To update language and clarify information technology security guidelines and requirements.  

AGENCY FOR STATE TECHNOLOGY

RULE NOS.:RULE TITLES:

74-2.001Purpose and Applicability; Definitions

74-2.002Identify

74-2.003Protect

74-2.004Detect

74-2.005Respond

74-2.006Recover

Form AST 100, Florida Enterprise Information Security Risk Assessment Survey

PURPOSE AND EFFECT: To update language and clarify information technology security guidelines and requirements.

SUMMARY: Update language and clarify information technology guidelines and requirements.

SUMMARY OF STATEMENT OF ESTIMATED REGULATORY COSTS AND LEGISLATIVE RATIFICATION:

The Agency has determined that this will not have an adverse impact on small business or likely increase directly or indirectly regulatory costs in excess of $200,000 in the aggregate within one year after the implementation of the rule. A SERC has not been prepared by the Agency. The Agency has determined that the proposed rule is not expected to require legislative ratification based on the statement of estimated regulatory costs or if no SERC is required, the information expressly relied upon and described herein: the economic review conducted by the Agency.

Any person who wishes to provide information regarding a statement of estimated regulatory costs, or provide a proposal for a lower cost regulatory alternative must do so in writing within 21 days of this notice.

RULEMAKING AUTHORITY: 282.318(5) FS.

LAW IMPLEMENTED: 282.318(3) FS.

A HEARING WILL BE HELD AT THE DATE, TIME AND PLACE SHOWN BELOW:

DATE AND TIME: November 13, 2015, 9:00 a.m.

PLACE: First District Court of Appeal, 2000 Drayton Drive, Room 1183, Tallahassee, Florida 32399

Pursuant to the provisions of the Americans with Disabilities Act, any person requiring special accommodations or persons who require translation services is asked to advise the agency at least five days before the workshop/meeting by contacting:  Danielle Alvarez at (850)412-6049 or at danielle.alvarez@ast.myflorida.com. If you are hearing or speech impaired, please contact the agency using the Florida Relay Service, 1(800)955-8771 (TDD) or 1(800)955-8770 (voice).

THE PERSON TO BE CONTACTED REGARDING THE PROPOSED RULE IS: Danielle Alvarez at (850)412-6049 or at danielle.alvarez@ast.myflorida.com

THE FULL TEXT OF THE PROPOSED RULE IS:

74-2.001 Purpose and Applicability; Definitions

(1) Purpose and Applicability.

(a) Rules 74-2.001, F.A.C., through 74-2.006, F.A.C., will be known as the Florida Cybersecurity Standards (FCS).

(b) This Rule establishes cybersecurity standards for information technology (IT) resources. These standards are documented in Rules 74-2.001, F.A.C., through 74-2.006, F.A.C. State Agencies must comply with these standards in the management and operation of state IT resources. This rule is modeled after the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, February 12, 2014, and the Federal Information Security Management Act of 2002 (44 U.S.C. § 3541, et seq.). For the convenience of the reader cross-references to these documents and Special Publications issued by the NIST are provided throughout the FCS as they may be helpful to agencies when drafting their security procedures. The Florida Cybersecurity Standards:

1. Establish minimum standards to be used by state agencies to secure IT resources. The FCS consist of five high-level functions: Identify, Protect, Detect, Respond, and Recover. These functions support lifecycle management of IT risk. The functions identify underlying key categories and subcategories for each function. Subcategories contain specific IT controls. The FCS is visually represented as follows:

Category Unique Identifier subcategory references are detailed in rules 74-2.002 – 74-2.006 below, and are used throughout the FCS as applicable.

2. Define minimum management, operational, and technical security controls to be used by state agencies to secure IT resources.

3. Allow authorizing officials to employ compensating security controls or deviate from minimum standards when the agency is unable to implement a security standard or the standard is not cost-effective due to the specific nature of a system or its environment. After the agency analyzes the issue and related risk a compensating security control or deviation may be employed if the agency documents the analysis and risk steering workgroup accepts the associated risk. This documentation is exempt from Section 119.07(1), F.S., pursuant to Section 282.318 (4)(f), F.S, and shall be securely submitted to AST upon acceptance.

(2) Each agency shall:

(a) Perform an assessment that documents the gaps between requirements of this rule and controls that are in place.

(b) Submit the assessment to AST with the agency’s strategic and operational plan.

(c) Annually update the assessment to reflect progress toward compliance with this rule.

(3) Definitions.

(a) The following terms are defined:

1. Agency – shall have the same meaning as state agency, as provided in Section 282.0041, F.S., except that, per Section 282.318(2), F.S., the term also includes the Department of Legal Affairs, the Department of Agriculture and Consumer Services, and the Department of Financial Services.

2. Agency-owned (also agency-managed) – any device, service, or technology owned, leased, or managed by the agency for which an agency through ownership, configuration management, or contract has established the right to manage security configurations, including provisioning, access control, and data management.

3. Breach – see Section 282.0041(2), F.S.

4. Compensating security controls – A management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a required security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an IT resource.

5. Confidential information – records that, pursuant to Florida’s public records laws or other controlling law, are exempt from public disclosure.

