What Government Entities and Their Strategic Partners Should Know

On June 29, 2021, the State Cybersecurity Act (H.B. 1297) was signed into law by Governor Ron DeSantis. The Act reflected input from a cybersecurity task force formed in late 2019 to analyze the current condition of security programs for state governments, departments, and agencies; evaluating the potential for improving security; and prioritizing the known risks posed by identified security threats.

Now, with a year of experience on record, sweeping amendments to update the legislation have been enacted and took effect on July 1, 2022 as H.B. 7055. Both the original and amended legislation mandate specific strategies and tactics designed to enable governmental entities within the state of Florida to more effectively address cybersecurity incidents, including ransomware.

The Florida Cybersecurity Act applies to state, county, and municipal governments, departments, and agencies throughout Florida. By association, strategic partners, vendors, and service providers who assist those entities with their cybersecurity initiatives are also affected.

Recap of 2021 Act Provisions

In 2020, the State of Florida created the Florida Digital Service to partner with state agencies and departments in leveraging data and technology to transform state government digital services, with the ultimate goal of creating a better experience for Floridians.

The Florida Cybersecurity Act of 2021 assigned the Department of Management Services responsibility for establishing standards and processes to assess state cybersecurity risks and determine appropriate security safeguards. The standards and processes must be consistent with cybersecurity best practices, including the National Institute for Standards and Technology (NIST) Cybersecurity Framework (CSF).

Because the Department of Management Services is authorized to act through the Florida Digital Service, for simplicity’s sake the two entities will be referred to in this article as Florida Digital Service.

The Act directs the Department of Management Services, acting through the Florida Digital Service, to adopt rules that mitigate risks; safeguard state digital assets, data, information, and information technology resources to ensure availability, confidentiality, and integrity; and support a security governance framework.

Requirements at State Level

Among other provisions of the 2021 Act are the following requirements, to be implemented at the state level through Florida Digital Service.

• Designate an employee of Florida Digital Service to serve as the state chief information security officer (CISO).
• Develop, and annually update by February 1st, a statewide cybersecurity strategic plan that includes security goals and objectives for cybersecurity; identification and mitigation of risk; proactive protections against threats; tactical risk detection; threat reporting; and response and recovery protocols for a cyber incident.
• Operate and maintain a Cybersecurity Operations Center, led by the state CISO, to serve as a clearinghouse for threat information and support state agencies and their cybersecurity incident response. The Operations Center must be primarily virtual, and must be staffed with tactical detection and incident response personnel.
• Develop and publish a cybersecurity governance framework for use by state agencies and assist them in complying with the framework.
• Annually review agencies’ strategic and operational cybersecurity plans. (Agencies must submit their plans each year by July 31 and the plans must encompass a three-year period.)
• Provide annual training for information security managers and computer security incident response team members that includes cybersecurity training in threats, trends, and best practices. For technology professionals, provide training that develops, assesses, and documents competencies by role and skill level.

Requirements for State Agencies and Departments

The 2021 Florida Cybersecurity Act also has requirements for each state agency and department, including:

• Designate an information security manager to administer the cybersecurity program of the agency.
• Establish an agency cybersecurity response team to respond to cybersecurity incidents and breaches. The team will meet upon being notified of an incident and immediately report all confirmed or suspected incidents to the state CISO.
• Conduct a comprehensive risk assessment to determine the security threats to agency data, information, and IT resources, including mobile devices and print environments. The assessment must be updated every three years, and may be conducted by a private sector vendor.
• Develop, and periodically update, written internal policies and procedures, including procedures for reporting cybersecurity incidents and breaches.
• Implement managerial, operational, and technical safeguards and risk assessment remediation plans to address identified risks to the data, information, and information technology resources of the agency.
• For information technology and IT resources and services, ensure that cybersecurity requirements in written specifications for solicitations, contracts, and service-level agreements meet or exceed applicable state and federal requirements for cybersecurity, including the NIST Cybersecurity Framework. Service-level agreements must identify service provider and state agency responsibilities for privacy and security, protection of government data, personnel background screening, and security deliverables with associated frequencies.
• Provide cybersecurity awareness training to all state agency employees within 30 days of employment. (The 2022 amendments require training annually thereafter.)

