To update the rules consistent with Chapter 2021-234, Laws of Florida.  

DEPARTMENT OF MANAGEMENT SERVICES

Florida Digital Service

RULE NOS.:RULE TITLES:

60GG-2.001Purpose and Applicability; Definitions

60GG-2.002Identify

60GG-2.003Protect

60GG-2.004Detect

60GG-2.005Respond

60GG-2.006Recover

PURPOSE AND EFFECT: To update the rules consistent with Chapter 2021-234, Laws of Florida.

SUMMARY: The proposed amendments update the cybersecurity rules consistent with statutory revisions and industry standards.

SUMMARY OF STATEMENT OF ESTIMATED REGULATORY COSTS AND LEGISLATIVE RATIFICATION:

The Agency has determined that this will not have an adverse impact on small business or likely increase directly or indirectly regulatory costs in excess of $200,000 in the aggregate within one year after the implementation of the rule. A SERC has not been prepared by the Agency.

The Agency has determined that the proposed rule is not expected to require legislative ratification based on the statement of estimated regulatory costs or if no SERC is required, the information expressly relied upon and described herein: The agency, utilizing the expertise of Florida Digital Service personnel, determined no SERC was required based on the nature of the rule and after completing the SERC checklist analysis.

Any person who wishes to provide information regarding a statement of estimated regulatory costs, or provide a proposal for a lower cost regulatory alternative must do so in writing within 21 days of this notice.

Any person who wishes to provide information regarding a statement of estimated regulatory costs, or provide a proposal for a lower cost regulatory alternative must do so in writing within 21 days of this notice.

RULEMAKING AUTHORITY: 282.318(11), F.S.

LAW IMPLEMENTED: 282.318(3), 282.0041 F.S.

IF REQUESTED WITHIN 21 DAYS OF THE DATE OF THIS NOTICE, A HEARING WILL BE SCHEDULED AND ANNOUNCED IN THE FAR.

THE PERSON TO BE CONTACTED REGARDING THE PROPOSED RULE IS: Andrea Barber, Government Analyst, 4050 Esplanade Way, Tallahassee, Florida 32399, Rulemaking@dms.fl.gov, (850)901-6279. A copy of the proposed rule is also available at https://www.dms.myflorida.com/agency_administration/general_counsel/rulemaking.

THE FULL TEXT OF THE PROPOSED RULE IS:

CHAPTER 60GG-2

STATE OF FLORIDA CYBERSECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY

60GG-2.001 Purpose and Applicability; Definitions; Agency Requirements

(1) Purpose and Applicability.

(a) Rules 60GG-2.001 through 60GG-2.006, F.A.C., will be known as the State of Florida Cybersecurity Standards (SFCS).

(b) These rules establish This rule establishes cybersecurity standards for information technology (IT) resources. These standards are documented in Rules 60GG-2.001 through 60GG-2.006, F.A.C. State Agencies must comply with these standards in the management and operation of state IT resources. This rule is modeled after the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, and the Federal Information Security Management Act of 2002 (44 U.S.C. §3541, et seq.). For the convenience of the reader cross-references to these documents and Special Publications issued by the NIST are provided throughout the SFCS as they may be helpful to Aagencies when drafting their cybersecurity security procedures. For procurement of IT commodities and services, the commodity or service must comply with the National Institute of Standards and Technology Cybersecurity Framework. The SFCS Florida Cybersecurity Standards:­­­­

1. Establish minimum standards to be used by state Aagencies to secure IT resources. The SFCS consists consist of five high-level functions: Identify, Protect, Detect, Respond, and Recover. These functions support lifecycle management of IT risk. The functions identify underlying key categories and subcategories for each function. Subcategories contain specific IT controls. The SFCS are is visually represented as follows:

Category Unique Identifier subcategory references are detailed in Rules 60GG-2.002 ‒ 60GG-2.006, F.A.C., and are used throughout the SFCS as applicable.

2. Define minimum management, operational, and technical security controls to be used by state Aagencies to secure IT resources.

3. Allow authorizing officials to employ compensating security controls or deviate from minimum standards when the Aagency is unable to implement a security standard, or the standard is not cost-effective due to the specific nature of a system or its environment. The Aagency shall document the reasons why the minimum standards cannot be satisfied and the Ccompensating Ccontrols to be employed. After the Aagency analyzes the issue and related risk, a compensating security control or deviation may be employed if the Aagency documents the analysis and risk steering workgroup, as outlined in Rule 60GG-2.002(5), F.A.C., accepts the associated risk. This documentation is exempt from sSection 119.07(1), F.S., pursuant to sSections 282.318(4)(d), and (4)(e), F.S., and, upon acceptance by the risk steering workgroup, shall be securely submitted to the Florida Digital Service (FL[DS]) DMS upon acceptance.

(2) Each agency shall:

(a) Perform an assessment that documents the gaps between requirements of this rule and controls that are in place.

(b) Submit the assessment to DMS with the agency’s strategic and operational plan.

(c) Reassess annually and update the ASOP to reflect progress toward compliance with this rule.

(2) (3)  Definitions.

(a) This rule defines the following terms used in Rule Chapter 60GG-2, F.A.C. The following terms are defined:

1. Agency – shall have the same meaning as state agency, as provided in sSection 282.0041, F.S., except that, per sSection 282.318(2), F.S., the term also includes the Department of Legal Affairs, the Department of Agriculture and Consumer Services, and the Department of Financial Services.

2. Agency-owned (also Aagency-managed) – any device, service, or technology owned, leased, or managed by the Aagency for which an Aagency through ownership, configuration management, or contract has established the right to manage security configurations, including provisioning, access control, and data management.

