Fla. Admin. Code R. 60GG-2.002

Current through Reg. 50, No. 222; November 13, 2024
Section 60GG-2.002 - Identify

The identify function of the FCS is visually represented as such:

Function: Identify (ID)

Category: Asset Management (AM)
    ID.AM-1: Inventory Agency physical devices and systems
    ID.AM-2: Inventory Agency software platforms and applications
    ID.AM-3: Map Agency communication and data flows
    ID.AM-4: Catalog interdependent external information systems
    ID.AM-5: Prioritize IT Resources based on classification, criticality, and business value
    ID.AM-6: Establish cybersecurity roles and responsibilities for the entire Workforce and third-party Stakeholders

Category: Business Environment (BE)
    ID.BE-1: Identify and communicate the Agency's role in the business mission/processes
    ID.BE-2: Identify and communicate the Agency's place in Critical Infrastructure and its Industry Sector to Workers
    ID.BE-3: Establish and communicate priorities for Agency mission, objectives, and activities
    ID.BE-4: Identify dependencies and critical functions for delivery of critical services
    ID.BE-5: Implement resiliency requirements to support the delivery of critical services for all operating states (e.g., normal operations, under duress, during recovery)

Category: Governance (GV)
    ID.GV-1: Establish and communicate an organizational cybersecurity policy
    ID.GV-2: Coordinate and align cybersecurity roles and responsibilities with internal roles and External Partners
    ID.GV-3: Understand and manage legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations
    ID.GV-4: Ensure that governance and risk management processes address cybersecurity risks

Category: Risk Assessment (RA)
    ID.RA-1: Identify and document asset vulnerabilities
    ID.RA-2: Receive cyber Threat intelligence from information sharing forums and sources
    ID.RA-3: Identify and document Threats, both internal and external
    ID.RA-4: Identify potential business impacts and likelihoods
    ID.RA-5: Use Threats, vulnerabilities, likelihoods, and impacts to determine risk
    ID.RA-6: Identify and prioritize risk responses

Category: Risk Management Strategy (RM)
    ID.RM-1: Establish, manage, and ensure organizational Stakeholders understand the approach to be employed via the risk management processes
    ID.RM-2: Determine and clearly express organizational risk tolerance
    ID.RM-3: Ensure that the organization's determination of risk tolerance is informed by its role in Critical Infrastructure and sector specific risk analysis

Category: Supply Chain Risk Management (SC)
    ID.SC-1: Establish management processes to identify, establish, assess, and manage cyber supply chain risk which are agreed to by organizational Stakeholders
    ID.SC-2: Identify, prioritize, and assess Suppliers and third-party providers of information systems, components, and services using a cyber supply chain risk assessment process
    ID.SC-3: Require Suppliers and third-party providers (by contractual requirement when necessary) to implement appropriate measures designed to meet the objectives of the organization's information security program or cyber supply chain risk management plan
    ID.SC-4: Routinely assess Suppliers and third-party providers to confirm that they are meeting their contractual obligations by conducting reviews of audits, summaries of test results, or other equivalent evaluations of Suppliers/providers
    ID.SC-5: Conduct response and recovery planning and testing with Suppliers and third-party providers

