State of Florida Enterprise Architecture: Transforming the Way Florida Purchases and Manages State Technology Resources

Version 1.0 Draft

Florida Digital Service, 2555 Shumard Oak Blvd, Tallahassee, FL 32311, digital.

Table of Contents

Definitions
The Blueprint for Florida's Digital Transformation
Foundational Principles
Approach
Enterprise Architecture Framework

Definitions

Access: availability to systems and Data to use functionality or retrieve information.

Accountability: the state of being responsible for something and being obligated to explain, justify, and take responsibility.

Agility: a measurement of how efficiently technology infrastructure can respond to external stimuli.

Artifacts: documents that set forth Customer requirements, intended use, program design, and intended outcomes for strategic Initiatives across the framework.

Benefit: a tangible result from a program change that has quantifiable positive financial Value, such as new or increased revenues, operational efficiencies, cost reductions, new or increased reimbursements, or personnel cost reductions.

Business Domain: includes programs, projects, and services.

Cloud-First Policy: a policy that first considers cloud-computing Solutions in an Enterprise Agency's technology sourcing strategy for technology Initiatives and upgrades whenever possible and feasible (s. 282.206, F.S.).

Code Review: an audit that investigates the coding practices used in the application. The main objective of such reviews is to discover Security defects and potentially identify Solutions.

Customer: Stakeholders of the Enterprise, which includes Floridians, consumers of state government services, all branches of state government, and the individuals providing services to consumers.

Cybersecurity: the protection afforded to an automated Information System to attain the applicable objectives of preserving the confidentiality, integrity, and availability of Data, information, and Information Technology resources.

Data: a subset of structured information in a format that allows such information to be electronically retrieved and transmitted (s. 282.0041(8), F.S.).

Data Catalog: a collection of metadata used to discover and identify Data within the Enterprise and subsequently to facilitate the appropriate inventorying and publication of available Data.

Data Dictionary: a collection of titles, definitions, and attributes of relevant Data within the Enterprise.

Data Domain: includes search, storage, retrieval, and manipulation.

Data Element Inventory: a list showing all individual Data elements contained within relevant databases.

Data Management Plan: describes how Data within a Solution will be managed, maintained, and stored; what Standards will be used; and how Data will be handled and protected during and after project completion.

Data Sharing Agreement: a formal contract that clearly documents what Data is being shared, between which parties, and how the Data can be used. The agreement protects the Enterprise Agency providing the Data, ensuring that the Data will not be misused.

Development Environment: a non-production workspace where programming tools are utilized by developers to create or make changes to applications or software, without affecting anything in the Production Environment.

Digital Interoperability: the technical ability to share and use Data across and throughout the Enterprise (s. 282.0041(23), F.S.).

Enterprise: state agencies, the Department of Legal Affairs, the Department of Financial Services, and the Department of Agriculture and Consumer Services (s. 282.0041(14), F.S.).

Enterprise Agency: any agency within the Enterprise.

Enterprise Agency Chief Data Officer (EA CDO): the person responsible for overseeing Data-related functions of an organization.

Enterprise Agency Chief Information Security Officer (EA CISO): the person responsible for the development, operation, and oversight of Cybersecurity for state technology systems.

Enterprise Agency Chief Information Officer (EA CIO): the person responsible for the management and implementation of information and technology within an organization.

Enterprise Agency Chief Technology Officer (EA CTO): the person responsible for the management of an organization's technological needs.

Enterprise Architecture: a comprehensive operational framework that contemplates the needs and assets of the Enterprise to support Interoperability (s. 282.0041(15), F.S.).

Enterprise Architecture Domain: a subset of the overall Enterprise Architecture. The Domains are Strategy, Business, Systems, Security, Data, Infrastructure, and Testing.

Enterprise Repository: a central location provided by FL[DS] in which data and documentation for Technology Projects, policies, and procedures are stored and managed.

Florida Digital Service (FL[DS]): the entity created to propose innovative Solutions that securely modernize state government, including technology and information services, to achieve Value through digital transformation and Interoperability, and to fully support the Cloud-First Policy as specified in section 282.206, F.S. FL[DS] is led by the State CIO, who, in conjunction with his or her staff, is responsible for creating, developing, managing, and enforcing the state's Enterprise Architecture. This includes leading the program, involving Stakeholders, and promoting frequent communication between all.

