RESOLUTION NO. 2023-32733
A RESOLUTION OF THE MAYOR AND CITY COMMISSION OF THE
CITY OF MIAMI BEACH, FLORIDA, ACCEPTING THE WRITTEN
RECOMMENDATION OF THE CITY MANAGER, AND WAIVING, BY
5/7THS VOTE, THE COMPETITIVE BIDDING REQUIREMENT AS TO
FUTURE CYBERSECURITY-RELATED EQUIPMENT, SOFTWARE,
AND/OR SERVICES SPECIFICALLY INVOLVING CITY'S CRITICAL
CYBERSECURITY INFRASTRUCTURE (INCLUDING NETWORK
SCHEMATICS, HARDWARE AND SOFTWARE CONFIGURATIONS,
ENCRYPTION INFORMATION OR INFORMATION THAT IDENTIFIES
DETECTION, INVESTIGATION, OR RESPONSE PRACTICES FOR
SUSPECTED OR CONFIRMED CYBERSECURITY INCIDENTS),
FINDING SUCH WAIVER TO BE IN THE CITY'S BEST INTEREST, IN
ORDER TO PROTECT THE CONFIDENTIAL AND EXEMPT NATURE
OF CITY'S CYBERSECURITY SYSTEMS AND ASSETS, AS
EXPRESSLY AUTHORIZED BY THE FLORIDA LEGISLATURE;
FURTHER, AUTHORIZING THE CITY MANAGER AND CITY CLERK TO
NEGOTIATE AND EXECUTE AGREEMENTS FOR CYBERSECURITY
EQUIPMENT, SOFTWARE OR SERVICES WITH SELECTED
PROVIDERS UP TO AN AMOUNT NOT-TO-EXCEED $500,000,
PROVIDED THAT THE CITY ADMINISTRATION SHALL ENDEAVOR
TO OBTAIN AT LEAST TWO (2) QUOTATIONS FROM QUALIFIED
SUPPLIERS/VENDORS PRIOR TO ENTERING INTO ANY CONTRACT
PURSUANT TO THIS RESOLUTION; AND FURTHER REQUIRING THE
ADMINISTRATION TO REPORT TO THE CITY COMMISSION ALL
PURCHASES MADE PURSUANT TO THIS RESOLUTION ON A
QUARTERLY BASIS, VIA LETTER TO COMMISSION.
WHEREAS, with the increasing reliance on technology and the growing threat of
cyber attacks, phishing, ransomware, and other cyber intrusions, governments have
been taking proactive steps to strengthen their cyber security and data privacy
measures; and
WHEREAS, in 2022, the Florida Legislature enacted a series of bills to tackle
cyber security and ransomware incidents, to protect the public, and ensure the security
of government systems and data; and
WHEREAS, Section 282.3185 of the Florida Statutes establishes a
comprehensive framework for managing and mitigating cyber security risks, including
the use of best practices for information technology security, risk assessments, and
incident response plans, and requires local governments to regularly update their cyber
security measures to adapt to evolving threats and vulnerabilities; and
WHEREAS, the City's Information Technology (IT) Department is tasked with
procuring various services to enhance the City's cyber security infrastructure and
defense mechanisms; and
WHEREAS, the procurement process and issuance of competitive solicitations
for cybersecurity services necessarily requires sensitive information about the City's
purchases and cyber security strategies, which could compromise the effectiveness of
these strategies and potentially jeopardize the City's cyber defenses; and
WHEREAS, Florida Statute 119.0725 provides municipalities with the authority to
exempt information critical to cyber infrastructure from public records disclosure to
ensure the security and resilience of such infrastructure; and
WHEREAS, specifically, pursuant to Fla. Stat. §119.0725(1)(b), the following are
confidential and exempt from public record requirements: (1) cybersecurity insurance
coverage limits and deductible self-insurance amounts, (2) information related to critical
infrastructure, and (3) network schematics, hardware and software configurations, or
encryption information or information that identifies detection, investigation, or response
practices for suspected or confirmed cybersecurity incidents; and
WHEREAS, further, Fla. Stat. §119.0725(1)(b) defines critical infrastructure as
"existing and proposed information technology systems and assets, whether physical or
virtual, the incapacity or destruction of which would negatively affect security, economic
security, public health, or public safety"; and
WHEREAS, the City recognizes the critical importance of maintaining the
security and integrity of its cyber infrastructure and information systems, and is
committed to upholding all applicable laws and regulations while proactively
safeguarding its cyber environment against potential threats and vulnerabilities; and
WHEREAS, the protection of sensitive cyber security information is essential to
safeguarding the City's technological assets and ensuring the privacy of its residents;
and
WHEREAS, as a result, the Mayor and City Commission wish to waive
competitive bid requirements for procurements specifically related to cyber security, as
further articulated in the Commission Memorandum accompanying this Resolution; and
WHEREAS, for the reasons set forth herein and in the accompanying City
Commission memorandum, the City Manager has recommended the waiver of the
competitive bidding requirement for future purchases of cybersecurity-related
equipment, software, and/or services specifically involving the City's critical
cybersecurity infrastructure (including existing and proposed information technology
systems and assets, whether physical or virtual, the incapacity or destruction of which
would negatively affect security, economic security, public health, or public safety), up to
an amount not-to-exceed $500,000; and
WHEREAS, the Mayor and City Commission wish to accept the City Manager's
recommendation, provided that the City Administration shall endeavor to obtain at least
two (2) quotations from qualified suppliers/vendors prior to entering into any contract
pursuant to this Resolution.
