These rules are amended to update and clarify existing language consistent with generally accepted practices for cybersecurity standards for information technology resources.  

AGENCY FOR STATE TECHNOLOGY

RULE NOS.:RULE TITLES:

74-2.001Purpose and Applicability; Definitions

74-2.002Identify

74-2.003Protect

74-2.004Detect

74-2.005Respond

74-2.006Recover

PURPOSE AND EFFECT: These rules are amended to update and clarify existing language consistent with generally accepted practices for cybersecurity standards for information technology resources.

SUMMARY: Management and operation of state information technology resources.

SUMMARY OF STATEMENT OF ESTIMATED REGULATORY COSTS AND LEGISLATIVE RATIFICATION:

The Agency has determined that this will not have an adverse impact on small business or likely increase directly or indirectly regulatory costs in excess of $200,000 in the aggregate within one year after the implementation of the rule. A SERC has not been prepared by the Agency.

The Agency has determined that the proposed rule is not expected to require legislative ratification based on the statement of estimated regulatory costs or if no SERC is required, the information expressly relied upon and described herein: Based on the SERC checklist, this rulemaking will not have an adverse impact on regulatory costs in excess of $1 million within five years as established in s.120.541(2)(a), F.S.

Any person who wishes to provide information regarding a statement of estimated regulatory costs, or provide a proposal for a lower cost regulatory alternative must do so in writing within 21 days of this notice.

RULEMAKING AUTHORITY: 282.318(6), FS

LAW IMPLEMENTED: 282.318, FS

IF REQUESTED WITHIN 21 DAYS OF THE DATE OF THIS NOTICE, A HEARING WILL BE SCHEDULED AND ANNOUNCED IN THE FAR.

THE PERSON TO BE CONTACTED REGARDING THE PROPOSED RULE IS: Melonie White at (850)412-6050, or at Melonie.White@ast.myflorida.com.

THE FULL TEXT OF THE PROPOSED RULE IS:

74-2.001 Purpose and Applicability; Definitions

(1) Purpose and Applicability.

(a) No change.

(b) This rule establishes cybersecurity standards for information technology (IT) resources. These standards are documented in rules 74-2.001 through 74-2.006, F.A.C. State Agencies must comply with these standards in the management and operation of state IT resources. This rule is modeled after the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 February 12, 2014, and the Federal Information Security Management Act of 2002 (44 U.S.C. §3541, et seq.). For the convenience of the reader cross-references to these documents and Special Publications issued by the NIST are provided throughout the FCS as they may be helpful to agencies when drafting their security procedures. The Florida Cybersecurity Standards:

1. No change.

Category Unique Identifier subcategory references are detailed in rules 74-2.002 ‒ 74-2.006, F.A.C., and are used throughout the FCS as applicable.

2. No change.

3. Allow authorizing officials to employ compensating security controls or deviate from minimum standards when the agency is unable to implement a security standard, or the standard is not cost-effective due to the specific nature of a system or its environment. The agency shall document the reasons why the minimum standards cannot be satisfied and the compensating controls to be employed. After the agency analyzes the issue and related risk a compensating security control or deviation may be employed if the agency documents the analysis and risk steering workgroup accepts the associated risk. This documentation is exempt from section 119.07(1), F.S., pursuant to sections 282.318 (4)(d), and (4)(f), F.S., and, shall be securely submitted to AST upon acceptance.

(2) Each agency shall:

(a) No change.

(b) Document the result of Submit the assessment within to AST with the agency’s strategic and operational plan. (ASOP). Annually submit the ASOP to AST via the submission process established and maintained by AST.

(c) Reassess annually and Annually update the ASOP assessment to reflect progress toward compliance with this rule.

(3) Definitions.

(a) The following terms are defined:

1. No change.

2. No change.

3. Authentication – A process of determining the validity of one or more credentials used to claim a digital identity. Breach – see section 282.0041(2), F.S.