6. Critical process – a process that is susceptible to fraud, cyberattack, unauthorized activity, or seriously impacting an agency’s mission.

7. Customer – an entity in receipt of services or information rendered by a state agency.  This term does not include state agencies with regard to information sharing activities.  

8. External partners – non-state agency entities doing business with a state agency, including other governmental entities, third parties, contractors, vendors, suppliers and partners. External partners does not include customers.

9. Information Security Manager (ISM) – the person appointed pursuant Section 282.318(4)(a), F.S.

10. Information system owner – the agency official responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system.

11. Information technology resources (IT resources) – a broad term that describes a set of technology-related assets. While in some cases the term may include services and maintenance, as used in this rule, the term means computer hardware, software, networks, devices, connections, applications, and data.

12. Personal information - see Section 501.171(1)(g)1., F.S.

13. Stakeholder – a person, group, organization, or state agency involved in or affected by a course of action related to state agency-owned IT resources.

14. User – a worker or non-worker who has been provided access to a system or data.

15. Workforce – employees, contractors, volunteers, trainees, and other persons whose conduct, in the performance of work for the agency, is under the direct control of the agency, whether or not they are paid by the agency (see User; Worker).

16. Worker – a member of the workforce. A worker may or may not use IT resources. This includes employees, contractors, volunteers, trainees, and other persons whose conduct, in the performance of work for the agency, is under the direct control of the agency, whether or not they are paid by the agency.

(b) With the exception of the terms identified below, the NIST Glossary of Key Information Security Terms, Revision 2, National Institute of Standards and Technology, U.S. Department of Commerce (May 2013), is hereby incorporated by reference into this rule for terms used herein:

1. Risk assessment – see Section 282.0041(18), F.S.

2. Continuity Of Operations Plan (COOP) – disaster-preparedness plans created pursuant to Section 252.365(3), F.S.

3. Incident – see Section 282.0041(10), F.S.

4. Threat – see Section 282.0041(26), F.S.

Rulemaking Authority § 282.318(5), Fla. Stat. (2015). Law Implemented § 282.318(3), Fla. Stat. (2015).

74-2.002 Identify

The identify function of the FCS is visually represented as such:

(1) Asset Management. Each agency shall ensure that IT resources are identified and managed. Identification and management shall be consistent with the IT resource’s relative importance to business objectives and the organization’s risk strategy.  Specifically, each agency shall:

(a) Ensure that physical devices and systems within the organization are inventoried and managed (ID.AM-1).

(b) Ensure that software platforms and applications within the organization are inventoried and managed (ID.AM-2).

(c) Ensure that organizational communication and data flows are mapped and systems are designed or configured to regulate information flow based on data classification (ID.AM-3). Each agency shall:

1. Establish procedures that ensure only agency-owned or approved IT resources are connected to the agency internal network and resources.

2. Design and document its information security architecture using a defense-in-depth approach. Design and documentation shall be assessed and updated periodically based on an agency-defined, risk-driven frequency that considers viable threat vectors.

3. Consider diverse suppliers, per NIST direction, when designing the information security architecture.

(d) Each agency shall ensure that interdependent external information systems are catalogued (ID.AM-4).  Agencies shall:

1. Verify or enforce required security controls on interconnected external IT resources in accordance with the information security policy or security plan.

2. Implement service level agreements for non-agency provided technology services to ensure appropriate security controls are established and maintained.

3. For non-interdependent external IT resources, execute information sharing or processing agreements with the entity receiving the shared information or hosting the external system in receipt of shared information.

4. Restrict or prohibit portable storage devices either by policy or a technology that enforces security controls for such devices.

5. Authorize and document inter-agency system connections.

6. Require external service providers adhere to agency security policies, document agency oversight expectations, and periodically monitor provider compliance.

(e) Each agency shall ensure that IT resources (hardware, devices and software) are categorized, prioritized, and documented based on their classification, criticality, and business value (ID.AM-5). Agencies shall:

1. Perform and document a criticality analysis for each categorized IT resource.

2. Designate an authorizing official for each categorized IT resource and document the authorizing official’s approval of the security categorization.

3. Create a contingency plan for each categorized IT resource. The contingency plan shall be based on resource classification and include documentation of cybersecurity roles and responsibilities.

4. Identify and maintain a reference list of exempt, and confidential and exempt agency information or software and the associated applicable state and federal statutes and rules.

(f) Establish cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., contractors, vendors, suppliers, users, customers, partners) (ID.AM-6). Each agency is responsible for:

1. Informing workers that they are responsible for safeguarding their passwords and other authentication methods.

2. Informing workers that they shall not share their agency accounts, passwords, personal identification numbers, security tokens, smart cards, identification badges, or other devices used for identification and authentication purposes.

3. Informing workers that they shall immediately report suspected unauthorized activity, in accordance with agency incident reporting procedures.

4. Informing users that they shall take reasonable precautions to protect IT resources in their possession from loss, theft, tampering, unauthorized access, and damage.

5. Informing users that they will be held accountable for their activities.

6. Informing workers that they have no reasonable expectation of privacy with respect to agency-owned or agency-managed IT resources.