3. No change.

4. Authentication protocol – a defined sequence of messages between a claimant and the relying parties (RP) or credential service provider (CSP) that demonstrate that the claimant has control of a valid token to establish his or her identity. see Rule 60GG-5.002, F.A.C.

5. Breach – means unauthorized access of data in electronic form containing personal information. Good faith access of personal information by an employee or agent of the entity which acquires, maintains, stores, or uses the data does not constitute a breach of security, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use.

6 5. Buyer – refers to the downstream people or organizations that consume a given product or service from an organization, including both for-profit and not-for-profit organizations.

7 6. Compensating Ccontrols – a management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system. see Rule 60GG-5.001, F.A.C.

8 7. Complex Ppassword – a password sufficiently difficult to correctly guess, which enhances protection of data from unauthorized access. Complexity requires at least eight characters that are a combination of at least three of the following character types: uppercase letters, lowercase letters, numbers, and special characters (@, #, $, %, etc.).

8. Confidential information – records that, pursuant to Florida’s public records laws or other controlling law, are exempt from public disclosure.

9. Continuity of Operations Plan (COOP) – disaster-preparedness plan created pursuant to section 252.365(3), F.S.

10 9. Critical Iinfrastructure – systems and assets, whether physical or virtual so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

11 10. Critical Pprocess – a process that is susceptible to fraud, cyberattack, unauthorized activity, or disruption seriously impacting an Aagency’s mission.

12 11. Customer – an entity in receipt of services or information rendered by an a state Aagency. This term does not include state agencies with regard to information sharing activities.

13 12. Cybersecurity Eevent – within the context of Rules 60GG-2.001 – 60GG-2.006, F.A.C., a cybersecurity event is a cybersecurity change that may have an impact on Aagency operations (including mission, capabilities, or reputation).

14 13. Data-at-rest – stationary data which is stored physically in any digital form.

15 14. External Ppartners – non-state agency entities doing business with an a state Aagency, including other governmental entities, third parties, contractors, vendors, Ssuppliers, and partners. External Ppartners do not include customers.

16. Incident – means a violation or imminent Threat of violation, whether such a violation is accidental or deliberate, of information technology resources, security, policies, or practices. An imminent Threat of violation refers to a situation in which the state agency has a factual basis for believing that a specific incident is about to occur.

17. Industry Sector(s) – the following major program areas of state government: Health and Human Services, Education, Government Operations, Criminal and Civil Justice, Agriculture and Natural Resources, and Transportation and Economic Development.

18 15. Information Security Manager (ISM) – the person designated appointed pursuant to sSection 282.318(4)(a), F.S.

19 16. Information Ssystem Oowner – the Aagency official responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system.

17. Industry sector(s) – the following major program areas of state government: Health and Human Services, Education, Government Operations, Criminal and Civil Justice, Agriculture and Natural Resources, and Transportation and Economic Development.

20 18. Information Ttechnology Rresources (IT Rresources) – data processing hardware and software and services, communications, supplies, personnel, facility resources, maintenance, and training. see Section 282.0041(19), F.S.

21 19. Legacy Aapplications – programs or applications inherited from languages, platforms, and techniques earlier than current technology. These applications may be at or near the end of their useful life but are still required to meet mission objectives or fulfill program area requirements.

22. Malware – means a computer program that is covertly or maliciously placed onto a computer or electronic device with the intent to compromise the confidentiality, integrity, or availability of data applications or operating systems.

23 20. Mobile Device – any computing device that can be conveniently relocated from one network to another.

21. Multi-Factor Authentication – see Rule 60GG-5.001, F.A.C.

22. Personal information – see Sections 501.171(1)(g)1., and 817.568, F.S.

24 23. Privileged Uuser – a Uuser that is authorized (and, therefore trusted) to perform security-relevant functions that ordinary Uusers are not authorized to perform.

25 24. Privileged Aaccounts – an information system account with authorizations of a Pprivileged Uuser.

26 25. Remote Aaccess – access by Uusers (or information systems) communicating externally to an information security perimeter.

26. Removable Media – any data storage medium or device sufficiently portable to allow for convenient relocation from one network to another.

27. Risk Assessment – the process of identifying security risks, determining their magnitude, and identifying areas needing safeguards.

28 27. Separation of Dduties – an internal control concept of having more than one person required to complete a Ccritical Pprocess. This is an internal control intended to prevent fraud, abuse, and errors.

29 28. Stakeholder – a person, group, organization, or state Aagency involved in or affected by a course of action related to state Aagency-owned IT Rresources.

30 29. Supplier (commonly referred to as “Vvendor”) – encompasses upstream product and service providers used for an organization’s internal purposes (e.g., IT infrastructure) or integrated into the products or services provided to on the Buyer. These terms are applicable for both technology-based and non-technology-based products and services.

31. Threat – any circumstance or event that has the potential to adversely impact an Agency’s operations or assets through an information system via unauthorized access, destruction, disclosure, or modification of information or denial of service.

32 30. Token Ccontrol – the process of ensuring, through the use of a secure authentication protocol, that the token has remained in control of and is being presented by the identity that the token was issued to and has not been modified. see Rule 60GG-5.001, F.A.C.

33 31. User – a Wworker or non-worker who has been provided access to a system or data.

34 32. Workforce – employees, contractors, volunteers, trainees, and other persons whose conduct, in the performance of work for the Aagency, is under the direct control of the Aagency, whether or not they are paid by the Aagency (see User; Worker).

35 33. Worker – a member of the Wworkforce. A Wworker may or may not use IT Rresources. This includes employees, contractors, volunteers, trainees, and other persons whose conduct, in the performance of work for the Aagency, is under the direct control of the Aagency, whether or not they are paid by the Aagency.

