RULE NO.: RULE TITLE:
74-2.001: Purpose and Applicability; Definitions
74-2.002: Identify
NOTICE OF CHANGE
Notice is hereby given that the following changes have been made to the proposed rule in accordance with subparagraph 120.54(3)(d)1., F.S., as published in the Vol. 44, No. 183, September 19, 2018 issue of the Florida Administrative Register.
74-2.001 Purpose and Applicability; Definitions
(1) No change.
(2) Each agency shall:
(a) No change.
(b) Submit the assessment to AST with the agency’s strategic and operational plan. Document the result of the assessment within the agency’s strategic and operational plan (ASOP). Annually submit the ASOP to AST via the submission process established and maintained by AST.
(c) No change.
(3) Definitions
(a) The following terms are defined:
1. through 5. No change.
6. Compensating security controls – See Rule 74-5.001.
7. through 24. No change.
25. Remote access – access by users (or information systems) communicating externally to an information security perimeter.
26. through 33. No change.
(b) No change.
74-2.002 Identify.
(1) through (3) No change.
(4) Risk Assessment.
(a) Approach. Each agency shall identify and manage the cybersecurity risk to agency operations (including mission, functions, image, or reputation), agency assets, and individuals using the following approach, which derives from the NIST Risk Management Framework (RMF), which is hereby incorporated by reference and may be found at: http://csrc.nist.gov/groups/SMA/fisma/framework.html (rev. 9/11/2018). The Risk Assessment steps provided in the table below must be followed; however, agencies may identify and, based on the risk to be managed, consider other risk assessment security control requirements and frequencies of activities necessary to manage the risk at issue.
In accordance with section 282.318(4)(c), F.S., each agency shall complete and submit to AST no later than July 31, 2017, and every three years thereafter, a comprehensive completed Florida Cybersecurity Standard (FCS) Risk Assessment Tool. In completing the FCS Assessment Tool, agencies shall follow the six-step process (“Conducting the Risk Assessment”) outlined in Section 3.2 of NIST Special Publication 800-30, utilizing the exemplary tables provided therein as applicable to address that particular agency’s threat situation. NIST Special Publication 800-30, Guide for Conducting Risk Assessments, Revision 1 (September 2012) is hereby incorporated by reference and may be found at: http://www.flrules.org/Gateway/reference.asp?No=Ref-06499. When establishing risk management processes, it may be helpful for agencies to review the NIST Risk Management Framework Special Publications, which can be downloaded from the following website: http://csrc.nist.gov/publications/PubsSPs.html. When assessing risk, agencies shall estimate the magnitude of harm resulting from unauthorized access, unauthorized modification or destruction, or loss of availability of a resource. Estimates shall be documented as low-impact, moderate-impact, or high-impact relative to the security objectives of confidentiality, integrity, and availability.
(b) No change.
(5) through (6) No change.
74-2.003 through 74-2.006, No change.