7. Ensuring that monitoring, network sniffing, and related security activities are only to be performed by workers who have been assigned security-related responsibilities in their approved position descriptions.

8. Appointing an Information Security Manager (ISM). Agency responsibilities related to ISMs include:

a. Notifying the Agency for State Technology (AST) of ISM appointments and reappointments.

b. Specifying ISM responsibilities in the ISM’s position description.

c. Establishing an information security program that includes information security policies, procedures, standards, and guidelines; an information security awareness program; an information security risk management process, including the comprehensive risk assessment required by Section 282.318, F.S.; a Computer Security Incident Response Team; and a disaster recovery program that aligns with the agency’s Continuity of Operations (COOP) Plan.

d. Each agency ISM shall be responsible for the information security program plan.

9. Performing background checks and ensuring that a background investigation is performed on all individuals hired as IT workers with access to information processing facilities, or who have system, database, developer, network, or other administrative capabilities for systems, applications, or servers with risk categorization of moderate-impact or higher. See 74-2.002(4)(a), F.A.C. These positions often, if not always, have privileged access. As such, in addition to agency-required background screening, background checks conducted by agencies shall include a federal criminal history check that screens for felony convictions for the following disqualifying criteria:

a. Computer related or IT crimes;

b. Identity theft crimes;

c. Financially-related crimes, such as: fraudulent practices, false pretenses and frauds, credit card crimes;

d. Forgery and counterfeiting;

e. Violations involving checks and drafts;

f. Misuse of medical or personnel records; and

g. Theft.

(2) Business Environment. Each agency shall understand, prioritize, and document the agency’s mission; objectives; internal stakeholders; type of confidential and/or exempt data created, received, transmitted or maintained by the agency; and activities involving use or disclosure of that data. Agencies shall use this information to make risk management decisions related to IT security and inform agency employees delegated cybersecurity responsibilities and risk management duties. Each agency’s cybersecurity roles, responsibilities, and IT risk management decisions shall align with the agency’s mission, objectives, and activities. To accomplish this, agencies shall:

(a) Identify and communicate the agency’s role in the business mission of the state (ID.BE-1).

(b) Identify and communicate the agency’s place in critical infrastructure and its industry sector to inform internal stakeholders of IT strategy and direction (ID.BE-2).

(c) Establish and communicate priorities for agency mission, objectives, and activities (ID.BE-2).

(d) Identify dependencies and critical functions for delivery of critical services (ID.BE-2).

(e) Implement resiliency requirements to support the delivery of critical services (ID.BE-2).

(3) Governance. Each agency shall establish policies, procedures, and processes to manage and monitor the agency’s regulatory, legal, risk, environmental, and operational IT requirements. Procedures shall address providing timely notification to management of cybersecurity risks. Agencies shall also:

(a) Establish or adopt a comprehensive information security policy (ID.GV-1).

(b) Coordinate and align information security roles and responsibilities with internal roles and external partners (ID.GV-2).

(c) Document and manage legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations (ID.GV-3).

(d) Ensure governance and risk management processes address cybersecurity risks (ID.GV-4).

(4) Risk Assessment.

(a) Approach.  Each agency shall identify and manage the cybersecurity risk to agency operations (including mission, functions, image, or reputation), agency assets, and individuals using the following approach, which derives from the NIST Risk Management Framework (RMF):

Agencies are required to consider the following security objectives when assessing risk: confidentiality, integrity and availability. When determining the potential impact to these security objectives agencies will use the following table, taken from the Federal Information Processing Standards (FIPS) Publication No. 199 (February 2004):

In accordance with Section 282.318(4)(c), F.S., each agency shall complete and submit to AST no later than July 31, 2017, and every three years thereafter, the Florida Enterprise Information Security Risk Assessment Survey (Form # AST-100), which is hereby incorporated by reference. In completing the AST 100 form, agencies shall follow the six-step process (“Conducting the Risk Assessment”) outlined in Section 3.2 of NIST Special Publication 800-30, utilizing the exemplary tables provided therein as applicable to address the particular agency’s threat situation. NIST Special Publication 800-30, Guide for Conducting Risk Assessments, Revision 1 (September 2012) is hereby incorporated by reference. When establishing risk management processes may be helpful for agencies to review NIST RFM Special Publications – they can be downloaded from the following website: http://csrc.nist.gov/groups/SMA/fisma/framework.html, as can NIST Special Publication 800-30. When assessing risk agencies shall estimate the magnitude of harm resulting from unauthorized access, unauthorized modification or destruction, or loss of availability of a resource. Estimates shall be documented as low-impact, moderate-impact, or high-impact relative to the security objectives of confidentiality, integrity, and availability.

(b) Other agency risk management activities that agencies shall perform:

1. Identify and document asset vulnerabilities (ID.RA-1), business processes and protection requirements.  Establish procedures to analyze systems and applications to ensure security controls are effective and appropriate.