(b) With the exception of the terms identified in subparagraphs 1.-4., the NIST Glossary of Key Information Security Terms, Revision 2, National Institute of Standards and Technology, U.S. Department of Commerce (May 2013), maintained at: http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf, is hereby incorporated by reference into this rule : http://www.flrules.org/Gateway/reference.asp?No=Ref-06494.

1. Risk assessment – see section 282.0041(28), F.S.

2. Continuity of Operations Plan (COOP) – disaster-preparedness plans created pursuant to Section 252.365(3), F.S.

3. Incident – see Section 282.0041(18), F.S.information technology resources

4. Threat – see Section 282.0041(36), F.Sn.

(3) In accordance with section 282.318, F.S., each Agency must:

(a) Notify FL[DS] of all confirmed Threats, Incidents, or Breaches of state IT Resources.

(b) Ensure that the written specifications for cybersecurity requirements in solicitations, contracts, and service-level agreements for IT Resources and information technology services meet or exceed the applicable standards, guidelines, and best practices outlined in the National Institute of Standards and Technology Cybersecurity Framework.

(c) Submit the Agency’s strategic and operational cybersecurity plans to FL[DS] by July 31 each year. The Agency’s strategic and operational cybersecurity plans must be based on the statewide cybersecurity strategic plan created by FL[DS]. The Agency’s strategic and operational cybersecurity plans must:

1. Cover a 3-year period.

2. Define security goals, intermediate objectives, and projected Agency costs for the strategic issues of Agency information security policy, risk management, security training, security Incident response, and disaster recovery.

3. Include performance metrics that can be objectively measured to reflect the status of the Agency’s progress in meeting security goals and objectives identified in the Agency’s strategic information security plan.

4. Include a progress report and a project plan.

a. The progress report must measure the Agency’s progress made towards the Agency’s prior strategic and operational cybersecurity plan.

b. The project plan must include activities, timelines, and deliverables for security objectives that the Agency will implement during the current fiscal year.

5. Include an assessment that documents the gaps between requirements of this rule and current Agency controls.

(d) Conduct a comprehensive Risk Assessment every 3 years and in accordance with Rule 60GG-2.002(4), F.A.C.

Rulemaking Authority 282.318(11) FS. Law Implemented 282.0041 and 282.318(3) FS. History‒New 3-10-16, Amended 1-2-19, Formerly 74-2.001,           .

60GG-2.002 Identify.

The identify function of the SFCS is visually represented as such:

(1) Asset Management. Each Aagency shall ensure that IT Rresources are identified and managed. Identification and management shall be consistent with the IT Rresource’s relative importance to Aagency objectives and the organization’s risk strategy. Specifically, each Aagency shall:

(a) through (b) No change.

(c) Ensure that organizational communication and data flows are mapped and systems are designed or configured to regulate information flow based on data classification (ID.AM-3). Each Aagency shall:

1. Establish procedures that ensure only Aagency-owned or approved IT Rresources are connected to the Aagency internal network and resources.

2. Design and document its information security architecture using a defense-in-breadth approach. Design and documentation shall be assessed and updated periodically based on an Aagency-defined, risk-driven frequency that considers potential Tthreat vectors (i.e., paths or tools that a Tthreat actor may use to attack a target).

3. Consider diverse Ssuppliers when designing the information security architecture.

(d) Each Aagency shall ensure that interdependent external information systems are catalogued (ID.AM-4). Agencies shall:

1. Verify or enforce required security controls on interconnected external IT Rresources in accordance with the information security policy or security plan.

2. Implement service level agreements for non-Aagency provided technology services to ensure appropriate security controls are established and maintained.

3. For non-interdependent external IT Rresources, execute information sharing or processing agreements with the entity receiving the shared information or hosting the external system in receipt of shared information.

4. through 5. No change.

6. Require that (e.g., contractually) external service providers adhere to Aagency security policies.

7. Document Aagency oversight expectations, and periodically monitor provider compliance.

(e) Each Aagency shall ensure that IT Rresources (hardware, data, personnel, devices and software) are categorized, prioritized, and documented based on their classification, criticality, and business value (ID.AM-5). Agencies shall:

1. Perform a criticality analysis for each categorized IT Rresource and document the findings of the analysis conducted.

2. Designate an authorizing official for each categorized IT Rresource and document the authorizing official’s approval of the security categorization.

3. Create a contingency plan for each categorized IT Rresource. The contingency plan shall be based on resource classification and identify related cybersecurity roles and responsibilities.

4. Identify and maintain a reference list of exempt, and confidential and exempt Aagency information or software and the associated applicable state and federal statutes and rules.

(f) Establish cybersecurity roles and responsibilities for the entire Wworkforce and third-party Sstakeholders (ID.AM-6). Each Aagency is responsible for:

1. Informing Wworkers that they are responsible for safeguarding their passwords and other Aauthentication methods.

2. Informing Wworkers that they shall not share their Aagency accounts, passwords, personal identification numbers, security tokens, smart cards, identification badges, or other devices used for identification and Aauthentication purposes.

3. Informing Wworkers that use, or oversee or manage Wworkers that use, IT equipment that they shall report suspected unauthorized activity, in accordance with Aagency-established Iincident reporting procedures.

4. Informing Uusers that they shall take precautions that are appropriate to protect IT Rresources in their possession from loss, theft, tampering, unauthorized access, and damage. Consideration will be given to the impact that may result if the IT Rresource is lost, and safety issues relevant to protections identified in this subsection.

5. Informing Uusers of the extent that they will be held accountable for their activities.

6. Informing Wworkers that they have no reasonable expectation of privacy with respect to Aagency-owned or Aagency-managed IT Rresources.

7. Ensuring that monitoring, network sniffing, and related security activities are only to be performed by Wworkers who have been assigned security-related responsibilities either via their approved position descriptions or tasks assigned to them.

