
- March 9, 2025
- Sean Gellis
Welcome to FloridaProcurements.com (FlaProc), your authoritative resource for navigating Florida’s government contracting landscape, with particular focus on transportation and technology opportunities. FlaProc provides free, expert guidance to help companies identify and secure state contracting opportunities throughout Florida.
This resource is maintained by Attorney Sean Gellis of Gellis Law, PLLC, one of fewer than 75 attorneys Board Certified in State and Federal Government and Administrative Practice by The Florida Bar. Mr. Gellis brings unique insight to government contracting, having served as the Chief of Staff of the Florida Department of Management Services (DMS), General Counsel of the Florida Department of Transportation (FDOT), and Deputy General Counsel of the Florida Office of Insurance Regulation – positions that provided direct oversight of technology initiatives and issues of statewide importance. His record in bid protest litigation reflects the sophisticated advocacy and strategic thinking he brings to government contracting matters, particularly in complex transportation and technology procurements. Sean also leads Procurement Insider, a confidential subscription service that provides technology vendors with strategic intelligence and insider analysis of Florida government opportunities. Learn more about transforming your approach to government contracting at www.gellislaw.com/procurement-insider
Florida’s New AI-Enhanced Cybersecurity Initiative: Bold Vision or Potential Pitfall?
A Critical Analysis of Florida’s ATRIS Procurement Strategy
Florida’s Department of Management Services (DMS) recently released an Invitation to Negotiate (ITN) for an Advanced Threat Response and Intelligence System (ATRIS), positioning it as a transformative advancement in the state’s cybersecurity posture. As someone who has navigated Florida’s complex government technology procurement landscape from inside state government—serving as both Chief of Staff at DMS and General Counsel at FDOT—I see this initiative through a unique lens that many vendors and observers might miss.
While Florida’s proactive approach to cybersecurity deserves commendation, a thorough analysis of the procurement documentation—including the detailed Technical Reply requirements—reveals significant structural concerns that could undermine this well-intentioned initiative. Having overseen numerous large-scale technology procurements during my government service, I recognize patterns in this ATRIS ITN that mirror previous initiatives that ultimately failed to deliver expected value.
Inside the ATRIS Procurement: Technical Scope and Framework
The ITN (DMS-24/25-259) and accompanying Technical Reply outline an ambitious vision for enhancing Florida’s cybersecurity capabilities through advanced artificial intelligence. A detailed examination reveals:
Procurement Structure and Timeline
- Two-Phase Implementation:
  - Phase I (3 years): Proof of concept development and validation, including requirements gathering, system design, prototype development, testing, documentation, and demonstration
  - Phase II (3 years): Optional renewal for full implementation and ongoing support services
- Significant Financial Parameters: Annual budget ceiling of $500,000, potentially totaling $3 million over the full contract term
- Phased Milestone Approach: Clearly defined deliverables across a six-year timeline, with checkpoints for evaluation and decision-making
Technical Requirements
The Technical Reply specifies that ATRIS must include:
- AI/ML-Enhanced Threat Intelligence: Automated aggregation and analysis of external threat reports, breach reports, CVEs, and threat intelligence feeds
- Internal Data Integration: Application of threat intelligence to existing internal signals, logs, and security tools
- Automated Response Workflows: Mechanisms to execute response actions based on analyzed data
- Scalable Architecture: Framework that can evolve with growing security needs and future technology advancements
- Comprehensive Documentation: Detailed technical documentation including source code and APIs
Intellectual Property Framework
- Contractor Rights: The contractor retains ownership of intellectual property developed during the contract
- State License: Florida secures a perpetual, irrevocable, royalty-free license to use, modify, and distribute ATRIS
- Foreign Country Restrictions: Explicit prohibitions against transferring ATRIS technology to “Foreign Countries of Concern” including China, Russia, Iran, North Korea, Cuba, Venezuela, and Syria
The Promising Aspects: Florida’s Cybersecurity Vision Shows Foresight
Florida’s focus on enhancing its cybersecurity capabilities comes at a critical time. The state’s digital infrastructure faces increasingly sophisticated threats while protecting essential government functions, citizen data, and financial systems. Several aspects of this initiative demonstrate commendable strategic thinking:
Recognition of Evolving Threat Landscape
Florida correctly identifies the changing nature of cybersecurity challenges. State governments have become high-value targets for nation-state actors, ransomware groups, and sophisticated criminal organizations. Traditional security approaches focusing on perimeter defense and signature-based detection have proven inadequate against modern adversaries who employ advanced persistent threats, fileless malware, and social engineering tactics.
