General, Identify, Protect, Detect, Respond  

AGENCY FOR STATE TECHNOLOGY

RULE NOS.:RULE TITLES:

74-2.001Purpose and Applicability; Definitions

74-2.002Identify

74-2.003Protect

74-2.004Detect

74-2.005Respond

74-2.006Recover

Form AST 100, Florida Enterprise Information Security Risk Assessment Survey

NOTICE OF CHANGE

Notice is hereby given that the following changes have been made to the proposed rule in accordance with subparagraph 120.54(3)(d)1., F.S., published in Vol. 41 No. 204, October 20, 2015 issue of the Florida Administrative Register.

74-2.001 Purpose and Applicability; Definitions

(1) Purpose and Applicability.

(a) Rules 74-2.001, F.A.C., through 74-2.006, F.A.C., will be known as the Florida Cybersecurity Standards (FCS).

(b) This rule Rule establishes cybersecurity standards for information technology (IT) resources. These standards are documented in rules Rules 74-2.001, F.A.C., through 74-2.006, F.A.C. State Agencies must comply with these standards in the management and operation of state IT resources. This rule is modeled after the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, February 12, 2014, and the Federal Information Security Management Act of 2002 (44 U.S.C. § 3541, et seq.). For the convenience of the reader cross-references to these documents and Special Publications issued by the NIST are provided throughout the FCS as they may be helpful to agencies when drafting their security procedures. The Florida Cybersecurity Standards:

1. Establish minimum standards to be used by state agencies to secure IT resources. The FCS consist of five high-level functions: Identify, Protect, Detect, Respond, and Recover. These functions support lifecycle management of IT risk. The functions identify underlying key categories and subcategories for each function. Subcategories contain specific IT controls. The FCS is visually represented as follows:

Category Unique Identifier subcategory references are detailed in rules 74-2.002 – 74-2.006 below, and are used throughout the FCS as applicable.

2. No change.

3. Allow authorizing officials to employ compensating security controls or deviate from minimum standards when the agency is unable to implement a security standard or the standard is not cost-effective due to the specific nature of a system or its environment. The agency shall document the reasons why the minimum standards cannot be satisfied and the compensating controls to be employed. After the agency analyzes the issue and related risk a compensating security control or deviation may be employed if the agency documents the analysis and risk steering workgroup accepts the associated risk. This documentation is exempt from section Section 119.07(1), F.S., pursuant to sections Section 282.318 (4)(d) and (4)(f), F.S, and, shall be securely submitted to AST upon acceptance.

(2) through (3)(a) No change.

1. Agency – shall have the same meaning as state agency, as provided in section Section 282.0041, F.S., except that, per section Section 282.318(2), F.S., the term also includes the Department of Legal Affairs, the Department of Agriculture and Consumer Services, and the Department of Financial Services.

2. No change.

3. Breach – see section Section 282.0041(2), F.S.

4. Compensating security controls – a A management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a required security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an IT resource.

5. No change.

6. Critical infrastructure – the physical and cyber systems and assets so vital to Florida that their incapacity or destruction would have a debilitating effect on security, state economic security, state public health or safety, or any combination thereof.

76. Critical process – a process that is susceptible to fraud, cyberattack, unauthorized activity, or seriously impacting an agency’s mission.

87. Customer – an entity in receipt of services or information rendered by a state agency. This term does not include state agencies with regard to information sharing activities.

9. Data-at-rest – stationary data which is stored physically in any digital form. 

108. External partners – non-state agency entities doing business with a state agency, including other governmental entities, third parties, contractors, vendors, suppliers and partners. External partners does not include customers.

119. Information Security Manager (ISM) – the person appointed pursuant to section Section 282.318(4)(a), F.S.

1210. Information system owner – the agency official responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system.

13. Industry sector(s) – the following major program areas of state government: Health and Human Services, Education, Government Operations, Criminal and Civil Justice, Agriculture and Natural Resources, and Transportation and Economic Development.

1411. Information technology resources (IT resources) – see section 282.0041(2), F.S. a broad term that describes a set of technology-related assets. While in some cases the term may include services and maintenance, as used in this rule, the term means computer hardware, software, networks, devices, connections, applications, and data.

