Statutes, codes, and regulations
Florida Administrative Code
Department 60 - DEPARTMENT OF MANAGEMENT SERVICESDivision 60GG - Florida Digital Service
Chapter 60GG-2 - STATE OF FLORIDA CYBERSECURITY STANDARDS
Section 60GG-2.003 - Protect

Fla. Admin. Code R. 60GG-2.003

Download
PDF
Current through Reg. 50, No. 222; November 13, 2024
Section 60GG-2.003 - Protect

The protect function of the SFCS is visually represented as such:

Function

Category

Subcategory

Protect (PR)

Identity Management, Authentication, and Access Control (AC)

PR.AC-1: Issue, manage, verify, revoke, and audit identities and credentials for authorized devices, processes, and Users

PR.AC-2: Manage and protect physical access to assets

PR.AC-3: Manage Remote Access

PR.AC-4: Manage access permissions and authorizations, incorporate the principles of least privilege and Separation of Duties

PR.AC-5: Protect network integrity, by incorporating network segregation and segmentation where appropriate

PR.AC-6: Proof and bond identities to credentials, asserting in interactions when appropriate (see Token Control definition)

PR.AC-7: Authenticate credentials assigned to Users, devices, and other assets commensurate with the risk of the transaction.

Awareness and Training (AT)

PR.AT-1: Inform and train all Users

PR.AT-2: Ensure that Privileged Users understand roles and responsibilities

PR.AT-3: Ensure that third-party Stakeholders understand roles and responsibilities

PR.AT-4: Ensure that senior executives understand roles and responsibilities

PR.AT-5: Ensure that physical and cybersecurity personnel understand their roles and responsibilities

Data Security

(DS)

PR.DS-1: Protect Data-at-rest

PR.DS-2: Protect data-in-transit

PR.DS-3: Formally manage assets managed throughout removal, transfers, and disposition

PR.DS-4: Ensure that adequate capacity is maintained to support availability needs

PR.DS-5: Implement data leak protection measures

PR.DS-6: Use integrity checking mechanisms to verify software, firmware, and information integrity

PR.DS-7: Logically or physically separate the development and testing environment(s) from the production environment

PR.DS-8: Use integrity checking mechanisms to verify hardware integrity

Information Protection Processes and Procedures

PR.IP-1: Create and maintain a baseline configuration that incorporates all security principles for information technology/industrial control systems

PR.IP-2: Implement a System Development Life Cycle (SDLC) to manage systems

PR.IP-3: Establish configuration change control processes

PR.IP-4: Conduct, maintain, and test backups of information

PR.IP-5: Meet policy and regulatory requirements that are relevant to the physical operating environment for organizational assets

PR.IP-6: Destroy data according to policy

PR.IP-7: Continuously improve protection processes

PR.IP-8: Share effectiveness of protection technologies with Stakeholders that should or must receive this information

PR.IP-9: Establish and manage response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery)

PR.IP-10: Test response and recovery plans

PR.IP-11: Include cybersecurity in human resources practices (e.g., deprovisioning, personnel screening)

PR.IP-12: Develop and implement a vulnerability management plan

Maintenance (MA)

PR.MA-1: Perform and log maintenance and repair of organizational assets, with approved and controlled tools

PR.MA-2: Approve, log, and perform remote maintenance of Agency assets in a manner that prevents unauthorized access

Protective Technology (PT)

PR.PT-1: Determine, document, implement, and review audit/log records in accordance with policy

PR.PT-2: Protect and restrict Removable Media usage according to policy

PR.PT-3: Incorporate the principle of least functionality by configuring systems to provide only essential capabilities

PR.PT-4: Protect communications and control networks

PR.PT-5: Implement mechanisms (e.g., failsafe, load balancing, hot swap) to achieve resilience requirements in normal and adverse situations

(1) Access Control. Each Agency shall ensure that access to IT Resources is limited to authorized Users, processes, or devices, and to authorized activities and transactions. Specifically:
(a) Each Agency shall manage identities and credentials for authorized devices and Users (PR.AC-1). Control measures shall, at a minimum include authentication token(s) unique to the individual.

