
    DEPARTMENT OF MANAGEMENT SERVICES

    Technology Program

    RULE NOS.: RULE TITLES:

    60FF-3.003 Additions or Modifications, Reductions or Terminations to Existing SUNCOM Service Initiated by the Department

    60FF-3.004 Protection Standards for State Network

    60FF-3.005 Security Breach Protection Provisions Required for Department Approved Use of Third Party Network Equipment, Services and Software

    60FF-3.006 Department Response to System Failures, Security Breaches and Security Exposures

    60FF-3.007 SUNCOM Cost Recovery for System Failures and Security Breaches Caused by Third Parties

    60FF-3.008 Management and Distribution of State Numbers and Addresses

    PURPOSE AND EFFECT: To update the conditions of use, security requirements, and response to security breaches by Customers of the SUNCOM system.

    SUMMARY: The proposed changes update security requirements for non-SUNCOM managed equipment, notification procedures following a security breach, Department and Customer response to security breaches, cost recovery, and management of state numbers and addresses.

    SUMMARY OF STATEMENT OF ESTIMATED REGULATORY COSTS AND LEGISLATIVE RATIFICATION:

    The Agency has determined that this will not have an adverse impact on small business or likely increase directly or indirectly regulatory costs in excess of $200,000 in the aggregate within one year after the implementation of the rule. A SERC has not been prepared by the Agency.

    The Agency has determined that the proposed rule is not expected to require legislative ratification based on the statement of estimated regulatory costs or if no SERC is required, the information expressly relied upon and described herein: the agency, utilizing the expertise of division personnel, determined no SERC was required based on the nature of the rule and after completing the SERC checklist analysis.

    Any person who wishes to provide information regarding a statement of estimated regulatory costs, or provide a proposal for a lower cost regulatory alternative must do so in writing within 21 days of this notice.

    RULEMAKING AUTHORITY: 282.702(2), (9), 282.707(2), F.S.

    LAW IMPLEMENTED: 282.702(2), (8), (12), 282.703, 282.704, 282.705, 282.706, 282.707, F.S.

    IF REQUESTED WITHIN 21 DAYS OF THE DATE OF THIS NOTICE, A HEARING WILL BE SCHEDULED AND ANNOUNCED IN THE FAR.

    THE PERSON TO BE CONTACTED REGARDING THE PROPOSED RULE IS: Robert Downie, Deputy Director, Division of Telecommunications, 4050 Esplanade Way, Tallahassee, Florida 32399, Robert.Downie@dms.fl.gov, (850)922-2963. A copy of the proposed rule is also available at https://www.dms.myflorida.com/agency_administration/general_counsel/rulemaking.

     

    THE FULL TEXT OF THE PROPOSED RULE IS:

     

    60FF-3.003 Additions or Modifications, Reductions or Terminations to Existing SUNCOM Service Initiated by the Department.

    (1) through (2) No change.

    (3) The terms of the applicable contract for the SUNCOM service shall be the basis for the Department’s notice obligation to vendors when requesting a change to a service.  If the applicable contract fails to address these notice obligations:

    (a) through (b) No change.

    (c) Modifications requiring physical actions shall be implemented within thirty (30) days from the date a request from the Department is issued.

    Rulemaking Authority 282.702(2), (9), 282.707(2) FS. Law Implemented 282.702(2), (8), (12), 282.703, 282.704, 282.705, 282.706, 282.707 FS. History–New 6-25-08, Amended                            .

     

    60FF-3.004 Protection Standards for State Network.

    To protect the integrity, predictability and availability of state communications services, Customers shall adhere to the following security specifications and directives:

    (1) No change.

    (2) Absent written approval from the Department, the following are prohibited:

    (a) Any non-SUNCOM Backdoor connections to or from the State Intranet without SUNCOM managed or sanctioned filtering;

    (b) through (c) No change.

    (d) Any configuration creating non-SUNCOM managed remote access Connections to or from the State Intranet; and

    (e) Any non-SUNCOM managed equipment without two-factor authentication access. Authentication factors include, but are not limited to, something a person knows (e.g., password or personal identification number) and something a person has (e.g., cryptographic identification device or token).

    (3) No change. 

    (4) The Department shall take several findings into consideration in determining whether or not to approve any of the conditions described in subsection 60FF-3.004(2), F.A.C. Those findings shall determine whether or not the Customer has in place:

    (a) The appropriate and generally accepted processes for protecting the State Intranet;

    (b) A modern firewall using contemporary tools and functionality for protecting the State Intranet;

    (c) Trained staff available to inform and work with the Department;

    (d) Monitoring activities and modern tools that are adequate for protecting the State Intranet; and

    (e) Ongoing transparent access available to the Department to the information necessary to verify paragraphs (a) – (d) and perform associated diagnostics.

