Florida Enacts New State and Local Government Cybersecurity Act
Posted on August 4, 2022 by Richard Yates
In 2021, the Biden administration announced a massive federal initiative to bolster cybersecurity across the private and public sectors. This announcement was soon followed by the Infrastructure Investment and Jobs Act (IIJA) in November of last year, which provides $1 billion in grants for cybersecurity protection efforts for state and local government systems over the next four years. While the public sector awaits direction from the Cybersecurity and Infrastructure Security Agency (CISA) regarding the rules concerning how this money should be spent, state governments — starting with Florida — are beginning to take matters into their own hands.
On June 29, HB 7055 went into effect in Florida. The new law intends to strengthen the cybersecurity defenses of state and local entities. The following are some of the highlights of the law and how county and local agencies should begin preparing to comply with it.
A New Statewide Cybersecurity Organization
A new entity, the Florida Digital Service (FDS), part of the state’s Department of Management Services, will oversee a statewide data center. This entity also will collaborate with the Department of Law Enforcement to develop and implement a process for detecting and responding to cybersecurity incidents and threats.
The FDS also will lead the state’s cybersecurity efforts and will define the appropriate protections based on national guidelines, specifically the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
By February 1, 2022, the FDS was directed to develop a statewide cybersecurity strategic plan. A critical element of that plan is the completion of comprehensive cybersecurity risk assessments based on a standardized methodology. Detecting threats through proactive, 24x7 monitoring of cybersecurity incidents also will be established.
Statewide agencies will also be required to develop three-year cybersecurity strategic plans, report on vulnerability identification and mitigation progress, and conduct comprehensive risk assessments annually.
County and Local Requirements
County and local government agencies will have new, more-stringent requirements defined by the “Local Government Cybersecurity Act.” Requirements include:
- Completing basic or advanced cybersecurity training based on the employee’s network or sensitive information access.
- Adopting cybersecurity standards in line with the NIST Cybersecurity Framework by 2024 or 2025, depending on their population.
- Reporting cybersecurity or ransomware incidents to the statewide Cybersecurity Operations Center and rejecting all ransomware requests.
- Requiring organizations performing work for local municipalities to adhere to the NIST Cybersecurity Framework as well.
Where to Begin
The most significant challenge for these agencies — one not unique to Florida — will likely involve people and not technology. Many county and municipal government organizations are staffed at drastically lower levels than what will be needed, with less than one person on average splitting their time between organization-wide information technology (IT) management and cybersecurity. Some smaller municipalities have an operating staff of fewer than five people and lack the trained staff to implement what’s required of them. And during a post-COVID era that’s been referred to as the “great resignation,” cybersecurity talent is in high demand.
Organizations suffering from this challenge should begin by thinking about budgeting, resource allocation, establishing an effective cybersecurity posture, and building a prioritized roadmap outlining their path to compliance with HB 7055.
Recognizing the need to be more strategic when it comes to cybersecurity and the necessity to have oversight for program management and guidance, county and municipal organizations may want to consider partnering with a firm like Mission Critical Partners that brings a “virtual chief information security officer (CISO).” Virtual CISO offerings combine several necessary skills — staff augmentation, consulting, project management, and strategic planning — so that an organization can shift toward a more proactive approach to cybersecurity risk management. And in the case of Florida, a virtual CISO can play an instrumental role in ensuring compliance with the new law without overwhelming the organization’s budget.
Assess the Threat Environment
Another critical step is to conduct an independent, standards-based assessment, or gap analysis, to understand your organization’s specific threat environment based on the NIST Cybersecurity Framework. The framework is based on five key elements — identify, protect, detect, respond, and recover — and contains 23 categories with 108 subcategories. All of these controls will need to be met — some could take a year, and some could take a day, depending on the organization’s current IT infrastructure state.
Even focusing first on the top ten mitigation steps that will have the largest impact on securing an organization’s IT environment will have a significant impact on meeting the new law’s requirements.
Success Is Possible
Complying with the new regulations represents a significant amount of work and may seem overwhelming. But the good news is that, with a plan and added resources, success is possible.
We would welcome the opportunity to guide your agency on how to use third-party resources to apply the NIST Cybersecurity Framework and enhance your cybersecurity posture as you work to comply with HB 7055. Please reach out.