Agencies shall:

1. Require that all Agency-owned or approved computing devices, including Mobile Devices, use unique User Authentication.
2. Require Users to log off or lock their workstations prior to leaving the work area.
3. Require inactivity timeouts that log-off or lock workstations or sessions.
4. Locked workstations or sessions must be locked in a way that requires User Authentication with an authentication token(s) unique to the individual User to disengage.
5. When passwords are used as the sole authentication token, require Users to use Complex Passwords.
6. Address responsibilities of information stewards that include administering access to systems and data based on the documented authorizations and facilitate periodic review of access rights with information owners. Frequency of reviews shall be based on system categorization or assessed risk.
7. Establish access disablement and notification timeframes for Worker separations. The Agency will identify the appropriate person in the IT unit to receive notification. Notification timeframes shall consider risks associated with system access post-separation.
8. Ensure IT access is removed when the IT Resource is no longer required.
9. Require multi-factor authentication (MFA) for access to networks or applications that have a categorization of moderate, high, or contain exempt, or confidential and exempt, information. This excludes externally hosted systems designed to deliver services to Agency Customers where the Agency documents the analysis and the risk steering workgroup accepts the associated risk.
10. Require MFA for access to Privileged Accounts.
(b) Each Agency shall manage and protect physical access to assets (PR.AC-2). In doing so, Agency security procedures or controls shall:
1. Address protection of IT Resources from environmental hazards (e.g., temperature, humidity, air movement, dust, and faulty power) in accordance with manufacturer specifications.
2. Implement procedures to manage physical access to IT facilities and/or equipment.
3. Identify physical controls that are appropriate for the size and criticality of the IT Resources.
4. Specify physical access to information resource facilities and/or equipment that is restricted to authorized personnel.
5. Detail visitor access protocols, including recordation procedures, and in locations housing systems categorized as moderate-impact or high-impact, require that visitors be supervised by authorized personnel.
6. Address how the Agency will protect network integrity by incorporating network segregation.
(c) Each Agency shall manage Remote Access (PR.AC-3). In doing so, Agencies shall:
1. Address how the Agency will securely manage and document remote Access.
2. Specify that only secure, Agency-managed, Remote Access methods may be used to remotely connect computing devices to the Agency internal network.
3. For systems containing exempt, or confidential and exempt data, ensure written agreements and procedures are in place to ensure security for sharing, handling or storing confidential data with entities outside the Agency.
(d) Each Agency shall ensure that access permissions and authorizations, are managed, incorporating the principles of least privilege and Separation of Duties (PR.AC-4). In doing so, Agencies shall:
1. Execute interconnection security agreements to authorize, document, and support continual management of inter-agency connected systems.
2. Manage access permissions by incorporating the principles of "least privilege" and "Separation of Duties."
3. Specify that all Workers be granted access to Agency IT Resources based on the principles of "least privilege" and "need to know determination."
4. Specify that system administrators restrict and tightly control the use of system development utility programs that may be capable of overriding system and application controls.
(e) Each Agency shall ensure that network integrity is protected, incorporating network segregation and segmentation where appropriate (PR.AC-5).
(f) Proof and bond identities to credentials and assert in interactions when appropriate (PR.AC-6).
(g) Authenticate Users, devices, and other assets commensurate with the risk of the transaction (PR.AC-7).
(2) Awareness and Training. Agencies shall provide all their Workers cybersecurity awareness education and training so as to ensure they perform their cybersecurity related duties and responsibilities consistent with Agency policies and procedures. In doing so, each Agency shall:
(a) Inform and train all Workers (PR.AT-1).
(b) Ensure that Privileged Users understand their roles and responsibilities (PR.AT-2).
(c) Ensure that third-party Stakeholders understand their roles and responsibilities (PR.AT-3).
(d) Ensure that senior executives understand their roles and responsibilities (PR.AT-4).
(e) Ensure that physical and cybersecurity personnel understand their roles and responsibilities (PR.AT-5).
(3) For each of the above subsections the following shall also be addressed:
(a) Appoint a Worker to coordinate the Agency information security awareness program. If an IT security Worker does not coordinate the security awareness program, they shall be consulted for content development purposes. Agencies will ensure that all Workers (including volunteer workers) are clearly notified of applicable obligations, established via Agency policies, to maintain compliance with such controls.
(b) Establish a program that includes, at a minimum, annual security awareness training and on-going education and reinforcement of security practices.
(c) Provide training to Workers within 30 days of start date.