4. Authentication protocol – See Rule 74-5.001, F.A.C. Compensating security controls – a management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a required security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an IT resource.

5. Buyer – refers to the downstream people or organizations that consume a given product or service from an organization, including both for-profit and not-for-profit organizations.

6. Compensating security controls – See Rule 74-5.001, F.A.C.

7. Complex password – a password sufficiently difficult to correctly guess, which enhances protection of data from unauthorized access. Complexity requires at least eight characters that are a combination of at least three of the following character types:  uppercase letters, lowercase letters, numbers, and special characters (@, #, $, %, etc.).

8.5. Confidential information – records that, pursuant to Florida’s public records laws or other controlling law, are exempt from public disclosure.

9.6. Critical infrastructure – the systems and assets, whether physical or virtual, and cyber systems and assets so vital to the U.S. Florida that the their incapacity or destruction of such systems and assets would have a debilitating impact effect on security, national state economic security, national state public health or safety, or any combination of those matters thereof.

10.7. Critical process – a process that is susceptible to fraud, cyberattack, unauthorized activity, or seriously impacting an agency’s mission.

11.8. Customer – an entity in receipt of services or information rendered by a state agency. This term does not include state agencies with regard to information sharing activities.

12. Cybersecurity event – within the context of 74-2.001-74-2.006, a cybersecurity event is a cybersecurity change that may have an impact on agency operations (including mission, capabilities, or reputation).

13.9. Data-at-rest – stationary data which is stored physically in any digital form.

14.10. External partners – non-state agency entities doing business with a state agency, including other governmental entities, third parties, contractors, vendors, suppliers and partners. External partners do does not include customers.

15.11. Information Security Manager (ISM) – the person appointed pursuant to section 282.318(4)(a), F.S.

16.12. Information system owner – the agency official responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system.

17.13. Industry sector(s) – the following major program areas of state government: Health and Human Services, Education, Government Operations, Criminal and Civil Justice, Agriculture and Natural Resources, and Transportation and Economic Development.

18.14. Information technology resources (IT resources) – see section 282.0041(13), F.S.

19.15. Legacy applications – programs or applications inherited from languages, platforms, and techniques earlier than current technology. These applications may be at or near the end of their useful life, but are still required to meet mission objectives or fulfill program area requirements.

20. Mobile Device – any computing device that can be conveniently relocated from one network to another.

21. Multi-Factor Authentication – See Rule 74-5.001, F.A.C.

22. 16. Personal information – see sections 501.171(1)(g)1., and 817.568, F.S.

23. Privileged user – a user that is authorized (and, therefore trusted) to perform security-relevant functions that ordinary users are not authorized to perform.

24. Privileged accounts – an information system account with authorizations of a privileged user.

25. Remote access – access by users (or information systems) communicating external to an information security perimeter.

26. Removable Media – any data storage medium or device sufficiently portable to allow for convenient relocation from one network to another.

27.17. Separation of dDuties – an internal control concept of having more than one person required to complete a critical process. This is an internal control intended to prevent fraud, abuse, and errors.

28.18. Stakeholder – a person, group, organization, or state agency involved in or affected by a course of action related to state agency-owned IT resources.

29. Supplier (commonly referred to as “vendor”) – encompasses upstream product and service providers used for an organization’s internal purposes (e.g., IT infrastructure) or integrated into the products or services provided to the Buyer. These terms are applicable for both technology-based and non-technology-based products and services.

30. Token control – See Rule 74-5.001, F.A.C.

31.19. User – a worker or non-worker who has been provided access to a system or data.

32.20. Workforce – employees, contractors, volunteers, trainees, and other persons whose conduct, in the performance of work for the agency, is under the direct control of the agency, whether or not they are paid by the agency (see User; Worker).

33.21. Worker – a member of the workforce. A worker may or may not use IT resources. This includes employees, contractors, volunteers, trainees, and other persons whose conduct, in the performance of work for the agency, is under the direct control of the agency, whether or not they are paid by the agency.

