Fla. Admin. Code Ann. R. 60FF-3.004 - Protection Standards for State Network
To protect the integrity, predictability and availability of state communications services, Customers shall adhere to the following security specifications and directives:
(1) Any configurations of Network Equipment, Network Software or Communications Devices that allow for Unauthorized Activity are prohibited.
(2) Absent written approval from the Department, the following are prohibited:
(a) Any non-SUNCOM connections to or from the State Intranet without SUNCOM managed or sanctioned filtering;
(b) Any configurations creating non-SUNCOM managed Virtual Connections to or from the State Intranet;
(c) Any configuration creating non-SUNCOM managed tunnels to or from the State Intranet;
(d) Any configuration creating non-SUNCOM managed remote access Connections to or from the State Intranet; and
(e) Any non-SUNCOM managed equipment without two-factor authentication access. Authentication factors include, but are not limited to, something a person knows (e.g., password or personal identification number) and something a person has (e.g., cryptographic identification device or token).
(3) To obtain approval for any of the conditions described in subsection 60FF-3.004(2), F.A.C., Customers shall submit a Notice of Security Concern Regarding a Network Solution in accordance with Rule 60FF-1.005, F.A.C. Additionally, if the Department does not keep a log for the Customer, the Customer shall maintain current 15-day log(s) for all of the Customer firewalls that connect any Customer Sub-network to any SUNCOM services outside of the Sub-network. The logs shall contain records for every transaction processed by the firewall with each record containing the following at a minimum:
(a) Source and destination ports contained in the transaction;
(b) Source and destination addresses contained in the transaction;
(c) The date and time for the transaction.
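One way for a Customer to check that its own firewall log meets the minimum in subsection (3): every record carries source and destination ports, source and destination addresses and a date/time, and the retained log reaches back at least 15 days. This is an added example, not part of the rule and not Department or SUNCOM tooling. The key=value line format, the sample records and the one-day freshness threshold used to decide that a log is "current" are all assumptions of the example; the rule itself fixes no line format and no freshness threshold.

```python
"""Audit a firewall log against the minimum record content and 15-day
retention in Fla. Admin. Code R. 60FF-3.004(3).

Added example, not part of the rule or of any SUNCOM tooling.  The
key=value line format and the sample lines below are constructed for
illustration; real firewalls use their own export formats, so adapt
parse_record() to yours.
"""
from datetime import datetime, timedelta, timezone
import ipaddress

# Field keys assumed by this example: (c) ts, (b) src/dst, (a) spt/dpt.
REQUIRED_FIELDS = ("ts", "src", "dst", "spt", "dpt")
RETENTION_DAYS = 15
FRESHNESS = timedelta(days=1)  # assumed threshold for "current"; the rule sets none

# Fixed reference time so the audit below is reproducible.
AUDIT_NOW = datetime(2024, 3, 15, 8, 0, tzinfo=timezone.utc)

# Constructed sample: four compliant records and two defective ones
# (line 5 has no ports, line 6 has no timestamp and a bad source address).
SAMPLE_LOG = """\
ts=2024-02-28T08:00:00Z action=allow src=10.20.1.15 dst=10.30.5.2 proto=tcp spt=51522 dpt=443
ts=2024-03-05T12:30:10Z action=deny src=10.20.1.99 dst=10.30.5.2 proto=tcp spt=40001 dpt=22
ts=2024-03-10T23:59:59Z action=allow src=10.20.1.15 dst=10.30.6.8 proto=udp spt=5353 dpt=53
ts=2024-03-15T07:45:00Z action=allow src=10.20.2.4 dst=10.30.5.2 proto=tcp spt=52000 dpt=443
ts=2024-03-15T07:46:00Z action=allow src=10.20.2.4 dst=10.30.5.2 proto=tcp
action=deny src=not-an-ip dst=10.30.5.2 proto=tcp spt=1 dpt=23
"""


def parse_record(line):
    """Split 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_record(fields):
    """Return the list of problems with one record; empty means compliant."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if f not in fields]
    if "ts" in fields:
        try:
            _parse_ts(fields["ts"])
        except ValueError:
            problems.append("bad ts")
    for key in ("src", "dst"):
        if key in fields:
            try:
                ipaddress.ip_address(fields[key])
            except ValueError:
                problems.append(f"bad {key}")
    for key in ("spt", "dpt"):
        if key in fields and not (fields[key].isdigit() and int(fields[key]) <= 65535):
            problems.append(f"bad {key}")
    return problems


def audit_log(text, now):
    """Validate every record and check that compliant records span the
    retention window: oldest at or before now - 15 days, newest recent.
    'now' is a parameter so results are reproducible; a scheduled job
    would pass datetime.now(timezone.utc)."""
    bad, timestamps = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = parse_record(line)
        problems = validate_record(fields)
        if problems:
            bad.append((lineno, problems))
        else:
            timestamps.append(_parse_ts(fields["ts"]))
    oldest = min(timestamps) if timestamps else None
    newest = max(timestamps) if timestamps else None
    cutoff = now - timedelta(days=RETENTION_DAYS)
    retention_ok = bool(timestamps) and oldest <= cutoff and newest >= now - FRESHNESS
    return {
        "records": len(timestamps) + len(bad),
        "bad_records": bad,
        "oldest": oldest,
        "newest": newest,
        "retention_ok": retention_ok,
        "compliant": retention_ok and not bad,
    }


if __name__ == "__main__":
    result = audit_log(SAMPLE_LOG, AUDIT_NOW)
    for lineno, problems in result["bad_records"]:
        print(f"line {lineno}: {', '.join(problems)}")
    print("retention window ok:", result["retention_ok"])
    print("compliant:", result["compliant"])
```

On the sample, the retention check passes (the oldest compliant record predates the 15-day cutoff and the newest is recent) but the log as a whole fails because two records lack required fields; both conditions have to hold for the log to satisfy subsection (3).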
(4) The Department shall take several findings into consideration in determining whether or not to approve any of the conditions described in subsection 60FF-3.004(2), F.A.C. Those findings shall determine whether or not the Customer has in place:
(a) The appropriate and generally accepted processes for protecting the State Intranet;
(b) A modern firewall using contemporary tools and functionality for protecting the State Intranet;
(c) Trained staff available to inform and work with the Department;
(d) Monitoring activities and modern tools that are adequate for protecting the State Intranet;
(e) Ongoing transparent access available to the Department to the information necessary to verify paragraphs (a)-(d) and perform associated diagnostics.
(5) Customers shall not use or allow scanning tools, Traffic generating stress testing of applications or communications, or network topology discovery tools that automatically generate repeated contact with other nodes outside the Customer's Sub-network or across the SUNCOM network without written authorization from the Department. Customers shall request authorizations via email through the SUNCOM Network Operations Center. If the Customer is requesting authorization of a repetitive activity, the request must comprehensively define the repetitive activity. Authorizations shall be granted based upon the Department verifying that:
(a) The activity shall not impair the capacity of SUNCOM circuits to accommodate communications traffic; and
(b) The initiator of the activity shall coordinate the timing and extent of the activity to minimize impact on the State Network and its Customers.
(6) The Customer's Information Security Manager, as established by section 282.318(4), F.S., or the highest level information security official for the Customer, shall work with the Department to ensure that the Customer adheres to the Department's security rules and any SUNCOM service requirement based on the appropriate technical specifications and procedures associated with the applicable service, as outlined in the Portfolio of Services.
(a) Customers shall adhere to all other applicable security requirements, including, but not limited to, chapter 282, F.S., and Rule Chapter 60GG-2, F.A.C.
(b) The Customer's designees are responsible for:
1. Keeping any Unauthorized Traffic or Connection from traversing the SUNCOM network; and
2. Notifying the SUNCOM Network Operations Center (888-478-6266) immediately upon discovery, and in no case more than fifteen (15) minutes after, a Security Exposure (e.g., a virus, Denial of Service, worm, hoax email, discovery of hacking tools, or altered data) that impacts or has the potential to impact the State's information resource is suspected or confirmed.
(7) Network Solutions obtained outside the official SUNCOM offering are subject to the Security Breach Protection provisions stated in Rules 60FF-3.004 through 60FF-3.007, F.A.C., and shall be documented by the Customer, as required in subsection 60FF-1.008(6), F.A.C., for Required Users or in Rule 60FF-1.013, F.A.C., for other Customers.
(8) SUNCOM communication Traffic shall be monitored by the Department's Division of Telecommunications for Unauthorized Activity. The Department will report violations to the Customer having appeared to have facilitated the Unauthorized Activity as well as the appropriate authority with jurisdiction over associated prevention and enforcement, which shall include the Florida Digital Service, and be remedied through the provisions of Rule 60FF-3.006, F.A.C.
(9) The Customer shall provide documentation of network topology and configuration information to the Department during any related Network Security audits or during resolution or investigation of security incidents.
(10) Customers shall be responsible for resolving all Security Breaches, Security Exposures, and System Failures for conditions within the Customer's purview and shall cooperate with the Department on SUNCOM resolution efforts through the provisions of Rule 60FF-3.006, F.A.C.
Notes
Rulemaking Authority 282.702(2), (9), 282.707(2) FS. Law Implemented 282.702(2), (8), (12), 282.703, 282.704, 282.705, 282.706, 282.707 FS.
New 6-25-08, Amended 5-19-22.