Disclaimer
The following presentation is an abbreviated description of 60FF-1, 60FF-2 and 60FF-3, Florida Administrative Code. The presentation is meant to convey the general intent of the rules and the means by which the Department of Management Services will fulfill its statutory duties in providing the State communications network known as SUNCOM. This presentation and other SUNCOM documentation related to the rules are not substitutes for the actual rules nor do they provide comprehensive or final interpretations of the rules.

Reasons for SUNCOM Rule Changes
Demise of State Technology Office
  STO owned SUNCOM rules under 60DD
Core of 60DD was over twenty years old
Marketplace changes
  Industry competition led SUNCOM to replace leased backbone with public switched network services
Technology changes
  Continuing ramifications of the Internet Protocol
  Open systems
Make rules comport with Statutes
  Subsection 282.103 (3), F.S. calls for “exemptions” for use of communications services outside of SUNCOM
  CPLA process had vague statutory basis, i.e. nothing in F.S. about hardware approvals

Rule Change Process: Publications, Announcements and Input
Required
  Administrative weekly
  Workshop
  One Public Hearing (if requested)
Additional
  Invitations to CIOs with drafts
  Invitations to customers with drafts
  Two extra public hearings
  Meetings with:
    Joint Administrative Procedures Committee
    Technology Review Workgroup
    House, Senate and Governor’s Office staff
  Web site postings
    Latest internal rule drafts
    Meeting announcements
    Log of input and changes
    Email input
    Posted rules

Intent of New Rules
Foster collaboration
Minimize duplication
Promote compatibility
Leverage economies of scale
  Bulk purchasing power
  Standardization of solutions
Maximize network predictability and up-time
Provide for basic network security
Govern SUNCOM relationships
  With customers
  With vendors

60FF-1 Highlights
Definitions of terms
Usage eligibility etc.
Notices and requests to SUNCOM
  Notice of Security Concern
  Exemption Request
  Clearance Request
  Network Solution Replacement Declaration

Notice of Security Concern (60FF-1.005, F.A.C.)
Petitioners:
  Any customer using State Intranet
  Any vendor implementing an IP Network Solution for a SUNCOM customer
Purpose:
  Notify SUNCOM of (potential) network security exposures
  Establish collaborative conditions
  Get SUNCOM’s help
  Secure SUNCOM’s sanction
Circumstances:
  A Customer establishes or is aware of existing or expected conditions not in compliance with SUNCOM security standards
  A vendor plans to implement a Network Solution in violation of SUNCOM security standards
SUNCOM possible responses
  Authorize
  Conditionally authorize
  Negotiate alternatives
  Disallow

Exemption Request (60FF-1.007-1.012, F.A.C.)
Petitioners:
  Required User
Purpose:
  To notify SUNCOM of a communications need
    Informal notice required upon identifying the Business Objective
    Two parts in escalating detail
  To obtain permission to use non-SUNCOM services
Circumstances:
  Seeking to use a Network Solution not provided by SUNCOM
  Using an existing Network Solution not provided by SUNCOM after December, 2008 if not previously approved through a CPLA
  Expanding any CPLA approved Network Solution
  Continuing to use a CPLA approved Network Solution after the CPLA term (contract) ends for anything other than Maintenance
SUNCOM possible response
  Seek collaboration
  Approve
  Conditionally approve
  Deny and suggest the SUNCOM alternative

Clearance Request (60FF-1.013-1.014, F.A.C.)
Petitioner:
  Eligible Users who are a part of the State Intranet and are not Required Users
Purpose:
  Prevent security exposures from Network Solutions not covered by Exemption Requests
Circumstances:
  Customer wishes to implement a non-SUNCOM IP based Network Solution
SUNCOM Responses
  Seek collaboration
  Approve
  Conditionally approve
  Deny and suggest the SUNCOM alternative

Network Solution Replacement Declaration (60FF-1.006, F.A.C.)
Petitioner:
  Any SUNCOM customer
Purpose:
  Verify termination of a Network Solution for which no exemption, CPLA or security sanction has been obtained
Circumstances:
  Customer intends to discontinue use of an unsanctioned Network Solution or configuration
  Customer was unable to obtain necessary SUNCOM approval for a Network Solution
SUNCOM Responses
  Acknowledge
  Negotiate more rapid replacement

60FF-2 Highlights
Defines order processing and related responsibilities of SUNCOM, customers and vendors
  Codifies most of current process
  Allows for modernization
Governs payment processing for SUNCOM, customers and vendors

60FF-3 Highlights
Provides conditions for changing or terminating services
Provides Security Protection Standards
Provides for address distribution and authorization on the State Network

