The identify function of the FCS is visually represented as
such:
| Function | Category | Subcategory |
|---|---|---|
| Identify (ID) | Asset Management (AM) | ID.AM-1: Inventory Agency physical devices and systems |
| | | ID.AM-2: Inventory Agency software platforms and applications |
| | | ID.AM-3: Map Agency communication and data flows |
| | | ID.AM-4: Catalog interdependent external information systems |
| | | ID.AM-5: Prioritize IT Resources based on classification, criticality, and business value |
| | | ID.AM-6: Establish cybersecurity roles and responsibilities for the entire Workforce and third-party Stakeholders |
| | Business Environment (BE) | ID.BE-1: Identify and communicate the Agency's role in the business mission/processes |
| | | ID.BE-2: Identify and communicate the Agency's place in Critical Infrastructure and its Industry Sector to Workers |
| | | ID.BE-3: Establish and communicate priorities for Agency mission, objectives, and activities |
| | | ID.BE-4: Identify dependencies and critical functions for delivery of critical services |
| | | ID.BE-5: Implement resiliency requirements to support the delivery of critical services for all operating states (e.g., normal operations, under duress, during recovery) |
| | Governance (GV) | ID.GV-1: Establish and communicate an organizational cyber security policy |
| | | ID.GV-2: Coordinate and align cybersecurity roles and responsibilities with internal roles and External Partners |
| | | ID.GV-3: Understand and manage legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations |
| | | ID.GV-4: Ensure that governance and risk management processes address cybersecurity risks |
| | Risk Assessment (RA) | ID.RA-1: Identify and document asset vulnerabilities |
| | | ID.RA-2: Receive cyber Threat intelligence from information sharing forums and sources |
| | | ID.RA-3: Identify and document Threats, both internal and external |
| | | ID.RA-4: Identify potential business impacts and likelihoods |
| | | ID.RA-5: Use Threats, vulnerabilities, likelihoods, and impacts to determine risk |
| | | ID.RA-6: Identify and prioritize risk responses |
| | Risk Management Strategy (RM) | ID.RM-1: Establish, manage, and ensure organizational Stakeholders understand the approach to be employed via the risk management processes |
| | | ID.RM-2: Determine and clearly express organizational risk tolerance |
| | | ID.RM-3: Ensure that the organization's determination of risk tolerance is informed by its role in Critical Infrastructure and sector specific risk analysis |
| | Supply Chain Risk Management (SC) | ID.SC-1: Establish management processes to identify, establish, assess, and manage cyber supply chain risk which are agreed to by organizational Stakeholders |
| | | ID.SC-2: Identify, prioritize, and assess Suppliers and third-party providers of information systems, components, and services using a cyber supply chain risk assessment process |
| | | ID.SC-3: Require Suppliers and third-party providers (by contractual requirement when necessary) to implement appropriate measures designed to meet the objectives of the organization's information security program or cyber supply chain risk management plan |
| | | ID.SC-4: Routinely assess Suppliers and third-party providers to confirm that they are meeting their contractual obligations by conducting reviews of audits, summaries of test results, or other equivalent evaluations of Suppliers/providers |
| | | ID.SC-5: Conduct response and recovery planning and testing with Suppliers and third-party providers |
(1) Asset Management. Each Agency shall ensure that IT Resources are identified and managed. Identification and management shall be consistent with the IT Resource's relative importance to Agency objectives and the organization's risk strategy. Specifically, each Agency shall:
   (a) Ensure that physical devices and systems within the organization are inventoried and managed (ID.AM-1).
   (b) Ensure that software platforms and applications within the organization are inventoried and managed (ID.AM-2).
   (c) Ensure that organizational communication and data flows are mapped and systems are designed or configured to regulate information flow based on data classification (ID.AM-3). Each Agency shall:
      1. Establish procedures that ensure only Agency-owned or approved IT Resources are connected to the Agency internal network and resources.