Potential for Operational Improvements
The Technical Reply’s specification of AI and machine learning capabilities reflects a sophisticated understanding of modern security challenges:
- Enhanced Detection Capabilities: The requirement for ML algorithms to identify subtle patterns and anomalies demonstrates forward-thinking security architecture
- Reduced Alert Fatigue: The focus on correlating information from diverse sources addresses a critical operational challenge for security teams
- Faster Incident Response: Automated response mechanisms could reduce containment time from hours to minutes
- More Efficient Resource Allocation: Security staff could focus on high-value analytical tasks rather than routine alert triage
Accountability Mechanisms
The ITN includes several positive accountability features:
- Clear Performance Metrics: Defined deliverables with specific timelines
- Financial Consequences: Monetary penalties for missed deadlines ($100-$250 per day late depending on deliverable)
- Structured Testing Requirements: Comprehensive evaluation protocol with documentation requirements
- Intellectual Property Protections: Strong safeguards regarding technology transfer to foreign entities
The Concerning: Structural Problems That Could Undermine Success
Despite these promising aspects, a close analysis of the Technical Reply reveals several structural issues that raise serious concerns about the likelihood of successful implementation and return on taxpayer investment.
The “Design” Trap: Custom Solutions vs. Commercial Products
The Technical Reply explicitly calls for the contractor to “design, develop, create, test, deliver, customize, and otherwise provide” a custom ATRIS system rather than implement existing commercial solutions. This approach ignores decades of lessons from government IT projects.
During my tenure as DMS Chief of Staff, I witnessed firsthand how custom-designed technology systems typically led to:
- Exponential Cost Growth: What begins as a $3 million project often balloons to many times that amount through change orders, scope expansions, and “necessary” customizations
- Accelerated Obsolescence: Custom-built systems typically lack the continuous investment in R&D that commercial products receive, leading to functional obsolescence within 3-5 years
- Integration Challenges: Custom systems frequently struggle to integrate with both existing and future commercial technologies
- Vendor Dependency: Once significant investment has been made in a custom solution, the state becomes effectively locked into a single vendor relationship
The detailed design requirements in the Technical Reply—specifying architecture development, interface design, and prototype construction—reinforce that Florida is pursuing a custom-built solution rather than adapting proven commercial platforms.
The Proof of Concept Paradox: Paying for Designs Without Implementation
The two-phase approach creates a troubling scenario where Florida may spend up to $1.5 million over three years for designs and prototypes without any guarantee of actual implementation. The Technical Reply confirms that Phase II is entirely optional and contingent on evaluation of Phase I.
This creates multiple problems:
- Misaligned Incentives: Vendors are incentivized to propose complex, expensive designs rather than practical, implementable solutions
- Delayed Security Benefits: While spending occurs immediately, actual security improvements may be years away or never materialize
- Resource Diversion: Limited cybersecurity funding gets directed toward conceptual work rather than operational improvements
The detailed milestone schedule in the Technical Reply reveals that actual system deployment doesn’t begin until Year Four—contingent on renewal—meaning that Florida could invest three years of effort without deploying operational security improvements.
The AI Governance Gap: Missing Controls for Critical Technology
While the Technical Reply emphasizes AI and machine learning capabilities, it contains surprisingly little discussion of AI governance, raising several concerns:
- Data Protection Considerations: How will Florida ensure that sensitive state data used to train AI models doesn’t create security vulnerabilities?
- Algorithmic Transparency: What oversight mechanisms will ensure that AI-driven security decisions remain explainable and auditable?
- Ethical Boundaries: What limits will be placed on automated response actions to prevent unintended consequences?
- Continuous Monitoring: How will Florida ensure that AI systems don’t develop problematic behaviors over time?
While the Technical Reply includes detailed specifications for developing AI capabilities, it lacks equivalent detail on governing those capabilities once deployed.
Implementation Risk: The Deployment Challenge
The Technical Reply reveals that even if Phase II is approved, the first six months of the renewal term would be dedicated to “System Deployment” and “Training and Onboarding”—pushing actual operational benefits even further into the future.
This extended timeline between concept and implementation creates:
- Technology Obsolescence Risk: By the time ATRIS reaches full deployment, the threat landscape and technology environment will have evolved significantly
- Stakeholder Transition Challenges: Personnel involved in early design phases may no longer be present during implementation
- Fiscal Uncertainty: Securing consistent funding across six fiscal years and potentially multiple administrations introduces additional risk
The history of Florida technology procurements includes numerous examples of projects that encountered significant challenges during the transition from design to implementation phases.