Floridians First: the requirement that the consumers of our services always be considered first when making Technology Asset decisions.

Functional Requirements: a description of what software must do and how the system must respond to inputs.

Identity and Access Management (IAM): a registration, credentialing, authentication, identity proofing, or attribute management service that may be utilized by more than one relying party or system.

Implementation: the agreed-upon date on which the Customer can use the Solution.

Information System: any information resources organized for the collection, processing, creation, maintenance, use, sharing, dissemination, or disposition of digital information.

Information Technology: equipment, hardware, software, firmware, programs, systems, networks, infrastructure, media, and related material used to automatically, electronically, and wirelessly collect, receive, access, transmit, display, store, record, retrieve, analyze, evaluate, process, classify, manipulate, manage, assimilate, control, communicate, exchange, convert, converge, interface, switch, or disseminate information of any kind or form (s. 282.0041(19), F.S.).

Infrastructure Diagram: displays a high-level picture of the physical architecture, including the assets that make up a system or Solution, the connections between those assets, the clients expected to access the system or Solution, and the relationship of the system or Solution to other assets deployed in the Enterprise.

Infrastructure Domain: includes facilities, networks, and equipment.

Initiative: an investment of resources dedicated to accomplishing an organizational objective.

Load Test: a testing process in which software or an application is tested under a specific expected load. This test helps to determine the impact on the performance of the software or application when it is accessed by multiple users simultaneously.
Penetration Test: a simulated cyberattack against a system, application, or software to check for and document exploitable vulnerabilities.

Peripherals: any external device used to provide input or output for a computer or device.

Persistence: the behavior consistent with the truth that Technology Projects are never finished; a core principle of the approach to the Enterprise Architecture.

Privacy: the relationship between the collection of Data, the expectation of the use of information, and the legal and political issues surrounding them.

Production Environment: a group of physical or virtual computers established for daily use and maintenance of an application in a live environment throughout the term of an application or program.

Risk Assessment: the process of identifying risks to organizational operations, organizational assets, individuals, other organizations, and the nation resulting from the operation of an Information System.

Resilience: a measure of the health and durability of an asset.

Scalability: the ability of a technology Solution to rapidly and exponentially increase its ability to serve additional users.

Security: a condition that results from the establishment and maintenance of protective measures that enable an organization to perform its mission or critical functions despite risks posed by threats to its use of systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the organization's risk management approach.

Security Controls: actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an Information System.

Security Domain: includes risk, controls, audits, monitoring, and response.

Security Scanning: scanning that attempts to verify that an implementation protects Data and maintains functionality as intended.

Security Testing: a process intended to reveal or highlight flaws in a Technology Asset that could put Data and functionality at risk.

Solution: a collection of processes and tools that solve a problem identified within the Strategy Domain.

Standards: required practices, controls, components, or configurations established by an authority.

Stakeholder: a person, group, organization, or State Enterprise Agency involved in or affected by a course of action.

State Chief Information Officer (State CIO): the state Chief Information Officer, who administers the Florida Digital Service.

State Agency: any official, officer, commission, board, authority, council, committee, or department of the executive branch of state government; the Justice Administrative Commission; and the Public Service Commission. The term does not include university boards of trustees or state universities. Unless otherwise specifically provided, the term does not include the Department of Legal Affairs, the Department of Agriculture and Consumer Services, or the Department of Financial Services (cite stat).

Strategy Domain: includes an organization's mission, vision, and strategic goals.

Systems Domain: includes platforms, applications, and Peripherals.

System Security Plan: a formal document that provides an overview of the Security requirements for an Information System and describes the Security Controls in place or planned for meeting those requirements.

Technical Architecture: a description of the platforms, languages, and supporting technological structures that keep an environment functioning.

Technology Asset: an item, whether hardware, software, firmware, computing platform, network device, or other technology component, information, or Data, which is owned, accessed, or used by the Enterprise to carry out the organizational mission or business functions.

Technology Asset in Development: a Technology Asset upon which work has begun but Implementation has not yet occurred.

Technology Asset in Operation: a Technology Asset which has been made operational to Stakeholders or implemented.

