Notice of Proposed Rule

DEPARTMENT OF MANAGEMENT SERVICES
Communications and Information Technology Services
RULE NO: RULE TITLE
60FF-3.001: Customer Access to State Long Distance Communications System
60FF-3.002: Modifications, Additions, Reductions or Terminations to Existing SUNCOM Service Initiated by a Customer
60FF-3.003: Additions or Modifications, Reductions or Terminations to Existing SUNCOM Service Initiated by the Department
60FF-3.004: Network Protection Standards for State Network
60FF-3.005: Security Breach Protection Provisions Required for Department Approved Use of Third Party Equipment, Services and Software
60FF-3.006: Department Response to System Failures and Security Breaches
60FF-3.007: SUNCOM Cost Recovery for System Failures and Security Breaches Caused by Third Parties
60FF-3.008: Management and Distribution of State Numbers and Addresses
60FF-3.009: Delegation to the Department of Education
60FF-3.010: Florida State Government Listings
PURPOSE AND EFFECT: Because SUNCOM was a component of the State Technology Office (STO), the elimination of the STO left SUNCOM without rules. These proposed rules reestablish SUNCOM rules with significant and fundamental changes because of changes to Statutes, technology and deregulation of the telecommunications industry that were not accounted for in the STO rules.
SUMMARY: These proposed rules state that SUNCOM reserves the right to choose the best method of access to long distance for Customers (based on economic considerations and available technology); establish criteria and means for customers to modify or terminate their use of existing SUNCOM services; establish criteria and means for SUNCOM to modify or terminate existing SUNCOM services. These proposed rules also add SUNCOM security requirements which include descriptions of security principles that will be followed on the network, how SUNCOM will handle security breaches and customer responsibilities when purchasing non-SUNCOM network equipment, software or services (this includes requiring vendors to assume some liability for damages to SUNCOM and/or its customers from the security breaches they cause). These proposed rules also establish SUNCOM as owner, distributor and delegator of State telephone numbers and electronic addresses; describe the State Government Listings process; and delegate authority for public/educational broadcasting to the Department of Education.
SUMMARY OF STATEMENT OF ESTIMATED REGULATORY COSTS: No Statement of Estimated Regulatory Cost was prepared.
Any person who wishes to provide information regarding a statement of estimated regulatory costs, or provide a proposal for a lower cost regulatory alternative must do so in writing within 21 days of this notice.
SPECIFIC AUTHORITY: 282.102 (9) FS.
LAW IMPLEMENTED: 282.102, 282.103, 282.104, 282.105, 282.106, 282.107 FS.
IF REQUESTED WITHIN 21 DAYS OF THE DATE OF THIS NOTICE, A HEARING WILL BE HELD AT THE DATE, TIME AND PLACE SHOWN BELOW:
DATE AND TIME: January 28, 2008, 1:00 p.m.; February 7, 2008, 9:00 a.m.; February 20, 2008, 9:00 a.m.
PLACE: Betty Easley Conference Center, Room 152, 4075 Esplanade Way, Tallahassee, Florida
THE PERSON TO BE CONTACTED REGARDING THE PROPOSED RULE IS: Carolyn Mason, Department of Management Services, Communications and Information Technology, 4030 Esplanade Way, Suite 125K, Tallahassee, FL 32309; Carolyn.mason@dms.myflorida.com or telephone (850)922-7503
Interested parties are encouraged to obtain electronic copies of these proposed rules via an electronic mail request to Carolyn Mason and send Ms. Mason specific excerpts with clearly identifiable suggestions on how the proposed wording can be improved (i.e. using underline and strike through to signify suggested changes). All parties providing such suggestions should include information identifying themselves and the organization they represent with contact information.

THE FULL TEXT OF THE PROPOSED RULE IS:

STATE NETWORK USAGE AND SECURITY POLICIES

60FF-3.001 Customer Access to State Long Distance Communications System.

The Department of Management Services (the Department) reserves the right to select the most economical method of access for Long Distance Customers, based on the volume of minutes used monthly by the Customer, the cost to provide access from the Customer to the State Network, and the available technology.

Specific Authority 282.102(9) FS. Law Implemented 282.102(2), (8), (12), 282.103, 282.104, 282.105, 282.106, 282.107 FS. History– New________.

 

60FF-3.002 Modifications, Additions, Reductions or Terminations to Existing SUNCOM Service Initiated by a Customer.

