Current through Reg. 50, No. 187; September 24, 2024
The protect function of the SFCS is visually represented as such:

Function | Category | Subcategory
Protect (PR) | Identity Management, Authentication, and Access Control (AC) | PR.AC-1: Issue, manage, verify, revoke, and audit identities and credentials for authorized devices, processes, and Users
Protect (PR) | Identity Management, Authentication, and Access Control (AC) | PR.AC-2: Manage and protect physical access to assets
Protect (PR) | Identity Management, Authentication, and Access Control (AC) | PR.AC-3: Manage Remote Access
Protect (PR) | Identity Management, Authentication, and Access Control (AC) | PR.AC-4: Manage access permissions and authorizations, incorporating the principles of least privilege and Separation of Duties
Protect (PR) | Identity Management, Authentication, and Access Control (AC) | PR.AC-5: Protect network integrity by incorporating network segregation and segmentation where appropriate
Protect (PR) | Identity Management, Authentication, and Access Control (AC) | PR.AC-6: Proof and bond identities to credentials, asserting in interactions when appropriate (see Token Control definition)
Protect (PR) | Identity Management, Authentication, and Access Control (AC) | PR.AC-7: Authenticate credentials assigned to Users, devices, and other assets commensurate with the risk of the transaction
Protect (PR) | Awareness and Training (AT) | PR.AT-1: Inform and train all Users
Protect (PR) | Awareness and Training (AT) | PR.AT-2: Ensure that Privileged Users understand roles and responsibilities
Protect (PR) | Awareness and Training (AT) | PR.AT-3: Ensure that third-party Stakeholders understand roles and responsibilities
Protect (PR) | Awareness and Training (AT) | PR.AT-4: Ensure that senior executives understand roles and responsibilities
Protect (PR) | Awareness and Training (AT) | PR.AT-5: Ensure that physical and cybersecurity personnel understand their roles and responsibilities
Protect (PR) | Data Security (DS) | PR.DS-1: Protect Data-at-rest
Protect (PR) | Data Security (DS) | PR.DS-2: Protect data-in-transit
Protect (PR) | Data Security (DS) | PR.DS-3: Formally manage assets throughout removal, transfers, and disposition
Protect (PR) | Data Security (DS) | PR.DS-4: Ensure that adequate capacity is maintained to support availability needs
Protect (PR) | Data Security (DS) | PR.DS-5: Implement data leak protection measures
Protect (PR) | Data Security (DS) | PR.DS-6: Use integrity checking mechanisms to verify software, firmware, and information integrity
Protect (PR) | Data Security (DS) | PR.DS-7: Logically or physically separate the development and testing environment(s) from the production environment
Protect (PR) | Data Security (DS) | PR.DS-8: Use integrity checking mechanisms to verify hardware integrity
Protect (PR) | Information Protection Processes and Procedures | PR.IP-1: Create and maintain a baseline configuration that incorporates all security principles for information technology/industrial control systems
Protect (PR) | Information Protection Processes and Procedures | PR.IP-2: Implement a System Development Life Cycle (SDLC) to manage systems
Protect (PR) | Information Protection Processes and Procedures | PR.IP-3: Establish configuration change control processes
Protect (PR) | Information Protection Processes and Procedures | PR.IP-4: Conduct, maintain, and test backups of information
Protect (PR) | Information Protection Processes and Procedures | PR.IP-5: Meet policy and regulatory requirements that are relevant to the physical operating environment for organizational assets
Protect (PR) | Information Protection Processes and Procedures | PR.IP-6: Destroy data according to policy
Protect (PR) | Information Protection Processes and Procedures | PR.IP-7: Continuously improve protection processes
Protect (PR) | Information Protection Processes and Procedures | PR.IP-8: Share effectiveness of protection technologies with Stakeholders that should or must receive this information
Protect (PR) | Information Protection Processes and Procedures | PR.IP-9: Establish and manage response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery)
Protect (PR) | Information Protection Processes and Procedures | PR.IP-10: Test response and recovery plans
Protect (PR) | Information Protection Processes and Procedures | PR.IP-11: Include cybersecurity in human resources practices (e.g., deprovisioning, personnel screening)
Protect (PR) | Information Protection Processes and Procedures | PR.IP-12: Develop and implement a vulnerability management plan
Protect (PR) | Maintenance (MA) | PR.MA-1: Perform and log maintenance and repair of organizational assets, with approved and controlled tools
Protect (PR) | Maintenance (MA) | PR.MA-2: Approve, log, and perform remote maintenance of Agency assets in a manner that prevents unauthorized access
Protect (PR) | Protective Technology (PT) | PR.PT-1: Determine, document, implement, and review audit/log records in accordance with policy
Protect (PR) | Protective Technology (PT) | PR.PT-2: Protect and restrict Removable Media usage according to policy
Protect (PR) | Protective Technology (PT) | PR.PT-3: Incorporate the principle of least functionality by configuring systems to provide only essential capabilities
Protect (PR) | Protective Technology (PT) | PR.PT-4: Protect communications and control networks
Protect (PR) | Protective Technology (PT) | PR.PT-5: Implement mechanisms (e.g., failsafe, load balancing, hot swap) to achieve resilience requirements in normal and adverse situations
(1) Access Control. Each Agency shall ensure that access to IT Resources is limited to authorized Users, processes, or devices, and to authorized activities and transactions. Specifically:
(a) Each Agency shall manage identities and credentials for authorized devices and Users (PR.AC-1). Control measures shall, at a minimum, include authentication token(s) unique to the individual. Agencies shall:
1. Require that all Agency-owned or approved computing devices, including Mobile Devices, use unique User Authentication.