Technology Asset Planned: a Technology Asset for which the intent to acquire has occurred but for which procurement has not been officially and publicly initiated.

Technology Project: a relevant Initiative with an established project plan that includes defined objectives and quantifiable metrics.

Technology Program: a collection of Technology Projects.

Testing Domain: includes testing to validate that an Enterprise Agency is in compliance with the Enterprise Architecture framework.

Testing Environment: a separate environment which replicates the Production Environment to support the testing of software, hardware, and network configuration to accomplish its intended goals.

Transparency: a condition where the material facts of an Enterprise are made available in a timely, and preferably reusable, manner.

Usability: the measure of how well a specific user in a specific context can use a product or design to achieve a defined goal effectively, efficiently, and satisfactorily.

User Acceptance Test: the process by which software is made available to actual or prospective users to facilitate testing designed to confirm that the software can carry out the required tasks it was designed to address.

Use Case(s): text and graphical description(s) of the ways that an end user is intended to utilize a Solution.

Use Case Model Tool: a software program that assists users in the development of a Use Case diagram.

Value: a calculation of cost versus Benefit to maximize the amount of Benefit at the lowest cost.

Vulnerability Scanning: a technique used to identify host attributes and associated weaknesses in an Information System, system Security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

The Blueprint for Florida's Digital Transformation

The State of Florida's Enterprise Architecture is a comprehensive operational framework that contemplates the needs and assets of the Enterprise to support Digital Interoperability and to drive modernization and digital transformation. The Enterprise Architecture incorporates an approach that prioritizes the citizens and consumers who receive service. It defines the processes, Standards, terminologies, and technical requirements necessary to improve overall product and service delivery. Development and implementation of this Enterprise Architecture provides the foundation for digital transformation throughout all of state government. The Enterprise Architecture serves as the foundation for Technology Projects by incorporating the strategic, functional, and technological needs within the Enterprise.

2.1 The Approach to Enterprise Governance

The State of Florida created FL[DS] to deliver better government services and Transparency to Floridians through design and technology. The effectiveness of the Enterprise Architecture and subsequent transformations must result in identifiable and quantifiable improvements to state government services consumed by Floridians.

For all Technology Programs and Projects, FL[DS] operates as a consultative resource to support the Enterprise using the FL[DS]-01, Technology Initiative Management Form, or an equivalent of this document.

Florida's Enterprise Architecture, in balancing the need to strive for the highest Standards with the realities of the status quo, will embrace a "may, should, shall" structure.
Technology Assets are separated into three distinct types for the purpose of providing governance:

Technology Assets Planned. For Technology Assets Planned, the Enterprise Agency "shall" comply with the Enterprise Architecture using the FL[DS]-01, Technology Initiative Management Form, or an alternative format that ensures the same deliverables, and FL[DS] shall support Initiatives which align with the Enterprise Architecture.

Technology Assets in Development. For Technology Assets in Development, the Enterprise Agency "should" find the Enterprise Architecture instructive where appropriate, and FL[DS] shall support Initiatives if aligned with the Enterprise Architecture.

Technology Assets in Operation. For Technology Assets in Operation, the Enterprise Agency "may" find this rule instructive as a roadmap to modernization, and FL[DS] shall support Initiatives if aligned with the Enterprise Architecture.

2.2 The Stakeholders Impacted by Enterprise Governance

FL[DS] designed the Enterprise Architecture to serve multiple Stakeholders. The Stakeholders include Floridians, consumers of state government services, all branches of state government, and the Enterprise Agencies providing services to consumers. To gain insight into the needs of the Stakeholders, FL[DS] will implement various workgroups, on an as-needed basis, at the direction of the State CIO or designee. The workgroups will consist of Stakeholders across the Enterprise, including executive leadership, EA CIOs, EA CTOs, EA CISOs, EA CDOs, and their equivalents. The purpose of the workgroups is to provide input, feedback, and insight for changes to technology policies and Standards that produce Benefits for Florida's governmental agencies and the operations of their departments.

Foundational Principles

When designing an Enterprise Architecture, an organization must identify Values that are fundamental to decisions related to the process and structure of the organization's technology decisions. The Values act as a guide to ensure that tactical decisions are in the best interest of the organization. FL[DS] has identified the following Values for the development of the state's Enterprise Architecture. The following principles must be considered when making technology decisions.