(d) Include security policy adherence expectations for the following, at a minimum: disciplinary procedures and implications, acceptable use restrictions, data handling (procedures for handling exempt and confidential and exempt information), telework and Cybersecurity Incident reporting procedures. Incident reporting procedures shall:
1. Establish requirements for Workers to immediately report loss of Mobile Devices, security tokens, smart cards, identification badges, or other devices used for identification and Authentication purposes according to Agency reporting procedures.
(e) Where technology permits, provide training prior to system access. For specialized Agency Workers (e.g., law enforcement officers) who are required to receive extended off-site training prior to reporting to their permanent duty stations, initial security awareness training shall be provided within 30 days of the date they report to their permanent duty station.
(f) Require, prior to access, Workers verify in writing that they will comply with Agency IT security policies and procedures.
(g) Document parameters that govern personal use of Agency IT Resources and define what constitutes personal use. Personal use, if allowed by the Agency, shall not interfere with the normal performance of any Worker's duties, or consume significant or unreasonable amounts of state IT Resources (e.g., bandwidth, storage).
(h) Inform Workers of what constitutes inappropriate use of IT Resources. Inappropriate use shall include, but may not be limited to, the following:
1. Distribution of Malware.
2. Disablement or circumvention of security controls.
3. Forging headers.
4. Political campaigning or unauthorized fundraising.
5. Use for personal profit, benefit or gain.
6. Offensive, indecent, or obscene access or activities, unless required by job duties.
7. Harassing, threatening, or abusive activity.
8. Any activity that leads to performance degradation.
9. Auto-forwarding to external email addresses.
10. Unauthorized, non-work-related access to: chat rooms, political groups, singles clubs or dating services; peer-to-peer file sharing; material relating to gambling, weapons, illegal drugs, illegal drug paraphernalia, hate-speech, or violence; hacker web-site/software; and pornography and sites containing obscene materials.
(4) Data Security. Each Agency shall manage and protect records and data, including Data-at-rest, consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information. Agencies shall establish procedures, and develop and maintain Agency cryptographic implementations. Key management processes and procedures for cryptographic keys used for encryption of data will be fully documented and will cover key generation, distribution, storage, periodic changes, compromised key processes, and prevention of unauthorized substitution. Also, key management processes must be in place and verified prior to encrypting data at rest, to prevent data loss and support availability. In protecting data security, Agencies shall:
(a) Protect Data-at-rest by establishing (PR.DS-1):
1. Procedures that ensure only Agency-owned or approved IT resources are used to store confidential or exempt information.
2. Procedures that ensure Agency-owned or approved portable IT Resources containing confidential or mission critical data are encrypted.
3. Procedures that ensure Agency-owned or approved portable IT Resources that connect to the Agency internal network use Agency-managed security software.
4. Inform Users not to store unique copies of Agency data on workstations or Mobile Devices.
(b) Protect data-in-transit (PR.DS-2). Each Agency shall:
1. Encrypt confidential and exempt information during transmission, except when the transport medium is owned or managed by the Agency and controls are in place to protect the data during transit.
2. Ensure that wireless transmissions of Agency data employ cryptography for Authentication and transmission.
3. Make passwords unreadable during transmission and storage.
4. Encrypt mobile IT Resources that store, process, or transmit exempt, or confidential and exempt Agency data.
(c) Formally manage assets throughout removal, transfer, and disposition (PR.DS-3).
1. Ensure any records stored on storage media to be disposed of or released for reuse, are sanitized or destroyed in accordance with organization-developed procedures and the State of Florida General Records Schedule GS1-SL for State and Local Government Agencies.
2. Destruction of confidential or exempt information shall be conducted such that the information is rendered unusable, unreadable, and indecipherable and not subject to retrieval or reconstruction.
3. Document procedures for sanitization of Agency-owned IT Resources prior to reassignment or disposal.
4. Equipment sanitization shall be performed such that confidential or exempt information is rendered unusable, unreadable, and indecipherable and not subject to retrieval or reconstruction. File deletion and media formatting are not acceptable methods of sanitization. Acceptable methods of sanitization include using software to overwrite data on computer media, degaussing, or physically destroying media.
(d) Maintain adequate capacity to ensure system availability and data integrity (PR.DS-4).
1. Ensure adequate audit/log capacity.
2. Protect against or limit the effects of denial of service attacks.
(e) Implement protections against data leaks or unauthorized data disclosures by establishing policies and procedures that address (PR.DS-5):
