60GG-2.002. Identify  


Effective on Sunday, September 18, 2022
  • The Identify function of the FCS is visually represented as such:

    Function: Identify (ID)

    Category: Asset Management (AM)
    Subcategories:
    ID.AM-1: Inventory Agency physical devices and systems
    ID.AM-2: Inventory Agency software platforms and applications
    ID.AM-3: Map Agency communication and data flows
    ID.AM-4: Catalog interdependent external information systems
    ID.AM-5: Prioritize IT Resources based on classification, criticality, and business value
    ID.AM-6: Establish cybersecurity roles and responsibilities for the entire Workforce and third-party Stakeholders

    Category: Business Environment (BE)
    Subcategories:
    ID.BE-1: Identify and communicate the Agency’s role in the business mission/processes
    ID.BE-2: Identify and communicate the Agency’s place in Critical Infrastructure and its Industry Sector to Workers
    ID.BE-3: Establish and communicate priorities for Agency mission, objectives, and activities
    ID.BE-4: Identify dependencies and critical functions for delivery of critical services
    ID.BE-5: Implement resiliency requirements to support the delivery of critical services for all operating states (e.g., normal operations, under duress, during recovery)

    Category: Governance (GV)
    Subcategories:
    ID.GV-1: Establish and communicate an organizational cybersecurity policy
    ID.GV-2: Coordinate and align cybersecurity roles and responsibilities with internal roles and External Partners
    ID.GV-3: Understand and manage legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations
    ID.GV-4: Ensure that governance and risk management processes address cybersecurity risks

    Category: Risk Assessment (RA)
    Subcategories:
    ID.RA-1: Identify and document asset vulnerabilities
    ID.RA-2: Receive cyber Threat intelligence from information sharing forums and sources
    ID.RA-3: Identify and document Threats, both internal and external
    ID.RA-4: Identify potential business impacts and likelihoods
    ID.RA-5: Use Threats, vulnerabilities, likelihoods, and impacts to determine risk
    ID.RA-6: Identify and prioritize risk responses

    Category: Risk Management Strategy (RM)
    Subcategories:
    ID.RM-1: Establish, manage, and ensure organizational Stakeholders understand the approach to be employed via the risk management processes
    ID.RM-2: Determine and clearly express organizational risk tolerance
    ID.RM-3: Ensure that the organization’s determination of risk tolerance is informed by its role in Critical Infrastructure and sector specific risk analysis

    Category: Supply Chain Risk Management (SC)
    Subcategories:
    ID.SC-1: Establish management processes to identify, establish, assess, and manage cyber supply chain risk which are agreed to by organizational Stakeholders
    ID.SC-2: Identify, prioritize, and assess Suppliers and third-party providers of information systems, components, and services using a cyber supply chain risk assessment process
    ID.SC-3: Require Suppliers and third-party providers (by contractual requirement when necessary) to implement appropriate measures designed to meet the objectives of the organization’s information security program or cyber supply chain risk management plan
    ID.SC-4: Routinely assess Suppliers and third-party providers to confirm that they are meeting their contractual obligations by conducting reviews of audits, summaries of test results, or other equivalent evaluations of Suppliers/providers
    ID.SC-5: Conduct response and recovery planning and testing with Suppliers and third-party providers

    (1) Asset Management. Each agency shall ensure that IT Resources are identified and managed. Identification and management shall be consistent with the IT Resource’s relative importance to agency objectives and the organization’s risk strategy. Specifically, each agency shall:

    (a) Ensure that physical devices and systems within the organization are inventoried and managed (ID.AM-1).

    (b) Ensure that software platforms and applications within the organization are inventoried and managed (ID.AM-2).

    (c) Ensure that organizational communication and data flows are mapped and systems are designed or configured to regulate information flow based on data classification (ID.AM-3). Each Agency shall:

    1. Establish procedures that ensure only Agency-owned or approved IT Resources are connected to the Agency internal network and resources.

    2. Design and document its information security architecture using a defense-in-breadth approach. Design and documentation shall be assessed and updated periodically based on an Agency-defined, risk-driven frequency that considers potential Threat vectors (i.e., paths or tools that a Threat actor may use to attack a target).