15. Legacy applications – programs or applications inherited from languages, platforms, and techniques earlier than current technology. These applications may be at or near the end of their useful life, but are still required to meet mission objectives or fulfill program area requirements.

1612. Personal information – see sections Section 501.171(1)(g)1. and 817.568, F.S.

17. Separation of Duties – an internal control concept of having more than one person required to complete a critical process. This is an internal control intended to prevent fraud, abuse, and errors.

1813. Stakeholder – a person, group, organization, or state agency involved in or affected by a course of action related to state agency-owned IT resources.

1914. User – a worker or non-worker who has been provided access to a system or data.

2015. Workforce – employees, contractors, volunteers, trainees, and other persons whose conduct, in the performance of work for the agency, is under the direct control of the agency, whether or not they are paid by the agency (see User; Worker).

2116. Worker – a member of the workforce. A worker may or may not use IT resources. This includes employees, contractors, volunteers, trainees, and other persons whose conduct, in the performance of work for the agency, is under the direct control of the agency, whether or not they are paid by the agency.

(b) With the exception of the terms identified in subsections 1. – 4. below, the NIST Glossary of Key Information Security Terms, Revision 2, National Institute of Standards and Technology, U.S. Department of Commerce (May 2013), maintained at: http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf, is hereby incorporated by reference into this rule for terms used herein:

1. Risk assessment – see section Section 282.0041(18), F.S.

2. Continuity Of Operations Plan (COOP) – disaster-preparedness plans created pursuant to section Section 252.365(3), F.S.

3. Incident – see section Section 282.0041(10), F.S.

4. Threat – see section Section 282.0041(26), F.S.

74-2.002 Identify

The identify function of the FCS is visually represented as such:

(1)(a) through (1)(c)1. No change.

2. Design and document its information security architecture using a defense-in-depth breadth approach. Design and documentation shall be assessed and updated periodically based on an agency-defined, risk-driven frequency that considers potential viable threat vectors (i.e., paths or tools that a threat actor may use to attack a target).

3. Consider diverse suppliers, per NIST direction, when designing the information security architecture.

(d)1. through (d)5. No change.

6. Require (e.g., contractually) external service providers adhere to agency security policies. ,

7. Document document agency oversight expectations, and periodically monitor provider compliance.

(e) Each agency shall ensure that IT resources (hardware, devices and software) are categorized, prioritized, and documented based on their classification, criticality, and business value (ID.AM-5). Agencies shall:

1. Perform and document a criticality analysis for each categorized IT resource and document the findings of the analysis conducted.

2. No change.

3. Create a contingency plan for each categorized IT resource. The contingency plan shall be based on resource classification and identify related include documentation of cybersecurity roles and responsibilities.

4. No change.

(f) Establish cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., contractors, vendors, suppliers, users, customers, partners) (ID.AM-6). Each agency is responsible for:

1. through 2. No change.

3. Informing workers that use, or oversee or manage workers that use, IT equipment that they shall immediately report suspected unauthorized activity, in accordance with agency-established incident reporting procedures.

4. Informing users that they shall take reasonable precautions that are appropriate to protect IT resources in their possession from loss, theft, tampering, unauthorized access, and damage. Consideration will be given to the impact that may result if the IT resource is lost, and safety issues relevant to protections identified in this subsection.

5. Informing users of the extent that they will be held accountable for their activities.

6. No change.

7. Ensuring that monitoring, network sniffing, and related security activities are only to be performed by workers who have been assigned security-related responsibilities either via in their approved position descriptions or tasks assigned to them.

8.a. through b. No change.

c. Establishing an information security program that includes information security policies, procedures, standards, and guidelines; an information security awareness program; an information security risk management process, including the comprehensive risk assessment required by section Section 282.318, F.S.; a Computer Security Incident Response Team; and a disaster recovery program that aligns with the agency’s Continuity of Operations (COOP) Plan.

d. No change.

