(1) Purpose and Applicability.
    (a) Rules 60GG-2.001 through 60GG-2.006, F.A.C., will be known as the State of Florida Cybersecurity Standards (SFCS).
    (b) These rules establish cybersecurity standards for information technology (IT) resources. Agencies must comply with these standards in the management and operation of state IT resources. This rule is modeled after the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, and the Federal Information Security Management Act of 2002 (44 U.S.C. § 3541, et seq.). For the convenience of the reader cross-references to these documents and Special Publications issued by the NIST are provided throughout the SFCS as they may be helpful to Agencies when drafting their cybersecurity procedures. For procurement of IT commodities and services, the commodity or service must comply with the NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (April 2018). The SFCS:
    1. Establish minimum standards to be used by Agencies to secure IT resources. The SFCS consists of five high-level functions: Identify, Protect, Detect, Respond, and Recover. These functions support lifecycle management of IT risk. The functions identify underlying key categories and subcategories for each function. Subcategories contain specific IT controls. The SFCS are visually represented as follows:
Function Unique Identifier
Function
Category Unique Identifier
Category
ID
Identify
    ID.AM
Asset Management

    ID.BE
Business Environment

    ID.GV
Governance

    ID.RA
Risk Assessment

    ID.RM
Risk Management Strategy

    ID.SC
Supply Chain Risk Management
PR
Protect
    PR.AC
Identity Management and Access Control