    3. Consider diverse Suppliers when designing the information security architecture.

    (d) Each Agency shall ensure that interdependent external information systems are catalogued (ID.AM-4). Agencies shall:

    1. Verify or enforce required security controls on interconnected external IT Resources in accordance with the information security policy or security plan.

    2. Implement service level agreements for non-Agency provided technology services to ensure appropriate security controls are established and maintained.

    3. For non-interdependent external IT Resources, execute information sharing or processing agreements with the entity receiving the shared information or hosting the external system in receipt of shared information.

    4. Restrict or prohibit portable storage devices either by policy or by a technology that enforces security controls for such devices.

    5. Authorize and document inter-agency system connections.

    6. Require (e.g., contractually) that external service providers adhere to Agency security policies.

    7. Document Agency oversight expectations, and periodically monitor provider compliance.

    (e) Each Agency shall ensure that IT Resources (hardware, data, personnel, devices and software) are categorized, prioritized, and documented based on their classification, criticality, and business value (ID.AM-5). Agencies shall:

    1. Perform a criticality analysis for each categorized IT Resource and document the findings of the analysis conducted.

    2. Designate an authorizing official for each categorized IT Resource and document the authorizing official’s approval of the security categorization.

    3. Create a contingency plan for each categorized IT Resource. The contingency plan shall be based on resource classification and identify related cybersecurity roles and responsibilities.

    4. Identify and maintain a reference list of exempt, and confidential and exempt, Agency information or software and the associated applicable state and federal statutes and rules.

    (f) Establish cybersecurity roles and responsibilities for the entire Workforce and third-party Stakeholders (ID.AM-6). Each Agency is responsible for:

    1. Informing Workers that they are responsible for safeguarding their passwords and other Authentication methods.

    2. Informing Workers that they shall not share their Agency accounts, passwords, personal identification numbers, security tokens, smart cards, identification badges, or other devices used for identification and Authentication purposes.

    3. Informing Workers who use IT equipment, and Workers who oversee or manage such Workers, that they shall report suspected unauthorized activity in accordance with Agency-established Incident reporting procedures.

    4. Informing Users that they shall take precautions that are appropriate to protect IT Resources in their possession from loss, theft, tampering, unauthorized access, and damage. Consideration will be given to the impact that may result if the IT Resource is lost, and to safety issues relevant to the protections identified in this subsection.

    5. Informing Users of the extent to which they will be held accountable for their activities.

    6. Informing Workers that they have no reasonable expectation of privacy with respect to Agency-owned or Agency-managed IT Resources.

    7. Ensuring that monitoring, network sniffing, and related security activities are only performed by Workers who have been assigned security-related responsibilities, either via their approved position descriptions or via tasks assigned to them.

    8. Appointing an Information Security Manager (ISM). Agency responsibilities related to the ISM include:

    a. Notifying FL[DS] of ISM designations and redesignations.

    b. Specifying ISM responsibilities in the ISM position description.

    c. Establishing an information security program that includes information security policies, procedures, standards, and guidelines; an information security awareness program; an information security risk management process, including the comprehensive Risk Assessment required by section 282.318, F.S.; a Cybersecurity Incident Response Team; and a disaster recovery program that aligns with the Agency’s COOP Plan.

    d. Each Agency ISM shall be responsible for the information security program plan.

    9. Performing background checks and ensuring that a background investigation is performed on all individuals hired as IT Workers with access to information processing facilities, or who have system, database, developer, network, or other administrative capabilities for systems, applications, or servers with a risk categorization of moderate-impact or higher. These positions often, if not always, have privileged access. As such, in addition to Agency-required background screening, background checks conducted by Agencies shall include a federal criminal history check that screens for felony convictions that concern or involve the following:

    a. Computer related or IT crimes;

    b. Identity theft crimes;

    c. Financially-related crimes, such as: fraudulent practices, false pretenses and frauds, credit card crimes;

    d. Forgery and counterfeiting;

    e. Violations involving checks and drafts;

    f. Misuse of medical or personnel records; and,

    g. Theft.

