CS/HB 7055 (State Administration and Technology Appropriations Subcommittee, Giallombardo) and CS/CS/SB 1670 (Hutson) create the Local Government Cybersecurity Act. The bills require all local government employees with access to the government’s network to complete basic cybersecurity training within 30 days after they begin employment and annually thereafter. All local government technology employees and employees with access to highly sensitive information will be required to complete more advanced cybersecurity training. The Florida Digital Service will develop and provide these trainings. The bills also require local governments to adopt cybersecurity standards that safeguard their data, information technology and information technology resources to ensure availability, confidentiality and integrity. The standards must be consistent with generally accepted best practices for cybersecurity, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Municipalities with a population over 25,000 must comply by January 1, 2024. Municipalities with a population under 25,000 must comply by January 1, 2025. The bills also require local governments to report cybersecurity incidents and ransomware incidents to the State Watch Office as soon as possible but no later than 48 hours after discovery for a cybersecurity incident and 12 hours after discovery for a ransomware incident. The bills also prohibit state agencies, counties, and municipalities from paying or otherwise complying with a ransom demand. The recommended committee budget includes over $60 million of nonrecurring state funding to assist local governments in complying with the provisions of the bill.
The bills were amended to clarify which types of cyber incidents a local government must report. The amendment defines the levels of severity of a cybersecurity incident set by the U.S. Department of Homeland Security National Cyber Incident Response Plan. All incidents that could be described as levels 3-5 in severity shall be reported to the Cybersecurity Operations Center within the timelines specified above. Level 1-2 incidents may be reported if the local government chooses. The amendment also requires the advanced training to include training on the incident levels. (Taggart)