Amendments to the Florida State Cybersecurity Act were signed into law on July 1, 2022. These revisions illustrate the gap between desired levels of information security and attained levels in both the public and private sectors.
The Act, also known as the Cybersecurity Act, applies to the Florida Digital Service (FLDS) and the heads of state and local agencies in the state of Florida. While the revisions are well intended, many will be difficult if not impossible to meet. Therefore, further revisions will probably be required to adjust the legislation to accommodate the reality of government entities’ operations.
A major requirement is that fines and penalties are now established for parties that engage in ransomware attacks against government agencies. Another development is that those agencies are prohibited from making payments or complying with ransom demands. Additionally, and perhaps most importantly, the revision requires local governments to adopt cybersecurity standards in accordance with NIST and to train technology employees with access to highly sensitive information annually.
Reporting Requirements Under the Revised Act
The revised act now requires state agencies and local governments to provide after-action reports of ransomware incidents no later than 12 hours after discovery. Reports are to be filed with the state’s Cybersecurity Operations Center (“CSOC”), the Cybercrime Office of the Department of Law Enforcement, and the local sheriff. The CSOC must then provide the Legislature and the Cybersecurity Advisory Council (CAC) with a consolidated incident report on a quarterly basis.
Information that agencies are required to report to the CSOC includes:
- a summary of the incident
- date of most recent data backup
- integrity of the backed-up data and its physical location
- the types of data compromised
- any estimated fiscal impact
- ransom demand details
Other Florida State Cybersecurity Act Requirements
The revised legislation now requires that incidents be classified by severity based on the Department of Homeland Security’s National Cyber Incident Response Plan (NCIRP). The NCIRP rates incidents (defined as a violation or an imminent threat of violation) on a 1-5 scale, with 1 being a low-level incident and 5 being an emergency-level incident. The rating reflects the inherent impacts on public safety, governmental security, economic security, civil liberties, and public confidence.
Unintended Consequences of the Revision
Though well intentioned, these amendments could create significant issues, especially for smaller local governments. Adopting an effective cybersecurity program is a challenging task that requires significant effort and resources. An example of this situation can be seen at the federal level, where adoption of the CMMC by the Department of Defense is causing distress for smaller defense contractors.
Another potential issue is the number of agencies involved in an incident. This could well hamper a swift and efficient response to, and resolution of, incidents that pose high threat levels to a community.
Overall, many items remain vague or undefined, which can lead to confusion and ineffective action. For example, the term “highly sensitive information” is not defined in the documentation. Levels and types of information assets need to be specifically defined in line with NIST cybersecurity protocols.
CVG Strategy Cybersecurity
CVG Strategy consultants provide training to make your entire team aware of cyberattacks and how to employ processes to prevent these threats. We can assist with reviews of policies, risk assessment approaches, and best practices to build management systems capable of handling complex cybersecurity requirements.
Our ISMS consulting services help organizations plan, create, upgrade, and certify a robust and effective Information Security Management System (ISMS). Our team of experts brings extensive experience and deep information security process control expertise (including certification as Exemplar Global ISO/IEC 27001:2013 Lead Auditor) to ensure that you achieve ISO 27001 certification on time and on budget.
CVG Strategy is also committed to the goals of CMMC in keeping the information of our defense manufacturing supply chain secure. As industry leaders in cybersecurity, ITAR, and risk-based management systems, we have experience with companies of all sizes and understand the importance of innovating flexible approaches to meeting the requirements of CMMC, establishing effective programs, and achieving certification.