2. Receive and manage threat and vulnerability information from information sharing forums and sources (ID.RA-2).

3. Identify and document internal and external threats (ID.RA-3).

4. Identify potential business impacts and likelihoods (ID.RA-4).

5. Use threats, vulnerabilities, likelihoods, and impacts to determine risk (ID.RA-5).

6. Identify and prioritize risk responses, implement risk mitigation plans, and monitor and document plan implementation (ID.RA-6).

(5) Risk Management. Each agency shall ensure that the organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. Each agency shall:

(a) Establish risk management processes that are managed and agreed to by organizational stakeholders and the agency head (ID.RM-1).

1. Establish a risk management workgroup that ensures that risk management processes are authorized by agency stakeholders.

(b) Determine and clearly document organizational risk tolerance based on the confidential and exempt nature of the data created, received, maintained, or transmitted by the agency; by the agency’s role in critical infrastructure and sector specific analysis (ID.RM-2).

(c) Determine risk tolerance as informed by its role in the state’s mission and performance of a sector specific risk analysis (ID.RM-3).

(d) Establish parameters for IT staff participation in procurement activities.

(e) Identify the IT issues IT staff must address during procurement activities (e.g., system hardening, logging, performance, service availability, incident notification, and recovery expectations).

(f) Implement appropriate security controls for software applications obtained, purchased, leased, or developed to minimize risks to the confidentiality, integrity, and availability of the application, its data, and other IT resources.

(g) Prior to introducing new IT resources or modifying current IT resources, perform an impact analysis. The purpose of this analysis is to assess the effects of the technology or modifications on the existing environment. Validate that IT resources conform to agency standard configurations prior to implementation into the production environment.

Rulemaking Authority § 282.318(5), FS. (2015). Law Implemented § 282.318(3), FS. New_______,

74-2.003 Protect

The protect function of the FCS is visually represented as such:

(1) Access Control. Each agency shall ensure that access to IT resources is limited to authorized users, processes, or devices, and to authorized activities and transactions. Specifically:

(a) Each agency shall manage identities and credentials for authorized devices and users (PR.AC-1).  Control measures shall, at a minimum:

1. Require that all agency-owned or approved computing devices, including mobile devices, use unique user authentication.

2. Require users to log off or lock their workstations prior to leaving the work area.

3. Require inactivity timeouts that terminate or secure sessions with a complex password.

4. Secure workstations with a password-protected screensaver, set at no more than 15 minutes.

5. Force users to change their passwords at least every 30-90 days, based on assessed risk of the system.

6. Address responsibilities of information stewards that include administering access to systems and data based on the documented authorizations and facilitate periodic review of access rights with information owners. Frequency of reviews shall be based on system categorization or assessed risk.

7. Establish access disablement timeframes for worker separations. The IT function shall be notified within the established timeframes. Notification timeframes shall consider risks associated with system access post-separation.

8. Ensure IT access is removed when the IT resource is no longer required.

9. Consider the use of multi-factor authentication (MFA) for any application that has a categorization of moderate or contains confidential, or confidential and exempt information. This excludes externally hosted systems designed to deliver services to customers, where MFA is not necessary or viable.

10. Require MFA for any application that has a categorization of high or is administered by remote connection to the internal network.

11. Require MFA for network access to privileged accounts.

(b) Each agency shall manage and protect physical access to assets (PR.AC-2). In doing so, agency security procedures or controls shall:

1. Address protection of IT resources from environmental hazards (e.g., temperature, humidity, air movement, dust, and faulty power) in accordance with manufacturers’ specifications.

2. Implement procedures to manage physical access to IT facilities and/or equipment.

3. Identify physical controls that are appropriate for the size and criticality of the IT resources.

4. Specify physical access to central information resource facilities and/or equipment that is restricted to authorized personnel.

5. Detail visitor access protocols, including recordation procedures, and in locations housing systems categorized as moderate-impact or high-impact, require that visitors be supervised.

6. Address how the agency will protect network integrity by incorporating network segregation.

(c) Each agency shall manage remote access (PR.AC-3). In doing so, agencies shall:

1. Address how the agency will securely manage and document remote access.

2. Specify that only agency-managed, secure remote access methods may be used to remotely connect computing devices to the agency internal network.

3. For systems containing exempt, or confidential and exempt data, ensure written agreements and procedures are in place to ensure security for sharing, handling or storing confidential data with entities outside the agency.

(d) Each agency shall ensure that access permissions are managed, incorporating the principles of least privilege and separation of duties (PR.AC-4). In doing so, agencies shall:

1. Execute interconnection security agreements to authorize, document, and support continual management of inter-agency connected systems.

2. Manage access permissions by incorporating the principles of “least privilege” and “separation of duties.”

3. Specify that all workers be granted access to agency IT resources based on the principles of “least privilege” and “need to know.”

4. Specify that system administrators restrict and tightly control the use of system development utility programs that may be capable of overriding system and application controls.

(e) Each agency shall ensure that network integrity is protected, incorporating network segregation where appropriate (PR.AC-5).

(2) Awareness and Training. Agencies shall provide all their workers cybersecurity awareness education and training so as to ensure they perform their information security-related duties and responsibilities consistent with agency policies and procedures.  In doing so, each agency shall:

(a) Inform and train all workers (PR.AT-1).