8. Appointing an Information Security Manager (ISM). Agency responsibilities related to the ISM include:

a. Notifying FL[DS] the Department of Management Services (DMS) of ISM designations appointments and redesignations reappointments.

b. No change.

c. Establishing an information security program that includes information security policies, procedures, standards, and guidelines; an information security awareness program; an information security risk management process, including the comprehensive Rrisk Aassessment required by sSection 282.318, F.S.; a Cybersecurity Computer Security Incident Response Team; and a disaster recovery program that aligns with the Aagency’s Continuity of Operations (COOP) Plan.

d. Each Aagency ISM shall be responsible for the information security program plan.

9. Performing background checks and ensuring that a background investigation is performed on all individuals hired as IT Wworkers with access to information processing facilities, or who have system, database, developer, network, or other administrative capabilities for systems, applications, or servers with risk categorization of moderate-impact or higher. See paragraph 60GG-2.002(4)(a), F.A.C. These positions often, if not always, have privileged access. As such, in addition to Aagency-required background screening, background checks conducted by Aagencies shall include a federal criminal history check that screens for felony convictions that concern or involve the following:

a. through g. No change.

Each Aagency shall establish appointment selection disqualifying criteria for individuals hired as IT Wworkers that will have access to information processing facilities, or who have system, database, developer, network, or other administrative capabilities for systems, applications, or servers with risk categorization of moderate-impact or higher.

(2) Business Environment. Each Aagency’s cybersecurity roles, responsibilities, and IT risk management decisions shall align with the Aagency’s mission, objectives, and activities. To accomplish this, Aagencies shall:

(a) Identify and communicate the Aagency’s role in the business mission of the state (ID.BE-1).

(b) Identify and communicate the Aagency’s place in Ccritical Iinfrastructure and its Iindustry Ssector to inform internal Sstakeholders of IT strategy and direction (ID.BE-2).

(c) Establish and communicate priorities for Aagency mission, objectives, and activities (ID.BE-3).

(d) through (e) No change.

(3) Governance. Each Aagency shall establish policies, procedures, and processes to manage and monitor the Aagency’s operational IT requirements based on the Aagency’s assessment of risk. Procedures shall address providing timely notification to management of cybersecurity risks. Agencies shall also:

(a) No change.

(b) Coordinate and align cybersecurity roles and responsibilities with internal roles and Eexternal Ppartners (ID.GV-2).

(c) through (d) No change.

(4) Risk Assessment.

(a) Approach. Each Aagency shall identify and manage the cybersecurity risk to Aagency operations (including mission, functions, image, or reputation), Aagency assets, and individuals using the following approach derived that derives from the NIST Risk Management Framework (RMF) which may be found at: http://csrc.nist.gov/groups/SMA/fisma/framework.html. The Risk Assessment steps provided in the table below must be followed; however, Aagencies may identify and, based on the risk to be managed, consider other Rrisk Aassessment security control requirements and frequency of activities necessary to manage the risk at issue.

Agencies are required to consider the following security objectives when assessing risk and determining what kind of assessment is required and when or how often an assessment is to occur: confidentiality, integrity, and availability. When determining the potential impact to these security objectives Aagencies will use the following table, taken from the Federal Information Processing Standards (FIPS) Publication No. 199 (February 2004), which is hereby incorporated into this rule by reference and may be found at [insert new FAR link]: http://www.flrules.org/Gateway/reference.asp?No=Ref-06498.

In accordance with sSection 282.318(4)(d), F.S., each Aagency shall complete and submit to FL[DS] DMS no later than July 31, 2017, and every three years thereafter, a comprehensive Rrisk Aassessment. In completing the Rrisk Aassessment, Aagencies shall follow the six-step process (“Conducting the Risk Assessment”) outlined in Section 3.2 of NIST Special Publication 800-30, utilizing the exemplary tables provided therein as applicable to address that particular Aagency’s Tthreat situation. NIST Special Publication 800-30, Guide for Conducting Risk Assessments, Revision 1 (September 2012) is hereby incorporated by reference and may be found at: http://www.flrules.org/Gateway/reference.asp?No=Ref-06499. When establishing risk management processes, it may be helpful for Aagencies to review NIST Risk Management Framework Special Publications – they can be downloaded from the following website: http://csrc.nist.gov/publications/PubsSPs.html. When assessing risk, Aagencies shall estimate the magnitude of harm resulting from unauthorized access, unauthorized modification or destruction, or loss of availability of a resource. Estimates shall be documented as low-impact, moderate-impact, or high-impact relative to the security objectives of confidentiality, integrity, and availability.

(b) Other Aagency risk management activities that Aagencies shall perform:

1. No change.

2. Receive and manage cyber Tthreat intelligence from information sharing forums and sources that contain information relevant to the risks or Tthreats (ID.RA-2).

3. Identify and document internal and external Tthreats (ID.RA-3).

4. No change.

5. Use Tthreats, vulnerabilities, likelihoods, and impacts to determine risk (ID.RA-5).

6. No change.

(5) Risk Management. Each Aagency shall ensure that the organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. Each Aagency shall:

(a) Establish risk management processes that are managed and agreed to by Aagency Sstakeholders and the Aagency head (ID.RM-1).

1. Establish a risk steering workgroup that ensures risk management processes are authorized by Aagency Sstakeholders. The risk steering workgroup must include a member of the Aagency IT unit and shall determine the appropriate meeting frequency and Aagency Sstakeholders.

(b) Identify and clearly document organizational risk tolerance based on the confidential and exempt nature of the data created, received, maintained, or transmitted by the Aagency; by the Aagency’s role in Ccritical Iinfrastructure and sector specific analysis (ID.RM-2).

