disclaimer the following presentation is an abbreviated description of 60ff-1, 60ff-2 and 60ff-3,...

DisclaimerDisclaimer

The following presentation is an abbreviated description of 60FF-1, The following presentation is an abbreviated description of 60FF-1, 60FF-2 and 60FF-3, Florida Administrative Code. The presentation is 60FF-2 and 60FF-3, Florida Administrative Code. The presentation is meant to convey the general intent of the rules and the means by meant to convey the general intent of the rules and the means by which the Department of Management Services will fulfill its statutory which the Department of Management Services will fulfill its statutory duties in providing the State communications network known as duties in providing the State communications network known as SUNCOM. This presentation and other SUNCOM documentation SUNCOM. This presentation and other SUNCOM documentation related to the rules are not substitutes for the actual rules nor do they related to the rules are not substitutes for the actual rules nor do they provide comprehensive or final interpretations of the rules. provide comprehensive or final interpretations of the rules.

Reasons for SUNCOM Rule Reasons for SUNCOM Rule ChangesChanges

Demise of State Technology OfficeDemise of State Technology Office STO owned SUNCOM rules under 60DDSTO owned SUNCOM rules under 60DD

Core of 60DD was over twenty years oldCore of 60DD was over twenty years oldMarketplace changesMarketplace changes

Industry competition led SUNCOM to replace leased backbone Industry competition led SUNCOM to replace leased backbone with public switched network serviceswith public switched network services

Technology changesTechnology changes Continuing ramifications of the Internet ProtocolContinuing ramifications of the Internet Protocol Open systemsOpen systems

Make rules comport with StatutesMake rules comport with Statutes Subsection 282.103 (3), F.S. calls for “exemptions” for use of Subsection 282.103 (3), F.S. calls for “exemptions” for use of

communications services outside of SUNCOMcommunications services outside of SUNCOM CPLA CPLA process had vague statutory basis, i.e. nothing in F.S. process had vague statutory basis, i.e. nothing in F.S.

about hardware approvalsabout hardware approvals

Rule Change Process:Rule Change Process:Publications, Announcements and InputPublications, Announcements and Input

RequiredRequired Administrative weeklyAdministrative weekly WorkshopWorkshop One Public Hearing (if requested)One Public Hearing (if requested)

AdditionalAdditional Invitations to CIOs with draftsInvitations to CIOs with drafts Invitations to customers with draftsInvitations to customers with drafts Two extra public hearingsTwo extra public hearings Meetings with:Meetings with:

JJointoint A Administrativedministrative P Proceduresrocedures C Committeeommittee

TTechnologyechnology R Revieweview W Workgrouporkgroup

House, Senate and Governor’s Office staffHouse, Senate and Governor’s Office staff Web siteWeb site postings postings

Latest internal rule draftsLatest internal rule draftsMeeting announcementsMeeting announcementsLog of input and changesLog of input and changes

Email inputEmail inputPosted rulesPosted rules

Intent of New RulesIntent of New Rules

Foster collaborationFoster collaborationMinimize duplicationMinimize duplicationPromote compatibilityPromote compatibilityLeverage economies of scaleLeverage economies of scale Bulk purchasing powerBulk purchasing power Standardization of solutionsStandardization of solutions

Maximize network predictability and up-timeMaximize network predictability and up-timeProvide for basic network securityProvide for basic network securityGovern SUNCOM relationshipsGovern SUNCOM relationships With customersWith customers With vendorsWith vendors

60FF-1 Highlights60FF-1 Highlights

Definitions of termsDefinitions of terms

Usage eligibility etc.Usage eligibility etc.

Notices and requests to SUNCOMNotices and requests to SUNCOM Notice of Security ConcernNotice of Security Concern Exemption RequestExemption Request Clearance RequestClearance Request Network Solution Replacement DeclarationNetwork Solution Replacement Declaration

Notice of Security ConcernNotice of Security Concern60FF-1.005, F.A.C.60FF-1.005, F.A.C.

Petitioners:Petitioners: Any customer using State IntranetAny customer using State Intranet Any vendor implementing an IP Network Solution for a SUNCOM customerAny vendor implementing an IP Network Solution for a SUNCOM customer

Purpose:Purpose: Notify SUNCOM of (potential) network security exposuresNotify SUNCOM of (potential) network security exposures Establish collaborative conditionsEstablish collaborative conditions Get SUNCOM’s helpGet SUNCOM’s help Secure SUNCOM’s sanctionSecure SUNCOM’s sanction

Circumstances:Circumstances: A Customer establishes or is aware of existing or expected conditions not in A Customer establishes or is aware of existing or expected conditions not in

compliance with SUNCOM security standardscompliance with SUNCOM security standards A vendor plans to implement a Network Solution in violation of SUNCOM security A vendor plans to implement a Network Solution in violation of SUNCOM security

standardsstandardsSUNCOM possible responsesSUNCOM possible responses

AuthorizeAuthorize Conditionally authorizeConditionally authorize Negotiate alternativesNegotiate alternatives DisallowDisallow

Process

Exemption RequestExemption Request60FF-1.007-1.012, F.A.C.60FF-1.007-1.012, F.A.C.