    Each Agency shall establish appointment selection disqualifying criteria for individuals hired as IT Workers that will have access to information processing facilities, or who have system, database, developer, network, or other administrative capabilities for systems, applications, or servers with a risk categorization of moderate-impact or higher.

    (2) Business Environment. Each Agency’s cybersecurity roles, responsibilities, and IT risk management decisions shall align with the Agency’s mission, objectives, and activities. To accomplish this, Agencies shall:

    (a) Identify and communicate the Agency’s role in the business mission of the state (ID.BE-1).

    (b) Identify and communicate the Agency’s place in Critical Infrastructure and its Industry Sector to inform internal Stakeholders of IT strategy and direction (ID.BE-2).

    (c) Establish and communicate priorities for Agency mission, objectives, and activities (ID.BE-3).

    (d) Identify system dependencies and critical functions for delivery of critical services (ID.BE-4).

    (e) Implement information resilience requirements to support the delivery of critical services for all operating states (ID.BE-5).

    (3) Governance. Each Agency shall establish policies, procedures, and processes to manage and monitor the Agency’s operational IT requirements based on the Agency’s assessment of risk. Procedures shall address providing timely notification to management of cybersecurity risks. Agencies shall also:

    (a) Establish and communicate a comprehensive cybersecurity policy (ID.GV-1).

    (b) Coordinate and align cybersecurity roles and responsibilities with internal roles and External Partners (ID.GV-2).

    (c) Document and manage legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations (ID.GV-3).

    (d) Ensure governance and risk management processes address cybersecurity risks (ID.GV-4).

    (4) Risk Assessment.

    (a) Approach. Each Agency shall identify and manage the cybersecurity risk to Agency operations (including mission, functions, image, or reputation), Agency assets, and individuals using the following approach derived from the NIST Risk Management Framework (RMF). The Risk Assessment steps provided in the table below must be followed; however, Agencies may identify and, based on the risk to be managed, consider other Risk Assessment security control requirements and frequencies of activities necessary to manage the risk at issue.

    Risk Assessments

    Categorize: Categorize information systems and the information processed, stored, and transmitted by that system based on a security impact analysis.

    Select: Select baseline security for information systems based on the security categorization; tailoring and supplementing the security baseline as needed based on organization assessment of risk and local conditions.

    Implement: Implement the selected baseline security and document how the controls are deployed within information systems and environment of operation.

    Assess: Assess the baseline security using appropriate procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for systems.

    Authorize: Authorize information system operation based upon a determination of the risk to organizational operations and assets, individuals, other organizations and the state resulting from the operation of the information system and the decision that this risk is acceptable.

    Monitor: Monitor and assess selected baseline security in information systems on an ongoing basis including assessing control effectiveness, documenting changes to the system or environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of systems to appropriate Agency officials.

    Agencies are required to consider the following security objectives when assessing risk and determining what kind of assessment is required and when or how often an assessment is to occur: confidentiality, integrity, and availability. When determining the potential impact to these security objectives Agencies will use the following table.

    POTENTIAL IMPACT

    Security Objectives: impact levels LOW / MODERATE / HIGH

    Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
    LOW: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
    MODERATE: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
    HIGH: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

    Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
    LOW: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
    MODERATE: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
    HIGH: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

    Availability: Ensuring timely and reliable access to and use of information.
    LOW: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
    MODERATE: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
    HIGH: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

    In accordance with section 282.318(4)(d), F.S., each Agency shall complete and submit to FL[DS] no later than July 31, 2017, and every three years thereafter, a comprehensive Risk Assessment. In completing the Risk Assessment, Agencies shall follow the six-step process (“Conducting the Risk Assessment”) outlined in Section 3.2 of NIST Special Publication 800-30, utilizing the exemplary tables provided therein as applicable to address that particular Agency’s Threat situation. NIST Special Publication 800-30, Guide for Conducting Risk Assessments, Revision 1 (September 2012) is hereby incorporated by reference and may be found at: http://www.flrules.org/Gateway/reference.asp?No=Ref-06499. When establishing risk management processes, it may be helpful for Agencies to review NIST Risk Management Framework Special Publications; they can be downloaded from the following website: http://csrc.nist.gov/publications/PubsSPs.html. When assessing risk, Agencies shall estimate the magnitude of harm resulting from unauthorized access, unauthorized modification or destruction, or loss of availability of a resource. Estimates shall be documented as low-impact, moderate-impact, or high-impact relative to the security objectives of confidentiality, integrity, and availability.