The Customer of a SUNCOM Service is required to adhere to the appropriate technical specifications and procedures associated with the applicable service, as outlined in the Portfolio of Services. To obtain approval for any modifications, additions, reductions, or terminations of SUNCOM Services, the Customer shall follow the Customer Service Authorization (CSA) process, as described in Chapter 60FF-2, F.A.C., at least 45 days in advance of the requested effective date.  Failure to provide notification for the termination or modification of a service in the Communications Service Authorization and Billing System (CSAB System) within the required time frame shall result in continued charges for the existing service.

Specific Authority 282.102(9) FS. Law Implemented 282.102(2), (8), (12), 282.103, 282.104, 282.105, 282.106, 282.107 FS. History– New________.

 

60FF-3.003 Additions or Modifications, Reductions or Terminations to Existing SUNCOM Service Initiated by the Department.

(1) The Department shall initiate changes or terminate a Customer’s SUNCOM service based on any of the following reasons:

(a) Discontinuation of a service offering by the Department.

(b) Lack of usage of the service by the Customer.

(c) The provision of the service is not a cost-effective solution for the Customer, the Department or the State.

(d) A change to the service is required to maintain its compliance with appropriate technical specifications and procedures as outlined in the Portfolio of Services.

(e) A change to the service is required because the service offering has changed.

(f) The SUNCOM Provider supplying the service has changed.

(g) Violation of a security standard, as specified in Rules 60FF-3.004-.006, F.A.C.

(h) The Customer is no longer eligible for SUNCOM Services in accordance with Sections 282.103-.107, F.S.

(i) The Customer fails to pay for SUNCOM Services as described in subsection 60FF-2.003(4), F.A.C.

(2) When a change to a Customer’s service is required, the Department shall notify the Customer of required changes to the Customer’s service. If the Customer disputes the basis for the change or wishes to request an extension, the Customer shall respond within 30 days from such notice, with a written request to justify why the Department should not make the proposed change to the Customer’s service.

(a) If the Department denies the request, the Department shall enter the change into the CSAB System on behalf of the Customer and provide notification of its action to the Customer.

(b) If no response from the Customer is received by the Department within the 30-day period, the Department shall enter the change into the CSAB System on behalf of the Customer and provide notification of its action to the Customer.

Specific Authority 282.102(9) FS. Law Implemented 282.102(2), (8), (12), 282.103, 282.104, 282.105, 282.106, 282.107 FS. History– New________.

 

60FF-3.004 Network Protection Standards for State Network.

To protect the integrity of state communications services, Customers shall adhere to the following security specifications and directives:

(1) Any configurations of Network Equipment, Network Software or Communications Devices that allow for Unauthorized Activity are prohibited.

(2) The Department prohibits configurations which directly or indirectly circumvent the State firewall creating Backdoor Connections without SUNCOM managed or sanctioned filtering.

(3) The Department prohibits configurations creating non-SUNCOM managed Virtual Connections, tunnels (encrypted and non-encrypted) or remote access Connections to or from the State Intranet directly or indirectly circumventing the State firewall.

(4) Any inbound or outbound connectivity to the State Intranet via Virtual Connections, tunnels (encrypted and non-encrypted) or remote access shall be registered by the Customer with the Department.  To register, Customers shall adhere to Rule 60FF-1.004 or 60FF-1.0011, F.A.C., (depending upon its required usage status) by submitting an Exemption Request (for Required Users) or Clearance Request (for other Intranet users).  A 12 month utilization log shall be maintained by the Customer and made available to the Department upon request.

(5) No scanning tools, Traffic generating stress testing of applications or communications, or network topology discovery tools are allowed to be used on or across the SUNCOM network without written authorization from the Department.  Said authorization shall be granted based upon the Department verifying that:

(a) The extent of the activity shall not affect or alarm SUNCOM, its Providers and Customers.

(b) And the activity shall not impair the capacity of SUNCOM circuits to accommodate communications traffic.

(c) And the initiator of the activity shall coordinate the timing and extent of the activity to minimize impact on the State Network and its Customers.

(6) The Information Security Manager, as established by Section 282.318(2)(a), (1), F.S., or the highest level information security official for the Customer, shall work with the Department to ensure that the Customer adheres to the Department’s security rules and any SUNCOM service requirement based on the appropriate technical specifications and procedures associated with the applicable service, as outlined in the Portfolio of Services. The Customer’s security designee and network administrator are responsible for keeping any Unauthorized Traffic or Connection from traversing the SUNCOM network.