(b) With the exception of the terms identified in subparagraphs 1.-4., the NIST Glossary of Key Information Security Terms, Revision 2, National Institute of Standards and Technology, U.S. Department of Commerce (May 2013), maintained at: http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf, is hereby incorporated by reference into this rule: http://www.flrules.org/Gateway/reference.asp?No=Ref-06494.

1. No change.

2. Continuity oOf Operations Plan (COOP) – disaster-preparedness plans created pursuant to section 252.365(3), F.S.

3. No change.

4. No change.

Rulemaking Authority 282.318(5) FS. Law Implemented 282.318(3) FS. History‒New 3-10-16, Amended_______.

74-2.002 Identify.

The identify function of the FCS is visually represented as such:

(1) Asset Management. Each agency shall ensure that IT resources are identified and managed. Identification and management shall be consistent with the IT resource’s relative importance to agency business objectives and the organization’s risk strategy. Specifically, each agency shall:

(a) through (c), No change.

(d) Each agency shall ensure that interdependent external information systems are catalogued (ID.AM-4). Agencies shall:

1. through 5. No change.

6. Require that (e.g., contractually) external service providers adhere to agency security policies.

7. No change.

(e) Each agency shall ensure that IT resources (hardware, data, personnel, devices and software) are categorized, prioritized, and documented based on their classification, criticality, and business value (ID.AM-5). Agencies shall:

1. through 3. No change.

4. Identify and maintain a reference list of exempt, and confidential and exempt, agency information or software and the associated applicable state and federal statutes and rules.

(f) Establish cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (ID.AM-6). Each agency is responsible for:

1. through 2. No change.

3. Informing workers that use, or oversee or manage workers that use, IT equipment that they shall immediately report suspected unauthorized activity, in accordance with agency-established incident reporting procedures.

4. through 7. No change.

8. Appointing an Information Security Manager (ISM). Agency responsibilities related to the ISMs include:

a. No change.

b. Specifying ISM responsibilities in the ISM’s position description.

c. through d. No change.

9. No change.

(2) Business Environment. Each agency’s cybersecurity roles, responsibilities, and IT risk management decisions shall align with the agency’s mission, objectives, and activities. To accomplish this, agencies shall:

(a) through (d), No change.

(e) Implement information resilience requirements to support the delivery of critical services for all operating states (ID.BE-5).

(3) Governance. Each agency shall establish policies, procedures, and processes to manage and monitor the agency’s regulatory, legal, risk, environmental, and operational IT requirements based on the agency’s assessment of risk. Procedures shall address providing timely notification to management of cybersecurity risks. Agencies shall also:

(a) Establish and communicate or adopt a comprehensive cybersecurity information security policy (ID.GV-1).

(b) Coordinate and align cybersecurity information security roles and responsibilities with internal roles and external partners (ID.GV-2).

(c) through (d), No change.

(4) Risk Assessment.

(a) Approach. Each agency shall identify and manage the cybersecurity risk to agency operations (including mission, functions, image, or reputation), agency assets, and individuals using the following approach, that derives from the NIST Risk Management Framework (RMF) which is hereby incorporated by reference and may be found at: http://csrc.nist.gov/groups/SMA/fisma/framework.html The Risk Assessment steps provided in the table below must be followed; however, agencies may identify and, based on the risk to be managed, consider other risk assessment security control requirements and frequency of activities necessary to manage the risk at issue.

Risk Assessments Table -No change.

Potential Impact Table – No change.