NOW, THEREFORE, BE IT DULY RESOLVED BY THE MAYOR AND CITY
COMMISSION OF THE CITY OF MIAMI BEACH, FLORIDA, that the Mayor and City
Commission hereby accept the written recommendation of the City Manager, and
waive, by 5/7ths vote, the competitive bidding requirement as to future
cybersecurity-related equipment, software, and/or services specifically involving the City's critical
cybersecurity infrastructure (including network schematics, hardware and software
configurations, encryption information or information that identifies detection,
investigation, or response practices for suspected or confirmed cybersecurity incidents),
and find such waiver to be in the City's best interest, in order to protect the confidential
and exempt nature of City's cybersecurity systems and assets, as expressly authorized
by the Florida Legislature; further, authorize the City Manager and City Clerk to
negotiate and execute agreements for cybersecurity equipment, software or services
with selected providers up to an amount not-to-exceed $500,000, provided that the City
Administration shall endeavor to obtain at least two (2) quotations from qualified
suppliers/vendors prior to entering into any contract pursuant to this Resolution; and
further, require the Administration to report to the City Commission all purchases made
pursuant to this Resolution on a quarterly basis, via Letter to Commission.
PASSED and ADOPTED this 13 day of September, 2023.
ATTEST:
Rafael E. Granado, City Clerk
Dan Gelber, Mayor
APPROVED AS TO
FORM & LANGUAGE
& FOR EXECUTION
City Attorney / Date
MIAMI BEACH
COMMISSION MEMORANDUM
TO: Honorable Mayor and Members of the City Commission
FROM: Alina T. Hudak, City Manager
DATE: September 13, 2023
SUBJECT: A RESOLUTION OF THE MAYOR AND CITY COMMISSION OF THE CITY
OF MIAMI BEACH, FLORIDA, ACCEPTING THE WRITTEN
RECOMMENDATION OF THE CITY MANAGER, AND WAIVING, BY 5/7TH
VOTE, THE COMPETITIVE BIDDING REQUIREMENT AS TO FUTURE
CYBER SECURITY RELATED SOFTWARE AND/OR SERVICES
SPECIFICALLY INVOLVING CITY'S CRITICAL CYBERSECURITY
INFRASTRUCTURE (INCLUDING NETWORK SCHEMATICS, HARDWARE
AND SOFTWARE CONFIGURATIONS, ENCRYPTION INFORMATION OR
INFORMATION THAT IDENTIFIES DETECTION, INVESTIGATION, OR
RESPONSE PRACTICES FOR SUSPECTED OR CONFIRMED
CYBERSECURITY INCIDENTS), FINDING SUCH WAIVER TO BE IN THE
CITY'S BEST INTEREST, IN ORDER TO PROTECT THE CONFIDENTIAL
AND EXEMPT NATURE OF CITY'S CYBERSECURITY SYSTEMS AND
ASSETS, AS EXPRESSLY AUTHORIZED BY THE FLORIDA
LEGISLATURE; FURTHER, AUTHORIZING THE CITY MANAGER AND
CITY CLERK TO NEGOTIATE AND EXECUTE AGREEMENTS FOR CYBER
SECURITY SOFTWARE OR SERVICES WITH SELECTED PROVIDERS
UP TO AN AMOUNT NOT-TO-EXCEED $500,000; AND FURTHER
REQUIRING THE ADMINISTRATION TO REPORT TO THE CITY
COMMISSION ALL PURCHASES MADE PURSUANT TO THIS
RESOLUTION ON A QUARTERLY BASIS, VIA LETTER TO COMMISSION.