A Better Approach: Learning from Past Missteps
Florida has a challenging history with custom technology initiatives that offers valuable lessons. From the CONNECT unemployment system’s well-documented problems to numerous other costly IT projects, the pattern is clear: custom-designed systems rarely deliver as promised and often become expensive burdens rather than valuable assets.
Based on my experience overseeing major government technology initiatives, I recommend Florida consider an alternative approach that would better serve both security objectives and taxpayer interests:
Leverage Existing Solutions, Not Custom Design
Rather than soliciting custom system designs, Florida would be better served by:
- Adopting Established Platforms: Contract with providers of proven security orchestration, automation, and response (SOAR) platforms already serving major enterprises and governments
- Focusing on Configuration vs. Customization: Emphasize adapting commercial products to Florida’s environment rather than building Florida-specific solutions
- Prioritizing Integration Excellence: Direct vendor expertise toward connecting existing security investments rather than creating new ones
- Leveraging Competitive Innovation: Benefit from the R&D investments that leading security vendors are already making in AI capabilities
While the Technical Reply’s perpetual license provisions provide some protection, the fact remains that Florida would be better served by leveraging existing commercial solutions rather than commissioning a new custom system.
Focus on Services, Not Development
Instead of paying vendors to design systems, Florida should:
- Prioritize Operational Excellence: Contract for managed security services that deliver specific performance outcomes rather than technology assets
- Adopt a Security-as-a-Service Model: Shift from capital investments in custom systems to operational investments in security capabilities
- Implement Outcome-Based Contracting: Define and measure specific security improvements rather than system specifications
- Maintain Technology Flexibility: Structure agreements that allow Florida to benefit from evolving security technologies without contract renegotiation
The Technical Reply’s focus on development milestones rather than security outcomes highlights this misalignment of priorities.
Establish Clear AI Governance
Florida has an opportunity to lead in responsible government AI adoption by:
- Defining Ethical Boundaries: Establishing clear limits on automated security actions
- Ensuring Human Oversight: Requiring appropriate supervision of AI-driven decision processes
- Protecting Training Data: Implementing strict controls on how state data is used in AI model development
- Requiring Algorithmic Transparency: Ensuring that AI-driven security decisions remain explainable and auditable
- Establishing Continuous Monitoring: Implementing ongoing assessment of AI system behaviors and outcomes
Accelerate Security Benefits
The current procurement structure defers actual security improvements for years. Florida should:
- Implement Immediate Enhancements: Prioritize solutions that can deliver security benefits within months, not years
- Adopt a Progressive Deployment Model: Implement core capabilities quickly while continuing to enhance functionality over time
- Focus on Operational Impact: Measure success by concrete security improvements rather than development milestones
- Balance Innovation with Proven Solutions: Combine innovative approaches with established security practices
The Bottom Line: Good Intentions Need Better Implementation
Florida’s focus on enhancing cybersecurity is commendable and necessary. The state faces sophisticated threats while protecting essential government functions and citizen data. The Technical Reply demonstrates that Florida has a sophisticated understanding of modern security challenges and has taken steps to protect its intellectual property interests.
However, the procurement approach for ATRIS appears to repeat patterns that have led to past IT disappointments and missed opportunities. The structure—focusing on custom development over commercial solutions, deferring implementation for years, and lacking clear AI governance—creates significant risks that could ultimately undermine the state’s security objectives.
Vendors considering participation should carefully weigh the significant investment required against the uncertainty of implementation. For taxpayers and stakeholders concerned with effective government operations, this procurement merits close attention. The state’s cybersecurity needs are real and urgent—but addressing them requires learning from past procurement missteps rather than repeating them with new technology.
As Florida moves forward with this initiative, I hope decision-makers will consider the alternative approaches outlined here. With thoughtful reconsideration of the procurement strategy, Florida has an opportunity to not only enhance its cybersecurity posture but also establish a model for effective government technology acquisition that other states could follow.
Sean Gellis is a Board Certified specialist in State and Federal Government and Administrative Practice with over a decade of government experience, including service as General Counsel of the Florida Department of Transportation and Chief of Staff of the Department of Management Services. Through Gellis Law, PLLC, he provides strategic counsel on government technology procurement, administrative law, and regulatory matters.