In accordance with section 282.318(4)(c), F.S., each agency shall complete and submit to AST no later than July 31, 2017, and every three years thereafter, a completed Florida Cybersecurity Standard (FCS) Risk Assessment Tool. In completing the FCS Assessment Tool, the Florida Enterprise Information Security Risk Assessment Survey (Form #AST-100), which is hereby incorporated by reference and maintained at: https://www.flrules.org/Gateway/reference.asp?No=Ref-06533. In completing the AST 100 form, agencies shall follow the six-step process (“Conducting the Risk Assessment”) outlined in Section 3.2 of NIST Special Publication 800-30, utilizing the exemplary tables provided therein as applicable to address that the particular agency’s threat situation. NIST Special Publication 800-30, Guide for Conducting Risk Assessments, Revision 1 (September 2012) is hereby incorporated by reference and may be found at: http://www.flrules.org/Gateway/reference.asp?No=Ref-06499. When establishing risk management processes, it may be helpful for agencies to review NIST Risk Management Framework RFM Special Publications – they can be downloaded from the following website: http://csrc.nist.gov/publications/PubsSPs.html. When assessing risk, agencies shall estimate the magnitude of harm resulting from unauthorized access, unauthorized modification or destruction, or loss of availability of a resource. Estimates shall be documented as low-impact, moderate-impact, or high-impact relative to the security objectives of confidentiality, integrity, and availability.

(b) Other agency risk management activities that agencies shall perform:

1. No change.

2. Receive and manage cyber threat intelligence and vulnerability information from information sharing forums and sources that contain information relevant to the risks or threats (ID.RA-2).

3. through 6., No change.

(5) Risk Management. Each agency shall ensure that the organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. Each agency shall:

(a) Establish risk management processes that are managed and agreed to by agency stakeholders and the agency head (ID.RM-1).

1. Establish a risk steering workgroup management team that ensures that risk management processes are authorized by agency stakeholders. The risk steering workgroup management team must include a member of the agency IT unit, and shall determine the appropriate meeting frequency and agency stakeholders.

(b) No change.

(c) Determine risk tolerance as necessary, based upon: their analysis of sector specific risks; the agency’s industry sector; agency-specific risks (e.g., Health Information Portability Accountability Act of 1996 compliance for agencies that maintain this information); and the agency’s role in the state’s mission (ID.RM-3).

(d) through (g), No change.

(6) Supply Chain Risk Management. Each agency shall establish priorities, constraints, risk tolerances, and assumptions to support risk decisions associated with managing supply chain risk. Each agency shall:

(a) Establish management processes to identify, establish, assess, and manage cyber supply chain risks which are agreed to by organizational stakeholders (ID.SC-1).

(b) Identify, prioritize, and assess suppliers and third-party providers of information systems, components, and services using a cyber supply chain risk assessment process (ID.SC-2).

(c) Require suppliers and third-party providers (by contractual agreement when necessary) to implement appropriate measures designed to meet the objectives of the organization’s information security program or cyber supply chain risk management plan (ID.SC-3).

(d) Routinely assess suppliers and third-party providers to confirm that they are meeting their contractual obligations by conducting reviews of audits, summaries of test results, or other equivalent evaluations of suppliers/providers (ID.SC-4).

(e). Conduct response and recovery planning and testing with suppliers and third-party providers (ID.SC-5).

Rulemaking Authority 282.318(5) FS. Law Implemented 282.318(3) FS. History‒New 3-16-16, Amended, ____________.

74-2.003 Protect.

The protect function of the FCS is visually represented as such:

(1) Access Control. Each agency shall ensure that access to IT resources is limited to authorized users, processes, or devices, and to authorized activities and transactions. Specifically:

(a) Each agency shall manage identities and credentials for authorized devices and users (PR.AC-1). Control measures shall, at a minimum include authentication token(s) unique to the individual.

Agencies shall:

1. through 2. No change.

3. Require inactivity timeouts that log off terminate or lock workstations or secure sessions with a complex password.

4. Locked workstations or sessions must be locked in a way that requires user authentication with an authentication token(s) unique to the individual user to disengage.

4. Secure workstations with a password-protected screensaver, set at no more than 15 minutes.

5. When Force users to change their passwords are used as the sole authentication token, require users to use complex passwords that are changed at least every 30-90 days, based on assessed risk of the system.

6. through 8. No change.