The Act also includes provisions for maintaining the confidentiality and security of certain records and documents that are created or maintained by state agencies if their disclosure would cause certain harms as specified in the Act.

Outline of 2022 Amendments to Act

One of the most important clarifications made by in the 2022 Act is to add counties and municipalities to the scope of the Act’s requirements, where previously only state-level entities had been specified.

Other important additions to the Act, through the 2022 amendments, are highlighted below:

• New: Ransomware Guidance. Conspicuous by its absence in the 2021 Act, ransomware incidents have been addressed specifically in the 2022 amendments. Ransomware policies and protocols have been included for the handling of these ongoing, ever-changing, and potentially devastating cybercrimes. One such policy expressly prohibits state agencies, counties, and municipalities from paying or otherwise complying with a ransom demand.
• New: Levels of Incident Severity. Levels of severity have been assigned to cybersecurity incidents, as defined by the U.S. Department of Homeland Security’s National Cyber Incident Response Plan. The five levels of severity range from Emergency (Level 5) to High (Level 3) to Low (Level 1) and are based on the scope of impact and degree of impact as described in the 2022 amendments. Training specified in the original 2021 Act must be modified to address these levels.
• New: Reporting of High Severity Incidents. If a state entity experiences an incident of Severity Level 3 or higher, it must be reported to designated authorities no later than 48 hours after discovery of a cybersecurity incident and no later than 12 hours after discovery of a ransomware incident. (Level 1 or 2 incidents must be reported “as soon as possible.”) In addition, a post-incident report is now required upon completion of remediation.
• New: Incident Reporting Details. The cybersecurity incident reporting process has been spelled out in greater detail, including the types of information to be disclosed in any incident report. This includes at minimum a summary of the facts pertaining to the cybersecurity or ransomware incident; the date and other facts about the most recent data backup; the types of data compromised; the estimated fiscal impact; and details of the ransom demand if a ransomware incident.
• New: Counties and Municipalities. A new section has been added to the 2022 Act, called the Local Government Cybersecurity Act, to encompass local governments, including counties and municipalities. Local governments are subject to the reporting requirements above and other provisions of the 2022 Act.
  
• New: Deadlines for Local Compliance. Each county with a population of 75,000+ and each municipality with 25,000+ must adopt the required cybersecurity standards spelled out in the 2022 Act by January 1, 2024. Counties with fewer than 75,000 and municipalities with fewer than 25,000 must do so by January 1, 2025.
• New: Felony Penalties for Cybercrime. Felony criminal penalties have been specified for cybercriminal offenses against government entities in Florida. For this purpose, “government entity” includes officials, councils, and committees in addition to state government, state agencies, and county and municipal governments. Unlike misdemeanors, felonies usually result in imprisonment for longer than one year.

The felony penalties apply to employees and contractors of government entities who have access to the entity's network and who willfully and knowingly aid or abet another in the commission of a cybercrime against the government entity. Felony penalties also apply to malicious outsiders who introduce malware or ransomware that hijacks the electronic data of a government entity and who demand a ransom payment to restore the data.

Summary

The Florida Cybersecurity Act (Florida H.B. 1297) was signed into law by Governor Ron DeSantis on June 29, 2021. Subsequent implementation activity spotlighted the need for rather extensive content updates and additions, which were published as amendments to the 2021 Act (Florida H.B. 7055) effective July 1, 2022. Three significant amendments added counties and municipalities to the scope of the Act, incorporated ransomware provisions, and specified cyber incident severity levels. The last two drove specific ransomware and cyber incident reporting protocols.

The Florida Cybersecurity Act applies to state, county, and municipal governments, departments, and agencies throughout Florida. By association, strategic partners, vendors, and service providers who assist those entities with their cybersecurity initiatives are also engaged. A number of resources are available from the Florida Digital Service to assist affected entities in understanding the new requirements. In addition, professional cybersecurity and compliance expertise is available to assist with security risk assessments, policy and procedure development, and implementation of other requirements.