1. Appropriate handling and protection of exempt, and confidential and exempt, information. Policies shall be reviewed and acknowledged by all Workers.
2. Retention and destruction of confidential and exempt information in accordance with the records retention requirements as provided in the State of Florida General Records Schedule GS1-SL for State and Local Government Agencies.
3. Access agreements for Agency information systems.
4. Boundary protection.
5. Transmission confidentiality and integrity.
(f) Employ integrity checking mechanisms to verify software, firmware, and information integrity (PR.DS-6).
1. Application controls shall be established to ensure the accuracy and completeness of data, including validation and integrity checks, to detect data corruption that may occur through processing errors or deliberate actions.
(g) Physically or logically separate development and testing environment(s) from the production environment and ensure that production exempt, or confidential and exempt data is not used for development where technology permits. Production exempt, or confidential and exempt data may be used for testing if the data owner authorizes the use and regulatory prohibitions do not exist; the test environment limits access and access is audited; and production exempt, and confidential and exempt data is removed from the system when testing is completed. Data owner authorization shall be managed via technical means, to the extent practical (PR.DS-7).
(h) Use integrity checking mechanisms to verify hardware integrity (PR.DS-8). In doing so, Agencies shall establish processes to protect against and/or detect unauthorized changes to hardware used to support systems with a categorization of high-impact.
(5) Information Protection Processes and Procedures. Each Agency shall ensure that security policies, processes and procedures are maintained and used to manage protection of information systems and assets. Such policies, processes and procedures shall:
(a) Include a current baseline configuration of information systems which incorporate security principles (PR.IP-1). Baselines shall:
1. Specify standard hardware and secure standard configurations.
2. Include documented firewall and router configuration standards, and include a current network diagram.
3. Require that vendor default settings, posing security risks, are changed or disabled for Agency-owned or managed IT Resources, including encryption keys, accounts, passwords, and SNMP (Simple Network Management Protocol) community strings, and ensure device security settings are enabled where appropriate.
4. Allow only Agency-approved software to be installed on Agency-owned IT Resources.
(b) Establish a System Development Life Cycle (SDLC) to manage system implementation and maintenance (PR.IP-2). In doing so, Agencies shall:
1. Develop and implement processes that include reviews of security requirements and controls to ascertain effectiveness and appropriateness relative to new technologies and applicable state and federal regulations.
2. Ensure security reviews are approved by the ISM and Chief Information Officer (or designee) before new or modified applications or technologies are moved into production. For IT Resources housed in a state data center, the security review shall also be approved by the data center before the new or modified applications or technologies are moved into production.
3. The application development team at each Agency shall implement appropriate security controls to minimize risks to Agency IT Resources and meet the security requirements of the application owner. Agencies will identify in their policies, processes and procedures the security coding guidelines the Agency will follow when obtaining, purchasing, leasing or developing software.
4. Where technology permits, the Agency shall ensure anti-Malware software is maintained on Agency IT Resources.
(c) Establish a configuration change control process to manage upgrades and modifications to existing IT Resources (PR.IP-3). In doing so, Agencies shall:
1. Determine types of changes that are configuration-controlled (e.g. emergency patches, releases, and other out-of-band security packages).
2. Develop a process to review and approve or disapprove proposed changes based on a security impact analysis (e.g., implementation is commensurate with the risk associated with the weakness or vulnerability).
3. Develop a process to document change decisions.
4. Develop a process to implement approved changes and review implemented changes.
5. Develop an oversight capability for change control activities.
6. Develop procedures to ensure security requirements are incorporated into the change control process.
(d) Ensure backups of information are conducted, maintained, and tested (PR.IP-4).
(e) Establish policy and regulatory expectations for protection of the physical operating environment for Agency-owned or managed IT Resources (PR.IP-5).
(f) Manage and dispose of records/data in accordance with the records retention requirements as provided in the State of Florida General Records Schedule GS1-SL for State and Local Government Agencies (PR.IP-6).
(g) Establish a policy and procedure review process that facilitates continuous improvement to protection processes (PR.IP-7). Each Agency shall:
1. Ensure system security control selection occurs during the beginning of the SDLC and is documented in final design documentation.
2. Ensure system security plans shall document controls necessary to protect production data in the production environment and copies of production data used in non-production environments.