RECOMMENDATION
Adopt the Resolution
BACKGROUND/HISTORY
With the increasing reliance on technology and the growing threat of cyber-attacks, phishing,
ransomware, and other cyber intrusions, governments have been taking proactive steps to
strengthen their cyber security and data privacy measures.
In 2022, the Florida Legislature enacted a series of bills to tackle cyber security and
ransomware incidents to protect the public, and ensure the security of government systems
and data. Section 282.3185 of the Florida Statutes establishes a comprehensive framework
for managing and mitigating cyber security risks, including the use of best practices for
information technology security, risk assessments, and incident response plans, and requires
local governments to regularly update their cyber security measures to adapt to evolving
threats and vulnerabilities.
The City's Information Technology (IT) Department is tasked with procuring various services
to enhance the City's cyber security infrastructure and defense mechanisms. The
procurement process often involves sensitive information about the City's purchases and
cyber security strategies, which could compromise the effectiveness of these strategies and
potentially jeopardize the City's cyber defenses.
Florida Statute 119.0725 provides municipalities with the authority to exempt information
critical to cyber infrastructure from public records disclosure to ensure the security and
resilience of such infrastructure. Specifically, per 119.0725, the following are confidential
and exempt from public record requirements: (1) cybersecurity insurance coverage limits and
deductible self-insurance amounts, (2) information related to critical infrastructure, and (3)
network schematics, hardware and software configurations, or encryption information or
information that identifies detection, investigation, or response practices for suspected or
confirmed cybersecurity incidents. Section 1(b) of 119.0725 defines critical infrastructure as
"existing and proposed information technology systems and assets, whether physical or
virtual, the incapacity or destruction of which would negatively affect security, economic
security, public health, or public safety."
The City recognizes the critical importance of maintaining the security and integrity of its cyber
infrastructure and information systems and is committed to upholding all applicable laws and
regulations while proactively safeguarding its cyber environment against potential threats and
vulnerabilities; the protection of sensitive cyber security information is essential to
safeguarding the City's technological assets and ensuring the privacy of its residents. As a
result, the Administration recommends waiving all future competitive bid requirements for
procurements specifically related to cybersecurity.
Historically, the City has purchased from competitively solicited piggyback contracts awarded
by state and national cooperatives.
These cooperatives provide an advantage of increased buying power through contracts that
aggregate the volume of like purchases required by public sector agencies across the state
or the country, and IT will continue to utilize the process.
IT will be tasked with identifying products and/or services that qualify as cyber security.
The product and/or services manufacturer will identify if the purchase is a direct or an indirect
purchase. For direct purchases, the department will enter into direct negotiations with the
manufacturer. For indirect purchases, the department will issue a quote following the contract
roadmap to all resellers. Both processes, whether direct or indirect, will be executed using
competitively solicited piggyback contracts awarded by state and national cooperatives, which
will be in the best interest of the City.
It is recommended that the Mayor and City Commission approve the Resolution accepting
the written recommendation of the City Manager to waive, by 5/7ths vote, the formal competitive
bidding requirements as to future cybersecurity related software and/or services specifically
involving the City's critical cybersecurity infrastructure (including network schematics,
hardware and software configurations, encryption information or information that identifies
detection, investigation, or response practices for suspected or confirmed cybersecurity
incidents), and find such waiver to be in the City's best interest, in order to protect the
confidential and exempt nature of the City's cybersecurity systems and assets, as expressly
authorized by the Florida Legislature; further, authorize the City Manager and City Clerk to
negotiate and execute agreements for cybersecurity software or services with selected
providers up to an amount not-to-exceed $500,000; and further, require the Administration to
report to the City Commission all purchases made pursuant to this Resolution on a quarterly
basis, via Letter to Commission.
Applicable Area
Citywide
Strategic Connection
Organizational Innovation - Maximize the use of innovative technology.