3.1 Floridians First. Make Floridians and consumers of government services the priority when making technology decisions.

3.2 Value Based. Calculate the price and the Benefit when making decisions to deliver the maximum amount of Benefit at the lowest cost. A calculation of Value must include both Benefit and cost.

3.3 Security. Take every available measure to ensure that all relevant state assets and technology resources are secure and properly monitored.

3.4 Usability. Deliver consistent, high-quality, accurate, and intuitive experiences for all Customers.

3.5 Access. Provide and maintain availability of systems and Data to authorized users.

3.6 Accountability. Establish benchmarks, performance metrics, and quantitative evaluations that allow agencies, departments, groups, and individuals to be recognized for their accomplishments.

3.7 Transparency. Deliver timely, accurate, and reliable information to provide operational visibility to Stakeholders.

3.8 Privacy. Establish controls that protect users' information, uphold the law, and inspire confidence for users of Enterprise Architecture Solutions.

3.9 Agility. Encourage iterative design, rapid implementation, continuous measurement of performance, and necessary calibration.

3.10 Scalability. Design services, technologies, and Solutions that are rapidly expandable in a time- and cost-effective manner.

3.11 Resilience. Maintain functionality while surviving time, use, and threats.

3.12 Persistence. Recognize that technology is, by definition, iterative, and as a result is never completed.

Approach

The State of Florida's Enterprise Architecture approach has been developed on seven core elements: governance; methods; framework; Standards and best practices; project management and oversight; the FL[DS]-01, Technology Initiative Management Form, and supporting Artifacts; and the Enterprise Repository. Each element is further described within the following sections. These elements must be considered within the Enterprise Architecture Domains.

Governance

The core element of governance identifies the decision-making, planning, and oversight processes and the groups that determine how the Enterprise Architecture is developed and maintained. As referenced in section 2.1 of this document, FL[DS] is empowered to propose innovative Solutions that securely modernize state government, which includes technology and information services, fully support the Cloud-First Policy, and achieve Value through the digital transformation and Interoperability of the Enterprise. Governance includes, but is not limited to, compliance with Enterprise Architecture Standards and best practices published by FL[DS]. FL[DS] is entrusted with the establishment and execution of appropriate processes and compliance. The goal is to assess and assist agencies in complying with all requirements set forth in statute or rule and in implementing best practice Standards published by FL[DS].

Methods: Updating, Managing, and Collaborating

The following methods are provided to prescribe how FL[DS], in conjunction with Enterprise Agencies, will update, manage, and collaborate on future iterations of the Enterprise Architecture.

Method: Updating of Enterprise Architecture. Periodic updates to the Enterprise Architecture are required. Each method has its own documented process for identifying a change, vetting its appropriateness, and implementing it across the Enterprise. A minimum requirement of the updating process is proper communication, which starts with an announcement of potential updates to the workgroups, is followed by feedback from the workgroups, and ends with an announcement to the Enterprise.

Method: Internal Management. FL[DS] is staffed with both technical and non-technical leadership who are responsible for continually assessing and improving the Enterprise Architecture. FL[DS] will continually assess the effectiveness of both the technical and non-technical components of the Enterprise Architecture to identify opportunities and needs for revision. Revisions will be implemented in accordance with rule, statute, published policies, and best practices.

Method: External Collaboration. The Enterprise consists of technical and non-technical leadership who possess specific capabilities that contribute to the development and improvement of the Enterprise Architecture. FL[DS] will collaborate with Enterprise Stakeholders, through various means, to obtain input on the Enterprise Architecture. These efforts will be focused on discovering and understanding Enterprise or Stakeholder needs or opportunities, as well as delivering compliant and secure Solutions.

Framework

The Enterprise Architecture framework is a model that defines the individual parts (i.e., the Enterprise Architecture Domains) of the Enterprise Architecture and their relationships to one another. Defining the Domains of the Enterprise Architecture allows for further definition of the scope of projects and strategic Initiatives. The Enterprise Architecture framework includes seven architecture Domains: Strategy, Business, Systems, Security, Data, Infrastructure, and Testing.