Petitioners:Petitioners: Required UserRequired User

Purpose:Purpose: To notify SUNCOM of a communications needTo notify SUNCOM of a communications need

Informal notice required upon identifying the Informal notice required upon identifying the Business ObjectiveBusiness ObjectiveTwo-parts in escalating detailTwo-parts in escalating detail

To obtain permission to use non-SUNCOM servicesTo obtain permission to use non-SUNCOM services

Circumstances:Circumstances: Seeking to use a Seeking to use a Network Solution Network Solution not provided by SUNCOMnot provided by SUNCOM Using an existing Network Solution not provided by SUNCOM after December, 2008 if not Using an existing Network Solution not provided by SUNCOM after December, 2008 if not

previously approved through a CPLApreviously approved through a CPLA Expanding any Expanding any CPLACPLA approved Network Solution approved Network Solution Continuing to use a CPLA approved Network Solution after the CPLA term (contract) ends Continuing to use a CPLA approved Network Solution after the CPLA term (contract) ends

for anything other than Maintenancefor anything other than Maintenance

SUNCOM possible responseSUNCOM possible response Seek collaborationSeek collaboration ApproveApprove Conditionally approveConditionally approve Deny and suggest the SUNCOM alternativeDeny and suggest the SUNCOM alternative

Process

Clearance RequestClearance Request60FF-1.013-1.014, F.A.C.60FF-1.013-1.014, F.A.C.

Petitioner:Petitioner: Eligible Users Eligible Users who are a part of the State Intranet and are not who are a part of the State Intranet and are not

Required UsersRequired Users

Purpose:Purpose: Prevent security exposures from Prevent security exposures from Network Solutions Network Solutions not covered not covered

by by Exemption RequestsExemption Requests

Circumstances:Circumstances: Customer wishes to implement a non-SUNCOM IP based Customer wishes to implement a non-SUNCOM IP based

Network SolutionNetwork Solution

SUNCOM ResponsesSUNCOM Responses Seek collaborationSeek collaboration ApproveApprove Conditionally approveConditionally approve Deny and suggest the SUNCOM alternativeDeny and suggest the SUNCOM alternative

Process

Network Solution Replacement DeclarationNetwork Solution Replacement Declaration60FF-1.006, F.A.C.60FF-1.006, F.A.C.

Petitioner:Petitioner: Any SUNCOM customerAny SUNCOM customer

Purpose:Purpose: Verify termination of a Verify termination of a Network Solution Network Solution for which no exemption, for which no exemption,

CPLACPLA or security sanction has been obtained or security sanction has been obtained

Circumstances:Circumstances: Customer intends to discontinue use of an unsanctioned Customer intends to discontinue use of an unsanctioned

Network Solution or configurationNetwork Solution or configuration Customer was unable to obtain necessary SUNCOM approval Customer was unable to obtain necessary SUNCOM approval

for a Network Solutionfor a Network Solution

SUNCOM ResponsesSUNCOM Responses AcknowledgeAcknowledge Negotiate more rapid replacementNegotiate more rapid replacement

60FF-2 Highlights60FF-2 Highlights

Defines order processing and related Defines order processing and related responsibilities of SUNCOM, customers responsibilities of SUNCOM, customers and vendorsand vendors Codifies most of current processCodifies most of current process Allows for modernizationAllows for modernization

Governs payment processing for Governs payment processing for SUNCOM, customers and vendorsSUNCOM, customers and vendors

60FF-3 Highlights60FF-3 HighlightsProvides conditions for changing or Provides conditions for changing or terminating servicesterminating services

Provides Security Protection StandardsProvides Security Protection Standards

Provides for address distribution and Provides for address distribution and authorization on the State Networkauthorization on the State Network

60FF-3 Security Protection 60FF-3 Security Protection Standards HighlightsStandards Highlights

Any conditions that allow for Any conditions that allow for Unauthorized Activity Unauthorized Activity are prohibited.are prohibited.Absent approval through a Absent approval through a Notice of Security ConcernNotice of Security Concern, the following are prohibited , the following are prohibited when they are not managed by SUNCOM: when they are not managed by SUNCOM:

BackdoorsBackdoors Virtual Connections with the State Intranet;Virtual Connections with the State Intranet; Tunnels with the State IntranetTunnels with the State Intranet Remote access with the State Intranet.Remote access with the State Intranet.