(7) Additional Network Services outside the official SUNCOM offering are subject to the Security Breach Protection provisions stated in Rules 60FF-3.005 through 60FF-3.006, F.A.C., and shall be documented by the Customer, as required in Rule 60FF-1.009, F.A.C., for Required Users or in subsection 60FF-1.011(4), F.A.C., for non-Required Users.  This documentation shall be made available to the Department for review upon request.

(8) SUNCOM communication Traffic shall be monitored by the Department for Unauthorized Activity.  Violations shall be reported to the Customer having appeared to have facilitated the Unauthorized Activity and/or the appropriate authority with jurisdiction over associated prevention and enforcement.  After the Department has notified the Customer, access to the SUNCOM network may be terminated by the Department until any Unauthorized Traffic has been eliminated if the Department believes it could threaten the State Network or its Customers.

(9) The Customer shall provide documentation of network topology and configuration information to the Department during Network Security audits or during resolution or investigation of security incidents.

(10) Customers shall be responsible for resolving all security problems and vulnerabilities defined in these rules for conditions within the Customer’s purview and shall cooperate with the Department on SUNCOM resolution efforts for conditions jointly within the purview of the Department and the Customer.

Specific Authority 282.102(9) FS. Law Implemented 282.102(2), (8), (12), 282.103, 282.104, 282.105, 282.106, 282.107 FS. History– New________.

 

60FF-3.005 Security Breach Protection Provisions Required for Department Approved Use of Third Party Network Equipment, Services and Software.

All Required Users and Users of the State Intranet shall adhere to these requirements for any purchase or lease of Network Services, Network Software or Network Equipment through means other than SUNCOM Services.

(1) Any procurement solicitation, contract, purchase order or agreement for Network Services, Network Software or Network Equipment through means other than SUNCOM Services must include the following:

(a) This phrase, “The vendor agrees to provide equipment, software and services in accordance with and adherence to Chapters 60FF-1 through 60FF-3 Florida Administrative Code.”

(b) A description of the relative amount of liability for System Failures and Security Breaches that shall be assumed by the purchasing entity, the vendor and the Department when the cause of System Failures or Security Breaches are within the shared control of these parties.

(c) This phrase, “The vendor shall assume one hundred percent (100%) liability for System Failures and/or Security Breaches which result from the vendor’s failure to properly implement or coordinate implementation (which includes providing due diligent communications with other parties having roles in implementing or accommodating implementation) of the services, equipment or software described in this contract/purchase order/agreement or result from the inherent flaws or limitations of the services, equipment or software described in this contract/purchase order/agreement.”

Specific Authority 282.102(9) FS. Law Implemented 282.102(2), (8), (12), 282.103, 282.104, 282.105, 282.106, 282.107 FS. History– New________.

 

60FF-3.006  Department Response to System Failures and Security Breaches.

(1) If there is a Security Breach or System Failure resulting from implementation of Network Services, Network Software or Network Equipment purchased or leased from sources other than SUNCOM by Required Users and Users of the State Intranet, the Department shall take whatever action the Department deems necessary to protect the integrity of the State Network and SUNCOM Customers.

(a) This can include the Department’s assumption of exclusive control, through the Department’s staff or its vendors, of said Network Services, Network Software, or Network Equipment.

(b) And/or this can result in temporary termination of SUNCOM Services to the SUNCOM Customer responsible for said Network Services, Network Software, or Network Equipment.

(2) Government entities and associated vendors that are responsible for any and all said Network Services, Network Software, or Network Equipment shall grant the Department exclusive access to and control of any resources that the Department declares to be related to the failure or breach, remedy thereto and ongoing prevention of recurrence.

Specific Authority 282.102(9) FS. Law Implemented 282.102(2), (8), (12), 282.103, 282.104, 282.105, 282.106, 282.107 FS. History– New________.

 

60FF-3.007 SUNCOM Cost Recovery for System Failures and Security Breaches Caused by Third Parties.

If there is a Security Breach or System Failure that affects SUNCOM or any SUNCOM Customer resulting from a breach as described in Rule 60FF-3.005, F.A.C., the providing vendor shall pay the Department liquidated damages in proportion to the vendor’s liability share. The amount of the liquidated damages shall be equal to the Department’s costs to resolve the breach, repair consequential damages and establish protections to prevent recurrence.  The Department’s costs shall consist of SUNCOM staff time, any equipment, expenses or vendor charges related to the effort.