9. Require Consider the use of multi-factor authentication (MFA) for access to networks or applications any application that have has a categorization of moderate, high, or contain contains exempt, or confidential and exempt, information. This excludes externally hosted systems designed to deliver services to agency customers, where the agency documents the analysis and the risk steering workgroup accepts the associated risk MFA is not necessary or viable.

10. Require MFA for Require MFA for any application that has a categorization of high or is administered by remote connection to the internal network.

11. Require MFA for network access to privileged accounts.

(b) Each agency shall manage and protect physical access to assets (PR.AC-2). In doing so, agency security procedures or controls shall:

1. Address protection of IT resources from environmental hazards (e.g., temperature, humidity, air movement, dust, and faulty power) in accordance with manufacturer manufacturers’ specifications.

2. through 3. No change.

4. Specify physical access to central information resource facilities and/or equipment that is restricted to authorized personnel.

5. Detail visitor access protocols, including recordation procedures, and in locations housing systems categorized as moderate-impact or high-impact, require that visitors be supervised by authorized personnel.

6. No change.

(c) ) Each agency shall manage remote access (PR.AC-3). In doing so, agencies shall:

1. No change.

2. Specify that only secure, agency-managed, secure remote access methods may be used to remotely connect computing devices to the agency internal network.

3. No change.

(d) Each agency shall ensure that access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties (PR.AC-4). In doing so, agencies shall:

1. through 4. No change.

(e) Each agency shall ensure that network integrity is protected, incorporating network segregation and segmentation where appropriate (PR.AC-5).

(f) Proof and bond identities to credentials and assert in interactions when appropriate (PR.AC-6).

(g) Authenticate users, devices, and other assets commensurate with the risk of the transaction (PR.AC-7).

(2) Awareness and Training. Agencies shall provide all their workers cybersecurity awareness education and training so as to ensure they perform their cybersecurity information security-related duties and responsibilities consistent with agency policies and procedures. In doing so, each agency shall:

(a) through (d) No change.

(e) Ensure that physical and cybersecurity information security personnel understand their roles and responsibilities (PR.AT-5).

(3) For each of the above subsections the following shall also be addressed:

(a) through (c) No change.

(d) Include security policy adherence expectations for the following, at a minimum: disciplinary procedures and implications, acceptable use restrictions, data handling (procedures for handling exempt and confidential and exempt information), telework and cybersecurity computer security incident reporting procedures. Incident reporting procedures shall:

1. No change.

(e) through (g), No change.

(h) Inform workers of what constitutes inappropriate use of IT resources. Inappropriate use shall include, but may not be limited to, the following:

1. through 3. No change.

4. Propagating “chain” letters.

4.5. Political campaigning or unauthorized fundraising.

5.6. Use for personal profit, benefit or gain.

6.7. Offensive, indecent, or obscene access or activities, unless required by job duties.

7.8. Harassing, threatening, or abusive activity.

8.9. Any activity that leads to performance degradation.

9.10. Auto-forwarding to external e-mail addresses.

10.11. Unauthorized, non-work-related access to: chat rooms, political groups, singles clubs or dating services; peer-to-peer file sharing; material relating to gambling, weapons, illegal drugs, illegal drug paraphernalia, hate-speech, or violence; hacker web-site/software; and pornography and sites containing obscene materials.

(4) Data Security. Each agency shall manage and protect records and data, including data-at-rest, consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. Agencies shall establish procedures, and develop and maintain agency cryptographic implementations. Key management processes and procedures for cryptographic keys used for encryption of data will be fully documented and will cover key generation, distribution, storage, periodic changes, compromised key processes, and prevention of unauthorized substitution. Also, key management processes must be in place and verified prior to encrypting data at rest, to prevent data loss and support availability. In protecting data security, agencies shall:

(a) No change.

(b) No change.

(c) Formally manage assets throughout removal, transfer, and disposition (PR.DS-3).

1. Ensure any records stored on storage media to be Before equipment is disposed of or released for reuse, are sanitized or destroyed sanitize or destroy media in accordance with organization-developed procedures and the State of Florida General Records Schedule GS1-SL for State and Local Government Agencies.