Authorization of these conditions and non-SUNCOM firewalls require the following:Authorization of these conditions and non-SUNCOM firewalls require the following: Firewall transaction logs and;Firewall transaction logs and; Appropriate and modern processes and tools for protecting the State Intranet and;Appropriate and modern processes and tools for protecting the State Intranet and; Trained staff and;Trained staff and; Monitoring activities and;Monitoring activities and; Necessary transparency for SUNCOM.Necessary transparency for SUNCOM.

Use of scanning, discovery and automatic traffic generating tools must be approved Use of scanning, discovery and automatic traffic generating tools must be approved to prevent:to prevent:

Alarming SUNCOM, its Providers and Customers.Alarming SUNCOM, its Providers and Customers. Impairing the State NetworkImpairing the State Network

RemediesRemedies To limit damages and exposuresTo limit damages and exposures To establish liability and liquidated damagesTo establish liability and liquidated damages

Return to sending page

60FF-3 Address Distribution 60FF-3 Address Distribution HighlightsHighlights

SUNCOM will distribute or authorize all SUNCOM will distribute or authorize all Internet Protocol Version Six (IPV6) Internet Protocol Version Six (IPV6) addresses on the State Networkaddresses on the State NetworkCustomers must register all private IPV4 Customers must register all private IPV4 addresses used outside of the customer’s addresses used outside of the customer’s Sub-networkSub-network SUNCOM will resolve duplicate usage in favor SUNCOM will resolve duplicate usage in favor

of the first to registerof the first to register

Customers must provide a full listing of Customers must provide a full listing of addresses upon request from SUNCOMaddresses upon request from SUNCOM

Summary of Rules StatusSummary of Rules Status

Rules went into effect June 25Rules went into effect June 25thth, 2008, 2008No more No more CPLAsCPLAsNew processes now requiredNew processes now required

Exemption RequestsExemption Requests Notices of Security ConcernNotices of Security Concern Network Solution Replacement DeclarationsNetwork Solution Replacement Declarations

SUNCOM will ultimately provide complete plain language guides SUNCOM will ultimately provide complete plain language guides that preclude the need to read most of the rulesthat preclude the need to read most of the rules

On-line Exemption forms have replaced on-line CPLAsOn-line Exemption forms have replaced on-line CPLAs SUNCOM Portfolio of Services will contain plain language explanations SUNCOM Portfolio of Services will contain plain language explanations

and templatesand templates These guides are not substitutes for the rules (per disclaimer on These guides are not substitutes for the rules (per disclaimer on

first slidefirst slide))Future rule adjustmentsFuture rule adjustments

To correspond with AEIT rulesTo correspond with AEIT rules To improve and refine with legislationTo improve and refine with legislation

DefinitionsDefinitions

Business ObjectiveBusiness ObjectiveClearance RequestClearance RequestCPLACPLAEligible UserEligible UserExemption RequestExemption RequestMaintenanceMaintenanceNetwork SolutionNetwork SolutionNetwork Solution Replacement DeclarationNetwork Solution Replacement DeclarationNotice of Security ConcernNotice of Security ConcernRequired UserRequired UserSub-networkSub-networkUnauthorized ActivityUnauthorized Activity

Hit “Esc” to return to sending page

Definition: Business ObjectiveDefinition: Business Objective

An operational or cost savings benefit An operational or cost savings benefit expected from use of Network Equipment, expected from use of Network Equipment, Software or Services. The mere Software or Services. The mere implementation, ownership or use of implementation, ownership or use of Network Equipment, Software or Services Network Equipment, Software or Services or Communications Devices shall not be or Communications Devices shall not be considered to be a genuine Business considered to be a genuine Business Objective.Objective.

Return to sending page Definitions Table of Contents

Definition: CDefinition: Clearance Requestlearance Request

A request from a Customer, that is not a A request from a Customer, that is not a Required User, to implement a Network Required User, to implement a Network Solution that uses Internet technology and Solution that uses Internet technology and is not provided through SUNCOM.is not provided through SUNCOM.

See 60FF-1.013 & 1.014.See 60FF-1.013 & 1.014.


Definition:Definition: CPLACPLACommunications Purchase or Lease AuthorizationCommunications Purchase or Lease Authorization

The means that was used by Required The means that was used by Required Users to seek and obtain approval from Users to seek and obtain approval from DMS to purchase or lease DMS to purchase or lease communications equipment prior to communications equipment prior to establishment of Chapter 60FF, F.A.C.establishment of Chapter 60FF, F.A.C.


