“This is one of the first times — at least in recent history — where, whether for licenses or subscriptions, purchases have been made with an enterprise focus in mind,” Grant said. “This is a use case to show you what it can look like.”
The roughly 20 participating agencies collectively represent “the overwhelming majority of [state government] employees,” Grant said, and they agreed to share telemetry data as part of this initiative.
The $15.9 million for the contract comes out of $30 million of one-time cybersecurity funding that the Legislature set aside for FL[DS] last year. Grant said this new approach to purchasing was more cost-effective than the current state term contract and saved an estimated $4.1 million. The deal also sees vendors provide support with implementing and managing the newly acquired infrastructure.
The announcement comes alongside FL[DS] goals to revamp the state’s approach to technology acquisition and win the trust of other state agencies and local government.
Procurement processes have traditionally been a pain point for the state, with the CIO citing past technology projects that ran heavily over budget or were canceled after spending significant sums.
He called for pushing agencies to evaluate technologies more deeply before buying them.
“If you want to change the performance of technology projects, you have to start before you buy it; you cannot wait until it’s time to perform oversight,” Grant said. “There is no current requirement. You can spend $100 million in the state of Florida on technology and never have to run a capacity test, never have to run a load test to be able to tell us how many transactions per second before it breaks.”
FL[DS] is working to modernize the enterprise architecture, to provide agencies with a clear framework of standards they can consider when making IT procurements. Those could include having the prospective software undergo penetration testing and testing the development and production environments.
But following these vetting standards will be voluntary, something Grant said is key to getting other agencies to trust the Digital Service.
“I’m not going to go in and be the auditor that beats them up and says, ‘Have you done? Have you done?’” Grant said. “We can get the trust if we work collaboratively. And so, we’re going to have really high standards, but also deploy a self-governance model.”
What Grant said he hopes will motivate agencies to pre-assess IT purchases is that if agencies follow the guidance and something still goes wrong, FL[DS] will share the blame; if agencies bypass the advice, they alone will be on the hook.
Lack of trust has been a problem in the past for FL[DS], which is still working to get agencies and local governments to see it as an ally. Grant said local agencies suffering cyber incidents are sometimes reluctant to give FL[DS] the level of access it needs to be truly helpful, due to concern that the Digital Service will penalize them if it discovers something amiss.
This both hamstrings FL[DS]’s ability to assist and creates risk that the compromise will spread to other parts of the state network, Grant said.
Establishing a managed virtual cybersecurity operations center (CSOC) is another significant goal for FL[DS], with work underway, Grant said. He said it will be multi-vendor to avoid over-reliance on one provider.
The CSOC’s core responsibilities will include managing and defending the state’s data assets. But plenty of groundwork needs to be laid first, because the state currently lacks a clear accounting of all the data held by its various agencies. Better information will let FL[DS] respond to incidents and prepare recovery efforts more effectively, Grant said.
“We don’t know what we have, where we keep it, who owns it, who manages it, why it matters, what it’s dependent on,” Grant said. “We may know it in different pockets: the State Data Center may know it for the operation of the State Data Center. That does not mean that the State Data Center knows it for an agency that has an application sitting in the State Data Center, as one example.”
Grant also said the CSOC will work to shift all state agencies from .com websites to more secure .gov ones.