9. Performing background checks and ensuring that a background investigation is performed on all individuals hired as IT workers with access to information processing facilities, or who have system, database, developer, network, or other administrative capabilities for systems, applications, or servers with risk categorization of moderate-impact or higher. See rule 74-2.002(4)(a), F.A.C. These positions often, if not always, have privileged access. As such, in addition to agency-required background screening, background checks conducted by agencies shall include a federal criminal history check that screens for felony convictions that concern or involve for the following disqualifying criteria:

a. through g. No change.

Each agency shall establish appointment selection disqualifying criteria for individuals hired as IT workers that will have access to information processing facilities, or who have system, database, developer, network, or other administrative capabilities for systems, applications, or servers with risk categorization of moderate-impact or higher.

(2) Business Environment. Each agency shall understand, prioritize, and document the agency’s mission; objectives; internal stakeholders; type of confidential and/or exempt data created, received, transmitted or maintained by the agency; and activities involving use or disclosure of that data. Agencies shall use this information to make risk management decisions related to IT security and inform agency employees delegated cybersecurity responsibilities and risk management duties. Each agency’s cybersecurity roles, responsibilities, and IT risk management decisions shall align with the agency’s mission, objectives, and activities. To accomplish this, agencies shall:

(a) through (c) No change.

(d) Identify system dependencies and critical functions for delivery of critical services (ID.BE-2).

(e) Implement information resilience resiliency requirements to support the delivery of critical services (ID.BE-2).

(3) No change.

(4) Risk Assessment.

(a) Approach.  Each agency shall identify and manage the cybersecurity risk to agency operations (including mission, functions, image, or reputation), agency assets, and individuals using the following approach, that which derives from the NIST Risk Management Framework (RMF) which is hereby incorporated by reference and may be found at: http://csrc.nist.gov/groups/SMA/fisma/framework.html. The Risk Assessment steps provided in the table below must be followed; however, agencies may identify and, based on the risk to be managed, consider other risk assessment security control requirements and frequency of activities necessary to manage the risk at issue.

Agencies are required to consider the following security objectives when assessing risk and determining what kind of assessment is required and when or how often an assessment is to occur: confidentiality, integrity and availability. When determining the potential impact to these security objectives agencies will use the following table, taken from the Federal Information Processing Standards (FIPS) Publication No. 199 (February 2004), which is hereby incorporated into this rule by reference and may be found at:

http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf.:

In accordance with section Section 282.318(4)(c), F.S., each agency shall complete and submit to AST no later than July 31, 2017, and every three years thereafter, the Florida Enterprise Information Security Risk Assessment Survey (Form # AST-100), which is hereby incorporated by reference and maintained at:

http://www.ast.myflorida.com/publications.asp. In completing the AST 100 form, agencies shall follow the six-step process (“Conducting the Risk Assessment”) outlined in Section 3.2 of NIST Special Publication 800-30, utilizing the exemplary tables provided therein as applicable to address the particular agency’s threat situation. NIST Special Publication 800-30, Guide for Conducting Risk Assessments, Revision 1 (September 2012) is hereby incorporated by reference and may be found at: http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf. When establishing risk management processes may be helpful for agencies to review NIST RFM Special Publications – they can be downloaded from the following website: http://csrc.nist.gov/groups/SMA/fisma/framework.html, as can NIST Special Publication 800-30. When assessing risk agencies shall estimate the magnitude of harm resulting from unauthorized access, unauthorized modification or destruction, or loss of availability of a resource. Estimates shall be documented as low-impact, moderate-impact, or high-impact relative to the security objectives of confidentiality, integrity, and availability.

(b) Other agency risk management activities that agencies shall perform:

1. Identify and document asset vulnerabilities (ID.RA-1), business processes and protection requirements.  Establish procedures to analyze systems and applications to ensure security controls are effective and appropriate.

2. Receive and manage threat and vulnerability information from information sharing forums and sources that contain information relevant to the risks or threats (ID.RA-2).

3. through 6. No change.

(5) Risk Management. Each agency shall ensure that the organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. Each agency shall:

(a) Establish risk management processes that are managed and agreed to by organizational agency stakeholders and the agency head (ID.RM-1).

