Can I use third-party cloud storage services that collect personal information in Florida? What are the requirements?
Using Third-Party Cloud Storage Services in Florida
If you are a state agency in Florida, you may use third-party cloud storage services that collect personal information, but you must comply with certain requirements. These requirements are outlined in FLREG 60GG-4.002, FLREG 60GG-4.003, FLREG 60GG-4.004, and FLREG 60GG-4.001.
FLREG 60GG-4.002 requires state agencies to establish formal procedures for procuring information technology that establish a preference for cloud computing. When procuring cloud services, state agencies must consult with the Florida Digital Service to ensure compatibility and security. State agencies must also maintain a comprehensive, documented record of applications, workload, data, and services procured or placed into a cloud service provider environment.
Additionally, state agencies must ensure that security and interoperability with applications that interface outside the cloud service provider’s cloud are well documented and addressed, including data egress charge models. Technical security controls must be commensurate with the data’s classification, and contracts must reflect the restriction on the geographic location of data to the continental United States unless approved in writing by the agency head or designee.
Prior to execution of the contract and deployment of a cloud computing service, the state agency shall ensure that the cloud service provider delivers audit reports based on the classification of the data, for the agency assessment of the effectiveness and suitability of the cloud service provider. During the contract term, the state agency will ensure that the security controls required under subsection (5) of the rule are well documented and addressed.
The state agency will maintain data ownership and will include contractual provisions for portability for risk management purposes. The state agency will include contract provisions, associated with end of contract or breach of contract, that fully document the exit strategy for cloud computing services or applications, including data acquisition, migration strategy, high-level timeline, and costs. The contract will provide for performance and service level monitoring and reporting from the cloud service provider to the state agency. The state agency will ensure contractual financial consequences are included in the contract in the event of the cloud service provider’s failure to perform as agreed under the terms of the service level agreement, consistent with applicable law.
FLREG 60GG-4.003 requires state agencies to document the controls and processes that are in place to proactively control cloud spend and maintain acceptable budgeted versus actual variances. State agencies must establish and document, in advance of contract execution, an acceptable threshold for budgeted variance and mitigation plan based upon risk tolerance. State agencies must perform a documented review of budgeted versus actual cloud spend on a monthly basis and maintain records for at least 24 months or in compliance with retention schedules, whichever is longer.
FLREG 60GG-4.004 requires state agencies to document a risk mitigation strategy including but not limited to an exit strategy specific to application criticality and business continuity needs. The state agency will ensure that the documented risk mitigation strategy is supported by the contract with the cloud service provider. The state agency will identify and document all current security rules and applicable standards that apply to state agency applications regardless of hosting infrastructure. The state agency will base the data classification on the Federal Information Processing Standards (FIPS) Publication No. 199. The state agency will develop a security plan that documents compliance with applicable data classification requirements. The state agency will conduct and document a security assessment for the implementation of each cloud service, which will contain data classified as moderate or higher based on the data classification of FIPS Publication No. 199, and consider the potential risk of breach of data deployed in the cloud. This assessment may be performed by a third party (to include a government entity).
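The rule ties the security assessment to the FIPS 199 classification of the data, so an agency needs a repeatable way to derive that classification before it can decide whether the assessment is triggered. The following is an added example, not text from the Reggi answer or from the Florida rules: it applies the FIPS 199 "high-water mark" (the overall impact level is the highest of the confidentiality, integrity and availability levels, which is FIPS 199's own rule) and then flags whether 60GG-4.004's documented assessment applies because the data is moderate or higher. The class and function names, the summary dictionary keys and the two sample workloads are this example's own assumptions.

```python
"""Added example: FIPS 199 high-water-mark categorisation and the
60GG-4.004 assessment trigger. Names and sample data are constructed."""
from dataclasses import dataclass

# FIPS 199 potential impact levels, ordered from lowest to highest.
LEVELS = ("low", "moderate", "high")


@dataclass(frozen=True)
class ImpactProfile:
    """Potential impact for each FIPS 199 security objective."""
    confidentiality: str
    integrity: str
    availability: str


def _normalise(level: str) -> str:
    """Accept any capitalisation but reject levels FIPS 199 does not define."""
    lvl = level.strip().lower()
    if lvl not in LEVELS:
        raise ValueError(f"unknown FIPS 199 impact level: {level!r}")
    return lvl


def categorize(profile: ImpactProfile) -> str:
    """Overall FIPS 199 category of an information type (high-water mark)."""
    levels = [
        _normalise(profile.confidentiality),
        _normalise(profile.integrity),
        _normalise(profile.availability),
    ]
    return max(levels, key=LEVELS.index)


def assessment_required(profile: ImpactProfile) -> bool:
    """60GG-4.004: a documented security assessment is required when the
    cloud service will hold data classified moderate or higher."""
    return LEVELS.index(categorize(profile)) >= LEVELS.index("moderate")


def plan_cloud_service(name: str, profile: ImpactProfile) -> dict:
    """Summarise the classification-driven obligations for one planned
    cloud workload. Keys are this example's own, not a state form."""
    return {
        "service": name,
        "fips199_category": categorize(profile),
        "security_assessment_required": assessment_required(profile),
        # 60GG-4.002: data stays in the continental United States unless the
        # agency head or designee approves otherwise in writing.
        "data_location": "continental United States unless approved in writing",
    }


# Constructed samples: a public-notice archive and a system holding
# personal information about benefit recipients.
SAMPLES = {
    "public-notices": ImpactProfile("low", "low", "low"),
    "benefits-records": ImpactProfile("moderate", "moderate", "low"),
}

if __name__ == "__main__":
    for service, profile in SAMPLES.items():
        print(plan_cloud_service(service, profile))
```

Running the module prints one summary per sample; the benefits system comes out as moderate and therefore needs the documented assessment, while the public-notice archive does not. Because the categorisation is the high-water mark, a single moderate objective is enough to trigger the assessment even when the other two objectives are low.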
FLREG 60GG-4.001 states that these rules apply to state agencies as defined in Section 282.0041, F.S. These rules are designed to further state agency implementation of the cloud-first policy as provided in Section 282.206, F.S., that requires state agencies to show a preference for cloud computing services that minimize or do not require the purchasing, financing, or leasing of state data center infrastructure when cloud-computing solutions meet the needs of the agency, reduce costs, and meet or exceed the applicable state and federal laws, regulations, and standards for information technology security.
Therefore, if you are a state agency in Florida, you may use third-party cloud storage services that collect personal information, but you must comply with the requirements outlined in FLREG 60GG-4.002, FLREG 60GG-4.003, FLREG 60GG-4.004, and FLREG 60GG-4.001.
Jurisdiction
Florida