      2. Design and document its information security architecture using a defense-in-breadth approach. Design and documentation shall be assessed and updated periodically based on an Agency-defined, risk-driven frequency that considers potential Threat vectors (i.e., paths or tools that a Threat actor may use to attack a target).
      3. Consider diverse Suppliers when designing the information security architecture.
   (d) Each Agency shall ensure that interdependent external information systems are catalogued (ID.AM-4). Agencies shall:
      1. Verify or enforce required security controls on interconnected external IT Resources in accordance with the information security policy or security plan.
      2. Implement service level agreements for non-Agency provided technology services to ensure appropriate security controls are established and maintained.
      3. For non-interdependent external IT Resources, execute information sharing or processing agreements with the entity receiving the shared information or hosting the external system in receipt of shared information.
      4. Restrict or prohibit portable storage devices either by policy or by a technology that enforces security controls for such devices.
      5. Authorize and document inter-agency system connections.
      6. Require (e.g., contractually) that external service providers adhere to Agency security policies.
      7. Document Agency oversight expectations, and periodically monitor provider compliance.
   (e) Each Agency shall ensure that IT Resources (hardware, data, personnel, devices and software) are categorized, prioritized, and documented based on their classification, criticality, and business value (ID.AM-5). Agencies shall:
      1. Perform a criticality analysis for each categorized IT Resource and document the findings of the analysis conducted.
      2. Designate an authorizing official for each categorized IT Resource and document the authorizing official's approval of the security categorization.
      3. Create a contingency plan for each categorized IT Resource. The contingency plan shall be based on resource classification and identify related cybersecurity roles and responsibilities.
      4. Identify and maintain a reference list of exempt, and confidential and exempt, Agency information or software and the associated applicable state and federal statutes and rules.
   (f) Establish cybersecurity roles and responsibilities for the entire Workforce and third-party Stakeholders (ID.AM-6). Each Agency is responsible for:
      1. Informing Workers that they are responsible for safeguarding their passwords and other Authentication methods.
      2. Informing Workers that they shall not share their Agency accounts, passwords, personal identification numbers, security tokens, smart cards, identification badges, or other devices used for identification and Authentication purposes.
      3. Informing Workers that use, or oversee or manage Workers that use, IT equipment that they shall report suspected unauthorized activity, in accordance with Agency-established Incident reporting procedures.
      4. Informing Users that they shall take precautions that are appropriate to protect IT Resources in their possession from loss, theft, tampering, unauthorized access, and damage. Consideration will be given to the impact that may result if the IT Resource is lost, and to safety issues relevant to the protections identified in this subsection.
      5. Informing Users of the extent to which they will be held accountable for their activities.
      6. Informing Workers that they have no reasonable expectation of privacy with respect to Agency-owned or Agency-managed IT Resources.
      7. Ensuring that monitoring, network sniffing, and related security activities are performed only by Workers who have been assigned security-related responsibilities, either via their approved position descriptions or via tasks assigned to them.
      8. Appointing an Information Security Manager (ISM). Agency responsibilities related to the ISM include:
         a. Notifying FL[DS] of ISM designations and redesignations.
         b. Specifying ISM responsibilities in the ISM position description.
         c. Establishing an information security program that includes information security policies, procedures, standards, and guidelines; an information security awareness program; an information security risk management process, including the comprehensive Risk Assessment required by section 282.318, F.S.; a Cybersecurity Incident Response Team; and a disaster recovery program that aligns with the Agency's COOP Plan.
         d. Each Agency ISM shall be responsible for the information security program plan.
      9. Performing background checks and ensuring that a background investigation is performed on all individuals hired as IT Workers with access to information processing facilities, or who have system, database, developer, network, or other administrative capabilities for systems, applications, or servers with a risk categorization of moderate-impact or higher. These positions often, if not always, have privileged access. As such, in addition to Agency-required background screening, background checks conducted by Agencies shall include a federal criminal history check that screens for felony convictions that concern or involve the following:
         a. Computer related or IT crimes;
         b. Identity theft crimes;
         c. Financially-related crimes, such as: fraudulent practices, false pretenses and frauds, credit card crimes;
         d. Forgery and counterfeiting;
         e. Violations involving checks and drafts;
         f. Misuse of medical or personnel records; and,
         g. Theft.
