74-2.001. Purpose and Applicability; Definitions  

Effective on Wednesday, January 2, 2019
  • 1(1) Purpose and Applicability.

    5(a) Rules 774-2.001 8through 74-2.006, F.A.C., will be known as the Florida Cybersecurity Standards (FCS).

    20(b) This rule 23establishes cybersecurity standards for information technology (IT) resources. These standards are documented in rules 3774-2.001 38through 3974-2.006, F.A.C. State Agencies must comply with these standards in the management and operation of state IT resources. 57This rule is modeled after the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, and the Federal Information Security Management Act of 2002 (8844 U.S.C. §3541, 91et seq.93). For the convenience of the reader cross-references to these documents and Special Publications issued by the NIST are provided throughout the FCS as they may be helpful to agencies when drafting their security procedures. The Florida Cybersecurity Standards:

    1321. Establish minimum standards to be used by state agencies to secure IT resources. The FCS consist of five high-level functions: 153Identify, Protect, Detect, Respond, and Recover. These functions support lifecycle management of IT risk. The functions identify underlying key categories and subcategories for each function. Subcategories contain specific IT controls. The FCS is visually represented as follows:

    190Function Unique Identifier


    194Category Unique Identifier





    201Asset Management


    204Business Environment




    209Risk Assessment


    212Risk Management Strategy


    216Supply Chain Risk Management




    223Identity Management and Access Control


    229Awareness & Training


    233Data Security


    236Information Protection Processes & Procedures




    244Protective Technology




    249Anomalies & Events


    253Security Continuous Monitoring


    257Detection Processes




    262Response Planning












    275Recovery Planning





    281Category Unique Identifier subcategory references are detailed in rules 74-2.002 ‒ 74-2.006, F.A.C., and are used throughout the FCS as applicable.

    3022. D304efine minimum management, operational, and technical security controls to be used by state agencies to secure IT resources.

    3223. Allow authorizing officials to employ compensating security controls or deviate from minimum standards when the agency is unable to implement a security standard or the standard is not cost-effective due to the specific nature of a system or its environment. The agency shall document the reasons why the minimum standards cannot be satisfied and the compensating controls to be employed. After the agency analyzes the issue and related risk a compensating security control or deviation may be employed if the agency documents the analysis and risk steering workgroup accepts the associated risk. This documentation is exempt from section 421119.07(1), F.S., 423pursuant to sections 426282.318 427(4)(d), and (4)(f), F.S., and, shall be securely submitted to AST upon acceptance.

    440(2) Each agency shall:

    444(a) Perform an assessment that documents the gaps between requirements of this rule and controls that are in place.

    463(b) Submit the assessment to AST with the agency’s strategic and operational plan.

    476(c) Reassess annually and update the ASOP to reflect progress toward compliance with this rule.

    491(3) Definitions.

    493(a) The following terms are defined:

    4991. Agency – shall have the same meaning as state agency, as provided in section 514282.0041, F.S., 516except that, per section 520282.318(2), F.S., 522the term also includes 526the Department of Legal Affairs, the Department of Agriculture and Consumer Services, and the Department of Financial Services544.

    5452. Agency-owned (also agency-managed) – any device, service, or technology owned, leased, or managed by the agency for which an agency through ownership, configuration management, or contract has established the right to manage security configurations, including provisioning, access control, and data management.

    5873. Authentication – A process of determining the validity of one or more credentials used to claim as digital identity.

    6074. 608Authentication protocol – see rule 74-5.002, F.A.C615.

    6165. Buyer – refers to the downstream people or organizations that consume a given product or service from an organization, including both for-profit and not-for-profit organizations.

    6426. Compensating controls – see rule 74-5.001, F.A.C.

    6507. Complex password – a password sufficiently difficult to correctly guess, which enhances protection of data from unauthorized access. Complexity requires at least eight characters that are a combination of at least three of the following character types: uppercase letters, lowercase letters, numbers, and special characters (@, #, $, %, etc.).

    7018. Confidential information – records that, pursuant to Florida’s public records laws or other controlling law, are exempt from public disclosure.