Definition: Definition: Eligible UserEligible User

Qualifying user of SUNCOM Services including Qualifying user of SUNCOM Services including state agencies, county and municipal agencies, state agencies, county and municipal agencies, public schools and districts, private, nonprofit public schools and districts, private, nonprofit elementary and secondary schools (provided elementary and secondary schools (provided they do not have an endowment in excess of they do not have an endowment in excess of $50 million), state universities, community $50 million), state universities, community colleges, libraries, water management districts, colleges, libraries, water management districts, state commissions and councils, and nonprofit state commissions and councils, and nonprofit corporations. Any entity ordering or using or corporations. Any entity ordering or using or paying for a SUNCOM Service must be an paying for a SUNCOM Service must be an Eligible User.Eligible User.


Definition: Exemption RequestDefinition: Exemption Request

A request from Required Users seeking A request from Required Users seeking Department approval to use Network Department approval to use Network Solutions that are not provided through Solutions that are not provided through SUNCOM.SUNCOM.

See 60FF-1.007 through 60FF-1.012, See 60FF-1.007 through 60FF-1.012, F.A.C.F.A.C.


Definition: MaintenanceDefinition: Maintenance

Activity to ensure the ongoing availability Activity to ensure the ongoing availability of a Network Solution through replacement of a Network Solution through replacement of parts, software patches and associated of parts, software patches and associated services without expanding the scope, services without expanding the scope, functionality, volume by more than 10% functionality, volume by more than 10% over the volume that was approved by over the volume that was approved by SUNCOM, or changes to the architecture SUNCOM, or changes to the architecture of the Network Solution.of the Network Solution.


Definition: NDefinition: Network Solutionetwork Solution

Use of Network Equipment, Network Use of Network Equipment, Network Software and/or Network Services to meet Software and/or Network Services to meet a Business Objective.a Business Objective.


Definition: Network Solution Replacement DeclarationDefinition: Network Solution Replacement Declaration

A commitment from a Customer to replace A commitment from a Customer to replace a Custom Network Solution with a a Custom Network Solution with a SUNCOM solution by a specific date.SUNCOM solution by a specific date.

See 60FF-1.006, F.A.C.See 60FF-1.006, F.A.C.


Definition: Notice of Security ConcernDefinition: Notice of Security Concern

A statement warning DMS that a condition A statement warning DMS that a condition exists that may violate DMS Security exists that may violate DMS Security Standards.Standards.

See 60FF-1.005, F.A.C.See 60FF-1.005, F.A.C.


Definition: Required UserDefinition: Required User

All state agencies and state universities All state agencies and state universities mandated to use SUNCOM in Section mandated to use SUNCOM in Section 282.103, F.S.282.103, F.S.

282.103 SUNCOM Network; exemptions from the required use.--

(1) There is created within the Department of Management Services the SUNCOM Network which shall be developed to serve as the state communications system for providing local and long-distance communications services to state agencies, political subdivisions of the state, municipalities, state universities, and nonprofit corporations …

(3) All state agencies and state universities are required to use the SUNCOM Network for agency and state university communications services as the services…If a SUNCOM Network service does not meet the communications requirements of an agency or university, the agency or university shall notify the State Technology Office in writing and detail the requirements for that communications service. If the office is unable to meet an agency's or university's requirements by enhancing SUNCOM Network service, the office may grant the agency or university an exemption from the required use of specified SUNCOM Network services.


Definition: Sub-NetworkDefinition: Sub-Network

Network established by Customers within, Network established by Customers within, or attached to, the broader State Network or attached to, the broader State Network that is maintained by SUNCOM.that is maintained by SUNCOM.


Definition: Unauthorized…Definition: Unauthorized…AccessAccess - Any sign-on and/or log-on activity accessing any part of the - Any sign-on and/or log-on activity accessing any part of the State Network and/or connected devices performed by an State Network and/or connected devices performed by an Unauthorized User.Unauthorized User.

ActivityActivity - Unauthorized Access to, Unauthorized Connection to, - Unauthorized Access to, Unauthorized Connection to, Unauthorized Traffic on and Unauthorized Use of the State Network.Unauthorized Traffic on and Unauthorized Use of the State Network.

ConnectionConnection - Any virtual private network, private virtual circuit, - Any virtual private network, private virtual circuit, extranet and/or point-to-point connection to the State Network that has extranet and/or point-to-point connection to the State Network that has not been disclosed to and recorded by the Department.not been disclosed to and recorded by the Department.

TrafficTraffic - Any communications transported across the State Network - Any communications transported across the State Network that is not directly relevant to state business and/or that is directed to that is not directly relevant to state business and/or that is directed to or from an Unauthorized User.or from an Unauthorized User.

UserUser - Individual user not affiliated with and authorized by a current - Individual user not affiliated with and authorized by a current Customer of SUNCOM who is using the State Network.Customer of SUNCOM who is using the State Network.


disclaimer the following presentation is an abbreviated description of 60ff-1, 60ff-2 and 60ff-3,...

Documents