(c) Determine risk tolerance as necessary, based upon: analysis of sector specific risks,; the Aagency’s Iindustry Ssector; Aagency-specific risks (e.g., Health Information Portability Accountability Act of 1996 compliance for Aagencies that maintain this information),; and the Aagency’s role in the state’s mission (ID.RM-3).

(d) No change.

(e) Identify the IT issues IT staff must address during procurement activities (e.g., system hardening, logging, performance, service availability, Iincident notification, and recovery expectations).

(f) Implement appropriate security controls for software applications obtained, purchased, leased, or developed to minimize risks to the confidentiality, integrity, and availability of the application, its data, and other IT Rresources.

(g) Prior to introducing new IT Rresources or modifying current IT Rresources, perform an impact analysis. The purpose of this analysis is to assess the effects of the technology or modifications on the existing environment. Validate that IT Rresources conform to Aagency standard configurations prior to implementation into the production environment.

(6) Supply Chain Risk Management. Each Aagency shall establish priorities, constraints, risk tolerances, and assumptions to support risk decisions associated with managing supply chain risk. Each Aagency shall:

(a) Establish management processes to identify, establish, assess, and manage cyber supply chain risks which are agreed to by organizational Sstakeholders (ID.SC-1).

(b) Identify, prioritize, and assess Ssuppliers and third-party providers of information systems, components, and services using a cyber supply chain risk assessment process (ID.SC-2).

(c) Require Ssuppliers and third-party providers (by contractual agreement when necessary) to implement appropriate measures designed to meet the objectives of the organization’s information security program or cyber supply chain risk management plan (ID.SC-3).

(d) Routinely assess Ssuppliers and third-party providers to confirm that they are meeting their contractual obligations by conducting reviews of audits, summaries of test results, or other equivalent evaluations of Ssuppliers/providers (ID.SC-4).

(e) Conduct response and recovery planning and testing with Ssuppliers and third-party providers (ID.SC-5).

Rulemaking Authority 282.318(11) FS. Law Implemented 282.318(3) FS. History‒New 3-16-16, Amended 2-5-19, Formerly 74-2.002,           .

60GG-2.003 Protect.

The protect function of the SFCS is visually represented as such:

(1) Access Control. Each Aagency shall ensure that access to IT Rresources is limited to authorized Uusers, processes, or devices, and to authorized activities and transactions. Specifically:

(a) Each Aagency shall manage identities and credentials for authorized devices and Uusers (PR.AC-1). Control measures shall, at a minimum include authentication token(s) unique to the individual.

Agencies shall:

1. Require that all Aagency-owned or approved computing devices, including Mmobile Ddevices, use unique Uuser Aauthentication.

2. Require Uusers to log off or lock their workstations prior to leaving the work area.

3. No change.

4. Locked workstations or sessions must be locked in a way that requires Uuser Aauthentication with an authentication token(s) unique to the individual Uuser to disengage.

5. When passwords are used as the sole authentication token, require Uusers to use Ccomplex Ppasswords that are changed at least every 90 days.

6. No change.

7. Establish access disablement and notification timeframes for Wworker separations. The Aagency will identify the appropriate person in the IT unit to receive notification. Notification timeframes shall consider risks associated with system access post-separation.

8. Ensure IT access is removed when the IT Rresource is no longer required.

9. Require multi-factor authentication (MFA) for access to networks or applications that have a categorization of moderate, high, or contain exempt, or confidential and exempt, information. This excludes externally hosted systems designed to deliver services to Aagency Ccustomers where the Aagency documents the analysis and the risk steering workgroup accepts the associated risk.

10. Require MFA for access to Pprivileged Aaccounts.

(b) Each Aagency shall manage and protect physical access to assets (PR.AC-2). In doing so, Aagency security procedures or controls shall:

1. Address protection of IT Rresources from environmental hazards (e.g., temperature, humidity, air movement, dust, and faulty power) in accordance with manufacturer specifications.

2. No change.

3. Identify physical controls that are appropriate for the size and criticality of the IT Rresources.

4. through 5. No change.

6. Address how the Aagency will protect network integrity by incorporating network segregation.

(c) Each Aagency shall manage Rremote Aaccess (PR.AC-3). In doing so, Aagencies shall:

1. Address how the Aagency will securely manage and document Rremote Aaccess.

2. Specify that only secure, Aagency-managed, Rremote Aaccess methods may be used to remotely connect computing devices to the Aagency internal network.

3. For systems containing exempt, or confidential and exempt data, ensure written agreements and procedures are in place to ensure security for sharing, handling or storing confidential data with entities outside the Aagency.

(d) Each Aagency shall ensure that access permissions and authorizations, are managed, incorporating the principles of least privilege and Sseparation of Dduties (PR.AC-4). In doing so, Aagencies shall:

1. No change.

2. Manage access permissions by incorporating the principles of “least privilege” and “Sseparation of Dduties.”

3. Specify that all Wworkers be granted access to Aagency IT Rresources based on the principles of “least privilege” and “need to know determination.”

4. No change.

(e) Each Aagency shall ensure that network integrity is protected, incorporating network segregation and segmentation where appropriate (PR.AC-5).

(f) No change.

(g) Authenticate Uusers, devices, and other assets commensurate with the risk of the transaction (PR.AC-7).

(2) Awareness and Training. Agencies shall provide all their Wworkers cybersecurity awareness education and training so as to ensure they perform their cybersecurity related duties and responsibilities consistent with Aagency policies and procedures. In doing so, each Aagency shall:

(a) Inform and train all Wworkers (PR.AT-1).

(b) Ensure that Pprivileged Uusers understand their roles and responsibilities (PR.AT-2).