2. Require Users to log off or lock their workstations prior to leaving the work area.
3. Require inactivity timeouts that log off or lock workstations or sessions.
4. Locked workstations or sessions must be locked in a way that requires User Authentication with authentication token(s) unique to the individual User to disengage.
5. When passwords are used as the sole authentication token, require Users to use Complex Passwords.
6. Address responsibilities of information stewards, which include administering access to systems and data based on the documented authorizations and facilitating periodic review of access rights with information owners. Frequency of reviews shall be based on system categorization or assessed risk.
7. Establish access disablement and notification timeframes for Worker separations. The Agency will identify the appropriate person in the IT unit to receive notification. Notification timeframes shall consider risks associated with system access post-separation.
8. Ensure IT access is removed when the IT Resource is no longer required.
9. Require multi-factor authentication (MFA) for access to networks or applications that have a categorization of moderate or high, or that contain exempt, or confidential and exempt, information. This excludes externally hosted systems designed to deliver services to Agency Customers where the Agency documents the analysis and the risk steering workgroup accepts the associated risk.
10. Require MFA for access to Privileged Accounts.
(b) Each Agency shall manage and protect physical access to assets (PR.AC-2). In doing so, Agency security procedures or controls shall:
1. Address protection of IT Resources from environmental hazards (e.g., temperature, humidity, air movement, dust, and faulty power) in accordance with manufacturer specifications.
2. Implement procedures to manage physical access to IT facilities and/or equipment.
3. Identify physical controls that are appropriate for the size and criticality of the IT Resources.
4. Specify that physical access to information resource facilities and/or equipment is restricted to authorized personnel.
5. Detail visitor access protocols, including recordation procedures, and in locations housing systems categorized as moderate-impact or high-impact, require that visitors be supervised by authorized personnel.
6. Address how the Agency will protect network integrity by incorporating network segregation.
(c) Each Agency shall manage Remote Access (PR.AC-3). In doing so, Agencies shall:
1. Address how the Agency will securely manage and document Remote Access.
2. Specify that only secure, Agency-managed Remote Access methods may be used to remotely connect computing devices to the Agency internal network.
3. For systems containing exempt, or confidential and exempt, data, ensure written agreements and procedures are in place to ensure security for sharing, handling or storing confidential data with entities outside the Agency.
(d) Each Agency shall ensure that access permissions and authorizations are managed, incorporating the principles of least privilege and Separation of Duties (PR.AC-4). In doing so, Agencies shall:
1. Execute interconnection security agreements to authorize, document, and support continual management of inter-agency connected systems.
2. Manage access permissions by incorporating the principles of "least privilege" and "Separation of Duties."
3. Specify that all Workers be granted access to Agency IT Resources based on the principles of "least privilege" and "need to know determination."
4. Specify that system administrators restrict and tightly control the use of system development utility programs that may be capable of overriding system and application controls.
(e) Each Agency shall ensure that network integrity is protected, incorporating network segregation and segmentation where appropriate (PR.AC-5).
(f) Proof and bond identities to credentials and assert in interactions when appropriate (PR.AC-6).
(g) Authenticate Users, devices, and other assets commensurate with the risk of the transaction (PR.AC-7).
(2) Awareness and Training. Agencies shall provide all their Workers cybersecurity awareness education and training so as to ensure they perform their cybersecurity-related duties and responsibilities consistent with Agency policies and procedures. In doing so, each Agency shall:
(a) Inform and train all Workers (PR.AT-1).
(b) Ensure that Privileged Users understand their roles and responsibilities (PR.AT-2).
