(1) The state agency will document a risk mitigation strategy including but not limited to an exit strategy specific to application criticality and business continuity needs.
    (2) The state agency will ensure that the documented risk mitigation strategy is supported by the contract with the cloud service provider.
    (3) The state agency will identify and document all current security rules (to include Fl. Admin. Code Chapter 60GG-2, Information Technology Security) and applicable standards that apply to state agency applications regardless of hosting infrastructure. The state agency will base the data classification on the Federal Information Processing Standards (FIPS) Publication No. 199. (February 2004), which is hereby incorporated into this rule by reference and may be found at: http://flrules.org/Gateway/reference.asp?No=Ref-11363.
    (4) The state agency will develop a security plan that documents compliance with applicable data classification requirements.
    (5) The state agency will conduct and document a security assessment for the implementation of each cloud service, which will contain data classified as moderate or higher based on the data classification of FIPS Publication No. 199, and consider the potential risk of breach of data deployed in the cloud. This assessment may be performed by a third party (to include a government entity).
    (6) To prevent Internet Protocol (IP) routing conflicts, state agencies will consult with the Florida Digital Service (FDS) prior to the use of cloud-based services where DMS allocated IP addresses (including RFC1918 IP addresses) will be assigned to cloud-based resources that have State Data Center (SDC) or state intranet connectivity requirements. The state agency will document such consultation in writing.
Rulemaking Authority Florida Statutes § 282.0051(6). Law Implemented Florida Statutes § 282.0051. History—New 1-9-20.