Standards and Best Practices

FL[DS] maintains its technology Standards within Rule Chapters 60GG-1 through 60GG-5, F.A.C., published policies, and guidance in accordance with section 282.0051(1)(f), F.S. The Enterprise Architecture provides context for when and how a Standard is used. A Standard is an established method in the public or private sector that helps organizations ensure a minimum level of performance. The Standards and best practices provide tactical requirements and recommendations associated with current technology tools and services.

Project Management and Oversight

In accordance with section 282.0051, F.S., FL[DS] is responsible for numerous functions and activities focused on de-risking Technology Projects. These functions are project oversight, project management, and independent verification and validation. The Enterprise Architecture should serve as a foundation to streamline these functions throughout the project lifecycle. Streamlining these functions will reduce administrative burden, lower operating costs, and create opportunities to produce Value through efficiency and the implementation of best practices.

Form FL[DS]-01, Technology Initiative Management Form, and Supporting Artifacts

Each area of the framework has its own set of deliverables, which require supporting Artifacts to document Enterprise Agency specifications, processes, and activities when deploying technology Solutions. The Artifacts ensure that there is a purpose for each Initiative, that requirements are outlined, that implementation is transparent, and that expectations are measured. Artifacts must be maintained and submitted to FL[DS] by the Enterprise Agency or vendor/partner. The documentation must support the information provided by the Enterprise Agency or vendor/partner in the FL[DS]-01, Technology Initiative Management Form. If an agency requests, a vendor/partner must maintain and submit the FL[DS]-01 and its supporting Artifacts for submission to the Enterprise Repository. This applies to all deliverables and Artifacts required by this document. The intent is to reduce duplication of effort.
Enterprise Repository

FL[DS] will create and maintain an Enterprise Repository of completed FL[DS]-01, Technology Initiative Management Forms, or their equivalent, and supporting documentation for storage in the Enterprise.

Enterprise Architecture Framework

The Enterprise Architecture provides guidance for the design, planning, and implementation of technology Initiatives across the State of Florida. The framework consists of seven Enterprise Architecture Domains that must be addressed throughout the life cycle of technology-related Initiatives. The Enterprise Architecture Domains are intended to be completed in sequence, each building systematically on the previous one, in conjunction with the project implementation phases. This framework is intended to be used for all projects that create a material change to technologies used within the Enterprise. This framework must be applied to all Technology Asset acquisitions exceeding $100,000.

Initiation of a project is accomplished by submitting the FL[DS]-01, Technology Initiative Management Form, with the Strategy, Business, and Systems Domains completed in accordance with rule 60GG-5.002(7)(a), F.A.C. The Security, Data, Infrastructure, and Testing Domains must be completed in accordance with rule 60GG-5.002(7)(b), F.A.C. The Security Domain must be considered during implementation of all other Domains. The Security, Data, Infrastructure, and Testing Domain requirements must be included in any external contract as a mandatory requirement for acceptance.

The following Domains and the deliverables identified within them provide Standards for assessing an Enterprise Agency's compliance with the Enterprise Architecture when planning, implementing, and evaluating Technology Assets in Operation, Technology Assets in Development, and Technology Assets Planned. Enterprise Agencies may submit requests in writing to the State CIO to confirm whether the Enterprise Agency's Technology Assets are in compliance with the Enterprise Architecture Standards. The State CIO or designee will provide a response verifying compliance or providing additional guidance for bringing the Enterprise Agency into compliance with the Enterprise Architecture Standards.

5.1 Strategy Domain

The Strategy Domain works as a foundation to ensure that all Initiatives have a clear vision, viable Use Cases, and defined strategic goals. The Strategy Domain defines the purpose of the Initiative, the problem in need of a Solution, and the intended results. For the following deliverables, the Enterprise Agency designee shall collect, document, and ensure accuracy and availability of documentation within the Enterprise Repository:

Strategy Domain Deliverables

5.1.1 Problem and Opportunity: Identify the problems and opportunities that will drive the development of project goals. Describe the service being delivered through the use of technology. Describe how the existing technology supports the delivery of the service. Summarize the problem being addressed by the Solution. Identify opportunities for innovation and improvement expected as a result of the success of the project.