(c) Ensure that third-party Sstakeholders understand their roles and responsibilities (PR.AT-3).

(d) through (e) No change.

(3) For each of the above subsections the following shall also be addressed:

(a) Appoint a Wworker to coordinate the Aagency information security awareness program. If an IT security Wworker does not coordinate the security awareness program, they shall be consulted for content development purposes. Agencies will ensure that all Wworkers (including volunteer workers) are clearly notified of applicable obligations, established via Aagency policies, to maintain compliance with such controls.

(b) No change.

(c) Provide training to Wworkers within 30 days of start date.

(d) Include security policy adherence expectations for the following, at a minimum: disciplinary procedures and implications, acceptable use restrictions, data handling (procedures for handling exempt and confidential and exempt information), telework and Ccybersecurity Iincident reporting procedures. Incident reporting procedures shall:

1. Establish requirements for Wworkers to immediately report loss of Mmobile Ddevices, security tokens, smart cards, identification badges, or other devices used for identification and Aauthentication purposes according to Aagency reporting procedures.

(e) Where technology permits, provide training prior to system access. For specialized Aagency Wworkers (e.g., law enforcement officers) who are required to receive extended off-site training prior to reporting to their permanent duty stations, initial security awareness training shall be provided within 30 days of the date they report to their permanent duty station.

(f) Require, prior to access, Wworkers verify in writing that they will comply with Aagency IT security policies and procedures.

(g) Document parameters that govern personal use of Aagency IT Rresources and define what constitutes personal use. Personal use, if allowed by the Aagency, shall not interfere with the normal performance of any Wworker’s duties, or consume significant or unreasonable amounts of state IT Rresources (e.g., bandwidth, storage).

(h) Inform Wworkers of what constitutes inappropriate use of IT Rresources. Inappropriate use shall include, but may not be limited to, the following:

1. Distribution of Mmalware.

2. through 10. No change.

(4) Data Security. Each Aagency shall manage and protect records and data, including Ddata-at-rest, consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. Agencies shall establish procedures, and develop and maintain Aagency cryptographic implementations. Key management processes and procedures for cryptographic keys used for encryption of data will be fully documented and will cover key generation, distribution, storage, periodic changes, compromised key processes, and prevention of unauthorized substitution. Also, key management processes must be in place and verified prior to encrypting data at rest, to prevent data loss and support availability. In protecting data security, Aagencies shall:

(a) Protect Ddata-at-rest by establishing (PR.DS-1):

1. Procedures that ensure only Aagency-owned or approved IT Rresources are used to store confidential or exempt information.

2. Procedures that ensure Aagency-owned or approved portable IT Rresources containing confidential or mission critical data are encrypted.

3. Procedures that ensure Aagency-owned or approved portable IT Rresources that connect to the Aagency internal network use Aagency-managed security software.

4. Inform Uusers not to store unique copies of Aagency data on workstations or Mmobile Ddevices.

(b) Protect data-in-transit (PR.DS-2). Each Aagency shall:

1. Encrypt confidential and exempt information during transmission, except when the transport medium is owned or managed by the Aagency and controls are in place to protect the data during transit.

2. Ensure that wireless transmissions of Aagency data employ cryptography for Aauthentication and transmission.

3. No change.

4. Encrypt mobile IT Rresources that store, process, or transmit exempt, or confidential and exempt Aagency data.

(c) Formally manage assets throughout removal, transfer, and disposition (PR.DS-3).

1. through 2. No change.

3. Document procedures for sanitization of Aagency-owned IT Rresources prior to reassignment or disposal.

4. No change.

(d) No change.

1. through 2. No change.

(e) Implement protections against data leaks or unauthorized data disclosures by establishing policies and procedures that address (PR.DS-5):

1. Appropriate handling and protection of exempt, and confidential and exempt, information. Policies shall be reviewed and acknowledged by all Wworkers.

2. No change.

3. Access agreements for Aagency information systems.

4. through 5. No change.

(f) through (g) No change.

(h) Use integrity checking mechanisms to verify hardware integrity (PR.DS-8). In doing so, Aagencies shall establish processes to protect against and/or detect unauthorized changes to hardware used to support systems with a categorization of high-impact.

(5) Information Protection Processes and Procedures. Each Aagency shall ensure that security policies, processes and procedures are maintained and used to manage protection of information systems and assets. Such policies, processes and procedures shall:

(a) Include a current baseline configuration of information systems which incorporate security principles (PR.IP-1). Baselines shall:

1. through 2. No Change.

3. Require that vendor default settings, posing security risks, are changed or disabled for Aagency-owned or managed IT Rresources, including encryption keys, accounts, passwords, and SNMP (Simple Network Management Protocol) community strings, and ensure device security settings are enabled where appropriate.

4. Allow only Aagency-approved software to be installed on Aagency-owned IT Rresources.

(b) Establish a System Development Life Cycle (SDLC) to manage system implementation and maintenance (PR.IP-2). In doing so, Aagencies shall:

1. No change.

2. Ensure security reviews are approved by the ISM and Chief Information Officer (or designee) before new or modified applications or technologies are moved into production. For IT Rresources housed in a state data center, the security review shall also be approved by the data center before the new or modified applications or technologies are moved into production.

3. The application development team at each Aagency shall implement appropriate security controls to minimize risks to Aagency IT resources and meet the security requirements of the application owner. Agencies will identify in their policies, processes and procedures the security coding guidelines the Aagency will follow when obtaining, purchasing, leasing or developing software.

4. Where technology permits, the Aagency shall ensure anti-Mmalware software is maintained on Aagency IT Rresources.

(c) Establish a configuration change control process to manage upgrades and modifications to existing IT Rresources (PR.IP-3). In doing so, Aagencies shall:

1. through 6. No change.