(c) Ensure that third-party Stakeholders understand their roles and responsibilities (PR.AT-3).
(d) Ensure that senior executives understand their roles and responsibilities (PR.AT-4).
(e) Ensure that physical and cybersecurity personnel understand their roles and responsibilities (PR.AT-5).
(3) For each of the above subsections the following shall also be addressed:
(a) Appoint a Worker to coordinate the Agency information security awareness program. If an IT security Worker does not coordinate the security awareness program, they shall be consulted for content development purposes. Agencies will ensure that all Workers (including volunteer workers) are clearly notified of applicable obligations, established via Agency policies, to maintain compliance with such controls.
(b) Establish a program that includes, at a minimum, annual security awareness training and on-going education and reinforcement of security practices.
(c) Provide training to Workers within 30 days of start date.
(d) Include security policy adherence expectations for the following, at a minimum: disciplinary procedures and implications, acceptable use restrictions, data handling (procedures for handling exempt and confidential and exempt information), telework and Cybersecurity Incident reporting procedures. Incident reporting procedures shall:
1. Establish requirements for Workers to immediately report loss of Mobile Devices, security tokens, smart cards, identification badges, or other devices used for identification and Authentication purposes according to Agency reporting procedures.
(e) Where technology permits, provide training prior to system access. For specialized Agency Workers (e.g., law enforcement officers) who are required to receive extended off-site training prior to reporting to their permanent duty stations, initial security awareness training shall be provided within 30 days of the date they report to their permanent duty station.
(f) Require, prior to access, that Workers verify in writing that they will comply with Agency IT security policies and procedures.
(g) Document parameters that govern personal use of Agency IT Resources and define what constitutes personal use. Personal use, if allowed by the Agency, shall not interfere with the normal performance of any Worker's duties, or consume significant or unreasonable amounts of state IT Resources (e.g., bandwidth, storage).
(h) Inform Workers of what constitutes inappropriate use of IT Resources. Inappropriate use shall include, but may not be limited to, the following:
1. Distribution of Malware.
2. Disablement or circumvention of security controls.
3. Forging headers.
4. Political campaigning or unauthorized fundraising.
5. Use for personal profit, benefit or gain.
6. Offensive, indecent, or obscene access or activities, unless required by job duties.
7. Harassing, threatening, or abusive activity.
8. Any activity that leads to performance degradation.
9. Auto-forwarding to external email addresses.
10. Unauthorized, non-work-related access to: chat rooms, political groups, singles clubs or dating services; peer-to-peer file sharing; material relating to gambling, weapons, illegal drugs, illegal drug paraphernalia, hate-speech, or violence; hacker web-site/software; and pornography and sites containing obscene materials.
(4) Data Security. Each Agency shall manage and protect records and data, including Data-at-rest, consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information. Agencies shall establish procedures, and develop and maintain Agency cryptographic implementations. Key management processes and procedures for cryptographic keys used for encryption of data will be fully documented and will cover key generation, distribution, storage, periodic changes, compromised key processes, and prevention of unauthorized substitution. Also, key management processes must be in place and verified prior to encrypting data at rest, to prevent data loss and support availability. In protecting data security, Agencies shall:
(a) Protect Data-at-rest by establishing (PR.DS-1):
1. Procedures that ensure only Agency-owned or approved IT Resources are used to store confidential or exempt information.
2. Procedures that ensure Agency-owned or approved portable IT Resources containing confidential or mission critical data are encrypted.
3. Procedures that ensure Agency-owned or approved portable IT Resources that connect to the Agency internal network use Agency-managed security software.
4. Inform Users not to store unique copies of Agency data on workstations or Mobile Devices.
(b) Protect data-in-transit (PR.DS-2). Each Agency shall:
1. Encrypt confidential and exempt information during transmission, except when the transport medium is owned or managed by the Agency and controls are in place to protect the data during transit.
2. Ensure that wireless transmissions of Agency data employ cryptography for Authentication and transmission.
3. Make passwords unreadable during transmission and storage.
4. Encrypt mobile IT Resources that store, process, or transmit exempt, or confidential and exempt, Agency data.
(c) Formally manage assets throughout removal, transfer, and disposition (PR.DS-3).
1. Ensure any records stored on storage media to be disposed of or released for reuse are sanitized or destroyed in accordance with organization-developed procedures and the State of Florida General Records Schedule GS1-SL for State and Local Government Agencies.
2. Destruction of confidential or exempt information shall be conducted such that the information is rendered unusable, unreadable, and indecipherable and not subject to retrieval or reconstruction.