(1) Asset Management. Each agency shall ensure that IT Resources are identified and managed. Identification and management shall be consistent with the IT Resource's relative importance to agency objectives and the organization's risk strategy. Specifically, each agency shall:
(a) Ensure that physical devices and systems within the organization are inventoried and managed (ID.AM-1).
(b) Ensure that software platforms and applications within the organization are inventoried and managed (ID.AM-2).
(c) Ensure that organizational communication and data flows are mapped and systems are designed or configured to regulate information flow based on data classification (ID.AM-3). Each Agency shall:
1. Establish procedures that ensure only Agency-owned or approved IT Resources are connected to the Agency internal network and resources.
2. Design and document its information security architecture using a defense-in-breadth approach. Design and documentation shall be assessed and updated periodically based on an Agency-defined, risk-driven frequency that considers potential Threat vectors (i.e., paths or tools that a Threat actor may use to attack a target).
3. Consider diverse Suppliers when designing the information security architecture.
(d) Each Agency shall ensure that interdependent external information systems are catalogued (ID.AM-4). Agencies shall:
1. Verify or enforce required security controls on interconnected external IT Resources in accordance with the information security policy or security plan.
2. Implement service level agreements for non-Agency provided technology services to ensure appropriate security controls are established and maintained.
3. For non-interdependent external IT Resources, execute information sharing or processing agreements with the entity receiving the shared information or hosting the external system in receipt of shared information.
4. Restrict or prohibit portable storage devices either by policy or a technology that enforces security controls for such devices.
5. Authorize and document inter-agency system connections.
6. Require (e.g., contractually) that external service providers adhere to Agency security policies.
7. Document Agency oversight expectations, and periodically monitor provider compliance.
(e) Each Agency shall ensure that IT Resources (hardware, data, personnel, devices and software) are categorized, prioritized, and documented based on their classification, criticality, and business value (ID.AM-5). Agencies shall:
1. Perform a criticality analysis for each categorized IT Resource and document the findings of the analysis conducted.
2. Designate an authorizing official for each categorized IT Resource and document the authorizing official's approval of the security categorization.
3. Create a contingency plan for each categorized IT Resource. The contingency plan shall be based on resource classification and identify related cybersecurity roles and responsibilities.
4. Identify and maintain a reference list of exempt, and confidential and exempt Agency information or software and the associated applicable state and federal statutes and rules.
(f) Establish cybersecurity roles and responsibilities for the entire Workforce and third-party Stakeholders (ID.AM-6). Each Agency is responsible for:
1. Informing Workers that they are responsible for safeguarding their passwords and other Authentication methods.
2. Informing Workers that they shall not share their Agency accounts, passwords, personal identification numbers, security tokens, smart cards, identification badges, or other devices used for identification and Authentication purposes.
3. Informing Workers that use, or oversee or manage Workers that use, IT equipment that they shall report suspected unauthorized activity, in accordance with Agency-established Incident reporting procedures.
4. Informing Users that they shall take precautions that are appropriate to protect IT Resources in their possession from loss, theft, tampering, unauthorized access, and damage. Consideration will be given to the impact that may result if the IT Resource is lost, and safety issues relevant to protections identified in this subsection.
5. Informing Users of the extent that they will be held accountable for their activities.
6. Informing Workers that they have no reasonable expectation of privacy with respect to Agency-owned or Agency-managed IT Resources.
7. Ensuring that monitoring, network sniffing, and related security activities are only to be performed by Workers who have been assigned security-related responsibilities either via their approved position descriptions or tasks assigned to them.
8. Appointing an Information Security Manager (ISM). Agency responsibilities related to the ISM include:
a. Notifying FL[DS] of ISM designations and redesignations.
b. Specifying ISM responsibilities in the ISM position description.
c. Establishing an information security program that includes information security policies, procedures, standards, and guidelines; an information security awareness program; an information security risk management process, including the comprehensive Risk Assessment required by section 282.318, F.S.; a Cybersecurity Incident Response Team; and a disaster recovery program that aligns with the Agency's COOP Plan.
d. Each Agency ISM shall be responsible for the information security program plan.
9. Performing background checks and ensuring that a background investigation is performed on all individuals hired as IT Workers with access to information processing facilities, or who have system, database, developer, network, or other administrative capabilities for systems, applications, or servers with risk categorization of moderate-impact or higher. These positions often, if not always, have privileged access. As such, in addition to Agency-required background screening, background checks conducted by Agencies shall include a federal criminal history check that screens for felony convictions that concern or involve the following:
a. Computer related or IT crimes;
b. Identity theft crimes;
c. Financially-related crimes, such as: fraudulent practices, false pretenses and frauds, credit card crimes;
d. Forgery and counterfeiting;
e. Violations involving checks and drafts;
f. Misuse of medical or personnel records; and,
g. Theft.