(d) No change.

(e) Establish policy and regulatory expectations for protection of the physical operating environment for Aagency-owned or managed IT Rresources (PR.IP-5).

(f) No change.

(g) Establish a policy and procedure review process that facilitates continuous improvement to protection processes (PR.IP-7). Each Aagency shall:

1. through 2. No change.

3. Ensure system security plans are confidential per sSection 282.318, F.S., and shall be available to the Aagency ISM.

4. Require that each Aagency application or system with a categorization of moderate-impact or higher have a documented system security plan (SSP). For existing production systems that lack a SSP, a Rrisk Aassessment shall be performed to determine prioritization of subsequent documentation efforts. The SSP shall include provisions that:

(I) Align the system with the Aagency’s enterprise architecture.

(II) through (VII) No change.

5. Require Iinformation Ssystem Oowners (ISOs) to define application security-related business requirements using role-based access controls and rule-based security policies where technology permits.

6. Require ISOs to establish and authorize the types of privileges and access rights appropriate to system Uusers, both internal and external.

7. Create procedures to address inspection of content stored, processed or transmitted on Aagency-owned or managed IT Rresources, including attached Rremovable Mmedia. Inspection shall be performed where authorization has been provided by Sstakeholders that should or must receive this information.

8. Establish parameters for Aagency-managed devices that prohibit installation (without Wworker consent) of clients that allow the Aagency to inspect private partitions or personal data.

9. No change.

10. Establish controls that prohibit a single individual from having the ability to complete all steps in a transaction or control all stages of a Ccritical Pprocess.

11. Require Aagency information owners to identify exempt, and confidential and exempt information in their systems.

(h) Ensure that effectiveness of protection technologies is shared with Sstakeholders that should or must receive this information (PR.IP-8).

(i) No change.

(j) Establish a procedure that ensures that Aagency response and recovery plans are regularly tested (PR.IP-10).

(k) No change.

(l) Each Aagency shall develop and implement a vulnerability management plan (PR.IP-12).

(6) Maintenance. Each Aagency shall perform maintenance and repairs of information systems and components consistent with Aagency-developed policies and procedures. Each Aagency shall:

(a) Perform and log maintenance and repair of IT Rresources, with tools that have been approved and are administered by the Aagency to be used for such activities (PR.MA-1).

(b) Approve, encrypt, log and perform remote maintenance of IT Rresources in a manner that prevents unauthorized access (PR.MA-2).

(c) Not engage in new development of custom authenticators. Agencies assess the feasibility of replacing Aagency-developed authenticators in Llegacy Aapplications.

(7) Protective Technology. Each Aagency shall ensure that technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. Specifically, each Aagency shall:

(a) Determine and document required audit/log records, implement logging of audit records, and protect and review logs in accordance with Aagency-developed policy. Agency-developed policy shall be based on resource criticality. Where possible, ensure that electronic audit records allow actions of Uusers to be uniquely traced to those Uusers so they can be held accountable for their actions. Maintain logs identifying where access to exempt, or confidential and exempt data was permitted. The logs shall support unique identification of individuals and permit an audit of the logs to trace activities through the system, including the capability to determine the exact confidential or exempt data accessed, acquired, viewed or transmitted by the individual (PR.PT-1).

(b) Protect and restrict Rremovable Mmedia in accordance with Aagency-developed information security policy (PR.PT-2).

(c) No change.

(d) Protect communications and control networks by establishing perimeter security measures to prevent unauthorized connections to Aagency IT Rresources (PR.PT-4). Agencies shall:

1. through 2. No change.

(e) No change.

Rulemaking Authority 282.318(11) FS. Law Implemented 282.318(3) FS. History‒New 3-10-16, Amended 1-2-19, Formerly 74-2.003,           .

60GG-2.004 Detect.

The detect function of the SFCS is visually represented as such:

(1) Anomalies and Events. Each Aagency shall develop policies and procedures that will facilitate detection of anomalous activity and that allow the Aagency to understand the potential impact of events.

Such policies and procedures shall:

(a) Establish and manage a baseline of network operations and expected data flows for Uusers and systems (DE.AE-1).

(b) Detect and analyze anomalous Ccybersecurity Eevents to determine attack targets and methods (DE.AE-2).

1. Monitor for unauthorized wireless access points connected to the Aagency internal network, and immediately remove them upon detection.

2. No change.

(c) Collect and correlate Ccybersecurity Eevent data from multiple sources and sensors (DE.AE-3).

(d) Determine the impact of Ccybersecurity Eevents (DE.AE-4).

(e) Establish Iincident alert thresholds (DE.AE-5).

(2) Security Continuous Monitoring. Each Aagency shall determine the appropriate level of monitoring that will occur regarding IT Rresources necessary to identify Ccybersecurity Eevents and verify the effectiveness of protective measures. Such activities shall include:

(a) Monitoring the network to detect potential Ccybersecurity Eevents (DE.CM-1).

(b) Monitoring for unauthorized IT Rresource connections to the internal Aagency network.

(c) Monitoring the physical environment to detect potential Ccybersecurity Eevents (DE.CM-2).

(d) Monitoring Uuser activity to detect potential Ccybersecurity Eevents (DE.CM-3).

(e) through (f) No change.

(g) Monitoring external service provider activity to detect potential Ccybersecurity Eevents (DE.CM-6).

(h) through (i) No change.

(3) Detection Processes. Each Aagency shall maintain and test detection processes and procedures to ensure awareness of anomalous events. These procedures shall be based on assigned risk and include the following:

(a) through (c) No change.

(d) Communicating event detection information to Sstakeholders that should or must receive this information (DE.DP-4).

(e) No change.