(b) Ensure that privileged users understand their roles and responsibilities (PR.AT-2).

(c) Ensure that third-party stakeholders understand their roles and responsibilities (PR.AT-3).

(d) Ensure that senior executives understand their roles and responsibilities (PR.AT-4).

(e) Ensure that physical and information security personnel understand their roles and responsibilities (PR.AT-5).

(3)For each of the above subsections the following shall also be addressed:

(a) Appoint a worker to coordinate the agency information security awareness program. If an IT security worker does not coordinate the security awareness program, they shall be consulted for content development purposes.

(b) Establish a program that includes, at a minimum, annual security awareness training and on-going education and reinforcement of security practices.

(c) Provide training to workers within 30 days of start date.

(d) Include security policy adherence expectations for the following, at a minimum: disciplinary procedures and implications, acceptable use restrictions, data handling (procedures for handling exempt and confidential and exempt information), telework and computer security incident reporting procedures.  Incident reporting procedures shall:

1. Establish requirements for workers to immediately report loss of mobile devices, security tokens, smart cards, identification badges, or other devices used for identification and authentication purposes according to agency reporting procedures.

(e) Where technology permits, provide training prior to system access.  For specialized agency workers (e.g., law enforcement officers) who are required to receive extended off-site training prior to reporting to their permanent duty stations, initial security awareness training shall be provided within 30 days of the date they report to their permanent duty station.

(f) Require, prior to access, workers verify in writing that they will comply with agency IT security policies and procedures.

(g) Document parameters that govern personal use of agency IT resources and define what constitutes personal use. Personal use, if allowed by the agency, shall not interfere with the normal performance of any worker’s duties, or consume significant or unreasonable amounts of state IT resources (e.g., bandwidth, storage).

(h) Inform workers of what constitutes inappropriate use of IT resources. Inappropriate use shall include, but may not be limited to, the following:

1. Distribution of malware

2. Disablement or circumvention of security controls

3. Forging headers

4. Propagating “chain” letters

5. Political campaigning or unauthorized fundraising

6. Use for personal profit, benefit or gain

7. Offensive, indecent, or obscene access or activities, unless required by job duties

8. Harassing, threatening, or abusive activity

9. Any activity that leads to performance degradation

10. Auto-forwarding to external e-mail addresses

11. Unauthorized, non-work related access to: chat rooms, political groups, singles clubs or dating services; peer-to-peer file sharing; material relating to gambling, weapons, illegal drugs, illegal drug paraphernalia, hate-speech, or violence; hacker web-site/software; and pornography and sites containing obscene materials.

(4) Data Security. Each agency shall manage and protect records and data, including data-at-rest, consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. Agencies shall establish procedures, and develop and maintain agency cryptographic implementations. Key management processes and procedures for cryptographic keys used for encryption of data will be fully documented and will cover key generation, distribution, storage, periodic changes, compromised key processes, and prevention of unauthorized substitution. Also, key management processes must be in place and verified prior to encrypting data at rest, to prevent data loss and support availability. In protecting data security, agencies shall:

(a) Protect data-at-rest by establishing (PR.DS-1):

1. Procedures that ensure only agency-owned or approved IT resources are used to store confidential or exempt information.

2. Procedures that ensure agency-owned or approved portable IT resources containing confidential or mission critical data are encrypted.

3. Procedures that ensure agency-owned or approved portable IT resources that connect to the agency internal network use agency-managed security software.

4. Inform users not to store unique copies of agency data on workstations or mobile devices.

(b) Protect data-in-transit (PR.DS-2). Each agency shall:

1. Encrypt confidential and exempt information during transmission, except when the transport medium is owned or managed by the agency and controls are in place to protect the data during transit.

2. Ensure that wireless transmissions of agency data employ cryptography for authentication and transmission.

3. Make passwords unreadable during transmission and storage.

4. Encrypt mobile IT resources that store, process, or transmit exempt, or confidential and exempt agency data.

(c) Formally manage assets throughout removal, transfer, and disposition (PR.DS-3).

1. Before equipment is disposed of or released for reuse, sanitize or destroy information media according to the applicable retention schedule.

2. Destruction of confidential or exempt information shall be conducted such that the information is rendered unusable, unreadable, and indecipherable and not subject to retrieval or reconstruction.

3. Document procedures for sanitization of agency-owned IT resources prior to reassignment or disposal.

4. Equipment sanitization shall be performed such that confidential or exempt information is rendered unusable, unreadable, and indecipherable and not subject to retrieval or reconstruction. File deletion and media formatting are not acceptable methods of sanitization. Acceptable methods of sanitization include using software to overwrite data on computer media, degaussing, or physically destroying media.

(d) Maintain adequate capacity to ensure system availability and data integrity (PR.DS-4).

1. Ensure adequate audit/log capacity.

2. Protect against or limit the effects of denial of service attacks.

(e) Implement protections against data leaks or unauthorized data disclosures by establishing policies and procedures that address (PR.DS-5):

1. Appropriate handling and protection of exempt, and confidential and exempt information. Policies shall be reviewed and acknowledged by all workers.

