Miami-Dade Legislative Item
File Number: 220398
Printable PDF Format Download Adobe Reader    Clerk's Official Copy   
File Number: 220398 File Type: Ordinance Status: Adopted
Version: 0 Reference: 22-22 Control: Board of County Commissioners
File Name: SOFTWARE AND HARDWARE BE MADE IN THE UNITED STATES Introduced: 2/17/2022
Requester: NONE Cost: Final Action: 3/1/2022
Agenda Date: 3/1/2022 Agenda Item Number: 7A
Notes: Title: ORDINANCE RELATING TO PROCUREMENT OF CYBERSECURITY PRODUCTS AND VENDOR ACCESS TO COUNTY CYBERSECURITY INFRASTRUCTURE; CREATING SECTION 2-8.2.6.2 OF THE CODE OF MIAMI-DADE COUNTY, FLORIDA; PROVIDING THAT SOLICITATIONS AND CONTRACTS FOR THE PURCHASE OF CYBERSECURITY PRODUCTS REQUIRE THAT SOFTWARE AND HARDWARE BE MADE IN THE UNITED STATES; REQUIRING HEIGHTENED SECURITY REVIEW OF EMPLOYEES OF VENDORS WITH ACCESS TO COUNTY CYBERSECURITY; PROVIDING EXCEPTIONS; AND PROVIDING SEVERABILITY, INCLUSION IN THE CODE, AND AN EFFECTIVE DATE [SEE ORIGINAL ITEM UNDER FILE NO. 212021]
Indexes: SECURITY
  SOFTWARE
  PROCUREMENT
Sponsors: Jose "Pepe" Diaz, Prime Sponsor
  Sen. Rene Garcia, Co-Sponsor
  Sally A. Heyman, Co-Sponsor
  Rebeca Sosa, Co-Sponsor
  Sen. Javier D. Souto, Co-Sponsor
Sunset Provision: No Effective Date: Expiration Date:
Registered Lobbyist: None Listed

Legislative History
Acting Body Date Agenda Item Action Sent To Due Date Returned Pass/Fail
Board of County Commissioners 3/1/2022 7A Adopted P
REPORT: County Attorney Geri Bonzon-Keenan read the titles of the foregoing proposed ordinances (Agenda Items 7A through 7H) into the record. Hearing no questions or comments, the Board proceeded to vote simultaneously on Agenda Items 7A, 7D and 7E, as presented.
County Attorney 2/17/2022 Assigned Oren Rosenthal 2/18/2022
County Infrastructure, Operations and Innovations Committee 2/10/2022 1G1 AMENDED Forwarded to BCC with a favorable recommendation with committee amendments following public hearing P
REPORT: Assistant County Attorney Jorge Martinez-Esteve read into the record the title of the foregoing proposed ordinance. Chairwoman Regalado opened the public hearing on the foregoing proposed ordinance, and Mr. Tim Gomez appeared before the committee to speak in support of this proposed ordinance. Assistant County Attorney Eduardo W. Gonzalez read the proposed amendment into the record as requested by Board of County Commissioners (BCC) Chairman Jose ‘Pepe’ Diaz as follows: “Include whereas clauses identifying the federal prohibitions on purchasing technology from prohibiting companies in their Fiscal Year 2018 and Fiscal Year 2019 National Defense Authorization Act in identifying the entities currently on the prohibited telecommunications companies list including Le Navel Computers, Kaspersky Lab, Huawei Technologies Company, ZET Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, and Dahua Technology Company and, “In Section 1, in the list of the exceptions to the requirements to purchase cyber security software and hardware produced in the United States. Allow for the purchase of foreign cyber security software and hardware from companies in subsidiaries which are not on the list of prohibited telecommunications companies as that list may be amended from time to time, pursuant to the Fiscal Year 2019 National Defense Authorization Act.” Mr. Tim Gomez expressed his support for the proposed ordinance as amended. Hearing no other persons wishing to speak, Chairwoman Regalado closed the public hearing. In response to Commissioner Higgins’s question, Assistant County Attorney Gonzalez clarified the ordinance intended to follow the National Defense Act because the federal government had included in the act exceptions and requirements. In response to Commissioner Monestime's question regarding whether the ordinance also applied to contracts under $1 million that were not subject to Board approval, Mr. Lars Schmekel, Chief Information Security Officer, Enterprise Security Office, Information Technology Department (ITD), replied the ordinance applied to all procurements regardless of whether a contract required Board approval. He indicated the Board was amenable to extending the ordinance requirements to all purchases of these types of products. Assistant County Attorney Gonzalez advised Commissioner Monestime’s interpretation of the ordinance was correct because, as written, it only applied to contracts requiring approval and ratification by the Board. In response to Commissioner Monestime’s concerning how this ordinance would impact the ability to procure the best available products, Mr. Schmekel commented that the NDA Act guidelines were observed because it outlined the prohibited companies and subcontractors that the federal government can no longer contract. Mr. Schmekel pointed out that most of the cyber securities companies had no subsidiaries in China, and those companies were either European or United States companies with research and development operating from Israel. He noted there was no anticipation that the ordinance would affect the County's ability to procure world-class cyber security technologies. In regards to Commissioner Monestime's question about what type of strengthened security review procedure was used to screen potential employees and county vendors, Mr. Schmekel advised the department would employ the same process used for employees and technicians providing services to the Miami-Dade Police Department (MDPD). He explained the requirements and noted the requirements included undergoing a nationwide background check with certification compliance. In response to Commissioner Cohen Higgins's concerns regarding the cost effectiveness of the ordinance, Mr. Schmekel indicated the purchase of cyber security products would be done through the competitive bid process and observing NDA's guidelines. He noted the County's ability to purchase the best technologies at the best price would not be hindered since the County could purchase those products from companies outside the United States. He indicated the fiscal impact of this proposed ordinance was unknown due to unpredictable market conditions. Hearing no further questions or comments, the committee members proceeded to vote on the foregoing proposed ordinance with committee amendments.
Legislative Text