5.1.2 Impacts: Identify Stakeholders and how they will be impacted, to increase understanding of how the consumer will benefit from and utilize the service. Identify the consumers of the relevant services. Describe how the services are provided. Identify and list tangible benefits to the consumers of services. Describe how innovation will improve the delivery of services.

5.1.3 Project Goals: Create written project goals to ensure the project succeeds on schedule and on budget. Establish timelines. Identify deadlines. Create milestones for project implementation.

5.1.4 Metrics: Establish metrics to measure outcomes and evaluate the project's success, which will be used to ensure Accountability. Identify the metrics that will be used to measure the project's success. Explain how the metrics will be used to evaluate the project's success, meaning that the criteria are easily measurable and non-negotiable during the procurement phase of the project. List the ways in which improvement will be measured (e.g., impact on revenues, expenditures, and/or operational efficiencies). Indicate whether the metrics will be tied to any vendor penalty or incentive.

5.2 Business Domain

The Business Domain transforms the strategy into tactical requirements for implementation. This Domain requires the drafting of business requirements inclusive of Use Cases and Functional Requirements. Once the business requirements are complete, the Enterprise Architecture requires the identification of a funding source and a budget for the Technology Project. For the following deliverables, the Enterprise Agency designee shall collect, document, and ensure accuracy and availability of documentation within the Enterprise Repository:

Business Domain Deliverables

5.2.1 Requirements: Identify federal and state mandates to ensure that Enterprise Agencies meet the requirements for program administration. List any statutory, administrative, department, Security, or other compliance-related requirements. Include within the list required implementation dates, if applicable.

5.2.2 Use Case(s) for the Solution: Define the Use Case(s) to ensure the Solution will address the problem(s) and opportunities identified. Describe a scenario to demonstrate how the project will fulfill the need(s). Describe the ways in which a user interacts with a system or product. Identify the success scenarios, the failure scenarios, and any critical variations or exceptions. This may be written or made visual with the help of a Use Case Model Tool.

5.2.3 Functional Requirements: Identify the Functional Requirements needed for Stakeholders' interaction with the Solution. Summarize and define the actions to be performed by Stakeholders and the specific actions needed to achieve the outcomes defined in the Use Case(s). Actions can be performed by Stakeholders and by systems.

5.2.4 Allocated Budget: Identify the baseline for the lifecycle of the project to ensure the project is within budget. Provide the estimated amount budgeted for the Technology Project. The estimated Technology Project budget must specify baseline costs expected over the entire procurement and project lifecycle, identifying all one-time costs from project initiation to Implementation, and any recurring costs. Identify and describe the planned sources of project funds (e.g., General Revenue, Trust Fund, Grants). Specify the total recurring and non-recurring amounts.

5.3 Systems Domain

The Systems Domain comprises the selection of platforms, the development of applications, and the integration of existing assets. The selection of Technology Assets must be conducted through a systematic process that includes identifying opportunities to improve efficiencies and determining whether Interoperability exists across the Enterprise. The systematic process should also evaluate potential reuse of applications currently deployed within the Enterprise and analyze market best practice. For the following deliverables, the Enterprise Agency designee shall collect, document, and ensure accuracy and availability of documentation within the Enterprise Repository:

Systems Domain Deliverables

5.3.1 Currently deployed assets within the Enterprise: Assess currently deployed assets that provide similar functionality to identify potential cost savings and support Interoperability. The Enterprise Agency must verify that there is no available technology within the Enterprise that appropriately solves the Use Case(s).

5.3.2 Market analysis (if new deployment in the Enterprise): Assess market options that provide similar functionality to identify alternative Solutions and potential cost savings. The Enterprise Agency must explore available technology in the market that would better solve the Use Case(s).

5.3.3 Technical Architecture: Describe the Technical Architecture to provide an understanding of the agency's complete technological environment. The Enterprise Agency must develop a diagram demonstrating the arrangement, interaction, and interdependence of the technical assets within the Solution and how it fits into the Enterprise Agency architecture.

5.3.4 Compliance with Enterprise, industry, and Security Standards: Demonstrate alignment with Enterprise, industry, and Security Standards. The Enterprise Agency must indicate which industry Standards are being used (i.e., National Institute of Standards and Technology Federal Information Protection Standards, International Society of Automation, US Department of Defense Standards).

