(2) Definitions.
(a) This rule defines the following terms used in rule Chapter 60GG-2, F.A.C.:
1. Agency - shall have the same meaning as state agency, as provided in section 282.0041, F.S., except that, per section 282.318(2), F.S., the term also includes the Department of Legal Affairs, the Department of Agriculture and Consumer Services, and the Department of Financial Services.
2. Agency-owned (also Agency-managed) - any device, service, or technology owned, leased, or managed by the Agency for which an Agency through ownership, configuration management, or contract has established the right to manage security configurations, including provisioning, access control, and data management.
3. Authentication - a process of determining the validity of one or more credentials used to claim a digital identity.
4. Authentication protocol - a defined sequence of messages between a claimant and the relying parties (RP) or credential service provider (CSP) that demonstrate that the claimant has control of a valid token to establish his or her identity.
5. Breach - means unauthorized access of data in electronic form containing personal information. Good faith access of personal information by an employee or agent of the entity which acquires, maintains, stores, or uses the data does not constitute a breach of security, provided that the information is not used for a purpose unrelated to the business or subject to further unauthorized use.
6. Buyer - refers to the downstream people or organizations that consume a given product or service from an organization, including both for-profit and not-for-profit organizations.
7. Compensating Controls - a management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system.
8. Complex Password - a password sufficiently difficult to correctly guess, which enhances protection of data from unauthorized access. Complexity requires at least eight characters that are a combination of at least three of the following character types: uppercase letters, lowercase letters, numbers, and special characters (@, #, $, %, etc.).
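As an added example (not part of the rule text), the following Python check applies the Complex Password definition above to candidate passwords and reports why a candidate fails. Because the rule lists only "@, #, $, %, etc." for special characters, treating every printable, non-space, non-alphanumeric character as "special" is an assumption made here, as are the constructed sample passwords.

```python
# Checks candidate passwords against the 60GG-2 "Complex Password" definition:
# at least eight characters drawn from at least three of four character types.
MIN_LENGTH = 8
MIN_CLASSES = 3


def character_classes(password: str) -> set[str]:
    """Return the set of character types present in the password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("uppercase")
        elif ch.islower():
            classes.add("lowercase")
        elif ch.isdigit():
            classes.add("number")
        elif ch.isprintable() and not ch.isspace():
            # Assumption: any other printable, non-space character counts as
            # one of the rule's "special characters (@, #, $, %, etc.)".
            classes.add("special")
        # Whitespace counts toward length but toward no character type.
    return classes


def failure_reasons(password: str) -> list[str]:
    """Return the reasons a password fails the definition; empty if it passes."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"length {len(password)} is below {MIN_LENGTH}")
    found = character_classes(password)
    if len(found) < MIN_CLASSES:
        reasons.append(
            f"only {len(found)} of {MIN_CLASSES} required character types: "
            f"{sorted(found)}"
        )
    return reasons


def is_complex(password: str) -> bool:
    """True when the password satisfies the 60GG-2 complexity definition."""
    return not failure_reasons(password)


# Constructed sample candidates; none are real credentials.
SAMPLE_PASSWORDS = ("Passw0rd", "password", "Pa$5w0r", "abc123$%", "ALLCAPS99")


def check_samples() -> dict[str, list[str]]:
    """Map each sample password to its list of failure reasons."""
    return {pw: failure_reasons(pw) for pw in SAMPLE_PASSWORDS}
```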
9. Continuity of Operations Plan (COOP) - disaster-preparedness plan created pursuant to section 252.365(3), F.S.
10. Critical Infrastructure - systems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
11. Critical Process - a process that is susceptible to fraud, cyberattack, unauthorized activity, or disruption seriously impacting an Agency's mission.
12. Customer - an entity in receipt of services or information rendered by an Agency. This term does not include state agencies with regard to information sharing activities.
13. Cybersecurity Event - a cybersecurity change that may have an impact on Agency operations (including mission, capabilities, or reputation).
14. Data-at-rest - stationary data which is stored physically in any digital form.
15. External Partners - non-agency entities doing business with an Agency, including other governmental entities, third parties, contractors, vendors, Suppliers, and partners. External Partners do not include customers.
16. Incident - means a violation or imminent Threat of violation, whether such a violation is accidental or deliberate, of information technology resources, security, policies, or practices. An imminent Threat of violation refers to a situation in which the state agency has a factual basis for believing that a specific incident is about to occur.
17. Industry Sector(s) - the following major program areas of state government: Health and Human Services, Education, Government Operations, Criminal and Civil Justice, Agriculture and Natural Resources, and Transportation and Economic Development.
18. Information Security Manager (ISM) - the person designated pursuant to section 282.318(4)(a), F.S.
19. Information System Owner - the Agency official responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system.
20. Information Technology Resources (IT Resources) - data processing hardware and software and services, communications, supplies, personnel, facility resources, maintenance, and training.
21. Legacy Applications - programs or applications inherited from languages, platforms, and techniques earlier than current technology. These applications may be at or near the end of their useful life but are still required to meet mission objectives or fulfill program area requirements.
22. Malware - means a computer program that is covertly or maliciously placed onto a computer or electronic device with the intent to compromise the confidentiality, integrity, or availability of data, applications, or operating systems.
23. Mobile Device - any computing device that can be conveniently relocated from one network to another.
24. Privileged User - a User that is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary Users are not authorized to perform.
25. Privileged Accounts - an information system account with authorizations of a Privileged User.
26. Remote Access - access by Users (or information systems) communicating externally to an information security perimeter.
27. Risk Assessment - the process of identifying security risks, determining their magnitude, and identifying areas needing safeguards.
28. Separation of Duties - an internal control concept of having more than one person required to complete a Critical Process. This is an internal control intended to prevent fraud, abuse, and errors.
29. Stakeholder - a person, group, organization, or Agency involved in or affected by a course of action related to Agency-owned IT resources.
30. Supplier (commonly referred to as "Vendor") - encompasses upstream product and service providers used for an organization's internal purposes (e.g., IT infrastructure) or integrated into the products or services provided to the Buyer. These terms are applicable for both technology-based and non-technology-based products and services.
31. Threat - any circumstance or event that has the potential to adversely impact an Agency's operations or assets through an information system via unauthorized access, destruction, disclosure, or modification of information or denial of service.
32. Token Control - the process of ensuring, through the use of a secure authentication protocol, that the token has remained in control of and is being presented by the identity that the token was issued to and has not been modified.
33. User - a Worker or non-worker who has been provided access to a system or data.
34. Workforce - employees, contractors, volunteers, trainees, and other persons whose conduct, in the performance of work for the Agency, is under the direct control of the Agency, whether or not they are paid by the Agency (see User; Worker).
35. Worker - a member of the Workforce. A Worker may or may not use IT Resources. This includes employees, contractors, volunteers, trainees, and other persons whose conduct, in the performance of work for the Agency, is under the direct control of the Agency, whether or not they are paid by the Agency.