    (b) Other Agency risk management activities that Agencies shall perform:

    1. Identify and document asset vulnerabilities (ID.RA-1), business processes and protection requirements. Establish procedures to analyze systems and applications to ensure security controls are effective and appropriate.

    2. Receive and manage cyber Threat intelligence from information sharing forums and sources that contain information relevant to the risks or Threats (ID.RA-2).

    3. Identify and document internal and external Threats (ID.RA-3).

    4. Identify potential business impacts and likelihoods (ID.RA-4).

    5. Use Threats, vulnerabilities, likelihoods, and impacts to determine risk (ID.RA-5).

    6. Identify and prioritize risk responses, implement risk mitigation plans, and monitor and document plan implementation (ID.RA-6).

    (5) Risk Management. Each Agency shall ensure that the organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. Each Agency shall:

    (a) Establish risk management processes that are managed and agreed to by Agency Stakeholders and the Agency head (ID.RM-1).

    1. Establish a risk steering workgroup that ensures risk management processes are authorized by Agency Stakeholders. The risk steering workgroup must include a member of the Agency IT unit and shall determine the appropriate meeting frequency and Agency Stakeholders.

    (b) Identify and clearly document organizational risk tolerance based on the confidential and exempt nature of the data created, received, maintained, or transmitted by the Agency, and on the Agency’s role in Critical Infrastructure and sector specific analysis (ID.RM-2).

    (c) Determine risk tolerance as necessary, based upon analysis of sector specific risks, the Agency’s Industry Sector, Agency-specific risks (e.g., Health Insurance Portability and Accountability Act of 1996 compliance for Agencies that maintain this information), and the Agency’s role in the state’s mission (ID.RM-3).

    (d) Establish parameters for IT staff participation in procurement activities.

    (e) Identify the IT issues IT staff must address during procurement activities (e.g., system hardening, logging, performance, service availability, incident notification, and recovery expectations).

    (f) Implement appropriate security controls for software applications obtained, purchased, leased, or developed to minimize risks to the confidentiality, integrity, and availability of the application, its data, and other IT Resources.

    (g) Prior to introducing new IT Resources or modifying current IT Resources, perform an impact analysis. The purpose of this analysis is to assess the effects of the technology or modifications on the existing environment. Validate that IT Resources conform to Agency standard configurations prior to implementation into the production environment.

    (6) Supply Chain Risk Management. Each Agency shall establish priorities, constraints, risk tolerances, and assumptions to support risk decisions associated with managing supply chain risk. Each Agency shall:

    (a) Establish management processes to identify, establish, assess, and manage cyber supply chain risks which are agreed to by organizational Stakeholders (ID.SC-1).

    (b) Identify, prioritize, and assess Suppliers and third-party providers of information systems, components, and services using a cyber supply chain risk assessment process (ID.SC-2).

    (c) Require Suppliers and third-party providers (by contractual agreement when necessary) to implement appropriate measures designed to meet the objectives of the organization’s information security program or cyber supply chain risk management plan (ID.SC-3).

    (d) Routinely assess Suppliers and third-party providers to confirm that they are meeting their contractual obligations by conducting reviews of audits, summaries of test results, or other equivalent evaluations of Suppliers/providers (ID.SC-4).

    (e) Conduct response and recovery planning and testing with Suppliers and third-party providers (ID.SC-5).

    Rulemaking Authority 282.318(11) FS. Law Implemented 282.318(3) FS. History–New 3-16-16, Amended 2-5-19, Formerly 74-2.002, Amended 9-18-22.