60FF-3 Security Protection Standards Highlights
Any conditions that allow for Unauthorized Activity are prohibited.
Absent approval through a Notice of Security Concern, the following are prohibited when they are not managed by SUNCOM:
  Backdoors
  Virtual Connections with the State Intranet
  Tunnels with the State Intranet
  Remote access with the State Intranet
Authorization of these conditions and non-SUNCOM firewalls requires the following:
  Firewall transaction logs; and
  Appropriate and modern processes and tools for protecting the State Intranet; and
  Trained staff; and
  Monitoring activities; and
  Necessary transparency for SUNCOM.
Use of scanning, discovery and automatic traffic generating tools must be approved to prevent:
  Alarming SUNCOM, its Providers and Customers
  Impairing the State Network
Remedies
  To limit damages and exposures
  To establish liability and liquidated damages

60FF-3 Address Distribution Highlights
SUNCOM will distribute or authorize all Internet Protocol Version Six (IPv6) addresses on the State Network
Customers must register all private IPv4 addresses used outside of the customer’s Sub-network
  SUNCOM will resolve duplicate usage in favor of the first to register
Customers must provide a full listing of addresses upon request from SUNCOM

Summary of Rules Status
Rules went into effect June 25th, 2008
No more CPLAs
New processes now required
  Exemption Requests
  Notices of Security Concern
  Network Solution Replacement Declarations
SUNCOM will ultimately provide complete plain language guides that preclude the need to read most of the rules
  On-line Exemption forms have replaced on-line CPLAs
  SUNCOM Portfolio of Services will contain plain language explanations and templates
  These guides are not substitutes for the rules (per disclaimer on first slide)
Future rule adjustments
  To correspond with AEIT rules
  To improve and refine with legislation

Definitions
Business Objective
Clearance Request
CPLA
Eligible User
Exemption Request
Maintenance
Network Solution
Network Solution Replacement Declaration
Notice of Security Concern
Required User
Sub-network
Unauthorized Activity

Definition: Business Objective
An operational or cost savings benefit expected from use of Network Equipment, Software or Services. The mere implementation, ownership or use of Network Equipment, Software or Services or Communications Devices shall not be considered to be a genuine Business Objective.

Definition: Clearance Request
A request from a Customer, that is not a Required User, to implement a Network Solution that uses Internet technology and is not provided through SUNCOM.
See 60FF-1.013 & 1.014.

Definition: CPLA (Communications Purchase or Lease Authorization)
The means that was used by Required Users to seek and obtain approval from DMS to purchase or lease communications equipment prior to establishment of Chapter 60FF, F.A.C.

Definition: Eligible User
Qualifying user of SUNCOM Services including state agencies, county and municipal agencies, public schools and districts, private, nonprofit elementary and secondary schools (provided they do not have an endowment in excess of $50 million), state universities, community colleges, libraries, water management districts, state commissions and councils, and nonprofit corporations. Any entity ordering or using or paying for a SUNCOM Service must be an Eligible User.

Definition: Exemption Request
A request from Required Users seeking Department approval to use Network Solutions that are not provided through SUNCOM.
See 60FF-1.007 through 60FF-1.012, F.A.C.

Definition: Maintenance
Activity to ensure the ongoing availability of a Network Solution through replacement of parts, software patches and associated services without expanding the scope, functionality, volume by more than 10% over the volume that was approved by SUNCOM, or changes to the architecture of the Network Solution.

Definition: Network Solution
Use of Network Equipment, Network Software and/or Network Services to meet a Business Objective.

Definition: Network Solution Replacement Declaration
A commitment from a Customer to replace a Custom Network Solution with a SUNCOM solution by a specific date.
See 60FF-1.006, F.A.C.

Definition: Notice of Security Concern
A statement warning DMS that a condition exists that may violate DMS Security Standards.
See 60FF-1.005, F.A.C.

Definition: Required User
All state agencies and state universities mandated to use SUNCOM in Section 282.103, F.S.
282.103 SUNCOM Network; exemptions from the required use.--
(1) There is created within the Department of Management Services the SUNCOM Network which shall be developed to serve as the state communications system for providing local and long-distance communications services to state agencies, political subdivisions of the state, municipalities, state universities, and nonprofit corporations …
(3) All state agencies and state universities are required to use the SUNCOM Network for agency and state university communications services as the services…If a SUNCOM Network service does not meet the communications requirements of an agency or university, the agency or university shall notify the State Technology Office in writing and detail the requirements for that communications service. If the office is unable to meet an agency's or university's requirements by enhancing SUNCOM Network service, the office may grant the agency or university an exemption from the required use of specified SUNCOM Network services.

Definition: Sub-Network
Network established by Customers within, or attached to, the broader State Network that is maintained by SUNCOM.

Definition: Unauthorized…
Access - Any sign-on and/or log-on activity accessing any part of the State Network and/or connected devices performed by an Unauthorized User.
Activity - Unauthorized Access to, Unauthorized Connection to, Unauthorized Traffic on and Unauthorized Use of the State Network.
Connection - Any virtual private network, private virtual circuit, extranet and/or point-to-point connection to the State Network that has not been disclosed to and recorded by the Department.
Traffic - Any communications transported across the State Network that is not directly relevant to state business and/or that is directed to or from an Unauthorized User.
User - Individual user not affiliated with and authorized by a current Customer of SUNCOM who is using the State Network.