    AGENCY FOR STATE TECHNOLOGY

    RULE NOS.:   RULE TITLES:
    74-2.001     Purpose and Applicability; Definitions
    74-2.002     Identify
    74-2.003     Protect
    74-2.004     Detect
    74-2.005     Respond
    74-2.006     Recover
    Form AST 100, Florida Enterprise Information Security Risk Assessment Survey

    NOTICE OF CHANGE

    Notice is hereby given that the following changes have been made to the proposed rule in accordance with subparagraph 120.54(3)(d)1., F.S., published in the Vol. 41, No. 204, October 20, 2015, issue of the Florida Administrative Register.

    74-2.001 Purpose and Applicability; Definitions

    (1) Purpose and Applicability.

    (a) Rules 74-2.001, F.A.C., through 74-2.006, F.A.C., will be known as the Florida Cybersecurity Standards (FCS).

    (b) This rule establishes cybersecurity standards for information technology (IT) resources. These standards are documented in rules 74-2.001, F.A.C., through 74-2.006, F.A.C. State agencies must comply with these standards in the management and operation of state IT resources. This rule is modeled after the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, February 12, 2014, and the Federal Information Security Management Act of 2002 (44 U.S.C. § 3541, et seq.). For the convenience of the reader, cross-references to these documents and to Special Publications issued by NIST are provided throughout the FCS, as they may be helpful to agencies when drafting their security procedures. The Florida Cybersecurity Standards:

    1. Establish minimum standards to be used by state agencies to secure IT resources. The FCS consist of five high-level functions: Identify, Protect, Detect, Respond, and Recover. These functions support lifecycle management of IT risk. The functions identify underlying key categories and subcategories for each function. Subcategories contain specific IT controls. The FCS is visually represented as follows (Function Unique Identifier / Function; Category Unique Identifier / Category):

    ID     Identify
           ID.AM  Asset Management
           ID.BE  Business Environment
           ID.GV  Governance
           ID.RA  Risk Assessment
           ID.RM  Risk Management Strategy
    PR     Protect
           PR.AC  Access Control
           PR.AT  Awareness & Training
           PR.DS  Data Security
           PR.IP  Information Protection Processes & Procedures
           PR.MA  Maintenance
           PR.PT  Protective Technology
    DE     Detect
           DE.AE  Anomalies & Events
           DE.CM  Security Continuous Monitoring
           DE.DP  Detection Processes
    RS     Respond
           RS.RP  Response Planning
           RS.CO  Communications
           RS.AN  Analysis
           RS.MI  Mitigation
           RS.IM  Improvements
    RC     Recover
           RC.RP  Recovery Planning
           RC.IM  Improvements
           RC.CO  Communications


    Category Unique Identifier subcategory references are detailed in rules 74-2.002 – 74-2.006 below, and are used throughout the FCS as applicable.

    2. No change.

    3. Allow authorizing officials to employ compensating security controls or deviate from minimum standards when the agency is unable to implement a security standard or the standard is not cost-effective due to the specific nature of a system or its environment. The agency shall document the reasons why the minimum standards cannot be satisfied and the compensating controls to be employed. After the agency analyzes the issue and related risk, a compensating security control or deviation may be employed if the agency documents the analysis and the risk steering workgroup accepts the associated risk. This documentation is exempt from section 119.07(1), F.S., pursuant to sections 282.318(4)(d) and (4)(f), F.S., and shall be securely submitted to AST upon acceptance.

    (2) through (3)(a) No change.

    1. Agency – shall have the same meaning as state agency, as provided in section 282.0041, F.S., except that, per section 282.318(2), F.S., the term also includes the Department of Legal Affairs, the Department of Agriculture and Consumer Services, and the Department of Financial Services.

    2. No change.

    3. Breach – see section 282.0041(2), F.S.

    4. Compensating security controls – a management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a required security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an IT resource.

    5. No change.

    6. Critical infrastructure – the physical and cyber systems and assets so vital to Florida that their incapacity or destruction would have a debilitating effect on security, state economic security, state public health or safety, or any combination thereof.

    7. Critical process – a process that is susceptible to fraud, cyberattack, unauthorized activity, or seriously impacting an agency’s mission.

    8. Customer – an entity in receipt of services or information rendered by a state agency. This term does not include state agencies with regard to information sharing activities.

    9. Data-at-rest – stationary data which is stored physically in any digital form.

    10. External partners – non-state agency entities doing business with a state agency, including other governmental entities, third parties, contractors, vendors, suppliers and partners. The term does not include customers.

    11. Information Security Manager (ISM) – the person appointed pursuant to section 282.318(4)(a), F.S.

    12. Information system owner – the agency official responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system.

    13. Industry sector(s) – the following major program areas of state government: Health and Human Services, Education, Government Operations, Criminal and Civil Justice, Agriculture and Natural Resources, and Transportation and Economic Development.

    14. Information technology resources (IT resources) – see section 282.0041(2), F.S. The term broadly describes a set of technology-related assets; while in some cases it may include services and maintenance, as used in this rule it means computer hardware, software, networks, devices, connections, applications, and data.

    15. Legacy applications – programs or applications inherited from languages, platforms, and techniques earlier than current technology. These applications may be at or near the end of their useful life, but are still required to meet mission objectives or fulfill program area requirements.

    16. Personal information – see sections 501.171(1)(g)1. and 817.568, F.S.

    17. Separation of Duties – an internal control concept of having more than one person required to complete a critical process. This is an internal control intended to prevent fraud, abuse, and errors.

    18. Stakeholder – a person, group, organization, or state agency involved in or affected by a course of action related to state agency-owned IT resources.

    19. User – a worker or non-worker who has been provided access to a system or data.

    20. Workforce – employees, contractors, volunteers, trainees, and other persons whose conduct, in the performance of work for the agency, is under the direct control of the agency, whether or not they are paid by the agency (see User; Worker).

    21. Worker – a member of the workforce. A worker may or may not use IT resources. This includes employees, contractors, volunteers, trainees, and other persons whose conduct, in the performance of work for the agency, is under the direct control of the agency, whether or not they are paid by the agency.

    (b) With the exception of the terms identified in subsections 1. – 4. below, the NIST Glossary of Key Information Security Terms, Revision 2, National Institute of Standards and Technology, U.S. Department of Commerce (May 2013), maintained at: http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf, is hereby incorporated by reference into this rule for terms used herein:

    1. Risk assessment – see section 282.0041(18), F.S.

    2. Continuity Of Operations Plan (COOP) – disaster-preparedness plans created pursuant to section 252.365(3), F.S.

    3. Incident – see section 282.0041(10), F.S.

    4. Threat – see section 282.0041(26), F.S.

     

    74-2.002 Identify

    The identify function of the FCS is visually represented as follows (Function / Category / Subcategory):

    Identify (ID)

    Asset Management (AM)
    ID.AM-1: Inventory agency physical devices and systems
    ID.AM-2: Inventory agency software platforms and applications
    ID.AM-3: Map agency communication and data flows
    ID.AM-4: Catalog interdependent external information systems
    ID.AM-5: Prioritize IT resources based on classification, criticality, and business value
    ID.AM-6: Establish cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners)

    Business Environment (BE)
    ID.BE-1: Identify and communicate the agency’s role in the business mission/processes
    ID.BE-2: Identify and communicate the agency’s place in critical infrastructure and its industry sector to workers
    ID.BE-3: Establish and communicate priorities for agency mission, objectives, and activities
    ID.BE-4: Identify dependencies and critical functions for delivery of critical services
    ID.BE-5: Implement resiliency requirements to support the delivery of critical services

    Governance (GV)
    ID.GV-1: Establish an organizational information security policy
    ID.GV-2: Coordinate and align information security roles & responsibilities with internal roles and external partners
    ID.GV-3: Understand and manage legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations
    ID.GV-4: Ensure that governance and risk management processes address cybersecurity risks

    Risk Assessment (RA)
    ID.RA-1: Identify and document asset vulnerabilities
    ID.RA-2: Receive threat and vulnerability information from information sharing forums and sources
    ID.RA-3: Identify and document threats, both internal and external
    ID.RA-4: Identify potential business impacts and likelihoods
    ID.RA-5: Use threats, vulnerabilities, likelihoods, and impacts to determine risk
    ID.RA-6: Identify and prioritize risk responses

    Risk Management Strategy (RM)
    ID.RM-1: Establish, manage, and ensure organizational stakeholders understand the approach to be employed via the risk management processes
    ID.RM-2: Determine and clearly express organizational risk tolerance
    ID.RM-3: Ensure that the organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis


    (1)(a) through (1)(c)1. No change.

    2. Design and document its information security architecture using a defense-in-depth approach. Design and documentation shall be assessed and updated periodically based on an agency-defined, risk-driven frequency that considers potential viable threat vectors (i.e., paths or tools that a threat actor may use to attack a target).

    3. Consider diverse suppliers, per NIST direction, when designing the information security architecture.

    (d)1. through (d)5. No change.

    6. Require (e.g., contractually) that external service providers adhere to agency security policies.

    7. Document agency oversight expectations, and periodically monitor provider compliance.

    (e) Each agency shall ensure that IT resources (hardware, devices and software) are categorized, prioritized, and documented based on their classification, criticality, and business value (ID.AM-5). Agencies shall:

    1. Perform and document a criticality analysis for each categorized IT resource.

    2. No change.

    3. Create a contingency plan for each categorized IT resource. The contingency plan shall be based on resource classification and identify related cybersecurity roles and responsibilities.

    4. No change.

    (f) Establish cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., contractors, vendors, suppliers, users, customers, partners) (ID.AM-6). Each agency is responsible for:

    1. through 2. No change.

    3. Informing workers who use IT equipment, and workers who oversee or manage such workers, that they shall immediately report suspected unauthorized activity in accordance with agency-established incident reporting procedures.

    4. Informing users that they shall take reasonable precautions that are appropriate to protect IT resources in their possession from loss, theft, tampering, unauthorized access, and damage. Consideration will be given to the impact that may result if the IT resource is lost, and safety issues relevant to protections identified in this subsection.

    5. Informing users of the extent that they will be held accountable for their activities.

    6. No change.

    7. Ensuring that monitoring, network sniffing, and related security activities are only performed by workers who have been assigned security-related responsibilities, either via their approved position descriptions or via tasks assigned to them.

    8.a. through b. No change.

    c. Establishing an information security program that includes information security policies, procedures, standards, and guidelines; an information security awareness program; an information security risk management process, including the comprehensive risk assessment required by section 282.318, F.S.; a Computer Security Incident Response Team; and a disaster recovery program that aligns with the agency’s Continuity of Operations (COOP) Plan.

    d. No change.

    9. Performing background checks and ensuring that a background investigation is performed on all individuals hired as IT workers with access to information processing facilities, or who have system, database, developer, network, or other administrative capabilities for systems, applications, or servers with a risk categorization of moderate-impact or higher. See rule 74-2.002(4)(a), F.A.C. These positions often, if not always, have privileged access. As such, in addition to agency-required background screening, background checks conducted by agencies shall include a federal criminal history check that screens for felony convictions that concern or involve the following disqualifying criteria:

    a. through g. No change.

    Each agency shall establish appointment selection disqualifying criteria for individuals hired as IT workers that will have access to information processing facilities, or who have system, database, developer, network, or other administrative capabilities for systems, applications, or servers with risk categorization of moderate-impact or higher.

    (2) Business Environment. Each agency shall understand, prioritize, and document the agency’s mission; objectives; internal stakeholders; type of confidential and/or exempt data created, received, transmitted or maintained by the agency; and activities involving use or disclosure of that data. Agencies shall use this information to make risk management decisions related to IT security and inform agency employees delegated cybersecurity responsibilities and risk management duties. Each agency’s cybersecurity roles, responsibilities, and IT risk management decisions shall align with the agency’s mission, objectives, and activities. To accomplish this, agencies shall:

    (a) through (c) No change.

    (d) Identify system dependencies and critical functions for delivery of critical services (ID.BE-2).

    (e) Implement information resilience requirements to support the delivery of critical services (ID.BE-2).

    (3) No change.

    (4) Risk Assessment.

    (a) Approach. Each agency shall identify and manage the cybersecurity risk to agency operations (including mission, functions, image, or reputation), agency assets, and individuals using the following approach, which derives from the NIST Risk Management Framework (RMF), hereby incorporated by reference and available at: http://csrc.nist.gov/groups/SMA/fisma/framework.html. The risk assessment steps provided in the table below must be followed; however, agencies may identify and, based on the risk to be managed, consider other risk assessment security control requirements and frequencies of activities necessary to manage the risk at issue.

     

    Risk Assessment steps:

    Categorize: Categorize information systems and the information processed, stored, and transmitted by that system based on a security impact analysis.

    Select: Select an initial set of baseline security controls for information systems based on the security categorization, tailoring and supplementing the security control baseline as needed based on the organization’s assessment of risk and local conditions.

    Implement: Implement the selected baseline security controls and document how the controls are deployed within information systems and the environment of operation.

    Assess: Assess the baseline security controls using appropriate procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for systems.

    Authorize: Authorize information system operation based upon a determination of the risk to organizational operations and assets, individuals, other organizations, and the state resulting from the operation of the information system, and the decision that this risk is acceptable.

    Monitor: Monitor and assess selected baseline security controls in information systems on an ongoing basis, including assessing security control effectiveness, documenting changes to the system or environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of systems to appropriate agency officials.


    Agencies are required to consider the following security objectives when assessing risk and when determining what kind of assessment is required and when or how often an assessment is to occur: confidentiality, integrity, and availability. When determining the potential impact to these security objectives, agencies will use the following table, taken from Federal Information Processing Standards (FIPS) Publication No. 199 (February 2004), which is hereby incorporated into this rule by reference and may be found at: http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf:

     

     

    POTENTIAL IMPACT, by security objective (LOW / MODERATE / HIGH):

    Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
      LOW: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
      MODERATE: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
      HIGH: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

    Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
      LOW: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
      MODERATE: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
      HIGH: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

    Availability: Ensuring timely and reliable access to and use of information.
      LOW: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
      MODERATE: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
      HIGH: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.


    In accordance with section 282.318(4)(c), F.S., each agency shall complete and submit to AST, no later than July 31, 2017, and every three years thereafter, the Florida Enterprise Information Security Risk Assessment Survey (Form # AST-100), which is hereby incorporated by reference and maintained at: http://www.ast.myflorida.com/publications.asp. In completing the AST 100 form, agencies shall follow the six-step process (“Conducting the Risk Assessment”) outlined in Section 3.2 of NIST Special Publication 800-30, utilizing the example tables provided therein as applicable to address the particular agency’s threat situation. NIST Special Publication 800-30, Guide for Conducting Risk Assessments, Revision 1 (September 2012), is hereby incorporated by reference and may be found at: http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf. When establishing risk management processes, it may be helpful for agencies to review the NIST RMF Special Publications; they can be downloaded from the following website: http://csrc.nist.gov/groups/SMA/fisma/framework.html, as can NIST Special Publication 800-30. When assessing risk, agencies shall estimate the magnitude of harm resulting from unauthorized access, unauthorized modification or destruction, or loss of availability of a resource. Estimates shall be documented as low-impact, moderate-impact, or high-impact relative to the security objectives of confidentiality, integrity, and availability.
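    The categorization just described, as an added Python example that is not part of the rule or of this notice: it parses the FIPS 199 notation, applies the high-water mark (per objective, the highest impact across the information types a system carries, from FIPS 199 section 3; collapsing that to one system level as the highest objective is the FIPS 200 reading and is assumed here), and lists which provisions quoted in this notice key off a moderate-or-higher categorization. The rule citations are the subsections of 74-2.002 and 74-2.003 quoted on this page; the class and function names are the example's own.

```python
"""FIPS 199 security categorization and the FCS thresholds that key off it (added example)."""
import re
from dataclasses import dataclass
from enum import IntEnum

OBJECTIVES = ("confidentiality", "integrity", "availability")


class Impact(IntEnum):
    """Potential impact levels from the FIPS 199 table above."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class SecurityCategory:
    """Impact estimate per security objective, as 74-2.002(4)(a) requires agencies to document."""
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    @classmethod
    def parse(cls, text: str) -> "SecurityCategory":
        """Parse FIPS 199 notation such as
        'SC = {(confidentiality, MODERATE), (integrity, LOW), (availability, LOW)}'.
        Every objective must appear exactly once with a valid level; anything else is rejected."""
        found = {}
        for objective, level in re.findall(r"\(\s*(\w+)\s*,\s*(\w+)\s*\)", text):
            objective = objective.lower()
            if objective not in OBJECTIVES:
                raise ValueError(f"unknown security objective: {objective}")
            if objective in found:
                raise ValueError(f"duplicate security objective: {objective}")
            if level.upper() not in Impact.__members__:
                raise ValueError(f"invalid impact level {level!r} for {objective}")
            found[objective] = Impact[level.upper()]
        missing = [o for o in OBJECTIVES if o not in found]
        if missing:
            raise ValueError("missing security objective(s): " + ", ".join(missing))
        return cls(**found)

    def overall(self) -> Impact:
        """Single system level: the highest objective (FIPS 200 reading, assumed here).
        This is the 'categorization of moderate-impact or higher' that the FCS provisions test."""
        return max(self.confidentiality, self.integrity, self.availability)


def aggregate(categories):
    """Category of a system carrying several information types: per objective, the highest
    impact among the types it processes, stores or transmits (FIPS 199 section 3)."""
    if not categories:
        raise ValueError("a system must carry at least one information type")
    return SecurityCategory(**{o: max(getattr(c, o) for c in categories) for o in OBJECTIVES})


def fcs_obligations(category, *, confidential_or_exempt, externally_hosted_customer_service=False):
    """Provisions quoted in this notice that the categorization triggers. 'Categorization of
    moderate' in 74-2.003(1)(a)9 is read here as moderate or higher (an assumption)."""
    level = category.overall()
    triggered = []
    if level >= Impact.MODERATE:
        triggered.append("74-2.003(5)(g)4: documented system security plan (SSP) required")
        triggered.append("74-2.002(1)(f)9: federal criminal history check for IT workers "
                         "with administrative capabilities over the system")
    # MFA applies on impact level or on data sensitivity, but not to externally hosted
    # customer-facing systems, which 74-2.003(1)(a)9 excludes.
    if (level >= Impact.MODERATE or confidential_or_exempt) and not externally_hosted_customer_service:
        triggered.append("74-2.003(1)(a)9: consider multi-factor authentication")
    return triggered
```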

    (b) Other agency risk management activities that agencies shall perform:

    1. Identify and document asset vulnerabilities (ID.RA-1), business processes and protection requirements.  Establish procedures to analyze systems and applications to ensure security controls are effective and appropriate.

    2. Receive and manage threat and vulnerability information from information sharing forums and sources that contain information relevant to the risks or threats (ID.RA-2).

    3. through 6. No change.

    (5) Risk Management. Each agency shall ensure that the organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. Each agency shall:

    (a) Establish risk management processes that are managed and agreed to by agency stakeholders and the agency head (ID.RM-1).

    1. Establish a risk management team that ensures that risk management processes are authorized by agency stakeholders. The risk management team must include a member of the agency IT unit, and shall determine the appropriate meeting frequency and agency stakeholders.

    (b) Identify and clearly document organizational risk tolerance based on the confidential and exempt nature of the data created, received, maintained, or transmitted by the agency and on the agency’s role in critical infrastructure and sector specific analysis (ID.RM-2).

    (c) Determine risk tolerance as necessary, based upon: their analysis of sector specific risks; the agency’s industry sector; agency-specific risks (e.g., Health Insurance Portability and Accountability Act of 1996 compliance for agencies that maintain this information); and the agency’s role in the state’s mission and performance of a sector specific risk analysis (ID.RM-3).

    (d) Establish parameters for IT staff participation in procurement activities.

    (e) through (g) No change.

     

    74-2.003 Protect

    The protect function of the FCS is visually represented as follows (Function / Category / Subcategory):

    Protect (PR)

    Access Control (AC)
    PR.AC-1: Manage identities and credentials for authorized devices and users
    PR.AC-2: Manage and protect physical access to assets
    PR.AC-3: Manage remote access
    PR.AC-4: Manage access permissions, incorporate the principles of least privilege and separation of duties
    PR.AC-5: Protect network integrity, incorporate network segregation where appropriate

    Awareness and Training (AT)
    PR.AT-1: Inform and train all users
    PR.AT-2: Ensure that privileged users understand roles and responsibilities
    PR.AT-3: Ensure that third-party stakeholders (e.g., suppliers, customers, partners) understand roles and responsibilities
    PR.AT-4: Ensure that senior executives understand roles and responsibilities
    PR.AT-5: Ensure that physical and information security personnel understand roles & responsibilities

    Data Security (DS)
    PR.DS-1: Protect data-at-rest
    PR.DS-2: Protect data-in-transit
    PR.DS-3: Formally manage assets throughout removal, transfers, and disposition
    PR.DS-4: Ensure that adequate capacity is maintained to support availability needs
    PR.DS-5: Implement data leak protection measures
    PR.DS-6: Use integrity checking mechanisms to verify software, firmware, and information integrity
    PR.DS-7: Logically or physically separate the development and testing environment(s) from the production environment

    Information Protection Processes and Procedures (IP)
    PR.IP-1: Create and maintain a baseline configuration of information technology/industrial control systems
    PR.IP-2: Implement a System Development Life Cycle to manage systems
    PR.IP-3: Establish configuration change control processes
    PR.IP-4: Conduct, maintain, and periodically test backups of information
    PR.IP-5: Meet policy and regulatory requirements that are relevant to the physical operating environment for organizational assets
    PR.IP-6: Destroy data according to policy
    PR.IP-7: Continuously improve protection processes
    PR.IP-8: Share effectiveness of protection technologies with stakeholders that should or must receive this information
    PR.IP-9: Establish and manage response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery)
    PR.IP-10: Test response and recovery plans
    PR.IP-11: Include cybersecurity in human resources practices (e.g., deprovisioning, personnel screening)
    PR.IP-12: Develop and implement a vulnerability management plan

    Maintenance (MA)
    PR.MA-1: Perform and log maintenance and repair of organizational assets in a timely manner, with approved and controlled tools
    PR.MA-2: Approve, log, and perform remote maintenance of agency assets in a manner that prevents unauthorized access

    Protective Technology (PT)
    PR.PT-1: Determine, document, implement, and review audit/log records in accordance with policy
    PR.PT-2: Protect and restrict removable media usage according to policy
    PR.PT-3: Control access to systems and assets, incorporate the principle of least functionality
    PR.PT-4: Protect communications and control networks


    (1)(a)1. through 6. No change.

    7. Establish access disablement and notification timeframes for worker separations. The agency will identify the appropriate person in the IT unit to receive notification within the established timeframes. Notification timeframes shall consider risks associated with system access post-separation.

    8. No change.

    9. Consider the use of multi-factor authentication (MFA) for any application that has a categorization of moderate or contains exempt, confidential, or confidential and exempt information. This excludes externally hosted systems designed to deliver services to customers, where MFA is not necessary or viable.

    10. through (d)2. No change.

    3. Specify that all workers be granted access to agency IT resources based on the principles of “least privilege” and “need to know determination.”

    4. through (2)(e) No Change.

    (3) For each of the above subsections the following shall also be addressed:

    (a) Appoint a worker to coordinate the agency information security awareness program. If an IT security worker does not coordinate the security awareness program, they shall be consulted for content development purposes. Agencies will ensure that all workers (including volunteer workers) are clearly notified of applicable obligations, established via agency policies, to maintain compliance with such controls.

    (b) through (4)(b)4. No change.

    (c) Formally manage assets throughout removal, transfer, and disposition (PR.DS-3).

    1. Before equipment is disposed of or released for reuse, sanitize or destroy information media in accordance with the State of Florida General Records Schedule GS1-SL for State and Local Government Agencies.

    2. through (e)1. No change.

    2. Retention and destruction of confidential and exempt information in accordance with the records retention requirements as provided in the State of Florida General Records Schedule GS1-SL for State and Local Government Agencies.

    3. through (5)(b)2. No change.

    3. The application development team at each agency shall implement appropriate security controls to minimize risks to agency IT resources and meet the security requirements of the application owner. Agencies will identify in their policies, processes and procedures the security coding guidelines the agency will follow when obtaining, purchasing, leasing or developing software. Software applications obtained, purchased, leased, or developed by the agency will be based on secure coding guidelines.

    4. through (e) No change.

    (f) Manage and dispose of records/data in accordance with the records retention requirements as provided in the State of Florida General Records Schedule GS1-SL for State and Local Government Agencies (PR.IP-6).

    (g)1. through 2. No change.

    3. Ensure system security plans are confidential per section 282.318, F.S., and are available to the agency ISM.

    4. Require that each agency application or system with a categorization of moderate-impact or higher have a documented system security plan (SSP). For existing production systems that lack a SSP, a risk assessment shall be performed to determine prioritization of subsequent documentation efforts.  The SSP shall, at a minimum, include provisions that:

    i. through vii. No change.

    5. Require information system owners (ISOs) to define application security-related business requirements using role-based access controls and rule-based security policies, where technology permits.

    6. No change.

    7. Create procedures to address inspection of content stored, processed or transmitted on agency-owned or managed IT resources, including attached removable media. Inspection shall be performed where authorization has been provided by stakeholders that should or must receive this information.

    8. Establish parameters for agency-managed devices that prohibit installation, without worker consent, of clients that allow the agency to inspect private partitions or personal data.

    9. through 11. No change.

    (h) Ensure that the effectiveness of protection technologies is shared with stakeholders that should or must receive this information (PR.IP-8).

    (i) through (l) No change.

    (6) Maintenance. Each agency shall perform maintenance and repairs of information systems and components consistent with agency-developed policies and procedures. Each agency shall:

    (a) Perform and log maintenance and repair of IT resources in a timely manner, with tools that have been approved and are administered by the agency to be used for such activities (PR.MA-1).

    (b) Approve, encrypt, log and perform remote maintenance of IT resources in a manner that prevents unauthorized access (PR.MA-2).

    (c) Not engage in new development of custom authenticators. Agencies shall assess the feasibility of replacing agency-developed custom authenticators in legacy applications.

    (7) Protective Technology. Each agency shall ensure that technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. Specifically, each agency shall:

    (a) Determine and document required audit/log records, implement logging of audit records, and protect and review logs in accordance with agency-developed policy. Agency-developed policy shall be based on resource criticality. Where possible, ensure that electronic audit records allow actions of users to be uniquely traced to those users so they can be held accountable for their actions. Maintain logs identifying where access to exempt, or confidential and exempt, data was permitted. The logs shall support unique identification of individuals and permit an audit of the logs to trace activities through the system, including the capability to determine the exact confidential or exempt data accessed, acquired, viewed or transmitted by the individual (PR.PT-1).
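    The traceability requirement in (a) above is easier to meet when it is designed into the audit record itself. The following Python example is added here as an illustration and is not part of the rule text: it shows one record layout that carries every element the rule asks for (who, what data, which action, when, and whether access was permitted) together with the three queries an audit of such logs needs: trace one individual's actions on exempt or confidential data, list who was permitted access to a given record, and flag accounts that cannot be tied to a single individual. The log format, field names, sample entries and the account roster are constructed assumptions for the example, not anything the rule prescribes.

```python
import json

# Constructed sample audit records in JSON Lines form. The field names and the
# sample entries are assumptions for this example; the rule does not prescribe
# a log format, only what the records must make traceable.
SAMPLE_LOG = """\
{"ts": "2015-11-02T14:03:11Z", "user_id": "u10482", "action": "view", "record_id": "CASE-7731", "classification": "confidential_and_exempt", "result": "permitted"}
{"ts": "2015-11-02T14:04:52Z", "user_id": "u10482", "action": "export", "record_id": "CASE-7731", "classification": "confidential_and_exempt", "result": "permitted"}
{"ts": "2015-11-02T14:06:30Z", "user_id": "u20915", "action": "view", "record_id": "CASE-8102", "classification": "exempt", "result": "denied"}
{"ts": "2015-11-02T14:07:05Z", "user_id": "svc_report", "action": "view", "record_id": "CASE-7731", "classification": "confidential_and_exempt", "result": "permitted"}
{"ts": "2015-11-02T14:09:44Z", "user_id": "u10482", "action": "view", "record_id": "PUB-0001", "classification": "public", "result": "permitted"}
"""

# Constructed roster of accounts that map to exactly one named individual
# (assumed to come from the agency's identity system). Accounts absent from it
# cannot be "uniquely traced to those users".
INDIVIDUAL_ACCOUNTS = {"u10482": "J. Doe", "u20915": "A. Smith"}

REQUIRED_FIELDS = ("ts", "user_id", "action", "record_id", "classification", "result")
PROTECTED = {"exempt", "confidential", "confidential_and_exempt"}


def parse_log(text):
    """Parse JSON Lines audit records, rejecting any record that lacks a field
    needed for tracing (who, what data, which action, when, and the outcome)."""
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = json.loads(line)
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            raise ValueError(f"line {lineno}: audit record missing {missing}")
        records.append(rec)
    return records


def trace_user(records, user_id):
    """Every action by one account on exempt or confidential data, in time order,
    with the exact record touched and whether access was permitted."""
    hits = [(r["ts"], r["action"], r["record_id"], r["result"])
            for r in records
            if r["user_id"] == user_id and r["classification"] in PROTECTED]
    return sorted(hits)


def who_accessed(records, record_id):
    """Accounts that were permitted access to a given record: the log the rule
    requires of where access to protected data was permitted."""
    return sorted({r["user_id"] for r in records
                   if r["record_id"] == record_id and r["result"] == "permitted"})


def unattributable_accounts(records, roster):
    """Accounts that touched protected data but are not tied to a single
    individual, e.g. shared or service accounts; these defeat accountability."""
    return sorted({r["user_id"] for r in records
                   if r["classification"] in PROTECTED and r["user_id"] not in roster})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in trace_user(recs, "u10482"):
        print("u10482:", *hit)
    print("CASE-7731 permitted to:", who_accessed(recs, "CASE-7731"))
    print("not attributable to an individual:",
          unattributable_accounts(recs, INDIVIDUAL_ACCOUNTS))
```

    In the sample, the public-record view by u10482 drops out of the trace because only exempt or confidential data is in scope, and the service account svc_report is reported as unattributable: it was permitted access to confidential data, but the log cannot say which person acted, which is exactly the gap the rule's unique-identification requirement is meant to close.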

    (b) Protect and restrict removable media in accordance with agency-developed information security policy (PR.PT-2).

    (c) Control access to systems and assets, incorporating the principle of least functionality (PR.PT-3).

    (d) Protect communications and control networks by establishing perimeter security measures to prevent unauthorized connections to agency IT resources (PR.PT-4). Agencies shall:

    1. No change.

    2. Require host-based boundary protection (i.e., protection that runs on the device itself, such as a host firewall or an endpoint detection agent) on mobile computing devices where technology permits.

     

    74-2.004 Detect

    The detect function of the FCS is visually represented as follows:

    Function: Detect (DE)

    Category: Anomalies and Events (AE)
    DE.AE-1: Establish and manage a baseline of network operations and expected data flows for users and systems
    DE.AE-2: Analyze detected events to understand attack targets and methods
    DE.AE-3: Aggregate and correlate event data from multiple sources and sensors
    DE.AE-4: Determine the impact of events
    DE.AE-5: Establish incident alert thresholds

    Category: Security Continuous Monitoring (CM)
    DE.CM-1: Monitor the network to detect potential cybersecurity events
    DE.CM-2: Monitor the physical environment to detect potential cybersecurity events
    DE.CM-3: Monitor personnel activity to detect potential cybersecurity events
    DE.CM-4: Detect malicious code
    DE.CM-5: Detect unauthorized mobile code
    DE.CM-6: Monitor external service provider activity to detect potential cybersecurity events
    DE.CM-7: Monitor for unauthorized personnel, connections, devices, and software
    DE.CM-8: Perform vulnerability scans

    Category: Detection Processes (DP)
    DE.DP-1: Define roles and responsibilities for detection to ensure accountability
    DE.DP-2: Ensure that detection activities comply with all applicable requirements
    DE.DP-3: Test detection processes
    DE.DP-4: Communicate event detection information to stakeholders that should or must receive this information
    DE.DP-5: Continuously improve detection processes

     

    (1) No change.

    (2) Security Continuous Monitoring. Each agency shall monitor IT resources at discrete intervals necessary to identify cybersecurity events and verify the effectiveness of protective measures. Such activities shall include:

    (a) Monitoring the network to detect potential cybersecurity events (DE.CM-1).

    (b) through (3)(c) No change.

    (d) Communicating event detection information to stakeholders that should or must receive this information (DE.DP-4).

    (e) No change.

     

    74-2.005 Respond

    (1) through (1)(a)4. No change.

    5. The agency security incident reporting process must include notification procedures, established pursuant to section 501.171, F.S., section 282.318, F.S., and as specified in executed agreements with external parties. For reporting incidents to AST and the Cybercrime Office (established within the Florida Department of Law Enforcement by section 943.0415, F.S.), the following reporting timeframes shall be followed:

     

    Rating     Initial Notification   Definition of Effect Rating
    Minimal    Monthly aggregate      Effect on IT resources managed by internal processes
    Low        Weekly                 Minimal effect on IT resources
    Medium     One business day       Moderate effect on IT resources
    High       Within 4 hours         Severe effect on IT resources or delivery of services
    Critical   Immediately            Severe effect on IT resources, believed to impact multiple agencies or delivery of services

     

    (2) Communications. Each agency shall coordinate response activities with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies. Each agency shall:

    (a) No change.

    (b) Require that events be reported consistent with established criteria and in accordance with agency incident reporting procedures. Criteria shall, at a minimum, require immediate reporting, including instances of lost identification and authentication resources (RS.CO-2).

    (c) through (3)(d) No change.

    (4) Mitigation. Each agency shall perform incident mitigation activities. The objective of incident mitigation activities shall be to: attempt to contain and prevent recurrence of incidents (RS.MI-1); mitigate incident effects and eradicate the incident (RS.MI-2); and address vulnerabilities or document them as accepted risks.

    (5) Improvements. Each agency shall improve organizational response activities by incorporating lessons learned from current and previous detection/response activities into response plans (RS.IM-1). Agencies shall update response strategies in accordance with agency-established policy (RS.IM-2).

     

    74-2.006 Recover

    (1) through (3)(c) No change.

     

    REASON: The changes to rules 74-2.001 through 74-2.006, F.A.C., and the incorporated forms are supported by the record of public hearings held on the rule, were made in response to timely-submitted written material submitted to the agency, or address comments submitted by JAPC for consideration and written response.