Each Agency shall establish appointment selection disqualifying criteria for individuals hired as IT Workers that will have access to information processing facilities, or who have system, database, developer, network, or other administrative capabilities for systems, applications, or servers with risk categorization of moderate-impact or higher.

(2) Business Environment. Each Agency's cybersecurity roles, responsibilities, and IT risk management decisions shall align with the Agency's mission, objectives, and activities. To accomplish this, Agencies shall:
(a) Identify and communicate the Agency's role in the business mission of the state (ID.BE-1).
(b) Identify and communicate the Agency's place in Critical Infrastructure and its Industry Sector to inform internal Stakeholders of IT strategy and direction (ID.BE-2).
(c) Establish and communicate priorities for Agency mission, objectives, and activities (ID.BE-3).
(d) Identify system dependencies and critical functions for delivery of critical services (ID.BE-4).
(e) Implement information resilience requirements to support the delivery of critical services for all operating states (ID.BE-5).
(3) Governance. Each Agency shall establish policies, procedures, and processes to manage and monitor the Agency's operational IT requirements based on the Agency's assessment of risk. Procedures shall address providing timely notification to management of cybersecurity risks. Agencies shall also:
(a) Establish and communicate a comprehensive cybersecurity policy (ID.GV-1).
(b) Coordinate and align cybersecurity roles and responsibilities with internal roles and External Partners (ID.GV-2).
(c) Document and manage legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations (ID.GV-3).
(d) Ensure governance and risk management processes address cybersecurity risks (ID.GV-4).
(4) Risk Assessment.
(a) Approach. Each Agency shall identify and manage the cybersecurity risk to Agency operations (including mission, functions, image, or reputation), Agency assets, and individuals using the following approach derived from the NIST Risk Management Framework (RMF). The Risk Assessment steps provided in the table below must be followed; however, Agencies may identify and, based on the risk to be managed, consider other Risk Assessment security control requirements and frequency of activities necessary to manage the risk at issue.

Risk Assessments

Categorize: Categorize information systems and the information processed, stored, and transmitted by that system based on a security impact analysis.

Select: Select baseline security for information systems based on the security categorization; tailoring and supplementing the security baseline as needed based on organization assessment of risk and local conditions.

Implement: Implement the selected baseline security and document how the controls are deployed within information systems and environment of operation.

Assess: Assess the baseline security using appropriate procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for systems.

Authorize: Authorize information system operation based upon a determination of the risk to organizational operations and assets, individuals, other organizations and the state resulting from the operation of the information system and the decision that this risk is acceptable.

Monitor: Monitor and assess selected baseline security in information systems on an ongoing basis including assessing control effectiveness, documenting changes to the system or environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of systems to appropriate Agency officials.

Agencies are required to consider the following security objectives when assessing risk and determining what kind of assessment is required and when or how often an assessment is to occur: confidentiality, integrity, and availability. When determining the potential impact to these security objectives Agencies will use the following table.

POTENTIAL IMPACT (by Security Objective: LOW, MODERATE, HIGH)

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
    LOW: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
    MODERATE: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
    HIGH: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
    LOW: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
    MODERATE: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
    HIGH: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Availability: Ensuring timely and reliable access to and use of information.
    LOW: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
    MODERATE: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
    HIGH: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

In accordance with section 282.318(4)(d), F.S., each Agency shall complete and submit to FL[DS] no later than July 31, 2017, and every three years thereafter, a comprehensive Risk Assessment. In completing the Risk Assessment, Agencies shall follow the six-step process ("Conducting the Risk Assessment") outlined in Section 3.2 of NIST Special Publication 800-30, utilizing the exemplary tables provided therein as applicable to address that particular Agency's Threat situation. NIST Special Publication 800-30, Guide for Conducting Risk Assessments, Revision 1 (September 2012) is hereby incorporated by reference and may be found at: http://www.flrules.org/Gateway/reference.asp?No=Ref-06499. When establishing risk management processes, it may be helpful for Agencies to review NIST Risk Management Framework Special Publications - they can be downloaded from the following website: http://csrc.nist.gov/publications/PubsSPs.html. When assessing risk, Agencies shall estimate the magnitude of harm resulting from unauthorized access, unauthorized modification or destruction, or loss of availability of a resource. Estimates shall be documented as low-impact, moderate-impact, or high-impact relative to the security objectives of confidentiality, integrity, and availability.