TITLE
ORDINANCE RELATING TO PROCUREMENT OF CYBERSECURITY PRODUCTS AND VENDOR ACCESS TO COUNTY CYBERSECURITY INFRASTRUCTURE; CREATING SECTION 2-8.2.6.2 OF THE CODE OF MIAMI-DADE COUNTY, FLORIDA; PROVIDING THAT SOLICITATIONS AND CONTRACTS FOR THE PURCHASE OF CYBERSECURITY PRODUCTS REQUIRE THAT SOFTWARE AND HARDWARE BE MADE IN THE UNITED STATES; REQUIRING HEIGHTENED SECURITY REVIEW OF EMPLOYEES OF VENDORS WITH ACCESS TO COUNTY CYBERSECURITY; PROVIDING EXCEPTIONS; AND PROVIDING SEVERABILITY, INCLUSION IN THE CODE, AND AN EFFECTIVE DATE

BODY
WHEREAS, Miami-Dade County utilizes information technology in all aspects of County government to provide all aspects of government services to the County�s residents and visitors; and
WHEREAS, the County�s information technology infrastructure is critical to providing life, health and safety services such as police, fire and rescue, water and sewer, and management of environmental resources; and
WHEREAS, while information technology has provided a means to dramatically increase efficiency and reduce costs in government services, it is also potentially susceptible to targeted attacks by malicious actors seeking to disrupt, interfere or profit from intrusion into government information technology systems; and
WHEREAS, foreign governments are among those entities seeking to gain access to government information technology infrastructures for political, military and economic espionage and other purposes; and
WHEREAS, recent attacks on information technology infrastructure by both known and unknown foreign governments and governmental sponsored organizations demonstrate the need for increased security and vigilance against state and state sponsored intrusions; and
WHEREAS, cybersecurity products developed outside the United States of America are more susceptible to foreign government intervention and manipulation; and
>>WHEREAS, the John S. McCain National Defense Authorization Act for Fiscal Year 2019, Public Law 115-232, prohibits certain federal agencies from purchasing technology products from companies on the prohibited telecommunications companies list including Lenovo Computers, Kaspersky Lab, Huawei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technologies Company, and Dahua Technology Company; and<<1
WHEREAS, this Board desires to harden the County�s information technology infrastructure by requiring that solicitations for cybersecurity products require that such products be made in the United States of America and that County vendors with access to County cybersecurity systems be subject to heightened review by the County Mayor or County Mayor�s designee,
BE IT ORDAINED BY THE BOARD OF COUNTY COMMISSIONERS OF MIAMI-DADE COUNTY, FLORIDA:
Section 1. Section 2-8.2.6.2 of the Code of Miami-Dade County, Florida, is hereby created as follows:
Sec. 2-8.2.6.2. Cybersecurity and Information Technology Procurement and Protection Program.
(1) Policy and Scope: This section shall be known as the "Cybersecurity and Information Technology Procurement and Protection Program" and is intended to set forth requirements to purchase cybersecurity products produced in the United States for contracts that are subject to approval or ratification by the Board of County Commissioners and to provide heightened review of vendors with access to County cybersecurity systems.