    (5) Customers shall not use or allow scanning tools, Traffic generating stress testing of applications or communications, or network topology discovery tools that automatically generate repeated contact with other nodes outside the Customer’s Sub-network or across the SUNCOM network without written authorization from the Department. Customers shall request authorizations via email through the SUNCOM Network Operations Center. If the Customer is requesting authorization of a repetitive activity, the request must comprehensively define the repetitive activity. Authorizations shall be granted based upon the Department verifying that:

    (a) The extent of the activity shall not affect or alarm SUNCOM, its Providers and Customers. The activity shall not impair the capacity of SUNCOM circuits to accommodate communications traffic; and

    (b) The initiator of the activity shall coordinate the timing and extent of the activity to minimize impact on the State Network and its Customers.

    (6) The Customer’s Chief Information Security Manager, as established by section 282.318(4), F.S., or the highest level information security official for the Customer, shall work with the Department to ensure that the Customer adheres to the Department’s security rules and any SUNCOM service requirement based on the appropriate technical specifications and procedures associated with the applicable service, as outlined in the Portfolio of Services.

    (a) Customers shall adhere to all other applicable security requirements, including, but not limited to, chapter 282, F.S., and Rule Chapter 60GG-2, F.A.C.

    (b) The Customer’s designees are responsible for:

    1. Keeping any Unauthorized Traffic or Connection from traversing the SUNCOM network; and

    2. Notifying the SUNCOM Network Operations Center (888-478-6266) immediately upon discovery, and in no case more than fifteen (15) minutes after, a Security Exposure (e.g., a virus, Denial of Service, worm, hoax email, discovery of hacking tools, or altered data) that impacts or has the potential to impact the State’s information resource is suspected or confirmed.

    (7) Network Solutions obtained outside the official SUNCOM offering are subject to the Security Breach Protection provisions stated in Rules 60FF-3.004 through 60FF-3.007, F.A.C., and shall be documented by the Customer, as required in subsection 60FF-1.008(6), F.A.C., for Required Users or in Rule 60FF-1.013, F.A.C., for other Customers.

    (8) SUNCOM communication Traffic shall be monitored by the Department’s Division of Telecommunications for Unauthorized Activity. The Department will report violations to the Customer that appears to have facilitated the Unauthorized Activity, as well as to the appropriate authority with jurisdiction over associated prevention and enforcement, which shall include the Florida Digital Service, and violations shall be remedied through the provisions of Rule 60FF-3.006, F.A.C.

    (9) No change.

    (10) Customers shall be responsible for resolving all Security Breaches, Security Exposures, and System Failures defined in these rules for conditions within the Customer’s purview and shall cooperate with the Department on SUNCOM resolution efforts through the provisions of Rule 60FF-3.006, F.A.C.

    Rulemaking Authority 282.702(2), (9), 282.707(2) FS. Law Implemented 282.702(2), (8), (12), 282.703, 282.704, 282.705, 282.706, 282.707 FS. History–New 6-25-08, Amended                            .

     

    60FF-3.005 Security Breach Protection Provisions Required for Department Approved Use of Third Party Network Equipment, Services and Software.

    (1) All Customers shall adhere to these requirements for any purchase or lease of Network Services, Network Software, or Network Equipment through means other than SUNCOM Services.

    (2) No change.

    Rulemaking Authority 282.702(2), (9), 282.707(2) FS. Law Implemented 282.702(2), (8), (12), 282.703, 282.704, 282.705, 282.706, 282.707 FS. History–New 6-25-08, Amended                            .

     

    60FF-3.006 Department Response to System Failures, Security Breaches and Security Exposures.

    (1) If there is a Security Breach, Security Exposure or System Failure resulting from implementation of Network Services, Network Software, or Network Equipment purchased or leased from sources other than SUNCOM by a Customer, the Department’s Division of Telecommunications, in consultation with the Florida Digital Service, will take whatever action the Department deems necessary to protect the integrity, predictability, and availability of the State Network and protect SUNCOM Customers following the escalation steps defined below:

    (a) The Customer shall remedy any Security Breach, Security Exposure, or System Failure in coordination with the Department’s Division of Telecommunications and the Florida Digital Service.

    (b) In the event that the Customer cannot remedy the Security Breach, Security Exposure, or System Failure, the Customer shall grant the Department access to, and, if deemed necessary by the Department, control of any resources the Department declares to be related to the Security Breach, Security Exposure, or System Failure.