5.4 Security Domain

The Security Domain works to identify risk, ensure Security compliance, monitor threats, and respond to and recover from incidents across the Domains. Compliance requires that all Information Systems adhere to the Security Domain and Chapter 60GG-2, F.A.C., directives. To comply with the Enterprise Architecture, a System Security Plan is required, must remain current, and must be made available in the Enterprise Repository. Each State Enterprise Agency shall work with FL[DS] to transition from a ".com" domain to a "." domain.

For Technology Assets in Operation and Technology Assets in Development, Enterprise Agencies must, within 120 calendar days of the effective date of this rule, propose to FL[DS] a plan and timeline for establishing compliance with Security Domain Standards. Enterprise Agencies must provide a quarterly update on the status of planning and compliance with Security Domain Standards for FL[DS] review. For the following deliverables, the Enterprise Agency designee shall collect, document, and ensure accuracy and availability of documentation within the Enterprise Repository:

Security Domain Deliverables

5.4.1 Security Testing: All Information Systems must employ a process intended to reveal or highlight flaws in the system that could put Data and functionality at risk. Provide policies and procedures for testing, as well as any applicable testing results demonstrating that all Information Systems have completed Security Testing. Testing includes, but is not limited to: Vulnerability Scanning, Security Scanning, Penetration Testing, Risk Assessment, and Code Review. Provide policies and procedures that demonstrate compliance with Chapter 60GG-2, F.A.C.

5.4.2 Comprehensive Risk Assessment and Risk Management Framework: Managing organizational risk is paramount to effective information Security and Privacy programs. Provide policies and procedures that demonstrate compliance with the process(es) outlined in Chapter 60GG-2, F.A.C., which integrate Security, Privacy, and cyber supply chain risk management activities into the system development life cycle.