(1) SUNCOM Average Hourly Rate shall be the basis for remuneration for SUNCOM staff time which is calculated using the following formula: The total amount of Salary and Benefits appropriated to the budget entity responsible for SUNCOM under the current General Appropriations Act divided by the number of Full Time Equivalent labor hours from the same source (Full Time Equivalent positions times 2,080).

(2) The vendor shall also pay all costs associated with damages experienced by SUNCOM Customers affected by the System Failure or Security Breach in proportion to the vendor’s relative liability. The costs associated with said damages shall be calculated in a good faith and equitable manner by each affected SUNCOM Customer.

Specific Authority 282.102(9) FS.  Law Implemented 282.102(2), (8), (12), 282.103, 282.104, 282.105, 282.106, 282.107 FS. History– New________.

 

60FF-3.008 Management and Distribution of State Numbers and Addresses.

(1) The Department, as the provider of the State Network, shall own, manage and establish standards for the communications addressing, directory services, and the state numbering plans for state communications and the State Network.

(a) This includes distributing and/or authorizing all numbers and addresses to Customers of the network, and delegating management of subsidiary groups of numbers and addresses to Customers of the network.

(2) Telephone numbers and electronic addresses provided by the Department as part of the SUNCOM Service offering belong to the Department and cannot be given to another entity should SUNCOM service be terminated without the Department’s expressed written consent.

(3) Required Users shall cooperate with the Department’s efforts to carry out these responsibilities and other Customers shall cooperate with such efforts as they relate to the SUNCOM Services purchased by the Customers.

Specific Authority 282.102(9) FS.  Law Implemented 282.102(2), (8), (12), 282.103, 282.104, 282.105, 282.106, 282.107 FS. History– New________.

 

60FF-3.009 Delegation to the Department of Education.

The authority to acquire, lease, and utilize broadcast communications equipment, facilities, and services is hereby delegated to the Department of Education in the procurement of broadcast equipment, facilities, and services for use by the public and educational broadcast entities licensed by the Federal Communications Commission. The Department of Education shall brief the Department on these delegated activities and shall permit the Department to audit activities delegated herein when the Federal Communications Commission initiates an action related to these delegations or the Department of Education engages in a related procurement process.

Specific Authority 282.102(9) FS. Law Implemented 282.102(2), (5), (8), (12), 282.103 FS. History–New________.

 

60FF-3.010 Florida State Government Listings.

(1) The Department shall provide the State of Florida government listing information for all local commercial directories and coordinate the maintenance of government and personnel listing information on the state government Web site www.411.myflorida.com. The Department shall have final authority regarding State of Florida government listing publishing, format, distribution and standardization for all local commercial directories and on the state government Web site www.411.myflorida.com.

(2) Each Eligible User shall be responsible for submitting updated listing information through means provided by the Department on the state government Web site at www.411.myflorida.com, or by email to help@dms.myflorida.com, or by writing to: Department of Management Services, SUNCOM, Attention: Directory Records Listings Information, 4030 Esplanade Way, Tallahassee, Florida 32399-0950.

(3) Each Eligible User shall pay the expense for its listings in the local commercial telephone directories.

(4) Each Eligible User shall provide to the Department and continually maintain current information regarding primary and secondary contact persons with authority to present data regarding the Eligible User to the Department.

(5) Each Eligible User shall provide and maintain a contact person for escalation and response to complaints or inquiries regarding data respective to the organization and as required by the Florida Customer Service Standards Act, Section 23.30, F.S.

(6) To ensure that all state government listings in local commercial directories and the government and personnel listings on the state government Web site remain current, each Eligible User has a continuing duty to provide updated information to the Department throughout the calendar year.  Each Eligible User shall submit notification requesting deletion of listings no longer applicable to the Eligible User concerned.

Specific Authority 282.102(9) FS. Law Implemented 282.103, 282.104, 282.105, 282.106, 282.107 FS. History–New________.


NAME OF PERSON ORIGINATING PROPOSED RULE: Charles Ghini, Director of Telecommunications and Wireless, and Michael Kyvik, Chief of Operations, Communications and Information Technology Services (CITS)
NAME OF SUPERVISOR OR PERSON WHO APPROVED THE PROPOSED RULE: Terry Kester, Deputy Secretary, Communications and Information Technology Services (CITS), Department of Management Services
DATE PROPOSED RULE APPROVED BY AGENCY HEAD: December 18, 2007
DATE NOTICE OF PROPOSED RULE DEVELOPMENT PUBLISHED IN FAW: November 9, 2007