Rulemaking Authority 282.318(11) FS. Law Implemented 282.318(3) FS. History‒New 3-10-16, Amended 1-2-19, Formerly 74-2.004,           .

60GG-2.005 Respond.

The respond function of the SFCS is visually represented as such:

(1) Response Planning. Each Aagency shall establish and maintain response processes and procedures and validate execution capability to ensure Aagency response for detected Ccybersecurity Iincidents. Each Aagency shall execute a response plan during or after an Iincident (RS.RP-1).

(a) Agencies shall establish a cybersecurity Computer Security Iincident Rresponse Tteam (CSIRT) to respond to Ccybersecurity Iincidents. CSIRT members shall convene immediately, upon notice of Ccybersecurity Iincidents. Responsibilities of CSIRT members include:

1. No change.

2. Receiving Iincident response training annually. Training shall be coordinated as a part of the information security program.

3. CSIRT membership shall include, at a minimum, a member from the cybersecurity information security team, the CIO (or designee), and a member from the Inspector General’s Office who shall act in an advisory capacity. The CSIRT team shall report findings to Aagency management.

4. The CSIRT shall determine the appropriate response required for each Ccybersecurity Iincident.

5. The Aagency Cybersecurity security Iincident reporting process must include notification procedures, established pursuant to sSection 501.171, F.S., sSection 282.318, F.S., and as specified in executed agreements with external parties. For reporting Iincidents to FL[DS] DMS and the Cybercrime Office (as established within the Florida Department of Law Enforcement and in accordance with via sSection 943.0415, F.S.), Aagencies shall report observed Iincident indicators to FL[DS] via the DMS Incident Reporting Portal to provide early warning and proactive response capability to other State of Florida agencies. Such indicators may include any known attacker IP addresses, malicious uniform resource locator (URL) addresses, malicious code file names and/or associated file hash values.

(2) Communications. Each Aagency shall coordinate response activities with internal and external Sstakeholders, as appropriate, to include external support from law enforcement Aagencies. Each Aagency shall:

(a) Inform Wworkers of their roles and order of operations when a response is needed (RS.CO-1).

(b) Require that Iincidents be reported consistent with established criteria and in accordance with Aagency Iincident reporting procedures. Criteria shall require immediate reporting, including instances of lost identification and Aauthentication resources (RS.CO-2).

(c) No change.

(d) Coordinate with Sstakeholders, consistent with response plans (RS.CO-4).

(e) Establish communications with external Sstakeholders to share and receive information to achieve broader cybersecurity situational awareness (RS.CO-5). Where technology permits, enable automated security alerts. Establish processes to receive, assess, and act upon security advisories.

(3) Analysis. Each Aagency shall conduct analysis to adequately respond and support recovery activities. Related activities include:

(a) Each Aagency shall establish notification thresholds and investigate notifications from detection systems (RS.AN-1).

(b) Each Aagency shall assess and identify the impact of Iincidents (RS.AN-2).

(c) Each Aagency shall perform forensics, where deemed appropriate (RS.AN-3).

(d) Each Aagency shall categorize Iincidents, consistent with response plans (RS.AN-4). Each Iincident report and analysis, including findings and corrective actions, shall be documented.

(e) No change.

(4) Mitigation. Each Aagency shall perform Iincident mitigation activities. The objective of Iincident mitigation activities shall be to: attempt to contain and prevent recurrence of Iincidents (RS.MI-1); mitigate Iincident effects and resolve the Iincident (RS.MI-2); and address vulnerabilities or document as accepted risks.

(5) Improvements. Each Aagency shall improve organizational response activities by incorporating lessons learned from current and previous detection/response activities into response plans (RS.IM-1). Agencies shall update response strategies in accordance with Aagency-established policy (RS.IM-2).

Rulemaking Authority 282.318(11) FS. Law Implemented 282.318(3) FS. History‒New 3-10-16, Amended 1-2-19, Formerly 74-2.005,           .

60GG-2.006 Recover.

The recover function of the SFCS is visually represented as such:

(1) Recovery Planning. Each Aagency shall execute and maintain recovery processes and procedures to ensure restoration of systems or assets affected by Ccybersecurity Iincidents. Each Aagency shall:

(a) Execute a recovery plan during or after an Iincident (RC.RP-1).

(b) Mirror data and software, essential to the continued operation of critical Aagency functions, to an off-site location or regularly back up a current copy and store at an off-site location.

(c) Develop procedures to prevent loss of data, and ensure that Aagency data, including unique copies, are backed up.

(d) Document disaster recovery plans that address protection of critical IT Rresources and provide for the continuation of critical Aagency functions in the event of a disaster. Plans shall address shared resource systems, which require special consideration, when interdependencies may affect continuity of critical Aagency functions.

(e) No change.

(2) Improvements. Each Aagency shall improve recovery planning and processes by incorporating lessons learned into future activities. Such activities shall include:

(a) through (b) No change.

(3) Communications. Each Aagency shall coordinate restoration activities with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors. Such activities shall include:

(a) through (b) No change.

(c) Communicating recovery activities to Sstakeholders, internal and external where appropriate (RC.CO-3) ,           .

Rulemaking Authority 282.318(11) FS. Law Implemented 282.318(3) FS. History‒New 3-10-16, Amended 1-2-19, Formerly 74-2.006.

NAME OF PERSON ORIGINATING PROPOSED RULE: Jamie Grant, State Chief Information Officer, Florida Digital Service

NAME OF AGENCY HEAD WHO APPROVED THE PROPOSED RULE: J. Todd Inman, Secretary, Department of Management Services

DATE PROPOSED RULE APPROVED BY AGENCY HEAD: May 20, 2022

DATE NOTICE OF PROPOSED RULE DEVELOPMENT PUBLISHED IN FAR: November 1, 2021