(b) Other Agency risk management activities that Agencies shall perform:
1. Identify and document asset vulnerabilities (ID.RA-1), business processes and protection requirements. Establish procedures to analyze systems and applications to ensure security controls are effective and appropriate.
2. Receive and manage cyber Threat intelligence from information sharing forums and sources that contain information relevant to the risks or Threats (ID.RA-2).
3. Identify and document internal and external Threats (ID.RA-3).
4. Identify potential business impacts and likelihoods (ID.RA-4).
5. Use Threats, vulnerabilities, likelihoods, and impacts to determine risk (ID.RA-5).
6. Identify and prioritize risk responses, implement risk mitigation plans, and monitor and document plan implementation (ID.RA-6).
(5) Risk Management. Each Agency shall ensure that the organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. Each Agency shall:
(a) Establish risk management processes that are managed and agreed to by Agency Stakeholders and the Agency head (ID.RM-1).
1. Establish a risk steering workgroup that ensures risk management processes are authorized by Agency Stakeholders. The risk steering workgroup must include a member of the Agency IT unit and shall determine the appropriate meeting frequency and Agency Stakeholders.
(b) Identify and clearly document organizational risk tolerance based on the confidential and exempt nature of the data created, received, maintained, or transmitted by the Agency; by the Agency's role in Critical Infrastructure and sector specific analysis (ID.RM-2).
(c) Determine risk tolerance as necessary, based upon analysis of sector specific risks, the Agency's Industry Sector; Agency-specific risks (e.g., Health Information Portability Accountability Act of 1996 compliance for Agencies that maintain this information), and the Agency's role in the state's mission (ID.RM-3).
(d) Establish parameters for IT staff participation in procurement activities.
(e) Identify the IT issues IT staff must address during procurement activities (e.g., system hardening, logging, performance, service availability, incident notification, and recovery expectations).
(f) Implement appropriate security controls for software applications obtained, purchased, leased, or developed to minimize risks to the confidentiality, integrity, and availability of the application, its data, and other IT Resources.
(g) Prior to introducing new IT Resources or modifying current IT Resources, perform an impact analysis. The purpose of this analysis is to assess the effects of the technology or modifications on the existing environment. Validate that IT Resources conform to Agency standard configurations prior to implementation into the production environment.
(6) Supply Chain Risk Management. Each Agency shall establish priorities, constraints, risk tolerances, and assumptions to support risk decisions associated with managing supply chain risk. Each Agency shall:
(a) Establish management processes to identify, establish, assess, and manage cyber supply chain risks which are agreed to by organizational Stakeholders (ID.SC-1).
(b) Identify, prioritize, and assess Suppliers and third-party providers of information systems, components, and services using a cyber supply chain risk assessment process (ID.SC-2).
(c) Require Suppliers and third-party providers (by contractual agreement when necessary) to implement appropriate measures designed to meet the objectives of the organization's information security program or cyber supply chain risk management plan (ID.SC-3).
(d) Routinely assess Suppliers and third-party providers to confirm that they are meeting their contractual obligations by conducting reviews of audits, summaries of test results, or other equivalent evaluations of Suppliers/providers (ID.SC-4).
(e) Conduct response and recovery planning and testing with Suppliers and third-party providers (ID.SC-5).

Fla. Admin. Code Ann. R. 60GG-2.002

Rulemaking Authority 282.318(11) FS. Law Implemented 282.318(3) FS.

New 3-16-16, Amended 2-5-19, Formerly 74-2.002, Amended by Florida Register Volume 48, Number 174, September 7, 2022 effective 9/18/2022.