5.4.3 Transition to the . Namespace: Reduces the risk of malicious action by bad actors while allowing FL[DS] to apply domain standardization and protection to all state government websites. Create an action plan for the Enterprise Agency's transition to the . namespace per the FL Cybersecurity Task Force to facilitate the conversion of state agency websites.
5.4.4 Cybersecurity Adoption: Reduces the risk and cost associated with Cybersecurity across the Enterprise.If an Enterprise Agency chooses to use any tool, Solution, service, or system funded by the Office of the State CIO or designee, the Enterprise must adopt and use the tool, Solution, service, or system as the primary option.5.4.5 Identity and Access Management: Create an IAM plan to facilitate authenticated, secure, and reliable transactions through the validation of the identity of Enterprise devices, applications, entities, and individuals. Create policies and procedures for Identity and Access Management.Data DomainThe Data Domain ensures that Data across the Enterprise is identifiable, cataloged, and accessible to authorized agencies and ensures the confidentiality, integrity, and availability of Data. All Initiatives that store Data must provide a Data Dictionary that provides descriptions of Data elements, identification of Data owned by other entities, and provide Access to the metadata necessary for inclusion with the State of Florida’s Data Catalog. Initiatives that store Data must apply appropriately restricted, authorized, and secure Access as defined in the System Security Plan. For the following deliverables, the Enterprise Agency designee shall collect, document, and ensure accuracy and availability of documentation within the Enterprise Repository:DATA DOMAIN DELIVERABLES5.5.1 Data Element Inventory and Data Dictionary: Create a Data Element Inventory and Data Dictionary to ensure that all state Data assets are inventoried and accounted for across the Enterprise. 
The Enterprise Agency must ensure metadata for datasets are included in, and appropriately available, in the Enterprise Data Catalog.The Enterprise Agency must ensure the business terms for the dataset are completed and documented in the Data Dictionary.5.5.2 Interoperability capabilities and considerations: Document how the Enterprise Agency collects Data and provide a plan to reduce duplicative Data collection. The Enterprise Agency must confirm Data is not already being collected within the Enterprise to reduce duplicative collection.Agencies must consider how Enterprise Agency specific Data can be shared across the Enterprise.5.5.3 Data Management Plan: Provide a Data Management Plan to identify why the Data is being collected and how the Enterprise Agency will manage Access and changes to the Data. A plan that describes the lifecycle of the Data that is collected and managed as a part of this system from collection through archival.5.5.4 Data Sharing Agreements: Establish a process for managing Data Sharing Agreements to mitigate the risk of loss and duplication of Data.The Enterprise Agency must create and adopt a process for reviewing existing Enterprise Agency Data Sharing Agreements. Create an available repository of Data Sharing Agreements. Infrastructure DomainThe Infrastructure Domain establishes the strategic components necessary for hosting technology Solutions. Section 282.206, F.S., provides that each State Enterprise Agency adopts a Cloud-First Policy that considers Cloud-Computing Solutions in its sourcing strategy for technology Initiatives or upgrades whenever possible and feasible. Regardless of the type of environment, technology Initiatives that have custom development must adhere to a minimum three-tiered deployment environment consisting of Development, Testing, and Production Environments. 
New in-house or contracted custom development is to be created in a Development Environment, replicated to test for execution of an appropriate test plan, and then moved to production for business use. The Production and Testing Environments must be functional replicas to ensure proper testing. The Cloud-First Policy must comply with section 282.206, F.S., and rule 60GG-4, F.A.C. Each State Enterprise Agency must also provide public internet protocol (IP) addresses or uniform resource locators (URLs) and domain name to be used with the application. The Infrastructure Domain requires the Enterprise Agency to develop a disaster recovery plan. For the following deliverables, the Enterprise Agency designee shall collect, document, and ensure accuracy and availability of documentation within the Enterprise Repository:INFRASTRUCTURE DOMAIN DELIVERABLES5.6.1 Infrastructure Diagram: Create a diagram to provide the context in which the Solution will exist. Create and maintain a visual diagram of the physical and software assets that comprise the Solution including where the assets are located and how the assets are connected. Identify the Development, Test, and Production Environments as appropriate.5.6.2 Cloud-First Policy compliance: Establishing a Cloud-First Policy supports Interoperability throughout the Enterprise, which may increase efficiencies, and create cost savings. The Enterprise Agency must develop a cloud strategy that aligns with section 282.206, F.S., and Chapter 60GG-4, F.A.C.5.6.3 IP addresses, URLs, domain names, and domain providers: Creating a plan for maintaining IP addresses, URLs, domain names, and domain providers allows for an inventory that identifies resources that are set to expire and require updating.The Enterprise Agency must create a plan that identifies the IP addresses, URLs, domain names, and domain provider(s) used to publicly identify an online interface. 
A maintenance schedule must be established.5.6.4 Disaster recovery plan: Creating a disaster recovery plan reduces risks an agency may face during a disaster.The Enterprise Agency must create a Data recovery plan that identifies a strategy for processing critical applications during a major hardware or software failure, or the destruction of facilities. Testing DomainThe Testing Domain provides assurance the Solution meets the requirements and capacity to bring the Solution online. All Initiatives must include User Acceptance Testing based on documented functional requirements, Use Cases, and metrics. Once an Initiative has passed the User Acceptance Test, a user guide, and training plan must be created. The user guide must provide simple instructions on the use of the Solution. The training plan will outline how the Solution will be communicated to the users and the steps users will take to understand how to gain Access and use the Solution.All technology Initiatives intended to support more than 100 users (inclusive of internal and external) must undergo Load Testing by an independent vendor prior to going to production. The objective of the Load Test is to determine Scalability, elasticity, and potential breaking points. For the following deliverables, the Enterprise Agency designee shall collect, document, and ensure accuracy and availability of documentation within the Enterprise Repository:TESTING DOMAIN DELIVERABLESTesting Environment. The Enterprise Agency must ensure the Testing Environment is included in the Infrastructure Diagram. The Testing Environment must be a replica of the Production Environment. User guide. An Enterprise Agency or vendor must develop a user guide that provides instruction on the use of the application or system from the perspective of a user.Training plan. An Enterprise Agency or vendor must develop a plan to ensure that all users groups receive training necessary to use the application or system.User Acceptance Test results. 
An Enterprise Agency or vendor must demonstrate that the system solves the Use Case(s) and fulfills business requirements.Load Test results. An independent vendor must provide to the Enterprise Agency the results of a test that shows the maximum number of connections and transactions supported by the system for application without degradation of service. ................