Florida Administrative Code (Last Updated: October 28, 2024)
60. Department of Management Services
60GG. Florida Digital Service
60GG-2. STATE OF FLORIDA CYBERSECURITY STANDARDS
(1) Purpose and Applicability.
(a) Rules 60GG-2.001 through 60GG-2.006, F.A.C., will be known as the State of Florida Cybersecurity Standards (SFCS).
(b) These rules establish cybersecurity standards for information technology (IT) resources. Agencies must comply with these standards in the management and operation of state IT resources. This rule is modeled after the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, and the Federal Information Security Management Act of 2002 (44 U.S.C. §3541, et seq.). For the convenience of the reader, cross-references to these documents and to Special Publications issued by NIST are provided throughout the SFCS, as they may be helpful to Agencies when drafting their cybersecurity procedures. For procurement of IT commodities and services, the commodity or service must comply with the NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (April 2018). The SFCS:
1. Establish minimum standards to be used by Agencies to secure IT resources. The SFCS consists of five high-level functions: Identify, Protect, Detect, Respond, and Recover. These functions support lifecycle management of IT risk. Each function is divided into key categories and subcategories; subcategories contain specific IT controls. The SFCS are visually represented as follows:
| Function Unique Identifier | Function | Category Unique Identifier | Category |
|---|---|---|---|
| ID | Identify | ID.AM | Asset Management |
| | | ID.BE | Business Environment |
| | | ID.GV | Governance |
| | | ID.RA | Risk Assessment |
| | | ID.RM | Risk Management Strategy |
| | | ID.SC | Supply Chain Risk Management |
| PR | Protect | PR.AC | Identity Management and Access Control |
| | | PR.AT | Awareness & Training |
| | | PR.DS | Data Security |
| | | PR.IP | Information Protection Processes & Procedures |
| | | PR.MA | Maintenance |
| | | PR.PT | Protective Technology |
| DE | Detect | DE.AE | Anomalies & Events |
| | | DE.CM | Security Continuous Monitoring |
| | | DE.DP | Detection Processes |
| RS | Respond | RS.RP | Response Planning |
| | | RS.CO | Communications |
| | | RS.AN | Analysis |
| | | RS.MI | Mitigation |
| | | RS.IM | Improvements |
| RC | Recover | RC.RP | Recovery Planning |
| | | RC.IM | Improvements |
| | | RC.CO | Communications |

Category Unique Identifier subcategory references are detailed in Rules 60GG-2.002 through 60GG-2.006, F.A.C., and are used throughout the SFCS as applicable.
2. Define minimum management, operational, and technical security controls to be used by Agencies to secure IT resources.
3. Allow authorizing officials to employ compensating security controls or deviate from minimum standards when the Agency is unable to implement a security standard, or the standard is not cost-effective due to the specific nature of a system or its environment. The Agency shall document the reasons why the minimum standards cannot be satisfied and the Compensating Controls to be employed. After the Agency analyzes the issue and related risk, a compensating security control or deviation may be employed if the Agency documents the analysis and the risk steering workgroup, as outlined in subsection 60GG-2.002(5), F.A.C., accepts the associated risk. This documentation is exempt from section 119.07(1), F.S., pursuant to sections 282.318(4)(d) and (4)(e), F.S., and upon acceptance by the risk steering workgroup, shall be securely submitted to the Florida Digital Service (FL[DS]).
(c) The NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (April 2018), maintained at https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf, is hereby incorporated by reference into this rule: http://www.flrules.org/Gateway/reference.asp?No=Ref-14659.
(2) Definitions.
(a) This rule defines the following terms used in rule Chapter 60GG-2, F.A.C.:
1. Agency – shall have the same meaning as state agency, as provided in section 282.0041, F.S., except that, per section 282.318(2), F.S., the term also includes the Department of Legal Affairs, the Department of Agriculture and Consumer Services, and the Department of Financial Services.
2. Agency-owned (also Agency-managed) – any device, service, or technology owned, leased, or managed by the Agency for which an Agency, through ownership, configuration management, or contract, has established the right to manage security configurations, including provisioning, access control, and data management.
3. Authentication – a process of determining the validity of one or more credentials used to claim a digital identity.
4. Authentication protocol – a defined sequence of messages between a claimant and the relying party (RP) or credential service provider (CSP) that demonstrates that the claimant has control of a valid token to establish his or her identity.
5. Breach – means unauthorized access of data in electronic form containing personal information. Good faith access of personal information by an employee or agent of the entity which acquires, maintains, stores, or uses the data does not constitute a breach of security, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use.
6. Buyer – refers to the downstream people or organizations that consume a given product or service from an organization, including both for-profit and not-for-profit organizations.
7. Compensating Controls – a management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system.
8. Complex Password – a password sufficiently difficult to correctly guess, which enhances protection of data from unauthorized access. Complexity requires at least eight characters that are a combination of at least three of the following character types: uppercase letters, lowercase letters, numbers, and special characters (@, #, $, %, etc.).
9. Continuity of Operations Plan (COOP) – disaster-preparedness plan created pursuant to section 252.365(3), F.S.
10. Critical Infrastructure – systems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
11. Critical Process – a process that is susceptible to fraud, cyberattack, unauthorized activity, or disruption seriously impacting an Agency’s mission.
12. Customer – an entity in receipt of services or information rendered by an Agency. This term does not include state agencies with regard to information sharing activities.
13. Cybersecurity Event – a cybersecurity change that may have an impact on Agency operations (including mission, capabilities, or reputation).
14. Data-at-rest – stationary data which is stored physically in any digital form.
15. External Partners – non-agency entities doing business with an Agency, including other governmental entities, third parties, contractors, vendors, Suppliers, and partners. External Partners do not include customers.
16. Incident – means a violation or imminent Threat of violation, whether such a violation is accidental or deliberate, of information technology resources, security, policies, or practices. An imminent Threat of violation refers to a situation in which the state agency has a factual basis for believing that a specific incident is about to occur.
17. Industry Sector(s) – the following major program areas of state government: Health and Human Services, Education, Government Operations, Criminal and Civil Justice, Agriculture and Natural Resources, and Transportation and Economic Development.
18. Information Security Manager (ISM) – the person designated pursuant to section 282.318(4)(a), F.S.
19. Information System Owner – the Agency official responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system.
20. Information Technology Resources (IT Resources) – data processing hardware and software and services, communications, supplies, personnel, facility resources, maintenance, and training.
21. Legacy Applications – programs or applications inherited from languages, platforms, and techniques earlier than current technology. These applications may be at or near the end of their useful life but are still required to meet mission objectives or fulfill program area requirements.
22. Malware – means a computer program that is covertly or maliciously placed onto a computer or electronic device with the intent to compromise the confidentiality, integrity, or availability of data, applications, or operating systems.
23. Mobile Device – any computing device that can be conveniently relocated from one network to another.
24. Privileged User – a User that is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary Users are not authorized to perform.
25. Privileged Accounts – an information system account with the authorizations of a Privileged User.
26. Remote Access – access by Users (or information systems) communicating externally to an information security perimeter.
27. Risk Assessment – the process of identifying security risks, determining their magnitude, and identifying areas needing safeguards.
28. Separation of Duties – an internal control concept of having more than one person required to complete a Critical Process. This is an internal control intended to prevent fraud, abuse, and errors.
29. Stakeholder – a person, group, organization, or Agency involved in or affected by a course of action related to Agency-owned IT resources.
30. Supplier (commonly referred to as “Vendor”) – encompasses upstream product and service providers used for an organization’s internal purposes (e.g., IT infrastructure) or integrated into the products or services provided to the Buyer. These terms are applicable for both technology-based and non-technology-based products and services.
31. Threat – any circumstance or event that has the potential to adversely impact an Agency’s operations or assets through an information system via unauthorized access, destruction, disclosure, or modification of information or denial of service.
32. Token Control – the process of ensuring, through the use of a secure authentication protocol, that the token has remained in the control of, and is being presented by, the identity to which the token was issued, and has not been modified.
33. User – a Worker or non-worker who has been provided access to a system or data.
34. Workforce – employees, contractors, volunteers, trainees, and other persons whose conduct, in the performance of work for the Agency, is under the direct control of the Agency, whether or not they are paid by the Agency (see User; Worker).
35. Worker – a member of the Workforce. A Worker may or may not use IT Resources. This includes employees, contractors, volunteers, trainees, and other persons whose conduct, in the performance of work for the Agency, is under the direct control of the Agency, whether or not they are paid by the Agency.
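A check against the Complex Password definition (item 8 above), written here as an added example rather than text or code from the rule; it assumes that every printable non-alphanumeric ASCII character counts as a "special character", which the rule only illustrates with "@, #, $, %, etc.":

```python
import string

# Thresholds taken directly from the SFCS "Complex Password" definition.
MIN_LENGTH = 8
MIN_CLASSES = 3
CLASS_NAMES = {"upper", "lower", "number", "special"}


def character_classes(password: str) -> set:
    """Return the set of SFCS character types present in the password.

    Assumption (not stated by the rule): any printable non-alphanumeric
    ASCII character is treated as 'special'. Whitespace and non-ASCII
    characters count toward length but toward no character type.
    """
    present = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            present.add("upper")
        elif ch in string.ascii_lowercase:
            present.add("lower")
        elif ch in string.digits:
            present.add("number")
        elif ch in string.punctuation:
            present.add("special")
    return present


def complexity_findings(password: str) -> list:
    """List every way the password falls short of the definition (empty = compliant)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(
            f"length {len(password)} is below the minimum of {MIN_LENGTH}")
    present = character_classes(password)
    if len(present) < MIN_CLASSES:
        missing = ", ".join(sorted(CLASS_NAMES - present))
        findings.append(
            f"only {len(present)} of {MIN_CLASSES} required character types "
            f"present (missing: {missing})")
    return findings


def is_complex_password(password: str) -> bool:
    """True when the password meets the SFCS minimum for a Complex Password."""
    return not complexity_findings(password)


if __name__ == "__main__":
    # Constructed sample inputs, not values from the rule.
    for candidate in ["Passw0rd", "password", "Pa$sw0r", "Tr0ub4dor&3"]:
        print(candidate, complexity_findings(candidate) or "compliant")
```

This enforces only the rule's floor; NIST SP 800-63B advises verifiers to favor length and breached-password blocklists over composition rules, so agencies will usually layer those checks on top.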
(3) In accordance with section 282.318, F.S., each Agency must:
(a) Notify FL[DS] of all confirmed Threats, Incidents, or Breaches of state IT Resources.
(b) Ensure that the written specifications for cybersecurity requirements in solicitations, contracts, and service-level agreements for IT Resources and information technology services meet or exceed the applicable standards, guidelines, and best practices outlined in the National Institute of Standards and Technology Cybersecurity Framework.
(c) Submit the Agency’s strategic and operational cybersecurity plans to FL[DS] by July 31 each year. The Agency’s strategic and operational cybersecurity plans must be based on the statewide cybersecurity strategic plan created by FL[DS]. The Agency’s strategic and operational cybersecurity plans must:
1. Cover a 3-year period.
2. Define security goals, intermediate objectives, and projected Agency costs for the strategic issues of Agency information security policy, risk management, security training, security Incident response, and disaster recovery.
3. Include performance metrics that can be objectively measured to reflect the status of the Agency’s progress in meeting security goals and objectives identified in the Agency’s strategic information security plan.
4. Include a progress report and a project plan.
a. The progress report must measure the Agency’s progress made towards the Agency’s prior strategic and operational cybersecurity plan.
b. The project plan must include activities, timelines, and deliverables for security objectives that the Agency will implement during the current fiscal year.
5. Include an assessment that documents the gaps between requirements of this rule and current Agency controls.
(d) Conduct a comprehensive Risk Assessment every 3 years and in accordance with subsection 60GG-2.002(4), F.A.C.
Rulemaking Authority 282.318(11) FS. Law Implemented 282.0041, 282.318(3) FS. History–New 3-10-16, Amended 1-2-19, Formerly 74-2.001, Amended 9-18-22.