests allowance for continuation of the primary conditions that led to the Security Breach or Security Exposure beyond the short term mitigation efforts, the Department may implement ongoing State Network protection requirements that may include implementing access controls to shared resources, isolation of the Customer’s Sub-network and/or special monitoring of the Customer’s network traffic and configurations.

    Specific Authority 282.102(9) FS. Law Implemented 282.102(2), (8), (12), 282.103, 282.104, 282.105, 282.106, 282.107 FS. History– New________.

     

    60FF-3.007 SUNCOM Cost Recovery for System Failures and Security Breaches Caused by Third Parties.

    If there is a Security Breach or System Failure that affects SUNCOM or any SUNCOM Customer resulting from a breach as described in Rule 60FF-3.005, F.A.C., the providing vendor shall pay the Department liquidated damages in proportion to the vendor’s liability share. The amount of the liquidated damages shall be equal to the Department’s costs to resolve the breach, repair consequential damages and establish protections to prevent recurrence. The Department’s costs shall consist of SUNCOM staff time, any equipment, expenses or vendor charges related to the effort.

    (1) through (2) No change.

    Specific Authority 282.102(9) FS.  Law Implemented 282.102(2), (8), (12), 282.103, 282.104, 282.105, 282.106, 282.107 FS. History– New________.

     

    60FF-3.008 Management and Distribution of State Numbers and Addresses.

    (1) The Department, as the provider of the State Network, shall own, manage and establish standards for the communications addressing, directory services, and the state numbering plans for State computing and telephony state communications and the State Network.  This applies to the following:

    (1) For all Internet Protocol Versions later than Internet Protocol Version Four, the Department shall distribute and/or authorize (a) This includes distributing and/or authorizing all numbers and addresses to Customers of the network, and/or delegate delegating management of subsidiary groups of numbers and addresses to Customers of the network. No Required User shall seek ownership or usage of any Internet Protocol addresses through any source other than the Department.

    (2) For all phone numbers regardless of when they were distributed, the Department shall distribute and/or authorize numbers to Customers of the network, and/or delegate management of subsidiary groups of numbers to Customers of the network.

    (3) All private Internet Protocol Version Four addresses used on the State Intranet that are intended to be used outside the Customer’s Sub-network shall be registered with and approved by the Department of Management Services.  Duplicate registrations will be found in favor of the first registrant.

    (4) Upon request from the Department, Customers shall provide the Department with a full listing and usage status classification of all of the non-private numbers, addresses or series of numbers or addresses that are held, reserved, used by or scheduled for usage by the Customer.

    (5)(2) Telephone numbers and electronic addresses provided by the Department as part of the SUNCOM Service offering belong to the Department and cannot be given to another entity should SUNCOM service be suspended terminated without the Department’s expressed written consent.

    (6)(3) Required Users shall cooperate with the Department’s efforts to carry out these responsibilities, and other Customers shall cooperate with such efforts as they relate to the SUNCOM Services purchased by the Customers.

    Specific Authority 282.102(9) FS. Law Implemented 282.102(2), (8), (12), 282.103, 282.104, 282.105, 282.106, 282.107 FS. History– New________.

     

    60FF-3.009 Exemption for Delegation to the Department of Education.

    The Department of Management Services exempts the Department of Education from the requirement to file Exemption Requests, as described in Chapter 60FF-1, F.A.C., for the purpose of acquiring, leasing, and utilizing broadcast communications equipment, facilities, and services that are used to carry out the responsibilities of the Department of Education under Section 1001.26, F.S. The authority to acquire, lease, and utilize broadcast communications equipment, facilities, and services is hereby delegated to the Department of Education in the procurement of broadcast equipment, facilities, and services for use by the public and educational broadcast entities licensed by the Federal Communications Commission. The Department of Education shall brief the Department on these delegated activities and shall permit the Department to audit activities delegated herein when the Federal Communications Commission initiates an action related to these delegations or the Department of Education engages in a related procurement process.

    Specific Authority 282.102(9) FS. Law Implemented 282.102(2), (5), (8), (12), 282.103 FS. History–New________.

     

    60FF-3.010 Exemption for Computerized Traffic Systems and Control Devices.

    The authority of the Department of Transportation to acquire, lease, maintain and utilize communications equipment, facilities, circuits and services that facilitate traffic systems and control devices solely for the purpose of motor vehicle traffic control and surveillance, is hereby exempted from the requirement to use SUNCOM and the provisions of Rules 60FF-1.007 through 60FF-1.010, F.A.C.

    (1) This exemption does not apply in any instance where the Department of Transportation’s communications equipment, facilities, circuits or services are put to use as tools in other operations of the Department of Transportation or do not comply with uniform system of traffic control devices adopted pursuant to Section 316.0745, F.S., even if these communications resources also carry traffic systems and control data.

    (2) The Department of Transportation shall permit the Department upon request to audit activities exempted herein and provide the Department the associated information it needs to verify that the Department of Transportation’s communications resources to which this exemption applies are solely used for the purpose of motor vehicle traffic control and surveillance.

    Specific Authority 282.102(9) FS. Law Implemented 282.102(2), (5), (8), (12), 282.103 FS. History–New________.

     

    60FF-3.011 60FF-3.010 Florida State Government Listings.

    (1) The Department shall provide the State of Florida government listing information for all local commercial directories and coordinate the maintenance of government and personnel listing information on the state government Web site www.411.myflorida.com. The Department shall have final authority regarding State of Florida government listing publishing, format, distribution and standardization for all local commercial directories and on the state government Web site www.411.myflorida.com.

    (2) Each Eligible User shall be responsible for submitting updated listing information through means provided by the Department on the state government Web site at www.411.myflorida.com, or by email to help@dms.myflorida.com, or by writing to:

    Department of Management Services

    SUNCOM

    Attention: Directory Records Listings Information

    4030 Esplanade Way

    Tallahassee, Florida 32399-0950.

    (3) through (6) No change.

    Specific Authority 282.102(9) FS. Law Implemented 282.103, 282.104, 282.105, 282.106, 282.107 FS. History–New________.