2. through 4. No change.

(d) No change.

(e) No change.

1. Appropriate handling and protection of exempt, and confidential and exempt, information. Policies shall be reviewed and acknowledged by all workers.

2. through 5., no change.

(f) no change.

(g) No change.

(h) Use integrity checking mechanisms to verify hardware integrity (PR.DS-8). In doing so, agencies shall establish processes to protect against and/or detect unauthorized changes to hardware used to support systems with a categorization of high-impact.

(5) Information Protection Processes and Procedures. Each agency shall ensure that security policies, processes and procedures are maintained and used to manage protection of information systems and assets. Such policies, processes and procedures shall:

(a) Include a current baseline configuration of information systems which incorporate security principles (PR.IP-1). Baselines shall:

1. No change.

2. Include documented firewall and router configuration standards, and include a current network diagram.

3. through d 4. No change.

(b) through (c) No change.

(d) Ensure backups of information are conducted, maintained, and tested periodically (PR.IP-4).

(e) through (j), No change.

(k) Include cybersecurity in human resources practices (e.g., deprovisioning de-provisioning, personnel screening) (PR.IP-11).

(l) No change.

(6) Maintenance. Each agency shall perform maintenance and repairs of information systems and components consistent with agency-developed policies and procedures. Each agency shall:

(a) Perform and log maintenance and repair of IT resources in a timely manner, with tools that have been approved and are administered by the agency to be used for such activities (PR.MA-1).

(b) through (c), No change.

(7) Protective Technology. Each agency shall ensure that technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. Specifically, each agency shall:

(a) through (b) No change.

(c) Incorporate Control access to systems and assets, utilizing the principle of least functionality by configuring systems to only provide essential capabilities trust (PR.PT-3).

(d) No change.

(e) Implement mechanisms (e.g., failsafe, load balancing across duplicated systems, hot swap) to achieve resilience requirements in normal and adverse situations (PR.PT-5).

Rulemaking Authority 282.318(5) FS. Law Implemented 282.318(3) FS. History‒New 3-10-16, Amended                         .

74-2.004 Detect.

The detect function of the FCS is visually represented as such:

(1) Anomalies and Events. Each agency shall develop policies and procedures that will facilitate detection of anomalous activity in a timely manner and that will allow the agency to understand the potential impact of events. Such policies and procedures shall:

(a) No change.

(b) Detect and analyze anomalous cybersecurity events to determine attack targets and methods (DE.AE-2).

1. Monitor for unauthorized wireless access points when connected to the agency internal network, and immediately remove them upon detection.

2. Implement procedures to establish accountability for accessing and modifying exempt, or confidential and exempt, data stores to ensure inappropriate access or modification is detectable.

(c) Collect Aggregate and correlate cybersecurity event data from multiple sources and sensors (DE.AE-3).

(d) Determine the impact of cybersecurity events (DE.AE-4).

(e) Establish incident alert thresholds (DE.AE-5).

(2) Security Continuous Monitoring. Each agency shall determine the appropriate level of monitoring that will occur regarding IT resources necessary to identify cybersecurity events and verify the effectiveness of protective measures. Such activities shall include:

(a) through (h), No change.

(i) Performing vulnerability scans (DE.CM-8). These shall be a part of the System Development Life Cycle (SDLC).

(3) Detection Processes. Each agency shall maintain and test detection processes and procedures to ensure timely and adequate awareness of anomalous events. These procedures shall be based on assigned risk and include the following:

(a) through (e), No change.

Rulemaking Authority 282.318(5) FS. Law Implemented 282.318(3) FS. History‒New 3-10-16, amended______________________.

74-2.005 Respond.

The respond function of the FCS is visually represented as such:

(1) Response Planning. Each agency shall establish and maintain response processes and procedures and validate execution capability to ensure timely agency response for detected cybersecurity incidents events. Each agency shall execute a response plan during or after an incident event (RS.RP-1).

