The Florida Bill HB 1297 and Florida State Cybersecurity Act

  Cyvatar | 01/25/2022

Government and government-sponsored entities are perennial targets for cyber-attacks because of their impact on the public: a successful attack can disrupt the daily lives of residents and of the many travelers visiting Florida.

  • For example, in February 2021, attackers gained remote access to the water treatment system in Oldsmar, Florida, which serves about 15,000 residents, and changed the sodium hydroxide (NaOH) setpoint from 100 parts per million to 11,100 parts per million.

    At that concentration the water would have been caustic enough to damage any human tissue it touched. Fortunately for the people of Oldsmar, the change was caught and reversed before it could do any harm.
  • In June 2019, a ransomware attack took down the computer systems of the city of Riviera Beach, Florida. The city paid 65 bitcoins, worth about $600,000 at the time, to regain control of its systems.

These and many other cyber-attacks on government and government-sponsored entities led to the revision of several sections of the Florida Statutes, beginning with section 20.055, and to the new State Cybersecurity Act, Florida Bill HB 1297.

The Florida Bill HB 1297:

  1. Requires the audit plan of each agency inspector general to include certain information
  2. Revises provisions to replace references to information technology (IT) security and computer security with references to cybersecurity
  3. Provides and revises requirements for the Department of Management Services, acting through the Florida Digital Service
  4. Creates the State Cybersecurity Advisory Council within the Department of Management Services
  5. Specifies the purpose of the council

The bill's amendments follow the recommendations of the 15-member Florida Cybersecurity Task Force.

The bill replaces every occurrence of the term "information technology security" with the term "cybersecurity" and makes conforming changes across several provisions.

Let's quickly review those amendments and how they affect state bodies:

20.055 Agency inspectors general

  1. Sets out the auditing duties and responsibilities of agency inspectors general under this act
  2. The inspector general shall develop long-term and annual audit plans based on the findings of periodic risk assessments
  3. The audit plan must include a specific cybersecurity audit plan

282.0041 Definitions

It defines cybersecurity as “the protection afforded to an automated information system in order to attain the applicable objectives of preserving the confidentiality, integrity, and availability of data, information, and information technology (IT) resources.”

282.0051 Department of Management Services; Florida Digital Service; powers, duties, and functions

  1. Creates the Florida Digital Service within the Department of Management Services
  2. Provides operational management and oversight of the state data center

282.201 State data center

Emphasizes cloud-computing solutions that minimize or eliminate the purchasing, financing, or leasing of state data center infrastructure.

282.206 Cloud-first policy in state agencies

Requires each state agency to show a preference for cloud-computing solutions whenever those solutions meet the needs of the agency, reduce costs, and meet or exceed the applicable state and federal laws, regulations, and standards for cybersecurity.

282.318 Cybersecurity

  1. This section may be cited as the "State Cybersecurity Act."
  2. The department, acting through the Florida Digital Service, is the lead entity responsible for establishing standards and processes for assessing state agency cybersecurity risks and determining appropriate security measures. It shall:
    • Designate an employee of the Florida Digital Service as the state chief information security officer, who is responsible for the development, operation, and oversight of cybersecurity for state technology systems.
    • Develop, and annually update by February 1, a statewide cybersecurity strategic plan.
    • Develop and publish, for use by state agencies, a cybersecurity governance framework that includes guidelines and processes for:
      1. Establishing asset management procedures
      2. Using a standard risk assessment methodology
      3. Completing comprehensive risk assessments and cybersecurity audits, which may be completed by a private-sector vendor, and submitting the completed assessments and audits to the department
      4. Identifying protection procedures
      5. Establishing procedures for accessing information and data
      6. Detecting threats through proactive monitoring of events, continuous security monitoring, and defined detection processes
      7. Establishing agency cybersecurity incident response teams and describing their responsibilities
      8. Recovering information and data in response to a cybersecurity incident
      9. Establishing a cybersecurity incident reporting process
      10. Incorporating information obtained through detection and response activities into the agency's cybersecurity incident response plans
      11. Developing agency strategic and operational cybersecurity plans
      12. Establishing the managerial, operational, and technical safeguards for protecting state government data and IT resources
      13. Establishing procedures for procuring information technology commodities and services
    • Assist state agencies in complying with this section.
    • Provide training for state agencies on cybersecurity, in collaboration with the Cybercrime Office of the Department of Law Enforcement.
    • Annually review the strategic and operational cybersecurity plans of state agencies.
    • Operate and maintain a Cybersecurity Operations Center led by the state chief information security officer.
    • Lead an Emergency Support Function, ESF CYBER, under the state comprehensive emergency management plan described in section 252.35.
  3. Under the State Cybersecurity Act, each state agency head shall:
    • Designate an information security manager to administer the cybersecurity program of the state agency
    • In consultation with the department, through the Florida Digital Service, and the Cybercrime Office of the Department of Law Enforcement, establish an agency cybersecurity response team to respond to cybersecurity incidents
    • Submit to the department annually, by July 31, the state agency's strategic and operational cybersecurity plans
      • The state agency strategic cybersecurity plan must cover a 3-year period
      • The state agency operational cybersecurity plan must include a progress report
    • Conduct, and update every 3 years, a comprehensive risk assessment, which may be completed by a private-sector vendor
    • Develop, and periodically update, written internal policies and procedures
    • Implement managerial, operational, and technical safeguards and risk assessment remediation plans
    • Ensure that periodic internal audits are conducted
    • Ensure that the cybersecurity requirements in the written specifications for solicitations, contracts, and service-level agreements for information technology and IT resources and services meet or exceed the applicable state and federal laws, regulations, and standards for cybersecurity, including the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)
    • Provide cybersecurity awareness training to all state agency employees within the first 30 days after they commence employment, covering cybersecurity risks and the responsibility of employees to comply with the policies, standards, guidelines, and operating procedures adopted by the state agency to reduce those risks.

The Next Step

The Florida Bill HB 1297 emphasizes both long-term and annual cybersecurity auditing so that agencies keep their defenses current and reduce the likelihood of a successful cyber-attack.

The Act explicitly allows comprehensive risk assessments and cybersecurity audits to be completed by private-sector vendors, a recognition that engaging the private sector is a practical route to efficient cyber management. It also emphasizes cloud services, so that the overhead of managing and upgrading the state data center is kept to a minimum.

Cyvatar was designed with these requirements in mind.
Come by our CyLive event in Miami on Jan 25th from 6:00-9:00 PM, or the Tampa CyLive on Jan 27th, for a great CyTime and a free consultation with our cybersecurity experts on how to navigate the Cybersecurity Law for your business. Feel free to reach out to our cybersecurity experts.