2. Destruction of confidential and exempt information when the applicable retention schedule requirement has been reached and when the information no longer holds business value, regardless of media type.

3. Access agreements for agency information systems.

4. Boundary protection

5. Transmission confidentiality and integrity

(f) Employ integrity checking mechanisms to verify software, firmware, and information integrity (PR.DS-6).

1. Application controls shall be established to ensure the accuracy and completeness of data, including validation and integrity checks, to detect data corruption that may occur through processing errors or deliberate actions.

(g) Physically or logically separate development and testing environment(s) from the production environment and ensure that production exempt, or confidential and exempt data is not used for development where technology permits. Production exempt, or confidential and exempt data may be used for testing if the data owner authorizes the use and regulatory prohibitions do not exist; the test environment limits access and access is audited; and production exempt, and confidential and exempt data is removed from the system when testing is completed. Data owner authorization shall be managed via technical means, to the extent practical (PR.DS-7).

(5) Information Protection Processes and Procedures. Each agency shall ensure that security policies, processes and procedures are maintained and used to manage protection of information systems and assets. Such policies, processes and procedures shall:

(a) Include a current baseline configuration of information systems (PR.IP-1). Baselines shall:

1. Specify standard hardware and secure standard configurations.

2. Include documented firewall and router configuration standards, and include a current network diagram.

3. Require that vendor default settings, posing security risks, are changed or disabled for agency-owned or managed IT resources, including encryption keys, accounts, passwords, and SNMP (Simple Network Management Protocol) community strings, and ensure device security settings are enabled where appropriate.

4. Allow only agency-approved software to be installed on agency-owned IT resources.

(b) Establish a System Development Life Cycle (SDLC) to manage system implementation and maintenance (PR.IP-2). In doing so, agencies shall:

1. Develop and implement processes that include reviews of security requirements and controls to ascertain effectiveness and appropriateness relative to new technologies and applicable state and federal regulations.

2. Ensure security reviews are approved by the ISM and Chief Information Officer (or designee) before new or modified applications or technologies are moved into production. For IT resources housed in a state data center, the security review shall also be approved by the data center before the new or modified applications or technologies are moved into production.

3. The application development team at each agency shall implement appropriate security controls to minimize risks to agency IT resources and meet the security requirements of the application owner. Software applications obtained, purchased, leased, or developed by the agency will be based on secure coding guidelines.

4. Where technology permits, the agency shall ensure anti-malware software is maintained on agency IT resources.

(c) Establish a configuration change control process to manage upgrades and modifications to existing IT resources (PR.IP-3). In doing so, agencies shall:

1. Determine types of changes that are configuration-controlled (e.g. emergency patches, releases, and other out-of-band security packages).

2. Develop a process to review and approve or disapprove proposed changes based on a security impact analysis (e.g., implementation is commensurate with the risk associated with the weakness or vulnerability).

3. Develop a process to document change decisions.

4. Develop a process to implement approved changes and review implemented changes.

5. Develop an oversight capability for change control activities.

6. Develop procedures to ensure security requirements are incorporated into the change control process.

(d) Ensure backups of information are conducted, maintained, and tested periodically (PR.IP-4).

(e) Establish policy and regulatory expectations for protection of the physical operating environment for agency-owned or managed IT resources (PR.IP-5).

(f)Manage and dispose of records/data in accordance with the applicable retention schedule and policy (PR.IP-6).

(g) Establish a policy and procedure review process that facilitates continuous improvement to protection processes (PR.IP-7).  Each agency shall:

1. Ensure system security control selection occurs during the beginning of the SDLC and is documented in final design documentation.

2. Ensure system security plans shall document controls necessary to protect production data in the production environment and copies of production data used in non-production environments.

3. Ensure system security plans are confidential per Section 282.318, F.S., and shall be available to the agency ISM.

4. Require that each agency application or system with a categorization of moderate-impact or higher have a documented system security plan (SSP). For existing production systems that lack a SSP, a risk assessment shall be performed to determine prioritization of subsequent documentation efforts.  The SSP shall, at a minimum, include provisions that:

i. Align the system with the agency’s enterprise architecture

ii. Define the authorization boundary for the system

iii. Describe the mission-related business purpose

iv. Provide the security categorization, including security requirements and rationale (compliance, availability, etc.)

v. Describe the operational environment, including relationships, interfaces, or dependencies on external services

vi. Provide an overview of system security requirements

vii. Identify authorizing official or designee, who reviews and approves prior to implementation

5. Require information system owners (ISOs) to define application security-related business requirements using role or rule-based security, where technology permits.

6. Require ISOs to establish and authorize the types of privileges and access rights appropriate to system users, both internal and external.

7. Create procedures to address inspection of content stored, processed or transmitted on agency-owned or managed IT resources, including attached removable media.  Inspection shall be performed by authorized workers.

8. Establish parameters for agency-managed devices that prohibit installation, without worker consent, of clients that allow the agency to inspect private partitions or personal data.

9. Require ISOs ensure segregation of duties when establishing system authorizations.

10. Establish controls that prohibit a single individual from having the ability to complete all steps in a transaction or control all stages of a critical process.