3. Document procedures for sanitization of Agency-owned IT Resources prior to reassignment or disposal.
4. Equipment sanitization shall be performed such that confidential or exempt information is rendered unusable, unreadable, and indecipherable and not subject to retrieval or reconstruction. File deletion and media formatting are not acceptable methods of sanitization. Acceptable methods of sanitization include using software to overwrite data on computer media, degaussing, or physically destroying media.
(d) Maintain adequate capacity to ensure system availability and data integrity (PR.DS-4).
1. Ensure adequate audit/log capacity.
2. Protect against or limit the effects of denial of service attacks.
(e) Implement protections against data leaks or unauthorized data disclosures by establishing policies and procedures that address (PR.DS-5):
1. Appropriate handling and protection of exempt, and confidential and exempt, information. Policies shall be reviewed and acknowledged by all Workers.
2. Retention and destruction of confidential and exempt information in accordance with the records retention requirements as provided in the State of Florida General Records Schedule GS1-SL for State and Local Government Agencies.
3. Access agreements for Agency information systems.
4. Boundary protection.
5. Transmission confidentiality and integrity.
(f) Employ integrity checking mechanisms to verify software, firmware, and information integrity (PR.DS-6).
1. Application controls shall be established to ensure the accuracy and completeness of data, including validation and integrity checks, to detect data corruption that may occur through processing errors or deliberate actions.
(g) Physically or logically separate development and testing environment(s) from the production environment and ensure that production exempt, or confidential and exempt, data is not used for development where technology permits. Production exempt, or confidential and exempt, data may be used for testing if the data owner authorizes the use and regulatory prohibitions do not exist; the test environment limits access and access is audited; and production exempt, and confidential and exempt, data is removed from the system when testing is completed. Data owner authorization shall be managed via technical means, to the extent practical (PR.DS-7).
(h) Use integrity checking mechanisms to verify hardware integrity (PR.DS-8). In doing so, Agencies shall establish processes to protect against and/or detect unauthorized changes to hardware used to support systems with a categorization of high-impact.
(5) Information Protection Processes and Procedures. Each Agency shall ensure that security policies, processes and procedures are maintained and used to manage protection of information systems and assets. Such policies, processes and procedures shall:
(a) Include a current baseline configuration of information systems which incorporates security principles (PR.IP-1). Baselines shall:
1. Specify standard hardware and secure standard configurations.
2. Include documented firewall and router configuration standards, and include a current network diagram.
3. Require that vendor default settings posing security risks are changed or disabled for Agency-owned or managed IT Resources, including encryption keys, accounts, passwords, and SNMP (Simple Network Management Protocol) community strings, and ensure device security settings are enabled where appropriate.
4. Allow only Agency-approved software to be installed on Agency-owned IT Resources.
(b) Establish a System Development Life Cycle (SDLC) to manage system implementation and maintenance (PR.IP-2). In doing so, Agencies shall:
1. Develop and implement processes that include reviews of security requirements and controls to ascertain effectiveness and appropriateness relative to new technologies and applicable state and federal regulations.
2. Ensure security reviews are approved by the ISM and Chief Information Officer (or designee) before new or modified applications or technologies are moved into production. For IT Resources housed in a state data center, the security review shall also be approved by the data center before the new or modified applications or technologies are moved into production.
3. The application development team at each Agency shall implement appropriate security controls to minimize risks to Agency IT Resources and meet the security requirements of the application owner. Agencies will identify in their policies, processes and procedures the security coding guidelines the Agency will follow when obtaining, purchasing, leasing or developing software.
4. Where technology permits, the Agency shall ensure anti-Malware software is maintained on Agency IT Resources.
(c) Establish a configuration change control process to manage upgrades and modifications to existing IT Resources (PR.IP-3). In doing so, Agencies shall:
1. Determine types of changes that are configuration-controlled (e.g., emergency patches, releases, and other out-of-band security packages).
2. Develop a process to review and approve or disapprove proposed changes based on a security impact analysis (e.g., implementation is commensurate with the risk associated with the weakness or vulnerability).
3. Develop a process to document change decisions.
4. Develop a process to implement approved changes and review implemented changes.
5. Develop an oversight capability for change control activities.
6. Develop procedures to ensure security requirements are incorporated into the change control process.
(d) Ensure backups of information are conducted, maintained, and tested (PR.IP-4).
(e) Establish policy and regulatory expectations for protection of the physical operating environment for Agency-owned or managed IT Resources (PR.IP-5).
(f) Manage and dispose of records/data in accordance with the records retention requirements as provided in the State of Florida General Records Schedule GS1-SL for State and Local Government Agencies (PR.IP-6).