    (c) Based on the Department’s determination that steps (a) and (b), above, have failed to resolve the Security Breach, Security Exposure, or System Failure in a manner that will protect the integrity, predictability and availability of the State Network and protect SUNCOM Customers, the Customer shall grant the Department exclusive access and control of any and all said Network Services, Network Software, or Network Equipment, or, if deemed necessary, the Department will temporarily suspend SUNCOM Services to the SUNCOM Customer responsible for said Network Services, Network Software, or Network Equipment. In making its determination that steps (a) and (b) have failed, the Department shall consider the severity of the Security Breach, Security Exposure, or System Failure, the extent, timeliness, and effectiveness of the Customer’s resolution efforts and the findings described in subsection 60FF-3.004(4), F.A.C.

    (d) No change.

    (2) Government entities and associated vendors that are responsible for any and all said Network Services, Network Software, or Network Equipment shall grant the Department exclusive access to and control of any resources that the Department declares to be related to the Security Breach, Security Exposure, or System Failure, the remedy thereto and ongoing prevention of recurrence.

    (a) No change.

    (b) If the Department assumes exclusive control of these Network Resources, the Department’s Division of Telecommunications shall do so in consultation with the Florida Digital Service.

    (3) If the Customer requests allowance for continuation of the primary conditions that led to the Security Breach, Security Exposure, or System Failure beyond the short term mitigation efforts, the Department will implement ongoing State Network protection requirements, such as implementing access controls to shared resources, isolation of the Customer’s Sub-network and/or special monitoring of the Customer’s network Traffic and configurations.

    Rulemaking Authority 282.702(2), (9), 282.707(2) FS. Law Implemented 282.702(2), (8), (12), 282.703, 282.704, 282.705, 282.706, 282.707 FS. History–New 6-25-08, Amended                            .

     

    60FF-3.007 SUNCOM Cost Recovery for System Failures and Security Breaches Caused by Third Parties.

    If there is a Security Breach, Security Exposure or System Failure that affects SUNCOM or any SUNCOM Customer resulting from a breach as described in Rule 60FF-3.005, F.A.C., the providing vendor shall pay the Department liquidated damages in proportion to the vendor’s liability share. The amount of the liquidated damages shall be equal to the Department’s costs to resolve the Security Breach, Security Exposure or System Failure, repair consequential damages and establish protections to prevent recurrence. The Department’s costs shall consist of SUNCOM staff time, and any equipment, expenses or vendor charges related to the effort.

    (1) No change.

    (2) The vendor shall also pay all costs associated with damages experienced by SUNCOM Customers affected by the System Failure, Security Exposure or Security Breach in proportion to the vendor’s relative liability. The costs associated with said damages shall be calculated in a good faith and equitable manner by each affected SUNCOM Customer.

    Rulemaking Authority 282.702(2), (9), 282.707(2) FS. Law Implemented 282.702(2), (8), (12), 282.703, 282.704, 282.705, 282.706, 282.707 FS History–New 6-25-08, Amended                            .

     

    60FF-3.008 Management and Distribution of State Numbers and Addresses.

    The Department, as the provider of the State Network, shall own, manage and establish standards for the communications addressing, directory services, and the state numbering plans for State computing and telephony communications and the State Network. This applies to the following:

    (1) No change.

    (2) For all phone numbers, regardless of when they were distributed, the Department shall distribute and/or authorize numbers to Customers of the network, and/or delegate management of subsidiary groups of numbers to Customers of the network.

    (3) through (4) No change.

    (5) Telephone numbers and electronic addresses provided by the Department as part of the SUNCOM Service offering belong to the Department and cannot be given to another entity without the Department’s express written consent.

    (6) No change.

    Rulemaking Authority 282.702(2), (9), 282.707(2) FS. Law Implemented 282.702(2), (8), (12), 282.703, 282.704, 282.705, 282.706, 282.707 FS History–New 6-25-08, Amended                            .

     

    NAME OF PERSON ORIGINATING PROPOSED RULE: Robert Downie, Deputy Director, Division of Telecommunications

    NAME OF AGENCY HEAD WHO APPROVED THE PROPOSED RULE: J. Todd Inman, Secretary, Department of Management Services

    DATE PROPOSED RULE APPROVED BY AGENCY HEAD: January 24, 2022

    DATE NOTICE OF PROPOSED RULE DEVELOPMENT PUBLISHED IN FAR: March 3, 2021

Document Information

Comments Open:
2/3/2022