1. Establish a risk management team workgroup that ensures that risk management processes are authorized by agency stakeholders. The risk management team must include a member of the agency IT unit, and shall determine the appropriate meeting frequency and agency stakeholders.

(b) Identify Determine and clearly document organizational risk tolerance based on the confidential and exempt nature of the data created, received, maintained, or transmitted by the agency; by the agency’s role in critical infrastructure and sector specific analysis (ID.RM-2).

(c) Determine risk tolerance as necessary, based upon: their analysis of sector specific risks; the agency’s industry sector; agency-specific risks (e.g., Health Information Portability Accountability Act of 1996 compliance for agencies that maintain this information); and the agency’s informed by its role in the state’s mission and performance of a sector specific risk analysis (ID.RM-3).

(d) Establish parameters for IT staff participation in procurement activities.

(e) through (g) No change.

74-2.003 Protect

The protect function of the FCS is visually represented as such:

(1)(a)1. through 6. No change.

7. Establish access disablement and notification timeframes for worker separations. The agency will identify the appropriate person in the IT unit to receive notification function shall be notified within the established timeframes. Notification timeframes shall consider risks associated with system access post-separation.

8. No change.

9. Consider the use of multi-factor authentication (MFA) for any application that has a categorization of moderate or contains exempt confidential, or confidential and exempt information. This excludes externally hosted systems designed to deliver services to customers, where MFA is not necessary or viable.

10. through (d)2. No change.

3. Specify that all workers be granted access to agency IT resources based on the principles of “least privilege” and “need to know determination.”

4. through (2)(e) No Change.

(3) For each of the above subsections the following shall also be addressed:

(a) Appoint a worker to coordinate the agency information security awareness program. If an IT security worker does not coordinate the security awareness program, they shall be consulted for content development purposes. Agencies will ensure that all workers (including volunteer workers) are clearly notified of applicable obligations, established via agency policies, to maintain compliance with such controls.

(b) through (4)(b)4. No change.

(c) Formally manage assets throughout removal, transfer, and disposition (PR.DS-3).

1. Before equipment is disposed of or released for reuse, sanitize or destroy information media in accordance with the State of Florida General Records Schedule GS1-SL for State and Local Government Agencies.

2. through (e)1. No change.

2. Retention and destruction Destruction of confidential and exempt information in accordance with the records retention requirements as provided in the State of Florida General Records Schedule GS1-SL for State and Local Government Agencies. when the applicable retention schedule requirement has been reached and when the information no longer holds business value, regardless of media type.

3. through (5)(b)2. No change.

3. The application development team at each agency shall implement appropriate security controls to minimize risks to agency IT resources and meet the security requirements of the application owner. Agencies will identify in their policies, processes and procedures the security coding guidelines the agency will follow when obtaining, purchasing, leasing or developing software. Software applications obtained, purchased, leased, or developed by the agency will be based on secure coding guidelines.

4. through (e) No change.

(f) Manage and dispose of records/data in accordance with the records retention requirements as provided in the State of Florida General Records Schedule GS1-SL for State and Local Government Agencies applicable retention schedule and policy (PR.IP-6).

(g)1. through 2. No change.

3. Ensure system security plans are confidential per section Section 282.318, F.S., and shall be available to the agency ISM.

4. Require that each agency application or system with a categorization of moderate-impact or higher have a documented system security plan (SSP). For existing production systems that lack a SSP, a risk assessment shall be performed to determine prioritization of subsequent documentation efforts.  The SSP shall, at a minimum, include provisions that:

i. through vii. No change.

5. Require information system owners (ISOs) to define application security-related business requirements using role-based access controls and rule-based security policies role or rule-based security, where technology permits.

6. No change.

7. Create procedures to address inspection of content stored, processed or transmitted on agency-owned or managed IT resources, including attached removable media.  Inspection shall be performed where authorization has been provided by stakeholders that should or must receive this information authorized workers.

8. Establish parameters for agency-managed devices that prohibit installation (without worker consent), of clients that allow the agency to inspect private partitions or personal data.

9. through 11. No change.

(h) Ensure that effectiveness of protection technologies is shared with stakeholders that should or must receive this information appropriate parties (PR.IP-8).

(i) through (l) No change.