11. Require agency information owners to identify exempt, and confidential and exempt information in their systems.

(h) Ensure that effectiveness of protection technologies is shared with appropriate parties (PR.IP-8).

(i) Develop, implement and manage response plans (e.g., Incident Response and Business Continuity) and recovery plans (e.g., Incident Recovery and Disaster Recovery) (PR.IP-9).

(j) Establish a procedure that ensures that agency response and recovery plans are regularly tested (PR.IP-10).

(k) Include cybersecurity in human resources practices (e.g., de-provisioning, personnel screening) (PR.IP-11).

(l) Each agency shall develop and implement a vulnerability management plan (PR.IP-12).

(5) Maintenance. Each agency shall perform maintenance and repairs of information systems and components consistent with agency-developed policies and procedures. Each agency shall:

(a) Perform and log maintenance and repair of IT resources in a timely manner, with approved and controlled tools (PR.MA-1).

(b) Approve, encrypt, log and perform remote maintenance of IT resources in manner that prevents unauthorized access (PR.MA-2).

(c) Not engage in new development of custom authenticators.  Agencies assess the feasibility of replacing custom authenticators in legacy applications.

(6) Protective Technology. Each agency shall ensure that technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. Specifically, each agency shall:

(a) Determine and document required audit/log records, implement logging of audit records, and protect and review logs in accordance with policy. Policy shall be based on resource criticality. Where possible, ensure that electronic audit records allow actions of users to be uniquely traced to those users so they can be held accountable for their actions. Maintain logs identifying where access to exempt, or confidential and exempt data was permitted. The logs shall support unique identification of individuals and permit an audit of the logs to trace activities through the system, including the capability to determine the exact confidential or exempt data accessed, acquired, viewed or transmitted by the individual (PR.PT-1).

(b) Protect and restrict removable media according to the information security policy (PR.PT-2).

(c) Control access to systems and assets, incorporating the principle of least functionality (PR.PT-3).

(d) Protect communications and control networks by establishing perimeter security measures to prevent unauthorized connections to agency IT resources (PR.PT-4).  Agencies shall:

1. Place databases containing mission critical, exempt, or confidential and exempt data in an internal network zone, segregated from the demilitarized zone (DMZ).

2. Agencies shall require host-based boundary protection on mobile computing devices where technology permits (i.e., detection agent).

Rulemaking Authority § 282.318(5), Fla. Stat. (2015). Law Implemented § 282.318(3), Fla. Stat. (2015).

74-2.004 Detect

The detect function of the FCS is visually represented as such:

(1) Anomalies and Events. Each agency shall develop policies and procedures that will facilitate detection of anomalous activity in a timely manner and that will allow the agency to understand the potential impact of events.  Such policies and procedures shall:

(a) Establish and manage a baseline of network operations and expected data flows for users and systems (DE.AE-1).

(b) Detect and analyze anomalous events to determine attack targets and methods (DE.AE-2).

1. Monitor unauthorized wireless access points when connected to the agency internal network, and immediately remove them upon detection.

2. Implement procedures to establish accountability for accessing and modifying exempt, or confidential and exempt data stores to ensure inappropriate access or modification is detectable.

(c) Aggregate and correlate event data from multiple sources and sensors (DE.AE-3).

(d) Determine the impact of events (DE.AE-4).

(e) Establish incident alert thresholds (DE.AE-5).

(2) Security Continuous Monitoring. Each agency shall monitor IT resources at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures. Such activities shall include:

(a) Monitoring the network is to detect potential cybersecurity events (DE.CM-1).

(b) Monitoring for unauthorized IT resource connections to the internal agency network.

(c) Monitoring the physical environment to detect potential cybersecurity events (DE.CM-2).

(d) Monitoring user activity to detect potential cybersecurity events (DE.CM-3).

(e) Monitoring for malicious code (DE.CM-4).

(f) Monitoring for unauthorized mobile code (DE.CM-5).

(g) Monitoring external service provider activity to detect potential cybersecurity events (DE.CM-6).

(h) Monitoring for unauthorized personnel, connections, devices, and software (DE.CM-7).

(i) Performing vulnerability scans (DE.CM-8). These shall be a part of the SDLC.

(3) Detection Processes. Each agency shall maintain and test detection processes and procedures to ensure timely and adequate awareness of anomalous events. These procedures shall be based on assigned risk and include the following:

(a) Defining roles and responsibilities for detection to ensure accountability (DE.DP-1).

(b) Ensuring that detection activities comply with all applicable requirements (DE.DP-2).

(c) Testing detection processes (DE.DP-3).

(d) Communicating event detection information to appropriate parties (DE.DP-4).

(e) Continuously improving detection processes (DE.DP-5).

Rulemaking Authority § 282.318(5), Fla. Stat. (2015). Law Implemented § 282.318(3), Fla. Stat. (2015).

74-2.005 Respond

The respond function of the FCS is visually represented as such:

(1) Response Planning. Each agency shall establish and maintain response processes and procedures and validate execution capability to ensure timely agency response for detected cybersecurity events. Each agency shall execute a response plan during or after an event (RS.RP-1).