      Each Agency shall establish appointment selection disqualifying criteria for individuals hired as IT Workers that will have access to information processing facilities, or who have system, database, developer, network, or other administrative capabilities for systems, applications, or servers with a risk categorization of moderate-impact or higher.
(2) Business Environment. Each Agency's cybersecurity roles, responsibilities, and IT risk management decisions shall align with the Agency's mission, objectives, and activities. To accomplish this, Agencies shall:
   (a) Identify and communicate the Agency's role in the business mission of the state (ID.BE-1).
   (b) Identify and communicate the Agency's place in Critical Infrastructure and its Industry Sector to inform internal Stakeholders of IT strategy and direction (ID.BE-2).
   (c) Establish and communicate priorities for Agency mission, objectives, and activities (ID.BE-3).
   (d) Identify system dependencies and critical functions for delivery of critical services (ID.BE-4).
   (e) Implement information resilience requirements to support the delivery of critical services for all operating states (ID.BE-5).
(3) Governance. Each Agency shall establish policies, procedures, and processes to manage and monitor the Agency's operational IT requirements based on the Agency's assessment of risk. Procedures shall address providing timely notification to management of cybersecurity risks. Agencies shall also:
   (a) Establish and communicate a comprehensive cybersecurity policy (ID.GV-1).
   (b) Coordinate and align cybersecurity roles and responsibilities with internal roles and External Partners (ID.GV-2).
   (c) Document and manage legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations (ID.GV-3).
   (d) Ensure governance and risk management processes address cybersecurity risks (ID.GV-4).
(4) Risk Assessment.
   (a) Approach. Each Agency shall identify and manage the cybersecurity risk to Agency operations (including mission, functions, image, or reputation), Agency assets, and individuals using the following approach derived from the NIST Risk Management Framework (RMF). The Risk Assessment steps provided in the table below must be followed; however, Agencies may identify and, based on the risk to be managed, consider other Risk Assessment security control requirements and frequency of activities necessary to manage the risk at issue.

| Risk Assessments | |
|---|---|
| Categorize: | Categorize information systems and the information processed, stored, and transmitted by that system based on a security impact analysis. |
| Select: | Select baseline security for information systems based on the security categorization; tailoring and supplementing the security baseline as needed based on organization assessment of risk and local conditions. |
| Implement: | Implement the selected baseline security and document how the controls are deployed within information systems and environment of operation. |
| Assess: | Assess the baseline security using appropriate procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for systems. |
| Authorize: | Authorize information system operation based upon a determination of the risk to organizational operations and assets, individuals, other organizations and the state resulting from the operation of the information system and the decision that this risk is acceptable. |
| Monitor: | Monitor and assess selected baseline security in information systems on an ongoing basis including assessing control effectiveness, documenting changes to the system or environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of systems to appropriate Agency officials. |
Agencies are required to consider the following security
objectives when assessing risk and determining what kind of assessment is
required and when or how often an assessment is to occur: confidentiality,
integrity, and availability. When determining the potential impact to these
security objectives Agencies will use the following table.
| Security Objectives | POTENTIAL IMPACT: LOW | POTENTIAL IMPACT: MODERATE | POTENTIAL IMPACT: HIGH |
|---|---|---|---|
| Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. | The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. | The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| Availability: Ensuring timely and reliable access to and use of information. | The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
In accordance with section 282.318(4)(d), F.S., each Agency shall complete and submit to FL[DS] no later than July 31,
2017, and every three years thereafter, a comprehensive Risk Assessment. In
completing the Risk Assessment, Agencies shall follow the six-step process
("Conducting the Risk Assessment") outlined in Section 3.2 of NIST Special
Publication 800-30, utilizing the exemplary tables provided therein as
applicable to address that particular Agency's Threat situation. NIST Special
Publication 800-30, Guide for Conducting Risk Assessments, Revision 1
(September 2012) is hereby incorporated by reference and may be found at:
http://www.flrules.org/Gateway/reference.asp?No=Ref-06499.