(g) Establish a policy and procedure review process that facilitates continuous improvement to protection processes (PR.IP-7). Each Agency shall:
1. Ensure system security control selection occurs during the beginning of the SDLC and is documented in final design documentation.
2. Ensure system security plans document controls necessary to protect production data in the production environment and copies of production data used in non-production environments.
3. Ensure system security plans are confidential per section 282.318, F.S., and are available to the Agency ISM.
4. Require that each Agency application or system with a categorization of moderate-impact or higher have a documented system security plan (SSP). For existing production systems that lack an SSP, a Risk Assessment shall be performed to determine prioritization of subsequent documentation efforts. The SSP shall include provisions that:
(I) Align the system with the Agency's enterprise architecture.
(II) Define the authorization boundary for the system.
(III) Describe the mission-related business purpose.
(IV) Provide the security categorization, including security requirements and rationale (compliance, availability, etc.).
(V) Describe the operational environment, including relationships, interfaces, or dependencies on external services.
(VI) Provide an overview of system security requirements.
(VII) Identify the authorizing official or designee, who reviews and approves prior to implementation.
5. Require Information System Owners (ISOs) to define application security-related business requirements using role-based access controls and rule-based security policies where technology permits.
6. Require ISOs to establish and authorize the types of privileges and access rights appropriate to system Users, both internal and external.
7. Create procedures to address inspection of content stored, processed or transmitted on Agency-owned or managed IT Resources, including attached Removable Media. Inspection shall be performed where authorization has been provided by Stakeholders that should or must receive this information.
8. Establish parameters for Agency-managed devices that prohibit installation (without Worker consent) of clients that allow the Agency to inspect private partitions or personal data.
9. Require ISOs to ensure segregation of duties when establishing system authorizations.
10. Establish controls that prohibit a single individual from having the ability to complete all steps in a transaction or control all stages of a Critical Process.
11. Require Agency information owners to identify exempt, and confidential and exempt, information in their systems.
(h) Ensure that effectiveness of protection technologies is shared with Stakeholders that should or must receive this information (PR.IP-8).
(i) Develop, implement and manage response plans (e.g., Incident Response and Business Continuity) and recovery plans (e.g., Incident Recovery and Disaster Recovery) (PR.IP-9).
(j) Establish a procedure that ensures that Agency response and recovery plans are regularly tested (PR.IP-10).
(k) Include cybersecurity in human resources practices (e.g., deprovisioning, personnel screening) (PR.IP-11).
(l) Each Agency shall develop and implement a vulnerability management plan (PR.IP-12).
(6) Maintenance. Each Agency shall perform maintenance and repairs of information systems and components consistent with Agency-developed policies and procedures. Each Agency shall:
(a) Perform and log maintenance and repair of IT Resources, with tools that have been approved and are administered by the Agency to be used for such activities (PR.MA-1).
(b) Approve, encrypt, log and perform remote maintenance of IT Resources in a manner that prevents unauthorized access (PR.MA-2).
(c) Not engage in new development of custom authenticators. Agencies assess the feasibility of replacing Agency-developed authenticators in Legacy Applications.
(7) Protective Technology. Each Agency shall ensure that technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. Specifically, each Agency shall:
(a) Determine and document required audit/log records, implement logging of audit records, and protect and review logs in accordance with Agency-developed policy. Agency-developed policy shall be based on resource criticality. Where possible, ensure that electronic audit records allow actions of Users to be uniquely traced to those Users so they can be held accountable for their actions. Maintain logs identifying where access to exempt, or confidential and exempt, data was permitted. The logs shall support unique identification of individuals and permit an audit of the logs to trace activities through the system, including the capability to determine the exact confidential or exempt data accessed, acquired, viewed or transmitted by the individual (PR.PT-1).
(b) Protect and restrict Removable Media in accordance with Agency-developed information security policy (PR.PT-2).
(c) Incorporate the principle of least functionality by configuring systems to provide only essential capabilities (PR.PT-3).
(d) Protect communications and control networks by establishing perimeter security measures to prevent unauthorized connections to Agency IT Resources (PR.PT-4). Agencies shall:
1. Place databases containing mission critical, exempt, or confidential and exempt data in an internal network zone, segregated from the demilitarized zone (DMZ).
2. Require host-based (e.g., a system controlled by a central or main computer) boundary protection on mobile computing devices where technology permits (i.e., detection agent).
(e) Implement mechanisms (e.g., failsafe, load balancing across duplicated systems, hot swap) to achieve resilience requirements in normal and adverse situations (PR.PT-5).
Rulemaking Authority 282.318(11) FS.
Law Implemented 282.318(3) FS.
New 3-10-16, Amended 1-2-19, Formerly 74-2.003, Amended 9-18-22.