
    AGENCY FOR STATE TECHNOLOGY

    RULE NOS.:    RULE TITLES:

    74-2.001      Purpose and Applicability; Definitions

    74-2.002      Identify

    74-2.003      Protect

    74-2.004      Detect

    74-2.005      Respond

    74-2.006      Recover

    PURPOSE AND EFFECT: These rules are amended to update and clarify existing language consistent with generally accepted practices for cybersecurity standards for information technology resources.

    SUMMARY: Management and operation of state information technology resources.

    SUMMARY OF STATEMENT OF ESTIMATED REGULATORY COSTS AND LEGISLATIVE RATIFICATION:

    The Agency has determined that this will not have an adverse impact on small business or likely increase directly or indirectly regulatory costs in excess of $200,000 in the aggregate within one year after the implementation of the rule. A SERC has not been prepared by the Agency.

    The Agency has determined that the proposed rule is not expected to require legislative ratification based on the statement of estimated regulatory costs or if no SERC is required, the information expressly relied upon and described herein: Based on the SERC checklist, this rulemaking will not have an adverse impact on regulatory costs in excess of $1 million within five years as established in s.120.541(2)(a), F.S.

    Any person who wishes to provide information regarding a statement of estimated regulatory costs, or provide a proposal for a lower cost regulatory alternative must do so in writing within 21 days of this notice.

    RULEMAKING AUTHORITY: 282.318(6), FS

    LAW IMPLEMENTED: 282.318, FS

    IF REQUESTED WITHIN 21 DAYS OF THE DATE OF THIS NOTICE, A HEARING WILL BE SCHEDULED AND ANNOUNCED IN THE FAR.

    THE PERSON TO BE CONTACTED REGARDING THE PROPOSED RULE IS: Melonie White at (850)412-6050, or at Melonie.White@ast.myflorida.com.


    THE FULL TEXT OF THE PROPOSED RULE IS:


    74-2.001 Purpose and Applicability; Definitions

    (1) Purpose and Applicability.

    (a) No change.

    (b) This rule establishes cybersecurity standards for information technology (IT) resources. These standards are documented in rules 74-2.001 through 74-2.006, F.A.C. State Agencies must comply with these standards in the management and operation of state IT resources. This rule is modeled after the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 February 12, 2014, and the Federal Information Security Management Act of 2002 (44 U.S.C. §3541, et seq.). For the convenience of the reader cross-references to these documents and Special Publications issued by the NIST are provided throughout the FCS as they may be helpful to agencies when drafting their security procedures. The Florida Cybersecurity Standards:

    1. No change.

    Function Unique Identifier   Function   Category Unique Identifier   Category
    ID                           Identify   ID.AM                        Asset Management
    ID                           Identify   ID.BE                        Business Environment
    ID                           Identify   ID.GV                        Governance
    ID                           Identify   ID.RA                        Risk Assessment
    ID                           Identify   ID.RM                        Risk Management Strategy
    ID                           Identify   ID.SC                        Supply Chain Risk Management
    PR                           Protect    PR.AC                        Identity Management and Access Control
    PR                           Protect    PR.AT                        Awareness & Training
    PR                           Protect    PR.DS                        Data Security
    PR                           Protect    PR.IP                        Information Protection Processes & Procedures
    PR                           Protect    PR.MA                        Maintenance
    PR                           Protect    PR.PT                        Protective Technology
    DE                           Detect     DE.AE                        Anomalies & Events
    DE                           Detect     DE.CM                        Security Continuous Monitoring
    DE                           Detect     DE.DP                        Detection Processes
    RS                           Respond    RS.RP                        Response Planning
    RS                           Respond    RS.CO                        Communications
    RS                           Respond    RS.AN                        Analysis
    RS                           Respond    RS.MI                        Mitigation
    RS                           Respond    RS.IM                        Improvements
    RC                           Recover    RC.RP                        Recovery Planning
    RC                           Recover    RC.IM                        Improvements
    RC                           Recover    RC.CO                        Communications

    Category Unique Identifier subcategory references are detailed in rules 74-2.002 ‒ 74-2.006, F.A.C., and are used throughout the FCS as applicable.

    2. No change.

    3. Allow authorizing officials to employ compensating security controls or deviate from minimum standards when the agency is unable to implement a security standard, or the standard is not cost-effective due to the specific nature of a system or its environment. The agency shall document the reasons why the minimum standards cannot be satisfied and the compensating controls to be employed. After the agency analyzes the issue and related risk a compensating security control or deviation may be employed if the agency documents the analysis and risk steering workgroup accepts the associated risk. This documentation is exempt from section 119.07(1), F.S., pursuant to sections 282.318 (4)(d), and (4)(f), F.S., and, shall be securely submitted to AST upon acceptance.

    (2) Each agency shall:

    (a) No change.

    (b) Document the result of Submit the assessment within to AST with the agency’s strategic and operational plan. (ASOP). Annually submit the ASOP to AST via the submission process established and maintained by AST.

    (c) Reassess annually and Annually update the ASOP assessment to reflect progress toward compliance with this rule.

    (3) Definitions.

    (a) The following terms are defined:

    1. No change.

    2. No change.

    3. Authentication – A process of determining the validity of one or more credentials used to claim a digital identity. Breach – see section 282.0041(2), F.S.

    4. Authentication protocol – See Rule 74-5.001, F.A.C. Compensating security controls – a management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a required security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an IT resource.

    5. Buyer – refers to the downstream people or organizations that consume a given product or service from an organization, including both for-profit and not-for-profit organizations.

    6. Compensating security controls – See Rule 74-5.001, F.A.C.

    7. Complex password – a password sufficiently difficult to correctly guess, which enhances protection of data from unauthorized access. Complexity requires at least eight characters that are a combination of at least three of the following character types:  uppercase letters, lowercase letters, numbers, and special characters (@, #, $, %, etc.).

    8.5. Confidential information – records that, pursuant to Florida’s public records laws or other controlling law, are exempt from public disclosure.

    9.6. Critical infrastructure – the systems and assets, whether physical or virtual, and cyber systems and assets so vital to the U.S. Florida that the their incapacity or destruction of such systems and assets would have a debilitating impact effect on security, national state economic security, national state public health or safety, or any combination of those matters thereof.

    10.7. Critical process – a process that is susceptible to fraud, cyberattack, unauthorized activity, or seriously impacting an agency’s mission.

    11.8. Customer – an entity in receipt of services or information rendered by a state agency. This term does not include state agencies with regard to information sharing activities.

    12. Cybersecurity event – within the context of 74-2.001-74-2.006, a cybersecurity event is a cybersecurity change that may have an impact on agency operations (including mission, capabilities, or reputation).

    13.9. Data-at-rest – stationary data which is stored physically in any digital form.

    14.10. External partners – non-state agency entities doing business with a state agency, including other governmental entities, third parties, contractors, vendors, suppliers and partners. External partners do does not include customers.

    15.11. Information Security Manager (ISM) – the person appointed pursuant to section 282.318(4)(a), F.S.

    16.12. Information system owner – the agency official responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system.

    17.13. Industry sector(s) – the following major program areas of state government: Health and Human Services, Education, Government Operations, Criminal and Civil Justice, Agriculture and Natural Resources, and Transportation and Economic Development.

    18.14. Information technology resources (IT resources) – see section 282.0041(13), F.S.

    19.15. Legacy applications – programs or applications inherited from languages, platforms, and techniques earlier than current technology. These applications may be at or near the end of their useful life, but are still required to meet mission objectives or fulfill program area requirements.

    20. Mobile Device – any computing device that can be conveniently relocated from one network to another.

    21. Multi-Factor Authentication – See Rule 74-5.001, F.A.C.

    22. 16. Personal information – see sections 501.171(1)(g)1., and 817.568, F.S.

    23. Privileged user – a user that is authorized (and, therefore trusted) to perform security-relevant functions that ordinary users are not authorized to perform.

    24. Privileged accounts – an information system account with authorizations of a privileged user.

    25. Remote access – access by users (or information systems) communicating external to an information security perimeter.

    26. Removable Media – any data storage medium or device sufficiently portable to allow for convenient relocation from one network to another.

    27.17. Separation of dDuties – an internal control concept of having more than one person required to complete a critical process. This is an internal control intended to prevent fraud, abuse, and errors.

    28.18. Stakeholder – a person, group, organization, or state agency involved in or affected by a course of action related to state agency-owned IT resources.

    29. Supplier (commonly referred to as “vendor”) – encompasses upstream product and service providers used for an organization’s internal purposes (e.g., IT infrastructure) or integrated into the products or services provided to the Buyer. These terms are applicable for both technology-based and non-technology-based products and services.

    30. Token control – See Rule 74-5.001, F.A.C.

    31.19. User – a worker or non-worker who has been provided access to a system or data.

    32.20. Workforce – employees, contractors, volunteers, trainees, and other persons whose conduct, in the performance of work for the agency, is under the direct control of the agency, whether or not they are paid by the agency (see User; Worker).

    33.21. Worker – a member of the workforce. A worker may or may not use IT resources. This includes employees, contractors, volunteers, trainees, and other persons whose conduct, in the performance of work for the agency, is under the direct control of the agency, whether or not they are paid by the agency.
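    The "complex password" definition in subparagraph 7. above (at least eight characters drawn from at least three of the four character types) can be turned into a policy check that an agency could run against proposed passwords. The following is an added example; it is not part of the rule text and not an AST tool. It assumes that only the ASCII letter and digit ranges form the uppercase, lowercase and number types, that any other printable, non-whitespace character counts as a "special character" (the rule's "@, #, $, %, etc."), and that whitespace counts toward length but toward no character type; the sample inputs at the bottom are constructed.

```python
"""Password complexity check modelled on the 'complex password' definition
in rule 74-2.001(3)(a)7., F.A.C. (added example; not part of the rule text).

Assumptions not stated in the rule:
  * only the ASCII letter and digit ranges form the uppercase, lowercase
    and number types; any other printable, non-whitespace character
    (including "@#$%" and non-ASCII symbols) counts as a special character;
  * whitespace and control characters count toward length but toward no type.
"""
import string

MIN_LENGTH = 8        # "at least eight characters"
MIN_CLASSES = 3       # "at least three of the following character types"
CLASS_NAMES = ("uppercase", "lowercase", "number", "special")


def character_classes(password: str) -> set:
    """Return the set of character types present in the password."""
    present = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            present.add("uppercase")
        elif ch in string.ascii_lowercase:
            present.add("lowercase")
        elif ch in string.digits:
            present.add("number")
        elif ch.isprintable() and not ch.isspace():
            present.add("special")   # assumption: any other visible character
    return present


def complexity_failures(password: str) -> list:
    """List every way the password falls short of the definition.

    An empty list means the password satisfies the definition.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(
            f"length {len(password)} is below the minimum of {MIN_LENGTH}")
    present = character_classes(password)
    if len(present) < MIN_CLASSES:
        missing = [name for name in CLASS_NAMES if name not in present]
        failures.append(
            f"only {len(present)} of {len(CLASS_NAMES)} character types used "
            f"(missing: {', '.join(missing)}); at least {MIN_CLASSES} required")
    return failures


def is_complex(password: str) -> bool:
    """True when the password meets the 74-2.001 'complex password' definition."""
    return not complexity_failures(password)


if __name__ == "__main__":
    # Constructed sample inputs for the demo; not taken from the rule.
    for candidate in ("Tallahassee1", "tallahassee1", "Ab1#", "Passw0rd", "pass word#1"):
        verdict = "complex" if is_complex(candidate) else "NOT complex"
        reasons = "; ".join(complexity_failures(candidate)) or "ok"
        print(f"{candidate!r:16} {verdict}: {reasons}")
```

    The demo echoes its sample strings so the verdicts can be read; a deployed check should return only the verdict and the reasons, never the password itself, since that output tends to end up in logs. Note also that the definition is a minimum: "Passw0rd" passes it, which is why the rule pairs complexity with inactivity timeouts, periodic changes and multi-factor authentication rather than relying on complexity alone.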

    (b) With the exception of the terms identified in subparagraphs 1.-4., the NIST Glossary of Key Information Security Terms, Revision 2, National Institute of Standards and Technology, U.S. Department of Commerce (May 2013), maintained at: http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf, is hereby incorporated by reference into this rule: http://www.flrules.org/Gateway/reference.asp?No=Ref-06494.

    1. No change.

    2. Continuity oOf Operations Plan (COOP) – disaster-preparedness plans created pursuant to section 252.365(3), F.S.

    3. No change.

    4. No change.

    Rulemaking Authority 282.318(5) FS. Law Implemented 282.318(3) FS. History‒New 3-10-16, Amended_______.


    74-2.002 Identify.

    The identify function of the FCS is visually represented as such:

    Function

    Category

    Subcategory

    Identify (ID)

    Asset Management (AM)

    ID.AM-1: Inventory agency physical devices and systems

    ID.AM-2: Inventory agency software platforms and applications

    ID.AM-3: Map agency communication and data flows

    ID.AM-4: Catalog interdependent external information systems

    ID.AM-5: Prioritize IT resources based on classification, criticality, and business value

    ID.AM-6: Establish cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders

    Business Environment (BE)

    ID.BE-1: Identify and communicate the agency’s role in the business mission/processes

    ID.BE-2: Identify and communicate the agency’s place in critical infrastructure and its industry sector to workers

    ID.BE-3: Establish and communicate priorities for agency mission, objectives, and activities

    ID.BE-4: Identify dependencies and critical functions for delivery of critical services

    ID.BE-5: Implement resiliency requirements to support the delivery of critical services for all operating states (e.g., normal operations, under duress, during recovery)

    Governance (GV)

    ID.GV-1: Establish and communicate an organizational cyber information security policy

    ID.GV-2: Coordinate and align cybersecurity information security roles and & responsibilities with internal roles and external partners

    ID.GV-3: Understand and manage legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations

    ID.GV-4: Ensure that governance and risk management processes address cybersecurity risks

    Risk Assessment (RA)

    ID.RA-1: Identify and document asset vulnerabilities

    ID.RA-2: Receive cyber threat intelligence and vulnerability information from information sharing forums and sources

    ID.RA-3: Identify and document threats, both internal and external

    ID.RA-4: Identify potential business impacts and likelihoods

    ID.RA-5: Use threats, vulnerabilities, likelihoods, and impacts to determine risk

    ID.RA-6: Identify and prioritize risk responses

    Risk Management Strategy (RM)

    ID.RM-1: Establish, manage, and ensure organizational stakeholders understand the approach to be employed via the risk management processes

    ID.RM-2: Determine and clearly express organizational risk tolerance

    ID.RM-3: Ensure that the organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis


    Supply Chain Risk Management (SC)

    ID.SC-1: Establish management processes to identify, establish, assess, and manage cyber supply chain risk which are agreed to by organizational stakeholders

    ID.SC-2: Identify, prioritize, and assess suppliers and third-party providers of information systems, components, and services using a cyber supply chain risk assessment process

    ID.SC-3: Require suppliers and third-party providers (by contractual requirement when necessary) to implement appropriate measures designed to meet the objectives of the organization’s information security program or cyber supply chain risk management plan

    ID.SC-4: Routinely assess suppliers and third-party providers to confirm that they are meeting their contractual obligations by conducting reviews of audits, summaries of test results, or other equivalent evaluations of suppliers/providers

    ID.SC-5: Conduct response and recovery planning and testing with suppliers and third-party providers

    (1) Asset Management. Each agency shall ensure that IT resources are identified and managed. Identification and management shall be consistent with the IT resource’s relative importance to agency business objectives and the organization’s risk strategy. Specifically, each agency shall:

    (a) through (c), No change.

    (d) Each agency shall ensure that interdependent external information systems are catalogued (ID.AM-4). Agencies shall:

    1. through 5. No change.

    6. Require that (e.g., contractually) external service providers adhere to agency security policies.

    7. No change.

    (e) Each agency shall ensure that IT resources (hardware, data, personnel, devices and software) are categorized, prioritized, and documented based on their classification, criticality, and business value (ID.AM-5). Agencies shall:

    1. through 3. No change.

    4. Identify and maintain a reference list of exempt, and confidential and exempt, agency information or software and the associated applicable state and federal statutes and rules.

    (f) Establish cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (ID.AM-6). Each agency is responsible for:

    1. through 2. No change.

    3. Informing workers that use, or oversee or manage workers that use, IT equipment that they shall immediately report suspected unauthorized activity, in accordance with agency-established incident reporting procedures.

    4. through 7. No change.

    8. Appointing an Information Security Manager (ISM). Agency responsibilities related to the ISMs include:

    a. No change.

    b. Specifying ISM responsibilities in the ISM’s position description.

    c. through d. No change.

    9. No change.

    (2) Business Environment. Each agency’s cybersecurity roles, responsibilities, and IT risk management decisions shall align with the agency’s mission, objectives, and activities. To accomplish this, agencies shall:

    (a) through (d), No change.

    (e) Implement information resilience requirements to support the delivery of critical services for all operating states (ID.BE-5).

    (3) Governance. Each agency shall establish policies, procedures, and processes to manage and monitor the agency’s regulatory, legal, risk, environmental, and operational IT requirements based on the agency’s assessment of risk. Procedures shall address providing timely notification to management of cybersecurity risks. Agencies shall also:

    (a) Establish and communicate or adopt a comprehensive cybersecurity information security policy (ID.GV-1).

    (b) Coordinate and align cybersecurity information security roles and responsibilities with internal roles and external partners (ID.GV-2).

    (c) through (d), No change.

    (4) Risk Assessment.

    (a) Approach. Each agency shall identify and manage the cybersecurity risk to agency operations (including mission, functions, image, or reputation), agency assets, and individuals using the following approach, that derives from the NIST Risk Management Framework (RMF) which is hereby incorporated by reference and may be found at: http://csrc.nist.gov/groups/SMA/fisma/framework.html. The Risk Assessment steps provided in the table below must be followed; however, agencies may identify and, based on the risk to be managed, consider other risk assessment security control requirements and frequency of activities necessary to manage the risk at issue.

    Risk Assessments Table – No change.

    Potential Impact Table – No change.

    In accordance with section 282.318(4)(c), F.S., each agency shall complete and submit to AST no later than July 31, 2017, and every three years thereafter, a completed Florida Cybersecurity Standard (FCS) Risk Assessment Tool. In completing the FCS Assessment Tool, the Florida Enterprise Information Security Risk Assessment Survey (Form #AST-100), which is hereby incorporated by reference and maintained at: https://www.flrules.org/Gateway/reference.asp?No=Ref-06533. In completing the AST 100 form, agencies shall follow the six-step process (“Conducting the Risk Assessment”) outlined in Section 3.2 of NIST Special Publication 800-30, utilizing the exemplary tables provided therein as applicable to address that the particular agency’s threat situation. NIST Special Publication 800-30, Guide for Conducting Risk Assessments, Revision 1 (September 2012) is hereby incorporated by reference and may be found at: http://www.flrules.org/Gateway/reference.asp?No=Ref-06499. When establishing risk management processes, it may be helpful for agencies to review NIST Risk Management Framework RFM Special Publications – they can be downloaded from the following website: http://csrc.nist.gov/publications/PubsSPs.html. When assessing risk, agencies shall estimate the magnitude of harm resulting from unauthorized access, unauthorized modification or destruction, or loss of availability of a resource. Estimates shall be documented as low-impact, moderate-impact, or high-impact relative to the security objectives of confidentiality, integrity, and availability.

    (b) Other agency risk management activities that agencies shall perform:

    1. No change.

    2. Receive and manage cyber threat intelligence and vulnerability information from information sharing forums and sources that contain information relevant to the risks or threats (ID.RA-2).

    3. through 6., No change.

    (5) Risk Management. Each agency shall ensure that the organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. Each agency shall:

    (a) Establish risk management processes that are managed and agreed to by agency stakeholders and the agency head (ID.RM-1).

    1. Establish a risk steering workgroup management team that ensures that risk management processes are authorized by agency stakeholders. The risk steering workgroup management team must include a member of the agency IT unit, and shall determine the appropriate meeting frequency and agency stakeholders.

    (b) No change.

    (c) Determine risk tolerance as necessary, based upon: their analysis of sector specific risks; the agency’s industry sector; agency-specific risks (e.g., Health Information Portability Accountability Act of 1996 compliance for agencies that maintain this information); and the agency’s role in the state’s mission (ID.RM-3).

    (d) through (g), No change.

    (6) Supply Chain Risk Management. Each agency shall establish priorities, constraints, risk tolerances, and assumptions to support risk decisions associated with managing supply chain risk. Each agency shall:

    (a) Establish management processes to identify, establish, assess, and manage cyber supply chain risks which are agreed to by organizational stakeholders (ID.SC-1).

    (b) Identify, prioritize, and assess suppliers and third-party providers of information systems, components, and services using a cyber supply chain risk assessment process (ID.SC-2).

    (c) Require suppliers and third-party providers (by contractual agreement when necessary) to implement appropriate measures designed to meet the objectives of the organization’s information security program or cyber supply chain risk management plan (ID.SC-3).

    (d) Routinely assess suppliers and third-party providers to confirm that they are meeting their contractual obligations by conducting reviews of audits, summaries of test results, or other equivalent evaluations of suppliers/providers (ID.SC-4).

    (e) Conduct response and recovery planning and testing with suppliers and third-party providers (ID.SC-5).

    Rulemaking Authority 282.318(5) FS. Law Implemented 282.318(3) FS. History‒New 3-16-16, Amended, ____________.


    74-2.003 Protect.

    The protect function of the FCS is visually represented as such:

    Function

    Category

    Subcategory

    Protect (PR)

    Identity Management, Authentication, and Access Control (AC)

    PR.AC-1: Issue, manage, verify, revoke, and audit Manage identities and credentials for authorized devices, processes, and users

    PR.AC-2: Manage and protect physical access to assets

    PR.AC-3: Manage remote access

    PR.AC-4: Manage access permissions and authorizations, incorporate the principles of least privilege and separation of duties

    PR.AC-5: Protect network integrity, by incorporating incorporate network segregation and segmentation where appropriate

    PR.AC-6: Proof and bond identities to credentials, asserting in interactions when appropriate (see token control definition)

    PR.AC-7: Authenticate credentials assigned to users, devices, and other assets commensurate with the risk of the transaction.

    Awareness and Training (AT)

    PR.AT-1: Inform and train all users

    PR.AT-2: Ensure that privileged users understand roles and responsibilities

    PR.AT-3: Ensure that third-party stakeholders understand roles and responsibilities

    PR.AT-4: Ensure that senior executives understand roles and responsibilities

    PR.AT-5: Ensure that physical and cybersecurity information security personnel understand their roles and & responsibilities

    Data Security (DS)

    PR.DS-1: Protect data-at-rest

    PR.DS-2: Protect data-in-transit

    PR.DS-3: Formally manage assets managed throughout removal, transfers, and disposition

    PR.DS-4: Ensure that adequate capacity is maintained to support availability needs

    PR.DS-5: Implement data leak protection measures

    PR.DS-6: Use integrity checking mechanisms to verify software, firmware, and information integrity

    PR.DS-7: Logically or physically separate the development and testing environment(s) from the production environment

    PR.DS-8: Use integrity checking mechanisms to verify hardware integrity

    Information Protection Processes and Procedures (IP)

    PR.IP-1: Create and maintain a baseline configuration that incorporates all security principles for of information technology/industrial control systems

    PR.IP-2: Implement a System Development Life Cycle (SDLC) to manage systems

    PR.IP-3: Establish configuration change control processes

    PR.IP-4: Conduct, maintain, and periodically test backups of information

    PR.IP-5: Meet policy and regulatory requirements that are relevant to the physical operating environment for organizational assets

    PR.IP-6: Destroy data according to policy

    PR.IP-7: Continuously improve protection processes

    PR.IP-8: Share effectiveness of protection technologies with stakeholders that should or must receive this information

    PR.IP-9: Establish and manage response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery)

    PR.IP-10: Test response and recovery plans

    PR.IP-11: Include cybersecurity in human resources practices (e.g., deprovisioning, personnel screening)

    PR.IP-12: Develop and implement a vulnerability management plan

    Maintenance (MA)

    PR.MA-1: Perform and log maintenance and repair of organizational assets in a timely manner, with approved and controlled tools

    PR.MA-2: Approve, log, and perform remote maintenance of agency assets in a manner that prevents unauthorized access

    Protective Technology (PT)

    PR.PT-1: Determine, document, implement, and review audit/log records in accordance with policy

    PR.PT-2: Protect and restrict removable media usage according to policy

    PR.PT-3: Control access to systems and assets, Iincorporate the principle of least functionality by configuring systems to provide only essential capabilities.

    PR.PT-4: Protect communications and control networks

    PR.PT-5: Implement mechanisms (e.g., failsafe, load balancing, hot swap) to achieve resilience requirements in normal and adverse situations

    (1) Access Control. Each agency shall ensure that access to IT resources is limited to authorized users, processes, or devices, and to authorized activities and transactions. Specifically:

    (a) Each agency shall manage identities and credentials for authorized devices and users (PR.AC-1). Control measures shall, at a minimum include authentication token(s) unique to the individual.

    Agencies shall:

    1. through 2. No change.

    3. Require inactivity timeouts that log off terminate or lock workstations or secure sessions with a complex password.

    4. Locked workstations or sessions must be locked in a way that requires user authentication with an authentication token(s) unique to the individual user to disengage.

    4. Secure workstations with a password-protected screensaver, set at no more than 15 minutes.

    5. When Force users to change their passwords are used as the sole authentication token, require users to use complex passwords that are changed at least every 30-90 days, based on assessed risk of the system.

    6. through 8. No change.

    9. Require Consider the use of multi-factor authentication (MFA) for access to networks or applications any application that have has a categorization of moderate, high, or contain contains exempt, or confidential and exempt, information. This excludes externally hosted systems designed to deliver services to agency customers, where the agency documents the analysis and the risk steering workgroup accepts the associated risk MFA is not necessary or viable.

    10. Require MFA for Require MFA for any application that has a categorization of high or is administered by remote connection to the internal network.

    11. Require MFA for network access to privileged accounts.

    (b) Each agency shall manage and protect physical access to assets (PR.AC-2). In doing so, agency security procedures or controls shall:

    1. Address protection of IT resources from environmental hazards (e.g., temperature, humidity, air movement, dust, and faulty power) in accordance with manufacturer manufacturers’ specifications.

    2. through 3. No change.

    4. Specify physical access to central information resource facilities and/or equipment that is restricted to authorized personnel.

    5. Detail visitor access protocols, including recordation procedures, and in locations housing systems categorized as moderate-impact or high-impact, require that visitors be supervised by authorized personnel.

    6. No change.

    (c) Each agency shall manage remote access (PR.AC-3). In doing so, agencies shall:

    1. No change.

    2. Specify that only secure, agency-managed, secure remote access methods may be used to remotely connect computing devices to the agency internal network.

    3. No change.

    (d) Each agency shall ensure that access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties (PR.AC-4). In doing so, agencies shall:

    1. through 4. No change.

    (e) Each agency shall ensure that network integrity is protected, incorporating network segregation and segmentation where appropriate (PR.AC-5).

    (f) Proof and bond identities to credentials and assert in interactions when appropriate (PR.AC-6).

    (g) Authenticate users, devices, and other assets commensurate with the risk of the transaction (PR.AC-7).

    (2) Awareness and Training. Agencies shall provide all their workers cybersecurity awareness education and training so as to ensure they perform their cybersecurity information security-related duties and responsibilities consistent with agency policies and procedures. In doing so, each agency shall:

    (a) through (d) No change.

    (e) Ensure that physical and cybersecurity information security personnel understand their roles and responsibilities (PR.AT-5).

    (3) For each of the above subsections the following shall also be addressed:

    (a) through (c) No change.

    (d) Include security policy adherence expectations for the following, at a minimum: disciplinary procedures and implications, acceptable use restrictions, data handling (procedures for handling exempt and confidential and exempt information), telework and cybersecurity computer security incident reporting procedures. Incident reporting procedures shall:

    1. No change.

    (e) through (g), No change.

    (h) Inform workers of what constitutes inappropriate use of IT resources. Inappropriate use shall include, but may not be limited to, the following:

    1. through 3. No change.

    4. Propagating “chain” letters.

    4.5. Political campaigning or unauthorized fundraising.

    5.6. Use for personal profit, benefit or gain.

    6.7. Offensive, indecent, or obscene access or activities, unless required by job duties.

    7.8. Harassing, threatening, or abusive activity.

    8.9. Any activity that leads to performance degradation.

    9.10. Auto-forwarding to external e-mail addresses.

    10.11. Unauthorized, non-work-related access to: chat rooms, political groups, singles clubs or dating services; peer-to-peer file sharing; material relating to gambling, weapons, illegal drugs, illegal drug paraphernalia, hate-speech, or violence; hacker web-site/software; and pornography and sites containing obscene materials.

    (4) Data Security. Each agency shall manage and protect records and data, including data-at-rest, consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. Agencies shall establish procedures, and develop and maintain agency cryptographic implementations. Key management processes and procedures for cryptographic keys used for encryption of data will be fully documented and will cover key generation, distribution, storage, periodic changes, compromised key processes, and prevention of unauthorized substitution. Also, key management processes must be in place and verified prior to encrypting data at rest, to prevent data loss and support availability. In protecting data security, agencies shall:

    (a) No change.

    (b) No change.

    (c) Formally manage assets throughout removal, transfer, and disposition (PR.DS-3).

    1. Ensure any records stored on storage media to be Before equipment is disposed of or released for reuse, are sanitized or destroyed sanitize or destroy media in accordance with organization-developed procedures and the State of Florida General Records Schedule GS1-SL for State and Local Government Agencies.

    2. through 4. No change.

    (d) No change.

    (e) No change.

    1. Appropriate handling and protection of exempt, and confidential and exempt, information. Policies shall be reviewed and acknowledged by all workers.

    2. through 5., no change.

    (f) no change.

    (g) No change.

    (h) Use integrity checking mechanisms to verify hardware integrity (PR.DS-8). In doing so, agencies shall establish processes to protect against and/or detect unauthorized changes to hardware used to support systems with a categorization of high-impact.
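    The key-management requirements in subsection (4) above (key generation, periodic change, a compromised-key process, prevention of unauthorized substitution, and verifying the process before any data is encrypted so that nothing is lost) can be followed end to end in the following Go program. It is an added illustration, not part of the rule text or of any state system: the KeyStore type, the dek-vN key-id format and the sample record are assumptions, and the in-memory store stands in for whatever KMS or HSM an agency actually uses. Substitution is prevented by binding the key id into the AES-GCM associated data; a rotated key drops to decrypt-only, a compromised key is kept only long enough to re-encrypt its records, and a record whose key was destroyed before re-encryption is unrecoverable, which is the data-loss outcome the rule's verification requirement guards against.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyState follows a key through the lifecycle the rule lists: generation, use, periodic change, compromise.
type KeyState int

const (
	Active      KeyState = iota // encrypts new records and decrypts old ones
	DecryptOnly                 // rotated out: never encrypts, still decrypts existing records
	Compromised                 // decrypts only so its records can be re-encrypted under a new key
)

type keyRecord struct{ key []byte; state KeyState }

// KeyStore is a hypothetical in-memory stand-in for an agency KMS or HSM (an assumption of this example).
type KeyStore struct {
	keys   map[string]*keyRecord
	active string // id of the only key allowed to encrypt; "" if none
	next   int
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string]*keyRecord{}} }

// Rotate generates a fresh 256-bit key, makes it active and demotes the previous active key to DecryptOnly.
func (s *KeyStore) Rotate() (string, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil { return "", err }
	if old, ok := s.keys[s.active]; ok && old.state == Active { old.state = DecryptOnly }
	s.next++
	id := fmt.Sprintf("dek-v%d", s.next) // assumed key-id format
	s.keys[id] = &keyRecord{key: k, state: Active}
	s.active = id
	return id, nil
}

// MarkCompromised bars the key from protecting new data; move its records to the active key before Destroy.
func (s *KeyStore) MarkCompromised(id string) error {
	rec, ok := s.keys[id]
	if !ok { return fmt.Errorf("unknown key id %q", id) }
	rec.state = Compromised
	if s.active == id { s.active = "" }
	return nil
}

func (s *KeyStore) Destroy(id string) { delete(s.keys, id) } // records still sealed under id are lost for good

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Encrypt is where key management must already be verified: it refuses to run without an Active key.
// Record layout: "<key id>:" || nonce || AES-GCM ciphertext, with the key-id header bound in as
// associated data so that substituting another key or key id at decrypt time fails authentication.
func (s *KeyStore) Encrypt(plaintext []byte) ([]byte, error) {
	rec, ok := s.keys[s.active]
	if !ok || rec.state != Active { return nil, fmt.Errorf("key management not verified: no active key") }
	g, err := gcm(rec.key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	header := []byte(s.active + ":")
	out := append(append([]byte{}, header...), nonce...)
	return g.Seal(out, nonce, plaintext, header), nil
}

// Decrypt works for Active, DecryptOnly and Compromised keys alike; only a destroyed key makes a record unrecoverable.
func (s *KeyStore) Decrypt(record []byte) ([]byte, error) {
	id, rest, found := bytes.Cut(record, []byte(":"))
	if !found { return nil, fmt.Errorf("malformed record") }
	rec, ok := s.keys[string(id)]
	if !ok { return nil, fmt.Errorf("key %q was destroyed or never existed", id) }
	g, err := gcm(rec.key)
	if err != nil { return nil, err }
	ns := g.NonceSize()
	if len(rest) < ns { return nil, fmt.Errorf("malformed record") }
	return g.Open(nil, rest[:ns], rest[ns:], record[:len(id)+1])
}

func main() {
	s := NewKeyStore()
	s.Rotate()
	ct, _ := s.Encrypt([]byte("confidential and exempt record")) // constructed sample record
	s.Rotate()                  // periodic change: dek-v1 is now DecryptOnly
	s.MarkCompromised("dek-v1") // compromised-key process
	pt, _ := s.Decrypt(ct)
	ct2, _ := s.Encrypt(pt) // record moved to dek-v2 before dek-v1 is destroyed
	s.Destroy("dek-v1")
	_, lost := s.Decrypt(ct)
	pt2, _ := s.Decrypt(ct2)
	fmt.Printf("old record: %v\nmoved record: %q\n", lost, pt2)
}
```

    Run with go run; the two printed lines show the destroyed-key error for the record that was never re-encrypted and the recovered plaintext of the one that was. The order of operations in main is the one the rule implies: rotate first so there is a verified active key, re-encrypt everything sealed under a compromised key, and only then destroy it.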

    (5) Information Protection Processes and Procedures. Each agency shall ensure that security policies, processes and procedures are maintained and used to manage protection of information systems and assets. Such policies, processes and procedures shall:

    (a) Include a current baseline configuration of information systems which incorporate security principles (PR.IP-1). Baselines shall:

    1. No change.

    2. Include documented firewall and router configuration standards, and include a current network diagram.

    3. through 4. No change.

    (b) through (c) No change.

    (d) Ensure backups of information are conducted, maintained, and tested periodically (PR.IP-4).

    (e) through (j), No change.

    (k) Include cybersecurity in human resources practices (e.g., deprovisioning de-provisioning, personnel screening) (PR.IP-11).

    (l) No change.

    (6) Maintenance. Each agency shall perform maintenance and repairs of information systems and components consistent with agency-developed policies and procedures. Each agency shall:

    (a) Perform and log maintenance and repair of IT resources in a timely manner, with tools that have been approved and are administered by the agency to be used for such activities (PR.MA-1).

    (b) through (c), No change.

    (7) Protective Technology. Each agency shall ensure that technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. Specifically, each agency shall:

    (a) through (b) No change.

    (c) Incorporate Control access to systems and assets, utilizing the principle of least functionality by configuring systems to only provide essential capabilities trust (PR.PT-3).

    (d) No change.

    (e) Implement mechanisms (e.g., failsafe, load balancing across duplicated systems, hot swap) to achieve resilience requirements in normal and adverse situations (PR.PT-5).

    Rulemaking Authority 282.318(5) FS. Law Implemented 282.318(3) FS. History‒New 3-10-16, Amended                         .

     

    74-2.004 Detect.

    The detect function of the FCS is visually represented as such:

    Function: Detect (DE)

    Category: Anomalies and Events (AE). Subcategories:

    DE.AE-1: Establish and manage a baseline of network operations and expected data flows for users and systems

    DE.AE-2: Analyze detected cybersecurity events to understand attack targets and methods

    DE.AE-3: Collect Aggregate and correlate cybersecurity event data from multiple sources and sensors

    DE.AE-4: Determine the impact of cybersecurity events

    DE.AE-5: Establish incident alert thresholds

    Category: Security Continuous Monitoring (CM). Subcategories:

    DE.CM-1: Monitor the network to detect potential cybersecurity events

    DE.CM-2: Monitor the physical environment to detect potential cybersecurity events

    DE.CM-3: Monitor personnel activity to detect potential cybersecurity events

    DE.CM-4: Detect malicious code

    DE.CM-5: Detect unauthorized mobile code

    DE.CM-6: Monitor external service provider activity to detect potential cybersecurity events

    DE.CM-7: Monitor for unauthorized personnel, connections, devices, and software

    DE.CM-8: Perform vulnerability scans

    Category: Detection Processes (DP). Subcategories:

    DE.DP-1: Define roles and responsibilities for detection to ensure accountability

    DE.DP-2: Ensure that detection activities comply with all applicable requirements

    DE.DP-3: Test detection processes

    DE.DP-4: Communicate event detection information to stakeholders that should or must receive this information

    DE.DP-5: Continuously improve detection processes

    (1) Anomalies and Events. Each agency shall develop policies and procedures that will facilitate detection of anomalous activity in a timely manner and that will allow the agency to understand the potential impact of events. Such policies and procedures shall:

    (a) No change.

    (b) Detect and analyze anomalous cybersecurity events to determine attack targets and methods (DE.AE-2).

    1. Monitor for unauthorized wireless access points when connected to the agency internal network, and immediately remove them upon detection.

    2. Implement procedures to establish accountability for accessing and modifying exempt, or confidential and exempt, data stores to ensure inappropriate access or modification is detectable.

    (c) Collect Aggregate and correlate cybersecurity event data from multiple sources and sensors (DE.AE-3).

    (d) Determine the impact of cybersecurity events (DE.AE-4).

    (e) Establish incident alert thresholds (DE.AE-5).

    (2) Security Continuous Monitoring. Each agency shall determine the appropriate level of monitoring that will occur regarding IT resources necessary to identify cybersecurity events and verify the effectiveness of protective measures. Such activities shall include:

    (a) through (h), No change.

    (i) Performing vulnerability scans (DE.CM-8). These shall be a part of the System Development Life Cycle (SDLC).

    (3) Detection Processes. Each agency shall maintain and test detection processes and procedures to ensure timely and adequate awareness of anomalous events. These procedures shall be based on assigned risk and include the following:

    (a) through (e), No change.

    Rulemaking Authority 282.318(5) FS. Law Implemented 282.318(3) FS. History‒New 3-10-16, amended______________________.

    74-2.005 Respond.

    The respond function of the FCS is visually represented as such:

    Function: Respond (RS)

    Category: Response Planning (RP). Subcategory:

    RS.RP-1: Execute response plan during or after an incident event

    Category: Communications (CO). Subcategories:

    RS.CO-1: Ensure that personnel know their roles and order of operations when a response is needed

    RS.CO-2: Report incidents events consistent with established criteria

    RS.CO-3: Share information consistent with response plans

    RS.CO-4: Coordinate with stakeholders consistent with response plans

    RS.CO-5: Engage in voluntary information sharing with external stakeholders to achieve broader cybersecurity situational awareness

    Category: Analysis (AN). Subcategories:

    RS.AN-1: Investigate notifications from detection systems

    RS.AN-2: Understand the impact of incidents

    RS.AN-3: Perform forensic analysis

    RS.AN-4: Categorize incidents consistent with response plans

    RS.AN-5: Establish processes to receive, analyze, and respond to vulnerabilities disclosed to the agency from internal and external sources

    Category: Mitigation (MI). Subcategories:

    RS.MI-1: Contain incidents

    RS.MI-2: Mitigate incidents

    RS.MI-3: Mitigate newly identified vulnerabilities or document accepted risks

    Category: Improvements (IM). Subcategories:

    RS.IM-1: Incorporate lessons learned in response plans

    RS.IM-2: Periodically update response strategies

    (1) Response Planning. Each agency shall establish and maintain response processes and procedures and validate execution capability to ensure timely agency response for detected cybersecurity incidents events. Each agency shall execute a response plan during or after an incident event (RS.RP-1).

    (a) Agencies shall establish a Computer Security Incident Response Team (CSIRT) to respond to cybersecurity suspected computer security incidents. CSIRT members shall convene immediately, upon notice of cybersecurity suspected computer security incidents. Responsibilities of CSIRT members include:

    1. Convening a simple majority of CSIRT members at least quarterly to review, at a minimum, established processes and escalation protocols.

    2. Receiving incident response training at least annually on cybersecurity threats, trends, and evolving practices. Training shall be coordinated as a part of the information security program.

    3. CSIRT membership shall include, at a minimum, a member from the information security team, the CIO (or designee), and a member from the Inspector General’s Office. who shall act in an advisory capacity. For agencies that are Health Insurance Portability and Accountability Act (HIPAA) covered entities as defined by 45 CFR 164.103, CSIRT membership shall also include the agency’s designated HIPAA privacy official or their designee. The CSIRT team shall report findings to agency management.

    4. The CSIRT shall determine the appropriate response required for each cybersecurity suspected computer security incident.

    5. The agency security incident reporting process must include notification procedures, established pursuant to section 501.171, F.S., section 282.318, F.S., and as specified in executed agreements with external parties. For reporting incidents to AST and the Cybercrime Office (as established within the Florida Department of Law Enforcement via section 943.0415, F.S.), agencies shall report observed incident indicators via the AST Incident Reporting Portal to provide early warning and proactive response capability to other State of Florida agencies. Such indicators may include any known attacker IP addresses, malicious uniform resource locator (URL) addresses, malicious code file names and/or associated file hash values. the following reporting timeframes shall be followed:

    Rating   | Initial Notification | Definition of Effect Rating
    Minimal  | Monthly aggregate    | Effect on IT resources managed by internal processes
    Low      | Weekly               | Minimal effect on IT resources
    Medium   | One business day     | Moderate effect on IT resources
    High     | Within 4 hours       | Severe effect on IT resources or delivery of services
    Critical | Immediately          | Severe effect on IT resources, believed to impact multiple agencies or delivery of services

    (2) Communications. Each agency shall coordinate response activities with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies. Each agency shall:

    (a) No change.

    (b) Require that incidents events be reported consistent with established criteria and in accordance with agency incident reporting procedures. Criteria shall require immediate reporting, including instances of lost identification and authentication resources (RS.CO-2).

    (c) through (e), No change.

    (3) Analysis. Each agency shall conduct analysis to adequately respond and support recovery activities. Related activities include:

    (a) Each agency shall establish notification thresholds and investigate notifications from detection systems (RS.AN-1).

    (b) Each agency shall assess and identify the impact of incidents the incident (RS.AN-2).

    (c) Each agency shall perform forensics, where deemed appropriate (RS.AN-3).

    (d) Each agency shall categorize incidents, consistent with response plans (RS.AN-4). Each incident report and analysis, including findings and corrective actions, shall be documented.

    (e) Establish processes to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (RS.AN-5).

    (4) Mitigation. Each agency shall perform incident mitigation activities. The objective of incident mitigation activities shall be to: attempt to contain and prevent recurrence of incidents (RS.MI-1); mitigate incident effects and resolve eradicate the incident (RS.MI-2); and address vulnerabilities or document as accepted risks.

    (5) No change.

    Rulemaking Authority 282.318(5) FS. Law Implemented 282.318(3) FS. History‒New 3-10-16, Amended          .

     

    74-2.006 Recover.

    The recover function of the FCS is visually represented as such:

    Function: Recover (RC)

    Category: Recovery Planning (RP). Subcategory:

    RC.RP-1: Execute recovery plan during or after a cybersecurity incident an event

    Category: Improvements (IM). Subcategories:

    RC.IM-1: Incorporate lessons learned in recovery plans

    RC.IM-2: Periodically update recovery strategies

    Category: Communications (CO). Subcategories:

    RC.CO-1: Manage public relations

    RC.CO-2: Repair reputation after an event

    RC.CO-3: Communicate recovery activities to internal stakeholders and executive and management teams

    (1) Recovery Planning. Each agency shall execute and maintain recovery processes and procedures to ensure timely restoration of systems or assets affected by cybersecurity incidents events. Each agency shall:

    (a) Execute a recovery plan during or after an incident event (RC.RP-1).

    (b) through (e), No change.

    (2) through (3), No change.

    Rulemaking Authority 282.318(5) FS. Law Implemented 282.318(3) FS. History‒New 3-10-16, Amended            .

     

    NAME OF PERSON ORIGINATING PROPOSED RULE: Thomas Vaughn, Chief Information Security Officer

    NAME OF AGENCY HEAD WHO APPROVED THE PROPOSED RULE: Eric Larson, Executive Director and State Chief Information Officer

    DATE PROPOSED RULE APPROVED BY AGENCY HEAD: September 11, 2018

    DATE NOTICE OF PROPOSED RULE DEVELOPMENT PUBLISHED IN FAR: 03/09/18

     

Document Information

Comments Open:
9/19/2018