(6)(5) Maintenance. Each agency shall perform maintenance and repairs of information systems and components consistent with agency-developed policies and procedures. Each agency shall:

(a) Perform and log maintenance and repair of IT resources in a timely manner, with tools that have been approved and are administered by and the agency to be used for such activities controlled tools (PR.MA-1).

(b) Approve, encrypt, log and perform remote maintenance of IT resources in a manner that prevents unauthorized access (PR.MA-2).

(c) Not engage in new development of custom authenticators.  Agencies assess the feasibility of replacing agency-developed custom authenticators in legacy applications.

(7)(6) Protective Technology. Each agency shall ensure that technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. Specifically, each agency shall:

(a) Determine and document required audit/log records, implement logging of audit records, and protect and review logs in accordance with agency-developed policy. Agency-developed policy Policy shall be based on resource criticality. Where possible, ensure that electronic audit records allow actions of users to be uniquely traced to those users so they can be held accountable for their actions. Maintain logs identifying where access to exempt, or confidential and exempt data was permitted. The logs shall support unique identification of individuals and permit an audit of the logs to trace activities through the system, including the capability to determine the exact confidential or exempt data accessed, acquired, viewed or transmitted by the individual (PR.PT-1).

(b) Protect and restrict removable media according to in accordance with agency-developed the information security policy (PR.PT-2).

(c) Control access to systems and assets, utilizing the principle of lease trust incorporating the principle of least functionality (PR.PT-3).

(d) Protect communications and control networks by establishing perimeter security measures to prevent unauthorized connections to agency IT resources (PR.PT-4). Agencies shall:

1. No change.

2. Agencies shall require host-based (e.g., a system controlled by a central or main computer) boundary protection on mobile computing devices where technology permits (i.e., detection agent).

74-2.004 Detect

The detect function of the FCS is visually represented as such:

(1) No change.

(2) Security Continuous Monitoring. Each agency shall determine the appropriate level of monitoring monitor IT resources that will occur regarding IT resources at discrete intervals necessary to identify cybersecurity events and verify the effectiveness of protective measures. Such activities shall include:

(a) Monitoring the network is to detect potential cybersecurity events (DE.CM-1).

(b) through (3)(c) No change.

(d) Communicating event detection information to stakeholders appropriate parties that should or must receive this information appropriate parties (DE.DP-4).

(e) No change.

74-2.005 Respond

(1) through (1)(a)4. No change.

5. The agency security incident reporting process must include notification procedures, established pursuant to section Section 501.171, F.S., section Section 282.318, F.S., and as specified in executed agreements with external parties. For reporting incidents to AST and the Cybercrime Office (as established within the Florida Department of Law Enforcement via section 943.0415, F.S.), the following reporting timeframes shall be followed:

(2) Communications. Each agency shall coordinate response activities with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies. Each agency shall:

(a) No change.

(b) Require that events be reported consistent with established criteria and in accordance with agency incident reporting procedures. Criteria shall, at a minimum, require immediate reporting, including instances of lost identification and authentication resources (RS.CO-2).

(c) through (3)(d) No change.

(4) Mitigation. Each agency shall perform incident mitigation activities.  The objective of incident mitigation activities shall be to: attempt to contain and prevent recurrence of incidents (RS.MI-1); mitigate incident effects and eradicate the incident (RS.MI-2); and address vulnerabilities or document as accepted risks. Mitigation. Each agency shall perform activities to prevent expansion, contain or prevent recurrence of an event (RS.MI-1), mitigate its effects, and eradicate the incident (RS.MI-2); and mitigate newly identified vulnerabilities or document as accepted risks.

(5) Improvements. Each agency shall improve organizational response activities by incorporating lessons learned from current and previous detection/response activities into response plans (RS.IM-1). Agencies shall update response strategies in accordance with agency-established policy (RS.IM-2).

74-2.006 Recover

(1) through (3)(c) No change.

REASON: The changes to 74-2.001-74-2.006, F.A.C., and incorporated forms are supported by the record or public hearings held on the rule, were made in response to timely-submitted written material submitted to the agency or address comments submitted by JAPC for consideration and written response.