Legislative Tracking
Information Technology
ATTACHMENTS:
Description
Resolution
Florida Statute 282.3185
Florida Statute 119.0725
The Florida Senate
2022 Florida Statutes (including 2022C, 2022D, 2022A, and 2023B)
Title XIX: PUBLIC BUSINESS
Chapter 282: COMMUNICATIONS AND DATA PROCESSING
SECTION 3185: Local government cybersecurity.
282.3185 Local government cybersecurity.—
(1) SHORT TITLE. —This section may be cited as the "Local Government Cybersecurity Act."
(2) DEFINITION. —As used in this section, the term "local government" means any county or municipality.
(3) CYBERSECURITY TRAINING. —
(a) The Florida Digital Service shall:
1. Develop a basic cybersecurity training curriculum for local government employees. All local government
employees with access to the local government's network must complete the basic cybersecurity training within 30
days after commencing employment and annually thereafter.
2. Develop an advanced cybersecurity training curriculum for local governments which is consistent with the
cybersecurity training required under s. 282.318(3)(g). All local government technology professionals and employees
with access to highly sensitive information must complete the advanced cybersecurity training within 30 days after
commencing employment and annually thereafter.
(b) The Florida Digital Service may provide the cybersecurity training required by this subsection in collaboration
with the Cybercrime Office of the Department of Law Enforcement, a private sector entity, or an institution of the State
University System.
(4) CYBERSECURITY STANDARDS. —
(a) Each local government shall adopt cybersecurity standards that safeguard its data, information technology,
and information technology resources to ensure availability, confidentiality, and integrity. The cybersecurity standards
must be consistent with generally accepted best practices for cybersecurity, including the National Institute of
Standards and Technology Cybersecurity Framework.
(b) Each county with a population of 75,000 or more must adopt the cybersecurity standards required by this
subsection by January 1, 2024. Each county with a population of less than 75,000 must adopt the cybersecurity
standards required by this subsection by January 1, 2025.
(c) Each municipality with a population of 25,000 or more must adopt the cybersecurity standards required by this
subsection by January 1, 2024. Each municipality with a population of less than 25,000 must adopt the cybersecurity
standards required by this subsection by January 1, 2025.
(d) Each local government shall notify the Florida Digital Service of its compliance with this subsection as soon as
possible.
(5) INCIDENT NOTIFICATION. —
(a) A local government shall provide notification of a cybersecurity incident or ransomware incident to the
Cybersecurity Operations Center, Cybercrime Office of the Department of Law Enforcement, and sheriff who has
jurisdiction over the local government in accordance with paragraph (b). The notification must include, at a minimum,
the following information:
1. A summary of the facts surrounding the cybersecurity incident or ransomware incident.
2. The date on which the local government most recently backed up its data; the physical location of the backup, if
the backup was affected; and if the backup was created using cloud computing.
3. The types of data compromised by the cybersecurity incident or ransomware incident.
4. The estimated fiscal impact of the cybersecurity incident or ransomware incident.
5. In the case of a ransomware incident, the details of the ransom demanded.
6. A statement requesting or declining assistance from the Cybersecurity Operations Center, the Cybercrime Office
of the Department of Law Enforcement, or the sheriff who has jurisdiction over the local government.
(b)1. A local government shall report all ransomware incidents and any cybersecurity incident determined by the
local government to be of severity level 3, 4, or 5 as provided in s. 282.318(3)(c) to the Cybersecurity Operations Center,
the Cybercrime Office of the Department of Law Enforcement, and the sheriff who has jurisdiction over the local
government as soon as possible but no later than 48 hours after discovery of the cybersecurity incident and no later
than 12 hours after discovery of the ransomware incident. The report must contain the information required in
paragraph (a).
2. The Cybersecurity Operations Center shall notify the President of the Senate and the Speaker of the House of
Representatives of any severity level 3, 4, or 5 incident as soon as possible but no later than 12 hours after receiving a
local government's incident report. The notification must include a high-level description of the incident and the likely
effects.
(c) A local government may report a cybersecurity incident determined by the local government to be of severity
level 1 or 2 as provided in s. 282.318(3)(c) to the Cybersecurity Operations Center, the Cybercrime Office of the
Department of Law Enforcement, and the sheriff who has jurisdiction over the local government. The report shall
contain the information required in paragraph (a).
(d) The Cybersecurity Operations Center shall provide a consolidated incident report on a quarterly basis to the
President of the Senate, the Speaker of the House of Representatives, and the Florida Cybersecurity Advisory Council.