(a) Agencies shall establish a Computer Security Incident Response Team (CSIRT) to respond to cybersecurity suspected computer security incidents. CSIRT members shall convene immediately, upon notice of cybersecurity suspected computer security incidents. Responsibilities of CSIRT members include:

1. Convening a simple majority of CSIRT members at least quarterly to review, at a minimum, established processes and escalation protocols.

2. Receiving incident response training at least annually on cybersecurity threats, trends, and evolving practices. Training shall be coordinated as a part of the information security program.

3. CSIRT membership shall include, at a minimum, a member from the information security team, the CIO (or designee), and a member from the Inspector General’s Office. who shall act in ad advisory capacity. For agencies that are Health Information Portability and Accountability Act (HIPAA) covered entities as defined by 45 CFR 164.103, CSIRT membership shall also include the agency’s designated HIPAA privacy official or their designee. The CSIRT team shall report findings to agency management.

4. The CSIRT shall determine the appropriate response required for each cybersecurity suspected computer security incident.

5. The agency security incident reporting process must include notification procedures, established pursuant to section 501.171, F.S., section 282.318, F.S., and as specified in executed agreements with external parties. For reporting incidents to AST and the Cybercrime Office (as established within the Florida Department of Law Enforcement via section 943.0415, F.S.), agencies shall report observed incident indicators via the AST Incident Reporting Portal to provide early warning and proactive response capability to other State of Florida agencies. Such indicators may include any known attacker IP addresses, malicious uniform resource locator (URL) addresses, malicious code file names and/or associated file hash values. the following reporting timeframes shall be followed:

(2) Communications. Each agency shall coordinate response activities with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies. Each agency shall:

(a) No change.

(b) Require that incidents events be reported consistent with established criteria and in accordance with agency incident reporting procedures. Criteria shall require immediate reporting, including instances of lost identification and authentication resources (RS.CO-2).

(c) through (e), No change.

(3) Analysis. Each agency shall conduct analysis to adequately respond and support recovery activities. Related activities include:

(a) Each agency shall establish notification thresholds and investigate notifications from detection systems (RS.AN-1).

(b) Each agency shall assess and identify the impact of incidents the incident (RS.AN-2).

(c) Each agency shall perform forensics, where deemed appropriate (RS.AN-3).

(d) Each agency shall categorize incidents, consistent with response plans (RS.AN-4). Each incident report and analysis, including findings and corrective actions, shall be documented.

(e) Establish processes to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (RS.AN-5).

(4) Mitigation. Each agency shall perform incident mitigation activities. The objective of incident mitigation activities shall be to: attempt to contain and prevent recurrence of incidents (RS.MI-1); mitigate incident effects and resolve eradicate the incident (RS.MI-2); and address vulnerabilities or document as accepted risks.

(5) No change.

Rulemaking Authority 282.318(5) FS. Law Implemented 282.318(3) FS. History‒New 3-10-16, Amended          .

74-2.006 Recover.

The recover function of the FCS is visually represented as such:

(1) Recovery Planning. Each agency shall execute and maintain recovery processes and procedures to ensure timely restoration of systems or assets affected by cybersecurity incidents events. Each agency shall:

(a) Execute a recovery plan during or after an incident event (RC.RP-1).

(b) through (e), No change.

(2) through (3), No change.

Rulemaking Authority 282.318(5) FS. Law Implemented 282.318(3) FS. History‒New 3-10-16, Amended            .

NAME OF PERSON ORIGINATING PROPOSED RULE: Thomas Vaughn, Chief Information Security Officer

NAME OF AGENCY HEAD WHO APPROVED THE PROPOSED RULE: Eric Larson, Executive Director and State Chief Information Officer

DATE PROPOSED RULE APPROVED BY AGENCY HEAD: September 11, 2018

DATE NOTICE OF PROPOSED RULE DEVELOPMENT PUBLISHED IN FAR: 03/09/18