3. Ensure system security plans are confidential per section 282.318, F.S., and shall be available to the Agency ISM.
4. Require that each Agency application or system with a categorization of moderate-impact or higher have a documented system security plan (SSP). For existing production systems that lack a SSP, a Risk Assessment shall be performed to determine prioritization of subsequent documentation efforts. The SSP shall include provisions that:
(I) Align the system with the Agency's enterprise architecture.
(II) Define the authorization boundary for the system.
(III) Describe the mission-related business purpose.
(IV) Provide the security categorization, including security requirements and rationale (compliance, availability, etc.).
(V) Describe the operational environment, including relationships, interfaces, or dependencies on external services.
(VI) Provide an overview of system security requirements.
(VII) Identify authorizing official or designee, who reviews and approves prior to implementation.
5. Require Information System Owners (ISOs) to define application security-related business requirements using role-based access controls and rule-based security policies where technology permits.
6. Require ISOs to establish and authorize the types of privileges and access rights appropriate to system Users, both internal and external.
7. Create procedures to address inspection of content stored, processed or transmitted on Agency-owned or managed IT Resources, including attached removable Media. Inspection shall be performed where authorization has been provided by Stakeholders that should or must receive this information.
8. Establish parameters for Agency-managed devices that prohibit installation (without Worker consent) of clients that allow the Agency to inspect private partitions or personal data.
9. Require ISOs ensure segregation of duties when establishing system authorizations.
10. Establish controls that prohibit a single individual from having the ability to complete all steps in a transaction or control all stages of a Critical Process.
11. Require Agency information owners to identify exempt, and confidential and exempt information in their systems.
(h) Ensure that effectiveness of protection technologies is shared with Stakeholders that should or must receive this information (PR.IP-8).
(i) Develop, implement and manage response plans (e.g., Incident Response and Business Continuity) and recovery plans (e.g., Incident Recovery and Disaster Recovery) (PR.IP-9).
(j) Establish a procedure that ensures that Agency response and recovery plans are regularly tested (PR.IP-10).
(k) Include cybersecurity in human resources practices (e.g., deprovisioning, personnel screening) (PR.IP-11).
(l) Each Agency shall develop and implement a vulnerability management plan (PR.IP-12).
(6) Maintenance. Each Agency shall perform maintenance and repairs of information systems and components consistent with Agency-developed policies and procedures. Each Agency shall:
(a) Perform and log maintenance and repair of IT Resources, with tools that have been approved and are administered by the Agency to be used for such activities (PR.MA-1).
(b) Approve, encrypt, log and perform remote maintenance of IT Resources in a manner that prevents unauthorized access (PR.MA-2).
(c) Not engage in new development of custom authenticators. Agencies assess the feasibility of replacing Agency-developed authenticators in Legacy Applications.
(7) Protective Technology. Each Agency shall ensure that technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. Specifically, each Agency shall:
(a) Determine and document required audit/log records, implement logging of audit records, and protect and review logs in accordance with Agency-developed policy. Agency-developed policy shall be based on resource criticality. Where possible, ensure that electronic audit records allow actions of Users to be uniquely traced to those Users so they can be held accountable for their actions. Maintain logs identifying where access to exempt, or confidential and exempt data was permitted. The logs shall support unique identification of individuals and permit an audit of the logs to trace activities through the system, including the capability to determine the exact confidential or exempt data accessed, acquired, viewed or transmitted by the individual (PR.PT-1).
(b) Protect and restrict Removable Media in accordance with Agency-developed information security policy (PR.PT-2).
(c) Incorporate the principle of least functionality by configuring systems to only provide essential capabilities (PR.PT-3).
(d) Protect communications and control networks by establishing perimeter security measures to prevent unauthorized connections to Agency IT Resources (PR.PT-4). Agencies shall:
1. Place databases containing mission critical, exempt, or confidential and exempt data in an internal network zone, segregated from the demilitarized zone (DMZ).
2. Agencies shall require host-based (e.g., a system controlled by a central or main computer) boundary protection on mobile computing devices where technology permits (i.e., detection agent).
(e) Implement mechanisms (e.g., failsafe, load balancing across duplicated systems, hot swap) to achieve resilience requirements in normal and adverse situations (PR.PT-5).

Fla. Admin. Code Ann. R. 60GG-2.003

Rulemaking Authority 282.318(11) FS. Law Implemented 282.318(3) FS.

New 3-10-16, Amended 1-2-19, Formerly 74-2.003, Amended by Florida Register Volume 48, Number 174, September 7, 2022 effective 9/18/2022.

New 3-10-16, Amended 1-2-19, Formerly 74-2.003, Amended 9-18-22.