    7229. Critical infrastructure – systems and assets, whether physical or virtual so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

    76910. Critical process – a process that is susceptible to fraud, cyberattack, unauthorized activity, or seriously impacting an agency’s mission.

    78911. Customer – an entity in receipt of services or information rendered by a state agency. This term does not include state agencies with regard to information sharing activities.

    81812. Cybersecurity event – within the context of rules 74-2.001-74-2.006, F.A.C., a cybersecurity event is a cybersecurity change that may have an impact on agency operations (including mission, capabilities, or reputation).

    84913. Data-at-rest – stationary data which is stored physically in any digital form.

    86214. External partners – non-state agency entities doing business with a state agency, including other governmental entities, third parties, contractors, vendors, suppliers and partners. External partners do not include customers.

    89215. Information Security Manager (ISM) – the person appointed pursuant to section 904282.318(4)(a), F.S.

    90616. Information system owner – the agency official responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system.

    93017. Industry sector(s) – the following major program areas of state government: Health and Human Services, Education, Government Operations, Criminal and Civil Justice, Agriculture and Natural Resources, and Transportation and Economic Development.

    96218. Information technology resources (IT resources) – see section 971282.0041(13), F.S.

    97319. Legacy applications 976– programs or applications inherited from languages, platforms, and techniques earlier than current technology. These applications may be at or near the end of their useful life but are still required to meet mission objectives or fulfill program area requirements.

    101620. Mobile Device – any computing device that can be conveniently relocated from one network to another.

    103321. Multi-Factor Authentication – see rule 74-5.001, F.A.C.

    104122. Personal information – see sections 501.171(1)(g)1., and 1049817.568, F.S.

    105123. Privileged user – a user that is authorized (and, therefore trusted) to perform security-relevant functions that ordinary users are not authorized to perform.

    107524. Privileged accounts – an information system account with authorizations of a privileged user.

    108925. Remote access – access by users (or information systems) communicating externally to an information security perimeter.

    110626. Removable Media – any data storage medium or device sufficiently portable to allow for convenient relocation from one network to another.

    112827. Separation of duties – an internal control concept of having more than one person required to complete a critical process. This is an internal control intended to prevent fraud, abuse, and errors.

    116128. Stakeholder – a person, group, organization, or state agency involved in or affected by a course of action related to state agency-owned IT resources.

    118629. Supplier (commonly referred to as “vendor”) – encompasses upstream product and service providers used for an organization’s internal purposes (e.g., IT infrastructure) or integrated into the products or services provided on the Buyer. These terms are applicable for both technology-based and non-technology-based products and services.

    123230. Token control – see rule 74-5.001, F.A.C.

    124031. User – a worker or non-worker who has been provided access to a system or data.

    125732. Workforce – employees, contractors, volunteers, trainees, and other persons whose conduct, in the performance of work for the agency, is under the direct control of the agency, whether or not they are paid by the agency (see User; Worker).

    129733. Worker – a member of the workforce. A worker may or may not use IT resources. This includes employees, contractors, volunteers, trainees, and other persons whose conduct, in the performance of work for the agency, is under the direct control of the agency, whether or not they are paid by the agency.

    1350(b) With the exception of the terms identified in subparagraphs 1.-4., the NIST Glossary of Key Information Security Terms, Revision 2, National Institute of Standards and Technology, U.S. Department of Commerce (May 2013), maintained at: http://nvlpubs.nist.gov/1386n1387istpubs/ir/2013/1388N1389I1390ST.IR.7298r2.pdf, 1391is hereby incorporated by reference into this rule: 1399http://www.flrules.org/Gateway/reference.asp?No=Ref-064941401.

    14021. Risk assessment – see section 1408282.0041(18), F.S.

    14102. Continuity of Operations Plan (COOP) – disaster-preparedness plans created pursuant to section 1423252.365(3), F.S.

    14253. Incident – see s1430ection 1431282.0041(10), F.S.

    14334. Threat – see section 1438282.0041(26), F.S.

    1440Rulemaking Authority 1442282.318(5) FS. 1444Law Implemented 1446282.318(3) FS. 1448History‒New 14493-10-16, Amended 1-2-19.


Rulemaking Events:

Historical Versions(1)

Select effective date to view different version.