(2) Definitions.

For purposes of this section:

a. �County Mayor� wherever used in this section shall mean the County Mayor and his or her designee.

b. �Cybersecurity products� shall mean software or hardware that include technologies, processes, and practices designed to protect information technology networks, devices, programs, and data from attack, damage, or unauthorized access.

c. �Produced in the United States� shall mean, with respect to cybersecurity products, a product for which all development and production occurs in the United States.

d. �Heightened security review� shall mean any and all security screening conducted on County employees with access to cybersecurity products or any other additional security screenings or reviews the County Mayor or County Mayor�s designee determines necessary to protect the security of the County�s information technology networks, devices, programs, and data.

(3) Cybersecurity Procurement and Contracting Requirement: All solicitations and contracts for cybersecurity products shall include terms and specifications requiring that any cybersecurity products be produced in the United States.

(4) Exceptions: The requirement set forth in subsection 3 shall not apply, if:

(a) A required cybersecurity product is not produced in the United States, or if such required cybersecurity product is produced in the United States, it is not of a satisfactory quality to meet the needs of Miami-Dade County; [[or]]


(b) upon a written recommendation of the County Mayor approved by a majority vote of the Board members present, compliance with the procurement and contracting requirements in subsection 3 is not consistent with the best interests of the public[[.]]>>;or

(c) the cybersecurity product is purchased from a company or subsidiary that is not on the list of prohibited telecommunications companies in the John S. McCain National Defense Authorization Act for Fiscal Year 2019, Public Law 115-232, as that list may be amended from time.<<

(5) Heightened Review of Employees of Vendors with Cybersecurity Access: All employees of County vendors who have access to County owned, licensed or operated cybersecurity products shall be subject to heightened security review prior to such County vendor employees being granted access to County cybersecurity products.

(6) Federal law, Florida law and International Agreements: This section shall be applied in a manner consistent with existing federal law, State of Florida law and any obligations applicable to Miami-Dade County under international agreements.
Section 2. The requirements of this ordinance shall not apply to any contract or project that was advertised for competition or is under contract before the effective date of this ordinance.
Section 3. If any section, subsection, sentence, clause or provision of this ordinance is held invalid, the remainder of this ordinance shall not be affected by such invalidity.
Section 4. It is the intention of the Board of County Commissioners, and it is hereby ordained that the provisions of this ordinance, including any sunset provision, shall become and be made a part of the Code of Miami-Dade County, Florida. The sections of this ordinance may be renumbered or relettered to accomplish such intention, and the word "ordinance" may be changed to "section," "article," or other appropriate word.
Section 5. This ordinance shall become effective ten (10) days after the date of enactment unless vetoed by the Mayor, and if vetoed, shall become effective only upon an override by this Board.
1 Committee amendments are indicated as follows: Words double stricken through and/or [[double bracketed]] are deleted, words double underlined and/or >>double arrowed<< are added.


Home  |   Agendas  |   Minutes  |   Legislative Search  |   Lobbyist Registration  |   Legislative Reports
2024 BCC Meeting Calendar  |   Miami-Dade County Code of Ordinances   |   ADA Notice  |  

Home  |  Using Our Site  |  About Phone Directory  |  Privacy  |  Disclaimer

E-mail your comments, questions and suggestions to Webmaster  

Web Site � 2024 Miami-Dade County.
All rights reserved.