(a) Agencies shall establish a Computer Security Incident Response Team (CSIRT) to respond to suspected computer security incidents. CSIRT members shall convene immediately, upon notice of suspected computer security incidents. Responsibilities of CSIRT members include:

1. Convening at least quarterly to review, at a minimum, established processes and escalation protocols.

2. Receiving training at least annually on cybersecurity threats, trends, and evolving practices. Training shall be coordinated as a part of the information security program.

3. CSIRT membership shall include, at a minimum, a member from the information security team, the CIO (or designee), and a member from the Inspector General’s Office. For agencies that are Health Information Portability and Accountability Act (HIPAA) covered entities as defined by 45 CFR 164.103, CSIRT membership shall also include the agency’s designated HIPAA privacy official or their designee. The CSIRT team shall report findings to agency management.

4. The CSIRT shall determine the appropriate response required for each suspected computer security incident.

5. The agency security incident reporting process must include notification procedures, established pursuant to Section 501.171, F.S., Section 282.318, F.S., and as specified in executed agreements with external parties. For reporting incidents to AST and the Cybercrime Office, the following reporting timeframes shall be followed:

(2) Communications. Each agency shall coordinate response activities with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies. Each agency shall:

(a) Inform workers of their roles and order of operations when a response is needed (RS.CO-1).

(b) Require that events be reported consistent with established criteria and in accordance with agency incident reporting procedures. Criteria shall, at a minimum, require immediate reporting, including instances of lost identification and authentication resources (RS.CO-2).

(c) Share information, consistent with response plans (RS.CO-3).

(d) Coordinate with stakeholders, consistent with response plans (RS.CO-4).

(e) Establish communications with external stakeholders to share and receive information to achieve broader cybersecurity situational awareness (RS.CO-5). Where technology permits, enable automated security alerts.  Establish processes to receive, assess, and act upon security advisories.

(3) Analysis. Each agency shall conduct analysis to adequately respond and support recovery activities.  Related activities include:

(a) Each agency shall establish notification thresholds and investigate notifications from detection systems (RS.AN-1).

(b) Each agency shall assess and identify the impact of the incident (RS.AN-2).

(c) Each agency shall perform forensics, where deemed appropriate (RS.AN-3).

(d) Each agency shall categorize incidents, consistent with response plans (RS.AN-4). Each incident report and analysis, including findings and corrective actions, shall be documented.

(4) Mitigation. Each agency shall perform activities to prevent expansion, contain or prevent recurrence of an event (RS.MI-1), mitigate its effects, and eradicate the incident (RS.MI-2); and mitigate newly identified vulnerabilities or document as accepted risks.

(5) Improvements. Each agency shall improve organizational response activities by incorporating lessons learned from current and previous detection/response activities into response plans (RS.IM-1). Agencies shall update response strategies in accordance with established policy (RS.IM-2).

Rulemaking Authority § 282.318(5), Fla. Stat. (2015). Law Implemented § 282.318(3), Fla. Stat. (2015).

74-2.006 Recover

The recover function of the FCS is visually represented as such:

(1) Recovery Planning. Each agency shall execute and maintain recovery processes and procedures to ensure timely restoration of systems or assets affected by cybersecurity events. Each agency shall:

(a) Execute a recovery plan during or after an event (RC.RP-1).

(b) Mirror data and software, essential to the continued operation of critical agency functions, to an off-site location or regularly back up a current copy and store at an off-site location.

(c) Develop procedures to prevent loss of data, and ensure that agency data, including unique copies, are backed up.

(d) Document disaster recovery plans that address protection of critical IT resources and provide for the continuation of critical agency functions in the event of a disaster. Plans shall address shared resource systems, which require special consideration, when interdependencies may affect continuity of critical agency functions.

(e) IT disaster recovery plans shall be tested at least annually; results of the annual exercise shall document plan procedures that were successful and specify any modifications required to improve the plan.

(2) Improvements. Each agency shall improve recovery planning and processes by incorporating lessons learned into future activities.  Such activities shall include:

(a) Incorporating lessons learned in recovery plans (RC.IM-1).

(b) Updating recovery strategies (RC.IM-2).

(3) Communications. Each agency shall coordinate restoration activities with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.  Such activities shall include:

(a) Managing public relations (RC.CO-1).

(b) Attempts to repair reputation after an event, if applicable (RC.CO-2).

(c) Communicating recovery activities to stakeholders, internal and external where appropriate (RC.CO-3).

Rulemaking Authority § 282.318(5), Fla. Stat. (2015). Law Implemented § 282.318(3), Fla. Stat. (2015).

NAME OF PERSON ORIGINATING PROPOSED RULE: Danielle Alvarez, Chief Information Security Officer

NAME OF AGENCY HEAD WHO APPROVED THE PROPOSED RULE: Jason Allison, Executive Director

DATE PROPOSED RULE APPROVED BY AGENCY HEAD: October 16, 2015

DATE NOTICE OF PROPOSED RULE DEVELOPMENT PUBLISHED IN FAR: December 22, 2014