When establishing risk management processes, it may be helpful for Agencies to
review NIST Risk Management Framework Special Publications - they can be
downloaded from the following website:
http://csrc.nist.gov/publications/PubsSPs.html.
When assessing risk, Agencies shall estimate the magnitude of harm resulting
from unauthorized access, unauthorized modification or destruction, or loss of
availability of a resource. Estimates shall be documented as low-impact,
moderate-impact, or high-impact relative to the security objectives of
confidentiality, integrity, and availability.
   (b) Other Agency risk management activities that Agencies shall perform:
      1. Identify and document asset vulnerabilities (ID.RA-1), business processes and protection requirements. Establish procedures to analyze systems and applications to ensure security controls are effective and appropriate.
      2. Receive and manage cyber Threat intelligence from information sharing forums and sources that contain information relevant to the risks or Threats (ID.RA-2).
      3. Identify and document internal and external Threats (ID.RA-3).
      4. Identify potential business impacts and likelihoods (ID.RA-4).
      5. Use Threats, vulnerabilities, likelihoods, and impacts to determine risk (ID.RA-5).
      6. Identify and prioritize risk responses, implement risk mitigation plans, and monitor and document plan implementation (ID.RA-6).
(5) Risk Management. Each Agency shall ensure that the organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. Each Agency shall:
   (a) Establish risk management processes that are managed and agreed to by Agency Stakeholders and the Agency head (ID.RM-1).
      1. Establish a risk steering workgroup that ensures risk management processes are authorized by Agency Stakeholders. The risk steering workgroup must include a member of the Agency IT unit and shall determine the appropriate meeting frequency and Agency Stakeholders.
   (b) Identify and clearly document organizational risk tolerance based on the confidential and exempt nature of the data created, received, maintained, or transmitted by the Agency; by the Agency's role in Critical Infrastructure and sector specific analysis (ID.RM-2).
   (c) Determine risk tolerance as necessary, based upon analysis of sector specific risks, the Agency's Industry Sector; Agency-specific risks (e.g., Health Information Portability Accountability Act of 1996 compliance for Agencies that maintain this information), and the Agency's role in the state's mission (ID.RM-3).
   (d) Establish parameters for IT staff participation in procurement activities.
   (e) Identify the IT issues IT staff must address during procurement activities (e.g., system hardening, logging, performance, service availability, incident notification, and recovery expectations).
   (f) Implement appropriate security controls for software applications obtained, purchased, leased, or developed to minimize risks to the confidentiality, integrity, and availability of the application, its data, and other IT Resources.
   (g) Prior to introducing new IT Resources or modifying current IT Resources, perform an impact analysis. The purpose of this analysis is to assess the effects of the technology or modifications on the existing environment. Validate that IT Resources conform to Agency standard configurations prior to implementation into the production environment.
(6) Supply Chain Risk Management. Each Agency shall establish priorities, constraints, risk tolerances, and assumptions to support risk decisions associated with managing supply chain risk. Each Agency shall:
   (a) Establish management processes to identify, establish, assess, and manage cyber supply chain risks which are agreed to by organizational Stakeholders (ID.SC-1).
   (b) Identify, prioritize, and assess Suppliers and third-party providers of information systems, components, and services using a cyber supply chain risk assessment process (ID.SC-2).
   (c) Require Suppliers and third-party providers (by contractual agreement when necessary) to implement appropriate measures designed to meet the objectives of the organization's information security program or cyber supply chain risk management plan (ID.SC-3).
   (d) Routinely assess Suppliers and third-party providers to confirm that they are meeting their contractual obligations by conducting reviews of audits, summaries of test results, or other equivalent evaluations of Suppliers/providers (ID.SC-4).
   (e) Conduct response and recovery planning and testing with Suppliers and third-party providers (ID.SC-5).