74-2.001. Purpose and Applicability; Definitions  


Effective on Wednesday, January 2, 2019
  • (1) Purpose and Applicability.

    (a) Rules 74-2.001 through 74-2.006, F.A.C., will be known as the Florida Cybersecurity Standards (FCS).

    (b) This rule establishes cybersecurity standards for information technology (IT) resources. These standards are documented in rules 74-2.001 through 74-2.006, F.A.C. State Agencies must comply with these standards in the management and operation of state IT resources. This rule is modeled after the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, and the Federal Information Security Management Act of 2002 (44 U.S.C. §3541, et seq.). For the convenience of the reader, cross-references to these documents and Special Publications issued by the NIST are provided throughout the FCS as they may be helpful to agencies when drafting their security procedures. The Florida Cybersecurity Standards:

    1. Establish minimum standards to be used by state agencies to secure IT resources. The FCS consist of five high-level functions: Identify, Protect, Detect, Respond, and Recover. These functions support lifecycle management of IT risk. The functions identify underlying key categories and subcategories for each function. Subcategories contain specific IT controls. The FCS is visually represented as follows:

    Function Unique Identifier   Function   Category Unique Identifier   Category
    ID                           Identify   ID.AM                        Asset Management
                                            ID.BE                        Business Environment
                                            ID.GV                        Governance
                                            ID.RA                        Risk Assessment
                                            ID.RM                        Risk Management Strategy
                                            ID.SC                        Supply Chain Risk Management
    PR                           Protect    PR.AC                        Identity Management and Access Control
                                            PR.AT                        Awareness & Training
                                            PR.DS                        Data Security
                                            PR.IP                        Information Protection Processes & Procedures
                                            PR.MA                        Maintenance
                                            PR.PT                        Protective Technology
    DE                           Detect     DE.AE                        Anomalies & Events
                                            DE.CM                        Security Continuous Monitoring
                                            DE.DP                        Detection Processes
    RS                           Respond    RS.RP                        Response Planning
                                            RS.CO                        Communications
                                            RS.AN                        Analysis
                                            RS.MI                        Mitigation
                                            RS.IM                        Improvements
    RC                           Recover    RC.RP                        Recovery Planning
                                            RC.IM                        Improvements
                                            RC.CO                        Communications

    Category Unique Identifier subcategory references are detailed in rules 74-2.002 ‒ 74-2.006, F.A.C., and are used throughout the FCS as applicable.

    2. Define minimum management, operational, and technical security controls to be used by state agencies to secure IT resources.

    3. Allow authorizing officials to employ compensating security controls or deviate from minimum standards when the agency is unable to implement a security standard or the standard is not cost-effective due to the specific nature of a system or its environment. The agency shall document the reasons why the minimum standards cannot be satisfied and the compensating controls to be employed. After the agency analyzes the issue and related risk, a compensating security control or deviation may be employed if the agency documents the analysis and the risk steering workgroup accepts the associated risk. This documentation is exempt from section 119.07(1), F.S., pursuant to sections 282.318(4)(d) and (4)(f), F.S., and shall be securely submitted to AST upon acceptance.

    (2) Each agency shall:

    (a) Perform an assessment that documents the gaps between requirements of this rule and controls that are in place.

    (b) Submit the assessment to AST with the agency’s strategic and operational plan.

    (c) Reassess annually and update the ASOP to reflect progress toward compliance with this rule.

    (3) Definitions.

    (a) The following terms are defined:

    1. Agency – shall have the same meaning as state agency, as provided in section 282.0041, F.S., except that, per section 282.318(2), F.S., the term also includes the Department of Legal Affairs, the Department of Agriculture and Consumer Services, and the Department of Financial Services.

    2. Agency-owned (also agency-managed) – any device, service, or technology owned, leased, or managed by the agency for which an agency through ownership, configuration management, or contract has established the right to manage security configurations, including provisioning, access control, and data management.

    3. Authentication – a process of determining the validity of one or more credentials used to claim a digital identity.

    4. Authentication protocol – see rule 74-5.002, F.A.C.

    5. Buyer – refers to the downstream people or organizations that consume a given product or service from an organization, including both for-profit and not-for-profit organizations.

    6. Compensating controls – see rule 74-5.001, F.A.C.

    7. Complex password – a password sufficiently difficult to correctly guess, which enhances protection of data from unauthorized access. Complexity requires at least eight characters that are a combination of at least three of the following character types: uppercase letters, lowercase letters, numbers, and special characters (@, #, $, %, etc.).
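    As an added illustration that is not part of the rule text, the following Python check implements the complex-password definition in subparagraph 7. (eight characters, three of four character types). The rule lists only examples of special characters, so treating every printable ASCII punctuation character as "special" is this example's assumption.

```python
import string

# FCS rule 74-2.001(3)(a)7.: at least eight characters drawn from at least
# three of four character types. The rule gives "@, #, $, %, etc." as examples
# of special characters; using all printable ASCII punctuation is an assumption.
MIN_LENGTH = 8
MIN_CLASSES = 3

CHARACTER_CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "number": set(string.digits),
    "special": set(string.punctuation),
}


def character_classes_present(password: str) -> set:
    """Return the names of the FCS character types that appear in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def complexity_findings(password: str) -> list:
    """Return the reasons a password fails the FCS complex-password definition.

    An empty list means the definition is met. Whitespace and non-ASCII characters
    count toward length but toward no character type (this example's reading of
    the rule, not text from the rule itself).
    """
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"length {len(password)} is below the minimum of {MIN_LENGTH}")
    present = character_classes_present(password)
    if len(present) < MIN_CLASSES:
        missing = sorted(CHARACTER_CLASSES.keys() - present)
        findings.append(f"only {len(present)} of {MIN_CLASSES} required character "
                        f"types present (missing: {', '.join(missing)})")
    return findings


def is_complex_password(password: str) -> bool:
    """True when the password satisfies the FCS minimum complexity definition."""
    return not complexity_findings(password)


if __name__ == "__main__":
    # Constructed sample values, not taken from the rule.
    for candidate in ["Tallahassee", "Sunshine2019", "tallahassee#1", "Fl-2019!"]:
        print(f"{candidate!r}: {complexity_findings(candidate) or 'meets definition'}")
```

    The definition is a floor, not a strength measure: a value that passes this check can still be a common or previously breached password, so agencies drafting procedures typically layer additional controls on top of it.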

    8. Confidential information – records that, pursuant to Florida’s public records laws or other controlling law, are exempt from public disclosure.

    9. Critical infrastructure – systems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

    10. Critical process – a process that is susceptible to fraud, cyberattack, unauthorized activity, or seriously impacting an agency’s mission.

    11. Customer – an entity in receipt of services or information rendered by a state agency. This term does not include state agencies with regard to information sharing activities.

    12. Cybersecurity event – within the context of rules 74-2.001 ‒ 74-2.006, F.A.C., a cybersecurity event is a cybersecurity change that may have an impact on agency operations (including mission, capabilities, or reputation).

    13. Data-at-rest – stationary data which is stored physically in any digital form.

    14. External partners – non-state agency entities doing business with a state agency, including other governmental entities, third parties, contractors, vendors, suppliers and partners. External partners do not include customers.

    15. Information Security Manager (ISM) – the person appointed pursuant to section 282.318(4)(a), F.S.

    16. Information system owner – the agency official responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system.

    17. Industry sector(s) – the following major program areas of state government: Health and Human Services, Education, Government Operations, Criminal and Civil Justice, Agriculture and Natural Resources, and Transportation and Economic Development.

    18. Information technology resources (IT resources) – see section 282.0041(13), F.S.

    19. Legacy applications – programs or applications inherited from languages, platforms, and techniques earlier than current technology. These applications may be at or near the end of their useful life but are still required to meet mission objectives or fulfill program area requirements.

    20. Mobile Device – any computing device that can be conveniently relocated from one network to another.

    21. Multi-Factor Authentication – see rule 74-5.001, F.A.C.

    22. Personal information – see sections 501.171(1)(g)1. and 817.568, F.S.

    23. Privileged user – a user that is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.

    24. Privileged accounts – an information system account with authorizations of a privileged user.

    25. Remote access – access by users (or information systems) communicating externally to an information security perimeter.

    26. Removable Media – any data storage medium or device sufficiently portable to allow for convenient relocation from one network to another.

    27. Separation of duties – an internal control concept of having more than one person required to complete a critical process. This is an internal control intended to prevent fraud, abuse, and errors.

    28. Stakeholder – a person, group, organization, or state agency involved in or affected by a course of action related to state agency-owned IT resources.

    29. Supplier (commonly referred to as “vendor”) – encompasses upstream product and service providers used for an organization’s internal purposes (e.g., IT infrastructure) or integrated into the products or services provided to the Buyer. These terms are applicable for both technology-based and non-technology-based products and services.

    30. Token control – see rule 74-5.001, F.A.C.

    31. User – a worker or non-worker who has been provided access to a system or data.

    32. Workforce – employees, contractors, volunteers, trainees, and other persons whose conduct, in the performance of work for the agency, is under the direct control of the agency, whether or not they are paid by the agency (see User; Worker).

    33. Worker – a member of the workforce. A worker may or may not use IT resources. This includes employees, contractors, volunteers, trainees, and other persons whose conduct, in the performance of work for the agency, is under the direct control of the agency, whether or not they are paid by the agency.

    (b) With the exception of the terms identified in subparagraphs 1.-4., the NIST Glossary of Key Information Security Terms, Revision 2, National Institute of Standards and Technology, U.S. Department of Commerce (May 2013), maintained at: http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf, is hereby incorporated by reference into this rule: http://www.flrules.org/Gateway/reference.asp?No=Ref-06494.

    1. Risk assessment – see section 282.0041(18), F.S.

    2. Continuity of Operations Plan (COOP) – disaster-preparedness plans created pursuant to section 252.365(3), F.S.

    3. Incident – see section 282.0041(10), F.S.

    4. Threat – see section 282.0041(26), F.S.

    Rulemaking Authority 282.318(5) FS. Law Implemented 282.318(3) FS. History‒New 3-10-16, Amended 1-2-19.
