The Respond function of the SFCS is visually represented as follows:

| Function | Category | Subcategory |
| Respond (RS) | Response Planning (RP) | RS.RP-1: Execute response plan during or after an Incident |
| | Communications (CO) | RS.CO-1: Ensure that personnel know their roles and order of operations when a response is needed |
| | | RS.CO-2: Report Incidents consistent with established criteria |
| | | RS.CO-3: Share information consistent with response plans |
| | | RS.CO-4: Coordinate with Stakeholders consistent with response plans |
| | | RS.CO-5: Engage in voluntary information sharing with external Stakeholders to achieve broader cybersecurity situational awareness |
| | Analysis (AN) | RS.AN-1: Investigate notifications from detection systems |
| | | RS.AN-2: Understand the impact of Incidents |
| | | RS.AN-3: Perform forensic analysis |
| | | RS.AN-4: Categorize Incidents consistent with response plans |
| | | RS.AN-5: Establish processes to receive, analyze, and respond to vulnerabilities disclosed to the Agency from internal and external sources |
| | Mitigation (MI) | RS.MI-1: Contain Incidents |
| | | RS.MI-2: Mitigate Incidents |
| | | RS.MI-3: Mitigate newly identified vulnerabilities or document accepted risks |
| | Improvements (IM) | RS.IM-1: Incorporate lessons learned in response plans |
| | | RS.IM-2: Periodically update response strategies |
(1) Response Planning. Each Agency shall establish and maintain response processes and procedures and validate execution capability to ensure Agency response for detected Cybersecurity Incidents. Each Agency shall execute a response plan during or after an Incident (RS.RP-1).
(a) Agencies shall establish a cybersecurity Incident Response Team (CSIRT) to respond to Cybersecurity Incidents. CSIRT members shall convene immediately upon notice of Cybersecurity Incidents. Responsibilities of CSIRT members include:
1. Convening a simple majority of CSIRT members at least quarterly to review, at a minimum, established processes and escalation protocols.
2. Receiving incident response training annually. Training shall be coordinated as a part of the information security program.
3. CSIRT membership shall include, at a minimum, a member from the cybersecurity team, the CIO (or designee), and a member from the Inspector General's Office who shall act in an advisory capacity. The CSIRT team shall report findings to Agency management.
4. The CSIRT shall determine the appropriate response required for each Cybersecurity Incident.
5. The Agency Cybersecurity Incident reporting process must include notification procedures, established pursuant to section 501.171, F.S., section 282.318, F.S., and as specified in executed agreements with external parties. For reporting Incidents to FL[DS] and the Cybercrime Office (as established within the Florida Department of Law Enforcement and in accordance with section 943.0415, F.S.), Agencies shall report observed Incident indicators to FL[DS]. Such indicators may include any known attacker IP addresses, malicious uniform resource locator (URL) addresses, malicious code file names, and/or associated file hash values.
(2) Communications. Each Agency shall coordinate response activities with internal and external Stakeholders, as appropriate, to include external support from law enforcement Agencies. Each Agency shall:
(a) Inform Workers of their roles and order of operations when a response is needed (RS.CO-1).
(b) Require that Incidents be reported consistent with established criteria and in accordance with Agency Incident reporting procedures. Criteria shall require immediate reporting, including instances of lost identification and Authentication resources (RS.CO-2).
(c) Share information, consistent with response plans (RS.CO-3).
(d) Coordinate with Stakeholders, consistent with response plans (RS.CO-4).
(e) Establish communications with external Stakeholders to share and receive information to achieve broader cybersecurity situational awareness (RS.CO-5). Where technology permits, enable automated security alerts. Establish processes to receive, assess, and act upon security advisories.
(3) Analysis. Each Agency shall conduct analysis to adequately respond and support recovery activities. Related activities include:
(a) Each Agency shall establish notification thresholds and investigate notifications from detection systems (RS.AN-1).
(b) Each Agency shall assess and identify the impact of Incidents (RS.AN-2).
(c) Each Agency shall perform forensics, where deemed appropriate (RS.AN-3).
(d) Each Agency shall categorize Incidents, consistent with response plans (RS.AN-4). Each Incident report and analysis, including findings and corrective actions, shall be documented.
(e) Establish processes to receive, analyze, and respond to vulnerabilities disclosed to the organization from internal and external sources (RS.AN-5).
(4) Mitigation. Each Agency shall perform Incident mitigation activities. The objective of Incident mitigation activities shall be to attempt to contain and prevent recurrence of Incidents (RS.MI-1); mitigate Incident effects and resolve the Incident (RS.MI-2); and address vulnerabilities or document them as accepted risks (RS.MI-3).
(5) Improvements. Each Agency shall improve organizational response activities by incorporating lessons learned from current and previous detection/response activities into response plans (RS.IM-1). Agencies shall update response strategies in accordance with Agency-established policy (RS.IM-2).