RULE NO.: 74-2.002
RULE TITLE: Identify
NOTICE OF CHANGE
Notice is hereby given that the following changes have been made to the proposed rule in accordance with subparagraph 120.54(3)(d)1., F.S., published in Vol. 44 No. 183, September 19, 2018 issue of the Florida Administrative Register.
74-2.002 Identify.
(1) through (3), No change.
(4) Risk Assessment.
(a) Approach. Each agency shall identify and manage the cybersecurity risk to agency operations (including mission, functions, image, or reputation), agency assets, and individuals using the following approach, which derives from the NIST Risk Management Framework (RMF), which is hereby incorporated by reference and may be found at: http://csrc.nist.gov/groups/SMA/fisma/framework.html (rev. 9/11/2018). The Risk Assessment steps provided in the table below must be followed; however, agencies may identify and, based on the risk to be managed, consider other risk assessment security control requirements and frequencies of activities necessary to manage the risk at issue.
In accordance with section 282.318(4)(d), F.S., each agency shall complete and submit to AST no later than July 31, 2017, and every three years thereafter, a comprehensive risk assessment. In completing the risk assessment, agencies shall follow the six-step process (“Conducting the Risk Assessment”) outlined in Section 3.2 of NIST Special Publication 800-30, utilizing the exemplary tables provided therein as applicable to address that particular agency’s threat situation. NIST Special Publication 800-30, Guide for Conducting Risk Assessments, Revision 1 (September 2012) is hereby incorporated by reference and may be found at: http://www.flrules.org/Gateway/reference.asp?No=Ref-06499. When establishing risk management processes, it may be helpful for agencies to review NIST Risk Management Framework Special Publications – they can be downloaded from the following website: http://csrc.nist.gov/publications/PubsSPs.html. When assessing risk, agencies shall estimate the magnitude of harm resulting from unauthorized access, unauthorized modification or destruction, or loss of availability of a resource. Estimates shall be documented as low-impact, moderate-impact, or high-impact relative to the security objectives of confidentiality, integrity, and availability.
(b) No change.
(5) through (6), No change.