    PR.AT
Awareness & Training

    PR.DS
Data Security

    PR.IP
Information Protection Processes & Procedures

    PR.MA
Maintenance

    PR.PT
Protective Technology
DE
Detect
    DE.AE
Anomalies & Events

    DE.CM
Security Continuous Monitoring

    DE.DP
Detection Processes
RS
Respond
    RS.RP
Response Planning

    RS.CO
Communications

    RS.AN
Analysis

    RS.MI
Mitigation

    RS.IM
Improvements
RC
Recover
    RC.RP
Recovery Planning

    RC.IM
Improvements

    RC.CO
Communications
Category Unique Identifier subcategory references are detailed in Rules 60GG-2.002 — 60GG-2.006, F.A.C., and are used throughout the SFCS as applicable.
    2. Define minimum management, operational, and technical security controls to be used by Agencies to secure IT resources.
    3. Allow authorizing officials to employ compensating security controls or deviate from minimum standards when the Agency is unable to implement a security standard, or the standard is not cost-effective due to the specific nature of a system or its environment. The Agency shall document the reasons why the minimum standards cannot be satisfied and the Compensating Controls to be employed. After the Agency analyzes the issue and related risk, a compensating security control or deviation may be employed if the Agency documents the analysis and risk steering workgroup, as outlined in subsection 60GG-2.002(5), F.A.C., accepts the associated risk. This documentation is exempt from Florida Statutes § 119.07(1), pursuant to sections 282.318 (4)(d), and (4)(e), F.S., and upon acceptance by the risk steering workgroup, shall be securely submitted to the Florida Digital Service (FL[DS]).
    (c) The NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (April 2018), maintained at: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf, is hereby incorporated by reference into this rule: http://www.flrules.org/Gateway/reference.asp?No=Ref-14659.
    (2) Definitions.
    (a) This rule defines the following terms used in rule Fl. Admin. Code Chapter 60GG-2:
    1. Agency – shall have the same meaning as state agency, as provided in Florida Statutes § 282.0041, except that, per Florida Statutes § 282.318(2), the term also includes the Department of Legal Affairs, the Department of Agriculture and Consumer Services, and the Department of Financial Services.
    2. Agency-owned (also Agency-managed) – any device, service, or technology owned, leased, or managed by the Agency for which an Agency through ownership, configuration management, or contract has established the right to manage security configurations, including provisioning, access control, and data management.
    3. Authentication – A process of determining the validity of one or more credentials used to claim as digital identity.
    4. Authentication protocol – a defined sequence of messages between a claimant and the relying parties (RP) or credential service provider (CSP) that demonstrate that the claimant has control of a valid token to establish his or her identity.
    5. Breach – means unauthorized access of data in electronic form containing personal information. Good faith access of personal information by an employee or agent of the entity which acquires, maintains, stores, or uses the data does not constitute a breach of security, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use.
    6. Buyer – refers to the downstream people or organizations that consume a given product or service from an organization, including both for-profit and not-for-profit organizations.
    7. Compensating Controls – a management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system.
    8. Complex Password – a password sufficiently difficult to correctly guess, which enhances protection of data from unauthorized access. Complexity requires at least eight characters that are a combination of at least three of the following character types: uppercase letters, lowercase letters, numbers, and special characters (@, #, $, %, etc.).
    9. Continuity of Operations Plan (COOP) – disaster-preparedness plan created pursuant to Florida Statutes § 252.365(3)
    10. Critical Infrastructure – systems and assets, whether physical or virtual so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
    11. Critical Process – a process that is susceptible to fraud, cyberattack, unauthorized activity, or disruption seriously impacting an Agency’s mission.
    12. Customer – an entity in receipt of services or information rendered by an Agency. This term does not include state agencies with regard to information sharing activities.
    13. Cybersecurity Event – a cybersecurity change that may have an impact on Agency operations (including mission, capabilities, or reputation).
    14. Data-at-rest – stationary data which is stored physically in any digital form.
    15. External Partners – non-agency entities doing business with an Agency, including other governmental entities, third parties, contractors, vendors, Suppliers, and partners. External Partners do not include customers.
    16. Incident – means a violation or imminent Threat of violation, whether such a violation is accidental or deliberate, of information technology resources, security, policies, or practices. An imminent Threat of violation refers to a situation in which the state agency has a factual basis for believing that a specific incident is about to occur.
    17. Industry Sector(s) – the following major program areas of state government: Health and Human Services, Education, Government Operations, Criminal and Civil Justice, Agriculture and Natural Resources, and Transportation and Economic Development.
    18. Information Security Manager (ISM) – the person designated pursuant to section 282.318(4)(a), F.S.
    19. Information System Owner – the Agency official responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system.
    20. Information Technology Resources (IT Resources) – data processing hardware and software and services, communications, supplies, personnel, facility resources, maintenance, and training.
    21. Legacy Applications – programs or applications inherited from languages, platforms, and techniques earlier than current technology. These applications may be at or near the end of their useful life but are still required to meet mission objectives or fulfill program area requirements.
    22. Malware – means a computer program that is covertly or maliciously placed onto a computer or electronic device with the intent to compromise the confidentiality, integrity, or availability of data applications or operating systems.
    23. Mobile Device – any computing device that can be conveniently relocated from one network to another.
    24. Privileged User – a User that is authorized (and, therefore trusted) to perform security-relevant functions that ordinary Users are not authorized to perform.
    25. Privileged Accounts – an information system account with authorizations of a Privileged User.
    26. Remote Access – access by Users (or information systems) communicating externally to an information security perimeter.
    27. Risk Assessment – the process of identifying security risks, determining their magnitude, and identifying areas needing safeguards.
    28. Separation of Duties – an internal control concept of having more than one person required to complete a Critical Process. This is an internal control intended to prevent fraud, abuse, and errors.
    29. Stakeholder – a person, group, organization, or Agency involved in or affected by a course of action related to Agency-owned IT resources.
    30. Supplier (commonly referred to as “”Vendor””) – encompasses upstream product and service providers used for an organization’s internal purposes (e.g., IT infrastructure) or integrated into the products or services provided to the Buyer. These terms are applicable for both technology-based and non-technology-based products and services.
    31. Threat – any circumstance or event that has the potential to adversely impact an Agency’s operations or assets through an information system via unauthorized access, destruction, disclosure, or modification of information or denial of service.
    32. Token Control – the process of ensuring, through the use of a secure authentication protocol, that the token has remained in control of and is being presented by the identity that the token was issued to and has not been modified.
    33. User – a Worker or non-worker who has been provided access to a system or data.
    34. Workforce – employees, contractors, volunteers, trainees, and other persons whose conduct, in the performance of work for the Agency, is under the direct control of the Agency, whether or not they are paid by the Agency (see User; Worker).
    35. Worker – a member of the Workforce. A Worker may or may not use IT Resources. This includes employees, contractors, volunteers, trainees, and other persons whose conduct, in the performance of work for the Agency, is under the direct control of the Agency, whether or not they are paid by the Agency.
    (3) In accordance with Florida Statutes § 282.318, each Agency must:
    (a) Notify FL[DS] of all confirmed Threats, Incidents, or Breaches of state IT Resources.
    (b) Ensure that the written specifications for cybersecurity requirements in solicitations, contracts, and service-level agreements for IT Resources and information technology services meet or exceed the applicable standards, guidelines, and best practices outlined in the National Institute of Standards and Technology Cybersecurity Framework.
    (c) Submit the Agency’s strategic and operational cybersecurity plans to FL[DS] by July 31 each year. The Agency’s strategic and operational cybersecurity plans must be based on the statewide cybersecurity strategic plan created by FL[DS]. The Agency’s strategic and operational cybersecurity plans must:
    1. Cover a 3-year period.
    2. Define security goals, intermediate objectives, and projected Agency costs for the strategic issues of Agency information security policy, risk management, security training, security Incident response, and disaster recovery.
    3. Include performance metrics that can be objectively measured to reflect the status of the Agency’s progress in meeting security goals and objectives identified in the Agency’s strategic information security plan.
    4. Include a progress report and a project plan.
    a. The progress report must measure the Agency’s progress made towards the Agency’s prior strategic and operational cybersecurity plan.
    b. The project plan must include activities, timelines, and deliverables for security objectives that the Agency will implement during the current fiscal year.
    5. Include an assessment that documents the gaps between requirements of this rule and current Agency controls.
    (d) Conduct a comprehensive Risk Assessment every 3 years and in accordance with subsection 60GG-2.002(4), F.A.C.
Rulemaking Authority Florida Statutes § 282.318(11). Law Implemented 282.0041, 282.318(3) FS. History—New 3-10-16, Amended 1-2-19, Formerly 74-2.001, Amended 9-18-22.