The report provided to the Florida Cybersecurity Advisory Council may not contain the name of any local
government, network information, or system identifying information but must contain sufficient relevant information
to allow the Florida Cybersecurity Advisory Council to fulfill its responsibilities as required in s. 282.319(9).
(6) AFTER-ACTION REPORT. —A local government must submit to the Florida Digital Service, within 1 week
after the remediation of a cybersecurity incident or ransomware incident, an after-action report that summarizes the
incident, the incident's resolution, and any insights gained as a result of the incident. By December 1, 2022, the Florida
Digital Service shall establish guidelines and processes for submitting an after-action report.
History.—s. 3, ch. 2022-220.
Disclaimer: The information on this system is unverified. The journals or printed bills of the respective chambers
should be consulted for official purposes.
Copyright © 2000-2023 State of Florida.
The Florida Senate
2023 Florida Statutes
Title X: PUBLIC OFFICERS, EMPLOYEES, AND RECORDS
Chapter 119: PUBLIC RECORDS
SECTION 0725: Agency cybersecurity information; public records exemption; public meetings exemption
119.0725 Agency cybersecurity information; public records exemption; public meetings exemption.—
(1) As used in this section, the term:
(a) "Breach" means unauthorized access of data in electronic form containing personal information. Good faith
access of personal information by an employee or agent of an agency does not constitute a breach, provided that the
information is not used for a purpose unrelated to the business or subject to further unauthorized use.
(b) "Critical infrastructure" means existing and proposed information technology and operational technology
systems and assets, whether physical or virtual, the incapacity or destruction of which would negatively affect
security, economic security, public health, or public safety.
(c) "Cybersecurity" has the same meaning as in s. 282.0041.
(d) "Data" has the same meaning as in s. 282.0041.
(e) "Incident" means a violation or imminent threat of violation, whether such violation is accidental or deliberate,
of information technology resources, security, policies, or practices. As used in this paragraph, the term "imminent
threat of violation" means a situation in which the agency has a factual basis for believing that a specific incident is
about to occur.
(f) "Information technology" has the same meaning as in s. 282.0041.
(g) "Operational technology" means the hardware and software that cause or detect a change through the direct
monitoring or control of physical devices, systems, processes, or events.
(2) The following information held by an agency is confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of
the State Constitution:
(a) Coverage limits and deductible or self-insurance amounts of insurance or other risk mitigation coverages
acquired for the protection of information technology systems, operational technology systems, or data of an agency.
(b) Information relating to critical infrastructure.
(c) Cybersecurity incident information reported pursuant to s. 282.318 or s. 282.3185.
(d) Network schematics, hardware and software configurations, or encryption information or information that
identifies detection, investigation, or response practices for suspected or confirmed cybersecurity incidents, including
suspected or confirmed breaches, if the disclosure of such information would facilitate unauthorized access to or
unauthorized modification, disclosure, or destruction of:
1. Data or information, whether physical or virtual; or
2. Information technology resources, which include an agency's existing or proposed information technology
systems.
(3) Any portion of a meeting that would reveal information made confidential and exempt under subsection (2) is
exempt from s. 286.011 and s. 24(b), Art. I of the State Constitution. An exempt portion of a meeting may not be off the
record and must be recorded and transcribed. The recording and transcript are confidential and exempt from s.
119.07(1) and s. 24(a), Art. I of the State Constitution.
(4) The public records exemptions contained in this section apply to information held by an agency before, on, or
after July 1, 2022.
(5)(a) Information made confidential and exempt pursuant to this section shall be made available to a law
enforcement agency, the Auditor General, the Cybercrime Office of the Department of Law Enforcement, the Florida
Digital Service within the Department of Management Services, and, for agencies under the jurisdiction of the
Governor, the Chief Inspector General.
(b) Such confidential and exempt information may be disclosed by an agency in the furtherance of its official
duties and responsibilities or to another agency or governmental entity in the furtherance of its statutory duties and
responsibilities.
(6) Agencies may report information about cybersecurity incidents in the aggregate.
(7) This section is subject to the Open Government Sunset Review Act in accordance with s. 119.15 and shall stand
repealed on October 2, 2027, unless reviewed and saved from repeal through reenactment by the Legislature.
History.—s. 1, ch. 2022-221.