Florida League of Cities

Cybersecurity (Support) – PASSED 

CS/HB 7055 (State Administration and Technology Appropriations Subcommittee, Giallombardo) creates the Local Government Cybersecurity Act. The bill requires all local government employees with access to the government’s network to complete a basic cybersecurity training within 30 days after they begin employment and annually thereafter. All local government technology employees and employees with access to highly sensitive information will be required to complete more advanced cybersecurity training. The Florida Digital Service will develop and provide these trainings. The bill also requires local governments to adopt cybersecurity standards that safeguard their data, information technology and information technology resources to ensure availability, confidentiality and integrity. The standards must be consistent with generally accepted best practices for cybersecurity, including the National Institute of Standards and Technology (NIST) and Technology Cybersecurity Framework. Municipalities with a population over 25,000 must comply by January 1, 2024. Municipalities with a population under 25,000 must comply by January 1, 2025. The bill also requires local governments to report cybersecurity incidents and ransomware incidents to the State Watch Office as soon as possible but no later than 48 hours after discovery for a cybersecurity incident and 12 hours after discovery for a ransomware incident. The bill also prohibits state agencies, counties and municipalities from paying or otherwise complying with a ransom demand. The budget includes $67 million of nonrecurring state funding to assist local governments in complying with the provisions of the bill. 

The bill was amended to add more clarity regarding the type of cyber incidents that need to be reported by a local government. The amendment defines the levels of severity of a cybersecurity incident set by the U.S. Department of Homeland Security National Cyber Incident Response Plan. All incidents that could be described as levels 3-5 in severity shall be reported to the Cybersecurity Operations Center with the timelines specified above. Level 1-2 incidents may be reported if the local government chooses. The amendment also requires the advanced training to include training on the incident levels. CS/HB 7055 passed the House (110-0) and the Senate (38-0) and is awaiting action by the Governor. (Taggart)